28 November 2025

FBI warns of surge in account take over fraud during holiday period | Cyber Intelligence Briefing: 28 November 2025

Top news stories this week

  1. Festive fraud. FBI warns of surge in account takeover fraud during holiday period.
  2. Insider ejected. Cyber security firm dismisses employee who shared screenshots with cybercriminals.
  3. Down the chain. Vendor compromise exposes Iberia customer data and SitusAMC breach exposes client data.
  4. Shared risk. Three London borough councils impacted by an ongoing cyber incident.
  5. SEC spares SolarWinds. SEC dismisses remaining charges against SolarWinds CISO.
  6. Shai-Hulud returns. Second Shai-Hulud attack exposes open-source security fragility.

1. USD 262 million stolen as FBI warns of surging ATO fraud scheme during holiday period

Ahead of the US holiday period, the FBI has warned consumers of a rise in Account Takeover (ATO) fraud schemes in which cybercriminals impersonate financial institutions and subsequently take over customer accounts. In 2025, USD 262 million has reportedly been stolen through ATO schemes, and over 5,000 complaints have been made to the FBI’s Internet Crime Complaint Center (IC3).

So what?

Cybercriminals continue to leverage credentials compromised in previous breaches to gain access to accounts and commit further fraud. Extra vigilance is needed to counter cybercriminals free-riding on Christmas and Black Friday deals.

[Researcher: Jenny Eysert]


2. Cyber security firm dismisses employee who shared screenshots with cybercriminals

Cyber security firm CrowdStrike disclosed that it identified and terminated the employment of a potentially malicious insider after they were caught sharing screenshots of employee dashboards, allegedly with the cybercrime group Scattered Lapsus$ Hunters. CrowdStrike confirmed that its systems were not compromised and clients were not impacted.

So what?

Telegram messages attributed to the group show increased attempts to recruit insiders from specific industry sectors. Companies should ensure that controls remain in place to mitigate vulnerabilities stemming from insider activity – such as privileged access management, network segmentation and regular security assessments.

[Researcher: Lester Lim]


3. Major banks and lenders impacted by SitusAMC breach and Iberia customer data stolen following vendor compromise

Global financial service provider SitusAMC has disclosed a cyber incident in which corporate and client data, including accounting records, legal agreements and clients' customer data, was exposed.

Separately, Spanish airline Iberia has notified customers of a supplier data breach. The threat group Everest has claimed responsibility for the attack and, in an as yet unverified claim, reports stealing 596 GB of data containing sensitive customer information.

So what?

Performing ongoing security assessments of suppliers is a key part of third-party risk management. This helps to ascertain whether a supplier's cyber practices meet your organisation’s requirements.

[Researcher: Adelaide Parker]

4. Three London borough councils impacted by an ongoing cyber incident

The Royal Borough of Kensington and Chelsea and Westminster City Council have suffered a cyberattack on a shared IT system. A third London borough, Hammersmith and Fulham Council, which also uses the shared IT resources, has isolated its network as a precaution. While the investigation is underway, all three boroughs have activated emergency plans to ensure that critical services can still be provided to residents.

So what?

Organisations should ensure that they understand the risk of using shared resources and how such risks could be mitigated to build strong resilience and robust response plans.

[Researcher: Milda Petraityte]


5. SEC dismisses remaining charges against SolarWinds CISO

The US Securities and Exchange Commission (SEC) has dismissed all remaining charges brought against the CISO of SolarWinds relating to a cyber incident, first discovered in December 2020, that impacted multiple US government agencies and organisations globally. The SEC initially brought charges relating to allegedly fraudulent statements about cyber security practices at SolarWinds and to disclosures following the breach.

So what?

The dismissal of these charges by the SEC should assuage some of the fears among CISOs about the ripple effect this case could have had on the proactive identification and reporting of gaps in cyber security programmes.

[Researcher: Steve Ross]


6. Second Shai-Hulud attack exposes the fragility of open-source security

A second wave of the Shai-Hulud malware has hit the npm ecosystem, compromising more than 25,000 repositories. The attack spreads through tampered packages that steal sensitive credentials during installation, including cloud keys and GitHub tokens. Its worm-like behaviour allows it to automatically republish infected packages, causing the threat to ripple across major projects and organisations.

So what?

This wave shows how easily trusted open-source tools can be weaponised, putting developers and companies at real risk. It underscores the urgent need for dependency audits, credential rotation and stronger supply-chain security before attackers gain deeper access.

[Researcher: Ayomikun Olayinka]

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.