Top news stories this week
- Fines and fallout. Capita and US auto insurers fined over major data lapses.
- Plan before panic. NCSC urge CEOs to embed cybersecurity response plans amid rising threat.
- A princely sum. UK and US governments sanction scam centre operator.
- Hackers on holiday. Scattered Lapsus$ Hunters claim to take another break from breaches.
- Another bad day. Harvard suffers a cyber incident amid Oracle E-Business Suite vulnerability confusion.
- Remotely abused. RDP botnet attacks raise the stakes for VPN security as SonicWall falls victim again.
1. Data breaches across two continents draw record fines on Capita and US insurers
In separate oversight actions, authorities fined Capita GBP 14 million for failing to quarantine a compromised device for 58 hours, which allowed the exposure of personal data belonging to 6.6 million people. In New York, regulators collectively fined eight auto insurers over USD 14.2 million for insufficient security in quote pre-fill systems that leaked sensitive driver data used in large-scale fraud.
So what?
Data protection cannot be an afterthought for organizations; regulators across jurisdictions are willing to punish systemic negligence severely with heavy fines.
[Researcher: Lawrence Copson]
2. NCSC pushes CEOs to own incident response planning
The UK’s National Cyber Security Centre (NCSC) is urging chief executives and boards to establish written, tested cyber incident response plans, including roles, communications, and resilient alternatives when digital services fail. The NCSC reported a 50 percent increase in “highly significant” cyber incidents over the past year.
So what?
Putting response plans in writing is key to building cyber resilience should your organization fall victim to cybercriminals. Contact our proactive services team if you'd like to discuss any aspect of improving your cyber resilience.
[Researcher: Lawrence Copson]
3. UK and US governments sanction scam centre operator; USD 15 billion in Bitcoin seized
The US and UK governments have sanctioned The Prince Group, a multi-billion-pound conglomerate with extensive business activities across Southeast Asia, due to its connections to scam centres in the region. In a separate action, the US Department of Justice announced forfeiture actions against the chairman of The Prince Group, which included the seizure of various assets, including USD 15 billion in cryptocurrency.
So what?
The seizure of such a large amount in a single stroke by law enforcement highlights the increasing effectiveness of authorities in combating cybercrime. However, this may escalate the ongoing battle between authorities and threat actors; companies should take this opportunity to increase vigilance.
[Researcher: Lester Lim]
4. Scattered Lapsus$ Hunters announce retirement, again
The cybercriminal group known as Scattered Lapsus$ Hunters (SLSH) has announced it will cease all activity following increased pressure from law enforcement. Known for targeting high-profile organizations through extortion and data leaks, the group has indicated it will return in 2026.
So what?
Organizations should remain cautious of cybercriminal groups that claim to pause or cease operations. Such announcements can be strategic moves for threat actors to reorganise or rebrand under a different identity, as demonstrated previously by the ransomware group Conti.
[Researcher: Clay Palmer]
5. Harvard suffers cyber incident
Harvard University is investigating a data breach by the ransomware gang Cl0p, which exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite system. Although Oracle patched the vulnerability in July 2025, an unclear security advisory created confusion about whether a new vulnerability (CVE-2025-61884) was connected to Harvard's breach.
So what?
Organizations should ensure their vulnerability prioritisation process is evaluated using internal and external threat intelligence sources and not based solely on a vendor's disclosure.
[Researcher: Milda Petraityte]
6. Importance of VPN security increased due to RDP botnet attacks
Researchers have identified a large, multi-country botnet campaign actively exploiting Remote Desktop Protocol (RDP) services in the US. While recommendations to combat these attacks include using secure VPN services with MFA, this comes amid a security breach at SonicWall, where over 100 SSL VPN accounts were compromised using stolen credentials.
So what?
Organizations should rotate likely compromised SSL VPN credentials now and remain vigilant on unusual or unexpected VPN and RDP activity.
[Researcher: Jenny Eysert]