Top news stories this week
- Confused goose. Adidas and Canada Goose suffer third-party data breaches.
- Won too many. Luxury brands fined for data breaches in South Korea.
- Threats in high tide. Wave five data confirms high incident rates across UK organizations.
- QR con-spiracy. Phishing letters trick users into surrendering their credentials.
- Phobos cuffed. Europol Operation Aether yields another arrest in ongoing Phobos ransomware investigation.
- Bold reverse. Dutch man tries to extort police after erroneous file share.
1. Adidas and Canada Goose suffer third-party data breaches linked to ShinyHunters
ShinyHunters has published over 600,000 alleged Canada Goose customer records, including names, addresses, order histories, and partial payment card data. Canada Goose denied its own systems were compromised and claimed the data originated from a third-party payment processor breach in August 2025. Separately, a threat actor, who alleges a connection to Lapsus$, claimed to have stolen 815,000 rows of data from an Adidas licensing partner.
So what?
Both incidents highlight the supply chain as a primary attack vector — organizations must apply the same security scrutiny to third-party partners as to their own systems, and should treat unverified threat actor attribution claims with skepticism until independently confirmed.
[Researcher: James Tytler]
2. Luxury brands fined for data breaches in South Korea
South Korea’s Personal Information Protection Commission fined luxury brands Christian Dior, Louis Vuitton and Tiffany & Co a total of KRW 36 billion (USD 25 million) after hacker group ShinyHunters compromised their Salesforce systems, leading to major customer breaches. The fines were imposed by the PIPC after investigations deemed the brands to have had inadequate security practices.
So what?
Organizations should ensure their controls are current and appropriate, particularly those targeted by tactics, techniques and procedures (TTPs) utilized by this specific threat actor group. Contact us for more information on Scattered LAPSUS$ Hunters.
[Researcher: Lester Lim]
3. UK government survey confirms majority of UK organizations hit by cyberattacks
Results from the fifth annual Cyber Security Longitudinal Survey indicate that 82% of businesses and 77% of charities have experienced some form of cyber incident over the last twelve months. Phishing was reported as the most common attack type. The survey covers medium and large businesses and high-income charities.
So what?
The study confirms that organizations should prepare for exposure to cyber risk, not isolated threat events, and prioritise resilience‑based security strategies.
[Researcher: Tlhalefo Dikolomela]
4. Phishing letters trick users into surrendering control over cryptocurrency assets
Threat actors are mailing physical letters impersonating the makers of cryptocurrency hardware wallets Trezor and Ledger to trick users into scanning a QR code that leads to online phishing sites. These fake notices warn of mandatory authentication or transaction checks to create urgency, ultimately directing victims to enter their wallet recovery phrases. Once submitted, the phrases allow attackers to take full control of the wallets and steal funds.
So what?
Phishing communications often exploit trust and create a false sense of urgency. It is important to exercise caution not only with digital communications but also with physical letters, and never share sensitive information if in doubt.
[Researcher: Milda Petraityte]
5. Polish authorities arrest suspected Phobos ransomware affiliate under Operation Aether
Polish police have arrested a 47-year-old man linked to the Phobos ransomware group. Devices that contained logins, passwords, credit card numbers, and server IP addresses were seized. The arrest is part of Europol’s Operation Aether, an ongoing crackdown against the 8Base ransomware group, which is linked to Phobos.
So what?
Law enforcement continues to chip away at the Phobos/8Base network; however, organizations should not treat these victories as a substitute for sustained security investment.
[Researcher: Lawrence Copson]
6. Dutch man tries to extort police after erroneous file share
Dutch police were met with a bold extortion attempt after accidentally sharing access to confidential police documents. The recipient of the erroneous link, a man who was originally volunteering to support a police investigation, demanded incentives to delete the files. He was subsequently detained by police for failing to cooperate and to report the mistake appropriately.
So what?
Data and privacy laws apply to all data, whether shared intentionally or accidentally. It is recommended to cooperate with data owners or guardians and abstain from abusing accidental data leakage for personal benefit.
[Researcher: Jenny Eysert]

