ARTICLE
8 December 2025

Cyber Security: A Month In Retrospect (Australia) - November 2025

Herbert Smith Freehills Kramer LLP

From hacks to headlines, here is a month of cyber news in retrospect (November 2025). We have brought it all together in one place, so you don't have to.

Cameron Whittfield, HSF Kramer Partner and APAC Cyber Security Leader, recently featured on Nine News to discuss the scourge of cyber extortion demands and the new cyber extortion payment reporting regime.

You can watch the news story here.

Cyber Top 10

  1. Anthropic has reported the first known large-scale cyber espionage campaign orchestrated primarily by AI, with a state-sponsored group using the Claude Code tool to autonomously target around thirty global organisations. The attackers jailbroke the AI, tricking it into executing cyberattacks by breaking tasks into small, seemingly benign steps and posing as a legitimate cybersecurity firm. Claude was used to conduct reconnaissance, identify vulnerabilities, write exploit code, harvest credentials and exfiltrate data, with minimal human intervention. The incident highlights how advanced AI agents are rapidly lowering the barrier to sophisticated cyber operations and underscores growing concerns about AI security and the need for stronger safeguards. Read more here.
  2. Cl0p's exploitation of Oracle E‑Business Suite vulnerabilities continues to impact major organisations around the world. The breach has exposed a large number of companies to cyber extortion events led by Cl0p. Victims vary given the diverse range of companies using the E-Business Suite (including, of course, Oracle itself). Read more here.
  3. The Queensland Government has unveiled its 2025–2027 Cyber Security Strategy, investing $40 million to strengthen state and local government systems. The plan focuses on critical infrastructure upgrades, resilient procurement, and supply chain security. With Queensland accounting for 28% of national cyber incidents, the strategy also tackles the skills gap, aiming to attract diverse talent to help fill Australia's shortfall of 30,000 cybersecurity professionals. Read more here.
  4. Governance software and platform providers Diligent and BoardRoom have confirmed breaches of their environments, once again impacting a number of different individuals and companies. The breach at Diligent disabled integrations while forensic teams investigated, sparking concern across corporate Australia as analysts warn that board portals, designed to centralise confidential governance data, can become a single point of failure when compromised. Read more here.
  5. The OAIC has ruled that online wine retailer Vinomofo breached the Privacy Act after a major data breach in which customer information was exposed on a cybercrime forum, affecting nearly one million individuals. Commissioner Carly Kind cited weak policies, poor staff training, and a culture that undervalued privacy as key factors behind the incident. Vinomofo has been ordered to strengthen safeguards within 90 days, a decision that underscores mounting regulatory pressure on businesses to embed privacy by design. Read more here.
  6. The ASD and the AICD have published cyber security guidance for boards, emphasising the rising global threat environment and the need for stronger governance oversight. The guidance calls on directors to adopt an "assume compromise" mindset. Boards are urged to tackle legacy IT risks, oversee supply‑chain security, and prepare for the post‑quantum cryptography transition, while also focusing on incident response planning and building a resilient cyber security culture. Read more here.
  7. The EU is taking steps to simplify and streamline its digital law landscape, with the Digital Omnibus package recently being launched. The package introduces major updates to the GDPR, ePrivacy rules, the Data Act, and cybersecurity reporting. Key changes include a single entry point for incident reporting, higher thresholds and extended deadlines for breach notifications and new legal bases for processing sensitive data in AI development. The reforms are designed to reduce compliance burdens for SMEs, harmonise requirements across the EU, and provide greater legal certainty. Read more here.
  8. CrowdStrike has published its State of Ransomware Survey, revealing a disconnect between organisational confidence and real‑world resilience. Although many businesses worldwide consider themselves well‑prepared, the findings show recovery is often slow. The report also warns that AI‑powered social engineering is increasingly complicating detection, making ransomware attacks harder to defend against. Read more here.
  9. Newly emerged ransomware groups, including Coinbase Cartel and The Brotherhood, have made an entrance into Australia's cybercrime arena. The Brotherhood has claimed responsibility for attacks on two Australian organisations in one day. The group published evidence of the breaches on its leak site, threatening to release sensitive data unless ransom demands are met. Security analysts note that the group's tactics mirror those of established ransomware syndicates, suggesting that the group may be leveraging experienced operators or recycled playbooks to accelerate its impact. Read more here.
  10. Australia, the US and the UK have jointly imposed sanctions on Russian tech companies accused of enabling ransomware operations against hospitals, schools, and businesses. The measures include asset freezes, trade restrictions, and bans on dealings, aiming to disrupt financial flows and cut off the infrastructure supporting criminal groups. Officials said the co-ordinated action reflects a stronger international stance against state‑linked cybercrime, underscoring ransomware's status as a national security threat requiring cross‑border co-operation. Read more here.

News from HSF Kramer

New Podcast: Cross Examining Dr Bruce Tonkin (CEO of auDA)

In this episode, we cross examine Dr Bruce Tonkin, Chief Executive Officer at auDA. Dr Tonkin is one of Australia's true internet pioneers and has been at the forefront of the cyber security discourse in Australia for a number of decades.

We dive into Bruce's career journey (and the evolution of the internet here in Australia), the role of auDA and the importance of protecting the .au domain. You may be surprised how much we depend on auDA as part of our interconnected business community. We also talk about the effective role of a lawyer in a cyber incident. Bruce also shares some interesting insights into the global domain space, including the unexpected economic benefits of having a country code like "tv" or "ai". Fascinating!

You can listen to the episode here.

The ACL case: A $5.8M reminder to get cyber due diligence right

The Federal Court has fined Australian Clinical Labs (ACL) $5.8 million under the Privacy Act after a data breach exposed sensitive information of over 223,000 individuals, highlighting the critical importance of robust cybersecurity due diligence in mergers and acquisitions. The breach occurred soon after ACL acquired Medlab Pathology in 2021, with the court finding that ACL failed to identify and address serious cybersecurity weaknesses in Medlab's systems before and after the acquisition. The penalty, Australia's first civil penalty for a privacy breach, underscores the significant financial and reputational risks of inadequate cyber due diligence. The case serves as a warning for companies to ensure thorough technical assessments, ongoing risk management, and clear governance when acquiring businesses with substantial data holdings.

You can read our full article here.

Changing lanes: The evolving legal and regulatory data considerations for CAVs in Australia

Connected and autonomous vehicles (CAVs) generate and transmit large volumes of data to interpret their surroundings and communicate with other vehicles and infrastructure. While such interconnectivity promises greater mobility, including safer roads, optimised transport networks and personalised driver experiences, it also introduces a complex web of privacy, data and cyber security considerations and regulation.
This article explores the evolving legal and regulatory landscape for CAVs in Australia, with a focus on privacy, cyber security and the implications of forthcoming reforms such as the Automated Vehicle Safety Law (AVSL).

You can read our full article here.

Law making and regulatory news

Vinomofo privacy failures exposed by Privacy Commissioner – OAIC – 29 October 2025

The OAIC has found online wine retailer Vinomofo breached the Privacy Act by failing to protect the personal information of nearly one million customers. Privacy Commissioner Carly Kind determined that Vinomofo did not take reasonable steps under Australian Privacy Principle 11.1, with weak policies, poor staff training, and a culture that undervalued privacy leading to a major data breach. Sensitive data including names, addresses, phone numbers, and dates of birth was exposed after appearing on a cybercrime forum. The Commissioner criticised Vinomofo's governance posture and ordered the company to strengthen safeguards within 90 days, including improved risk management and privacy compliance measures. The ruling underscores the growing regulatory pressure on businesses to embed privacy by design and highlights the reputational and financial risks of neglecting customer data protection.

Queensland Government unveils $40m cyber defence strategy – Queensland Government – 12 November 2025

Queensland has launched a 2025–2027 Cyber Security Strategy, backed by $40 million in funding to harden state and local government systems. The plan, announced by Minister for Customer Services and Open Data Steve Minnikin, prioritises upgrades to critical infrastructure, stronger procurement tools, and supply chain resilience. With Queensland accounting for 28% of national cyber incidents, the strategy also tackles the cybersecurity skills gap, aiming to attract diverse talent and address Australia's shortfall of 30,000 skilled workers. Partnerships with the federal government, industry, academia, and councils will underpin prevention, response, and recovery efforts. Minnikin stressed that as digital services expand, security must be embedded by design, with proactive investment to counter rising threats, including cyber terrorism.

Criminals exploit ACSC cybercrime reporting system – Australian Signals Directorate – 13 November 2025

The ACSC has issued an alert warning of scammers posing as police officers to trick victims into handing over access to their cryptocurrency seed wallets. Scammers are contacting individuals by phone and email, claiming to investigate cybercrime or fraud, and then coercing them into revealing recovery phrases or transferring funds. Once obtained, the seed phrase allows attackers to drain entire crypto holdings, leaving victims with no recourse. The ACSC has stressed that law enforcement will never request wallet details or seed phrases, urging Australians to treat such requests as fraudulent. The advisory highlights the growing trend of social engineering scams targeting digital assets, and calls for vigilance, multi‑factor authentication, and secure storage practices to protect against theft.

US government revives key cyber laws after shutdown – The Record – 14 November 2025

President Donald Trump signed legislation to end a 43‑day government shutdown, temporarily reinstating two major cybersecurity programs that had lapsed at the end of September. The bill revives the 2015 Cybersecurity and Infrastructure Security Act (CISA), which provides liability protections for private companies sharing cyber threat intelligence with the government, and the State and Local Cybersecurity Grant Program, which has distributed $1 billion since 2022 to help local agencies strengthen their digital defences. Both measures are renewed only until January 30, 2026, raising concerns about continuity and long‑term resilience.

China amends Cybersecurity Law – Lexology – 14 November 2025

China has revised its Cybersecurity Law (CSL) for the first time since 2017, with changes passed on 28 October 2025 and set to take effect on 1 January 2026. The amendments introduce a framework for AI development and regulation, requiring ethical guidelines, risk monitoring, and encouraging AI-powered cybersecurity solutions. The law strengthens oversight by imposing new penalties on network product providers, enabling shutdowns of unlawful applications, and expanding extraterritorial jurisdiction to cover all activities undermining China's cybersecurity, including cyberattacks and data theft. Penalty standards have been refined into a four-tier system, with fines for companies rising to RMB 10 million in severe cases and up to RMB 1 million for individuals. Mitigated or waived penalties are possible if companies proactively address violations. The revisions signal that robust compliance and proactive risk management are now essential for businesses operating in China.

EU proposes sweeping reforms to the GDPR, cookie rules, Data Act, and breach reporting – Lexology – 19 November 2025

The European Commission has introduced two proposals under its Digital Omnibus package to simplify and modernise EU digital laws, bringing reforms to the GDPR, ePrivacy rules, the Data Act, and cybersecurity incident reporting. The changes include a single entry point for streamlined incident reporting across frameworks such as NIS2, DORA, and GDPR, higher thresholds and longer deadlines for breach notifications, a more flexible definition of personal data, and new legal bases for processing sensitive data in AI development. The proposals also simplify privacy notice obligations, create exemptions for research, expand cookie consent exceptions to reduce fatigue, and consolidate rules on data sharing, trade secrets, and cloud switching. These reforms are designed to reduce administrative burdens by up to 35 percent for SMEs, harmonise compliance across the EU, and provide greater legal certainty while continuing to protect individual rights.

Australia, US and UK sanction Russian cyber firms over ransomware links – itnews – 20 November 2025

Australia, the United States, and the United Kingdom have jointly imposed sanctions on Russian technology companies accused of supporting ransomware operations. The targeted firms are alleged to provide infrastructure and services enabling attacks against hospitals, schools, and businesses worldwide. Officials said the co-ordinated action aims to disrupt financial flows and choke operational support for criminal groups, marking a stronger international stance against state‑linked cybercrime. The sanctions include restrictions on trade, asset freezes, and bans on dealings with the listed entities. Analysts note the move reflects growing recognition that ransomware is a national security threat, requiring cross‑border cooperation to dismantle networks and deter future attacks.

Vietnam's cyber security law defines "data security" for the first time – Vietnamnet – 25 November 2025

For the first time, Vietnam's draft Cybersecurity Law 2025 explicitly defines "data security" as a critical component of national cybersecurity. It elevates data to a central position in Vietnam's cyber governance structure and defines it as 'the secure collection, processing, and use of information for national digital transformation and economic development.' Organisations without sufficient technical or human resources will now be compelled to adopt safer methods of managing and accessing data, such as through trusted government databases or certified service providers, reducing risks from decentralised and vulnerable data storage.

Industry news

The ASD and AICD release guidance on cyber security priorities for boards of directors – Australian Signals Directorate – 30 October 2025

The Australian Signals Directorate (ASD) and the Australian Institute of Company Directors (AICD) have released updated cyber security priorities for boards of directors for 2025–26, stressing the heightened global threat environment and the critical role boards play in safeguarding organisations. The guidance urges directors to ensure technology is secure by design and default, adopt an "assume compromise" mindset to protect crown‑jewel assets, and strengthen capabilities such as event logging, threat detection, and third‑party risk management. Boards are also advised to address legacy IT risks, oversee supply‑chain security, and begin planning for the post‑quantum cryptography transition. Alongside these technical measures, the guidance highlights the importance of incident response planning and fostering a strong cyber security culture. Together, these priorities aim to equip boards with the right questions and oversight strategies to navigate the escalating cyber threat landscape and protect shareholder and customer trust.

Diligent portal breach impacts Australian boards – Australian Financial Review – 2 November 2025

Australian boards have been swept up in a global cyberattack after governance software provider Diligent confirmed its director portal was compromised, exposing highly sensitive board materials including meeting papers, financial reports, and strategic documents. The breach, linked to the wider Salesloft-Drift OAuth incident, saw attackers exploit third‑party integrations to gain access, forcing Diligent to disable affected connections while forensic teams investigated. The disruption has raised alarm across corporate Australia, with directors warned that board portals (designed to centralise confidential governance information) can become a single point of failure when compromised. Analysts stress that the incident highlights the systemic risks of SaaS supply‑chain dependencies, where vulnerabilities in one vendor can cascade across hundreds of organisations. Regulators and security experts have urged boards to strengthen vendor risk management, multi‑factor authentication, and continuous monitoring of integrations, noting that breaches at this level not only jeopardise corporate strategy but also expose companies to reputational damage, regulatory scrutiny, and shareholder fallout.

State of Ransomware Survey – CrowdStrike – 4 November 2025

A new CrowdStrike report, the 2025 State of Ransomware Survey, reveals that while 55% of Australian and New Zealand organisations feel 'very prepared' for ransomware attacks, only 9% actually recover within 24 hours, well behind countries like the UK and Germany. Despite 86% expecting rapid recovery, most fail to meet this target, with the ANZ region ranking as the third-most targeted globally. The survey found 78% of local organisations suffered a ransomware attack in the past year, and AI-driven social engineering is making attacks harder to detect. Paying ransoms rarely resolves issues, with most victims experiencing further compromise or repeat attacks.

Chinese-made electric buses on Australian roads spark cybersecurity concerns after Norway flags issue – ABC News – 7 November 2025

Chinese-made Yutong electric buses operating in Australia have sparked cybersecurity concerns after Norwegian authorities found the manufacturer could remotely access and control buses for software updates and diagnostics. While Yutong's Australian distributor says local buses are updated only at service centres and not remotely, experts warn that all connected vehicles pose risks due to their constant connectivity and potential for remote access. Cybersecurity specialists have called for greater scrutiny of data collection, transmission, and access, especially for vehicles used by government or critical sectors.

Iran-linked hackers post details of multibillion-dollar ADF defence program – Cyber Daily – 10 November 2025

Iran-linked hacktivist group Cyber Toufan has published details of the Australian Defence Force's $7 billion Land 400 upgrade program after claiming to have breached multiple Israeli defence contractors through a supply chain attack. The group, which is believed to have state backing, accessed sensitive data via Maya Engineering, an Israeli firm, and released images and documents related to the ADF's Redback infantry fighting vehicle, as well as other high-profile weapons systems. Cyber Toufan claims to have obtained terabytes of technical and personal data, including security camera footage and blueprints, and has threatened further leaks.

ASIO boss sounds alarm on 'devastating, disruptive' Chinese hacking threat – The Age – 12 November 2025

ASIO director-general Mike Burgess has warned that Australia now faces a serious and immediate threat of high-impact sabotage from sophisticated Chinese government hackers targeting critical infrastructure such as airports, telecommunications, and the energy grid. Burgess said Chinese groups, including Salt Typhoon and Volt Typhoon, have probed Australian networks using advanced techniques to identify vulnerabilities and maintain persistent, undetected access for potential sabotage. He stressed that these threats are not hypothetical, with foreign actors capable of causing widespread disruption, such as shutting down power or polluting water supplies.

Disrupting the first reported AI-orchestrated cyber espionage campaign – Anthropic – 14 November 2025

Anthropic has reported the first known large-scale cyber espionage campaign orchestrated primarily by AI, with a Chinese state-sponsored group using the Claude Code tool to autonomously target around thirty global organisations. The attackers jailbroke the AI, tricking it into executing cyberattacks by breaking tasks into small, seemingly benign steps and posing as a legitimate cybersecurity firm. Claude was used to conduct reconnaissance, identify vulnerabilities, write exploit code, harvest credentials, and exfiltrate data, with minimal human intervention. The campaign demonstrates how advanced AI agents can now perform the majority of complex cyberattacks, dramatically lowering the barrier for large-scale operations and raising urgent questions about AI security and the need for robust safeguards.

Cybercriminals unleash fake Centrelink scam on vulnerable Australians – Sydney Morning Herald – 17 November 2025

A new phishing campaign is targeting Centrelink recipients, with cybercriminals sending fake SMS messages and directing victims to fraudulent websites designed to steal personal and financial details. The scam is deliberately aimed at low‑income and vulnerable Australians, exploiting trust in government services to harvest sensitive data. Authorities report that stolen information is being used for identity fraud and unauthorised transactions, leaving victims exposed to long‑term financial harm. Security experts warn the attack reflects the growing sophistication of social engineering tactics, where criminals mimic official branding and urgent messaging to pressure individuals into compliance.

Optus fined $826k over anti-scam failures – Cyber Daily – 19 November 2025

The Australian Communications and Media Authority has penalised Optus $826,000 for breaching anti-scam regulations after a flaw in a third‑party identity verification system was exploited by scammers. The investigation found Optus failed to implement adequate safeguards and supplier assurance, allowing fraudulent activity to bypass protections and expose customers to financial harm. The ACMA stressed that telcos must take stronger responsibility for supply chain security and compliance with anti‑scam rules, particularly as criminals increasingly exploit weak links in outsourced systems. The fine adds to ongoing scrutiny of Optus' cybersecurity posture following previous breaches, reinforcing the regulator's push for tougher enforcement and proactive fraud prevention across the telecommunications sector.

Ransomware newcomer 'The Brotherhood' claims two Australian victims in one day – Cyber Daily – 20 November 2025

A newly emerged ransomware group known as 'The Brotherhood' has made a dramatic entrance into Australia's cybercrime arena, claiming responsibility for attacks on two Australian organisations in a single day. The gang published evidence of the breaches on its leak site, threatening to release sensitive data unless ransom demands are met. Security analysts note that the group's tactics mirror those of established ransomware syndicates, suggesting that The Brotherhood may be leveraging experienced operators or recycled playbooks to accelerate its impact. The speed and scale of its debut point to a well‑resourced and organised operation, capable of executing multiple compromises simultaneously. Experts warn that newcomers like The Brotherhood often adopt aggressive strategies to build credibility in the underground economy, using high‑profile attacks to establish their reputation and attract affiliates.

Scattered Lapsus$ Hunters eye Zendesk customers – Cyber Daily – 27 November 2025

Analysts have warned that Scattered Lapsus$, the group behind the Salesforce extortion campaign, may be pivoting to Zendesk customer databases, exploiting credential-stuffing and phishing to infiltrate support ticketing systems. With sensitive client communications at risk, Zendesk has urged multi-factor authentication and tighter monitoring. The warning highlights the growing trend of criminal groups exploiting SaaS ecosystems, where one breach can cascade across multiple organisations.

World news

China's Great Firewall breach exposes over 500GB of censorship data – Cyber Press – 31 October 2025

A major security breach in September 2025 exposed over 500GB of internal data from Chinese infrastructure firms operating the Great Firewall, revealing the technical and human foundations of China's censorship system. The leaked archive, estimated at nearly 600GB, includes technical blueprints, operational logs, emails, and project management data, as well as details of censorship and surveillance mechanisms used in China and exported abroad. The data dump uncovered real-time monitoring tactics, VPN and proxy detection methods, and internal records linking engineers and contractors to censorship operations.

China-linked hackers exploited Lanscope flaw as a zero-day in attacks – Bleeping Computer – 1 November 2025

China-linked hacking group Bronze Butler (Tick) exploited a zero-day vulnerability, CVE-2025-61932, in Motex Lanscope Endpoint Manager to deploy updated Gokcpdoor malware and steal confidential data. The flaw, present in versions 9.4.7.2 and earlier, allowed unauthenticated attackers to execute code with SYSTEM privileges. Motex released a patch on 20 October 2025, and CISA has urged urgent updates. Bronze Butler used the vulnerability to establish backdoor access, exfiltrate data, and evade detection through DLL sideloading. Organisations using Lanscope are advised to patch immediately, as no alternative mitigations are available.

Theft at the Louvre: The surveillance system's password 'LOUVRE' has put the museum in crisis – Red Hot Cyber – 2 November 2025

The Louvre has been rocked by a major art theft after it was revealed that the museum's surveillance system used trivial passwords such as 'LOUVRE' and 'THALES', leaving it vulnerable to attack. Official documents show these weak credentials persisted for a decade, despite warnings from France's National Agency for Information Systems Security. On 20 October, thieves exploited these security lapses, using a forklift to access the Apollo Gallery and steal €88 million in jewellery. The cameras failed to capture clear footage, and seven suspects have since been detained.

US prosecutors say cyber security pros ran cybercrime operation – IT News – 4 November 2025

US prosecutors have charged three American cyber security professionals with secretly running a ransomware operation in collaboration with the notorious ALPHV BlackCat gang. Two of the accused, Ryan Goldberg and Kevin Martin, allegedly helped encrypt company networks across several US states to extort millions in cryptocurrency. Goldberg, formerly of Sygnia, and Martin, a former DigitalMint employee, are said to have acted independently of their employers, who both deny any involvement and are cooperating with authorities. The indictment does not name the targeted companies but highlights the risk of insider threats even within the cyber security industry.

US and UK issue joint cybersecurity guidance for operational technology systems – Skadden – 4 November 2025

The US Cybersecurity and Infrastructure Security Agency, FBI, and the UK's National Cyber Security Centre have released new joint guidance for operational technology (OT) owners and operators, focusing on building a comprehensive and continually updated inventory of OT assets known as a 'definitive record.' This approach is designed to improve risk management, third-party accountability, and operational resilience, and is closely aligned with the EU's NIS2 Directive. The guidance outlines five key principles, including establishing an OT information security management program, identifying and categorising assets, and documenting third-party risks and system connectivity.

Cybercriminals exploit remote tools to steal global cargo worth USD $34 billion – Security Brief – 5 November 2025

Cybercriminals are exploiting legitimate remote monitoring tools to steal cargo and goods, contributing to global losses estimated at USD $34 billion annually, according to Proofpoint researchers. Organised crime groups are targeting trucking and logistics companies by distributing remote access software such as ScreenConnect, SimpleHelp, and LogMeIn Resolve, often delivered via email-based scams and compromised load boards. Once inside, attackers conduct reconnaissance, harvest credentials, and take control of dispatch communications to hijack shipments. The use of trusted IT tools allows these operations to evade detection.

US sanctions North Korean bankers linked to cybercrime, IT worker fraud – Bleeping Computer – 5 November 2025

The US Treasury Department has imposed sanctions on two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen through cybercrime and fraudulent IT worker schemes. Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company, along with their executives and financial representatives in China and Russia, were designated for facilitating money laundering and sanctions evasion. US officials report that North Korean cybercriminals have stolen over $3 billion in cryptocurrency in the past three years, using advanced malware and social engineering. The sanctions freeze assets under US jurisdiction and warn financial institutions against transacting with the designated entities, aiming to disrupt North Korea's revenue streams for its weapons programs.

Yanluowang initial access broker pleads guilty to ransomware attacks
Bleeping Computer – 10 November 2025

A Russian national, Aleksey Olegovich Volkov, has pleaded guilty to acting as an initial access broker for the Yanluowang ransomware group, facilitating attacks on at least eight US companies between July 2021 and November 2022. Volkov, using the aliases 'chubaka.kor' and 'nets,' breached corporate networks and sold access to the ransomware gang, which then demanded ransoms ranging from $300,000 to $15 million. Investigators linked Volkov to the crimes through digital evidence, including chat logs, cryptocurrency records, and social media accounts. He faces up to 53 years in prison and must pay over $9.1 million in restitution.

Chinese Cybersecurity Firm Data Breach Exposes State-Sponsored Hackers' Cyber Weapons and Target List
Cyber Security News – 10 November 2025

A major data breach at Chinese cybersecurity firm Knownsec has exposed over 12,000 classified documents, revealing the scale and sophistication of China's state-sponsored cyber operations. The leaked files include technical details of cyber weapons, internal hacking tools, and a global target list, with evidence of compromised systems in countries such as Japan, India, Vietnam, and the UK. The breach also uncovered large stolen data sets, including immigration records from India and call records from South Korea. Analysts found advanced malware and hardware-based attack tools among the leaked materials. The Chinese government denied knowledge of the incident but did not address the firm's intelligence activities.

Washington Post data breach impacts almost 10,000 staff
Bleeping Computer – 13 November 2025

The Washington Post suffered a data breach impacting nearly 10,000 employees and contractors as a result of the wider Oracle E-Business Suite (EBS) compromise. Attributed to the Clop extortion group, the intrusion exposed sensitive financial and personal data, including bank details and Social Security numbers. The attack, part of a campaign against many Oracle EBS customers, shows the systemic risk a single enterprise software vulnerability carries across its entire customer base and reinforces the need for rapid patching, stronger vendor oversight, and proactive incident response.

Europol-led Operation Endgame 3.0 takes down more than 1,000 malicious servers
Cyber Daily – 17 November 2025

Europol, in collaboration with law enforcement agencies from around the world, has dismantled more than 1,000 malicious servers as part of Operation Endgame 3.0, a major crackdown on cybercrime infrastructure. The operation targeted the Rhadamanthys info stealer, the VenomRAT remote access trojan, and the Elysium botnet, leading to the arrest of one individual in Greece and the seizure of 20 domains. Authorities searched 11 locations across Europe and uncovered millions of stolen credentials, including access to over 100,000 cryptocurrency wallets. The operation involved private-sector partners such as CrowdStrike and Have I Been Pwned and highlights the importance of public-private cooperation in disrupting the infostealer and remote-access tooling that feeds the ransomware ecosystem.

London councils suffer major cyber disruption
Bleeping Computer – 26 November 2025

The Royal Borough of Kensington and Chelsea and Westminster City Council reported significant IT outages following a cybersecurity incident that disrupted public services, including housing, benefits, and local administration systems. Officials confirmed that recovery could take weeks, with staff forced to revert to manual processes while investigations continue. The incident highlights resilience gaps in municipal infrastructure, where legacy systems and limited cyber budgets leave councils exposed to ransomware and supply chain attacks. Security experts warn that attackers increasingly target local governments because of their reliance on third-party contractors and the sensitive citizen data they hold.

Qilin Ransomware Targets South Korea's Financial Sector
The Hacker News – 26 November 2025

South Korea's financial sector has been hit by a supply-chain attack in which the Qilin ransomware-as-a-service group compromised a managed service provider (MSP) and launched the so-called "Korean Leaks" campaign, which impacted at least 28 victims and led to the theft of more than 2TB of sensitive data. According to Bitdefender, the operation may have involved collaboration with North Korean-linked actors (Moonstone Sleet), blending ransomware extortion with geopolitical messaging. The campaign marked a sharp departure from typical ransomware trends, with South Korea suddenly becoming the second most-targeted country worldwide in September 2025. It underscores how a single MSP compromise can cascade across an entire industry, and highlights the growing sophistication of hybrid campaigns that mix cybercrime with state-aligned objectives.

Spanish airline Iberia confirms data breach
The Straits Times – 29 November 2025

Spanish flag carrier Iberia has confirmed a data breach caused by a third-party supplier compromise, exposing customer information such as names, email addresses, and loyalty programme details. The airline stressed that passwords, banking, and credit card data were not affected, and that there is currently no evidence of fraudulent use of the stolen data. The disclosure came shortly after a threat actor claimed on dark web forums to have 77GB of Iberia data for sale. Iberia says it has activated its security protocols, notified law enforcement, and implemented additional protections, including requiring verification codes for account changes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
