
Cybersecurity Week in Review: April 29 – May 5, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • Texas HHSC (USA): State health workers improperly accessed data for 33,529 program enrollees. Exposed information includes names, birthdates, addresses, Social Security and Medicaid/Medicare IDs, plus health and financial details. The breach, uncovered Apr 2025, reflects insider threat risks in government systems.
  • VeriSource Services (USA): Personal data of up to 4 million individuals may have been exposed in a breach discovered Feb 2024 and disclosed April 30, 2025. Affected data reportedly include full names, Social Security numbers, birthdates, and addresses. A law firm announced the incident and an investigation is underway.
  • National Public Data (USA): In a massive leak reported Apr 29, threat actors offered 2.9 billion individuals’ records (including full names, addresses, SSNs) for sale. Dubbed one of the largest breaches ever, this exposure of PII was posted on a dark-web forum by a group calling itself “USDoD.” Affected database records were reportedly compiled by the marketing firm National Public Data, which now faces a class-action lawsuit.

Significant Cyberattacks and Incidents

Several high-impact cyberattacks were reported. Retail, IT services, public services and critical infrastructure were targeted by ransomware, DDoS, and hacking campaigns. Key incidents included:

  • Marks & Spencer (UK): The retailer confirmed a cyber-attack linked to the “Scattered Spider” group in late April. Hackers reportedly stole data in February and deployed DragonForce ransomware, encrypting M&S systems. Online sales were temporarily halted and the attack wiped roughly £500 million off the company’s market value.
  • Hitachi Vantara (Global): Hitachi’s IT-services subsidiary was hit by an Akira ransomware intrusion on Apr 26, 2025. The company took servers offline to contain the breach, engaged cybersecurity experts, and is working to restore systems. (Akira operators claimed to have stolen files, though Hitachi’s cloud services remained unaffected.)
  • Italian Citizenship Referendum (Italy): On Apr 27, the website for Italy’s June 2025 citizenship referendum was crippled by a massive hack. The committee reported ~21 million access attempts in one day, coming from masked IPs worldwide. A “We are performing maintenance” message greeted visitors while technicians investigated. The attack (likely DDoS) underscored the risks to electoral infrastructure.
  • Romanian Government Sites (Romania): On May 4, pro-Russian “NoName057” hackers launched a DDoS attack against multiple Romanian government websites (Interior, Justice, etc.). Romanian authorities confirmed the attack, which flooded servers with traffic and rendered sites inaccessible. By 2:00 PM that day the National Cyber Security Directorate reported all sites were restored. The assailant group, known for politically motivated DDoS (“DDOSIA” tool), claimed responsibility on Telegram.
  • Kingsmen Creatives (Singapore): Creative-services firm Kingsmen disclosed on May 2 that it had suffered a ransomware incident. No data exfiltration was detected, but systems were encrypted. The company activated its continuity plan and worked with external experts. This case highlights that even organizations outside typical targets face growing ransomware threats.
  • Larva-24005 / Kimsuky (North Korea → S. Korea, Japan): Security researchers reported a North Korean APT campaign (tagged “Larva-24005” by a vendor) targeting government organizations in South Korea and Japan. The group initially exploited the old BlueKeep RDP vulnerability (CVE-2019-0708) to gain access, then deployed MySpy and other malware. The attacks aimed at espionage, reflecting Korea’s ongoing cyber conflict in the region.
  • Fowler School District (USA): The Fowler Elementary School District in Phoenix, Arizona, was hit by Interlock ransomware. Attackers exfiltrated ~400 GB of sensitive data, including student and staff records (identification details, medical records, payroll info, SSNs). Interlock posted proof-of-breach data on the dark web. This incident — disclosed May 5 — highlights the surge of ransomware in K-12 education and the severe privacy impact of such attacks.

Critical Vulnerabilities and Patches

  • Commvault Command Center (CVE-2025-34028): A remote code execution flaw (path traversal) in Commvault Command Center (v11.38.0–11.38.19) was disclosed and actively exploited. This critical (CVSS 10.0) vulnerability allows unauthenticated attackers to execute code by uploading crafted ZIP files. Patches have been released in versions 11.38.20+; CISA added it to its Known Exploited Vulnerabilities list on May 5. Users must update immediately to avoid compromise.
  • SureTriggers WordPress Plugin (CVE-2025-27007): A high-severity (CVSS 9.8) privilege-escalation bug was found in the SureTriggers plugin (<=1.0.82). An attacker with low privileges could manipulate authorization and gain higher access. Patch version 1.0.83 was issued in early May; WordPress site owners should update to eliminate this critical flaw.
  • Apple AirPlay “AirBorne” Bugs (e.g. CVE-2025-24252): Researchers disclosed a set of severe zero-click RCE vulnerabilities in Apple’s AirPlay protocol. One example, CVE-2025-24252 (use-after-free in AirPlay), allows unauthenticated attackers on a local network to execute arbitrary code on Apple devices (iOS, macOS, tvOS) when AirPlay is enabled. Dubbed “AirBorne,” these flaws could propagate malware network-wide. Apple has released patches (in iOS/iPadOS 18.4.1, macOS Sonoma 14.7.4+, etc.) to fix the issues; organizations should apply them promptly.
  • macOS Sandbox Escape (CVE-2025-31191): Microsoft researchers discovered a sandbox escape vulnerability in macOS (leveraging security-scoped bookmarks and Office macros). This flaw (CVE-2025-31191) could allow a malicious app to break out of Apple’s App Sandbox without user action. Apple addressed it in the Mar 31, 2025 security update (macOS Sonoma 14.7.5, Sequoia 15.4). All Mac users should ensure their systems are updated to eliminate this cross-platform threat.
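The Commvault entry above describes a path-traversal RCE triggered by uploading a crafted ZIP archive. The following is an added example, not Commvault's code or anything from the vendor advisory, of the defensive check an upload handler should apply: every archive member name is vetted before extraction, and the resolved destination path is re-checked against the extraction root. The archive contents and file names are constructed sample input.

```python
"""Rejecting path-traversal entries in uploaded ZIP archives.

Added example (not Commvault's code): a defensive check of the kind that
blocks the "crafted ZIP" trick, where an entry name such as
"../../evil.txt" would land a file outside the intended extraction root.
"""
import io
import os
import posixpath
import tempfile
import zipfile


def is_unsafe_member(name: str) -> bool:
    """Return True if a ZIP entry name would resolve outside the extraction root."""
    # Normalise Windows separators so "..\\x" is treated like "../x".
    normalised = name.replace("\\", "/")
    # Absolute paths and drive-letter paths escape the root directly.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    # Collapse "." and ".." segments; anything still starting with ".." escapes.
    collapsed = posixpath.normpath(normalised)
    return collapsed == ".." or collapsed.startswith("../")


def vet_archive(data: bytes) -> dict:
    """Partition archive members into safe and rejected entry names."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (rejected if is_unsafe_member(info.filename) else safe).append(info.filename)
    return {"safe": safe, "rejected": rejected}


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only vetted members; the final resolved path is checked again."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            # Second line of defence: the resolved path must stay under root.
            if os.path.commonpath([root, target]) != root:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(target)
    return written


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/summary.txt", "benign content")
        zf.writestr("../../outside.txt", "escapes via dot-dot")
        zf.writestr("/etc/cron.d/job", "absolute path")
        zf.writestr("ok/../../up.txt", "escapes only after normalisation")
    return buf.getvalue()


def demo() -> int:
    """Extract the constructed sample into a scratch directory; returns files written."""
    with tempfile.TemporaryDirectory() as tmp:
        return len(safe_extract(build_sample_archive(), tmp))


if __name__ == "__main__":
    print(vet_archive(build_sample_archive()))
    print("files written:", demo())
```

The member-name check alone is not enough, because a name that looks harmless can still resolve through a symlinked directory already present under the root; that is why `safe_extract` re-validates the realpath of each target before writing.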

Government and Industry Cyber Responses

  • US Sanctions for Cyber Fraud (May 5, 2025): The U.S. Treasury’s Office of Foreign Assets Control (OFAC) added Myanmar’s Karen National Army (KNA) and leader Saw Chit Thu to its sanctions list. The designation targets a militia running “industrial-scale” cyber scam operations (online investment fraud) from bases along the Thailand-Myanmar border. This is part of a wider effort by US authorities to disrupt global cyber-fraud networks. Sanctioning the KNA freezes any U.S. assets and bans financial dealings with U.S. entities.
  • CISA Advisories (May 1, 2025): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published two new Industrial Control Systems (ICS) security advisories. These cover a vulnerability in KUNBUS’ Revolution Pi system and an issue in MicroDicom DICOM Viewer, both used in critical infrastructure contexts. CISA urged affected users to apply vendor mitigation steps. This continues CISA’s role in alerting industry to emerging ICS risks.
  • IBM $150B R&D Investment (USA): IBM announced on Apr 29 a massive $150 billion investment over the next decade to expand computing research and innovation in the U.S. This plan (IBM’s largest-ever corporate pledge) earmarks ~$24B for security, software and advanced computing projects. It highlights industry commitment to bolstering national technology leadership, including in areas like quantum computing and cybersecurity.
  • Palo Alto Networks Acquisition (USA): Palo Alto Networks confirmed the acquisition of AI-security firm Protect AI (announced Apr 2025). Protect AI provides tools for auditing and protecting machine-learning models. Integrating these into Palo Alto’s Prisma AIRS will enhance customers’ ability to secure AI workloads and detect AI-specific attacks. This reflects growing industry focus on securing emerging AI systems.

Miscellaneous

  • RSA Conference 2025: The RSA security conference was held April 28–May 1 in San Francisco. This marquee industry event brought together thousands of experts and executives to discuss emerging threats (e.g. AI, cloud security, quantum readiness) and share threat intelligence. Keynotes and workshops reinforced the community’s focus on proactive defense and zero-trust strategies.
  • Security Research & Trends: Veeam’s recent ransomware trends report (Apr 2025) found that in 2024 36% of ransomware victims did not pay a ransom, and of those who paid, 82% settled for less than the attackers’ initial demand. This indicates a shift toward stronger backup/recovery practices. Another report highlighted that 50% of mobile devices still run outdated OS versions, leaving them vulnerable to exploits; notably, SMS phishing (“smishing”) now accounts for 69.3% of all mobile phishing attacks. These findings underscore persistent security gaps and attack vectors in endpoints.
  • Regulatory Developments: (While outside this week’s strict window, note that policymakers continue to advance cybersecurity laws.) For example, in the UK the government has outlined a forthcoming Cyber Security and Resilience Bill (announced Apr 2025) to extend security requirements to IT service providers and critical industries. Similar initiatives (NIS2, EU Cyber Act review) are under discussion internationally. These regulatory moves respond to the rising threat landscape.

Conclusion

Last week’s events illustrate the breadth of cyber challenges facing organizations: from massive data exposures and ransomware outbreaks to supply-chain and state-backed attacks. Key takeaways include the enduring value of robust security hygiene (e.g. patching critical flaws like CVE-2025-34028), the necessity of insider-threat controls (as seen in the Texas breach), and the importance of resilience (many victims opt not to pay ransoms). The international cooperation on sanctions and advisories shows that governments are increasingly willing to use legal and regulatory tools to combat cybercrime. For security leaders, these incidents reinforce the need to monitor threat intelligence closely, apply timely patches, and ensure robust incident response plans. Vigilance is required across all fronts – from legacy vulnerabilities (BlueKeep) to emerging AI/quantum threats – as adversaries continue to exploit any weakness.

Sources

News reports, advisories, and research from April 29 – May 5, 2025: