Data breaches

A data breach in New York City's affordable housing lottery program exposed personal information for about 38,000 applicants, including names, incomes, phone numbers, and in some cases Social Security numbers. The breach occurred between May and July when applications became publicly searchable online due to a "system misconfiguration" by Reside New York, a company that reviews applications for the city.

City Council Housing Committee Chair Pierina Sanchez demanded answers after CBS News New York uncovered the breach. Reside CEO Martin Joseph blamed a third-party company called LogicFold for the mistake and says the portal was fixed immediately after being notified.

No identity theft or fraud has been reported so far. The city assures applicants that Housing Connect remains safe, and affected individuals are being offered credit monitoring services.

Source: CBS News New York

Texas Attorney General Ken Paxton filed a lawsuit against California-based PowerSchool after hackers breached the company's systems in December 2024, exposing personal information of over 880,000 Texas students and teachers. The stolen data included Social Security numbers, medical records, disability information, and even bus stop locations.

A hacker used a subcontractor's account to transfer massive amounts of unencrypted data to a foreign server. PowerSchool, which serves over 90 of America's 100 largest school districts including Dallas ISD, allegedly failed to implement basic security measures like multi-factor authentication despite advertising "state-of-the-art" protection.

Paxton seeks fines and stronger security requirements, warning that children's credit could be compromised for years.

Source: CBS News Texas

AT&T will pay $177 million to settle lawsuits over two massive data breaches that exposed personal information of nearly 181 million customers. The 2019 breach affected 73 million people, exposing Social Security numbers and birth dates. The 2024 breach compromised phone records of 109 million customers through cloud provider Snowflake.

Customers affected by the 2019 breach can claim up to $5,000 with documented losses, while 2024 breach victims can receive up to $2,500. Those without proof of losses will receive smaller payments from the settlement pools. People hit by both breaches can file separate claims.

The deadline to file claims is November 18, 2025. Payments should begin early next year once the settlement receives final court approval.

Source: CNET

Credit bureau TransUnion suffered a major data breach on July 28 that exposed sensitive information of 4.4 million customers. The breach compromised names, Social Security numbers, and birthdates through unauthorized access to a third-party application storing customer data.

State filings reveal conflicting details about what information was accessed, but the most serious filing from Texas confirms Social Security numbers were exposed. Since the breach occurred months ago, experts warn the stolen data may already be circulating on the dark web.

TransUnion is offering affected customers 24 months of free credit monitoring and notifying those impacted. Consumer rights firm Wolf Haldenstein advises people to watch for unusual credit report activity and consider freezing their credit.

Source: CNET

AT&T has reached a massive $177 million settlement for two major data breaches that exposed millions of customers' personal information. The 2019 breach affected 73 million people, exposing Social Security numbers and birth dates. A separate 2024 hack accessed phone records of 109 million customers through cloud provider Snowflake.

Customers can now file claims through November 18, 2025. Those who can prove documented losses may receive up to $5,000 for the 2019 breach and $2,500 for the 2024 incident. People affected by both breaches can claim compensation from each settlement. Even without proof of loss, eligible customers will receive cash payments based on which breach affected them.

Source: CNET

Healthcare Services Group, a major provider of housekeeping and food services to healthcare facilities, suffered a significant data breach affecting 624,000 individuals. The Pennsylvania-based company discovered unauthorized access to its systems containing sensitive personal information including names, Social Security numbers, and medical data.

The breach occurred earlier this year, though the company has not disclosed specific details about how attackers gained access or the exact timeline of the incident. Healthcare Services Group has notified affected individuals and is providing credit monitoring services.

This breach adds to the growing list of healthcare-related cyberattacks in 2025, highlighting ongoing vulnerabilities in the sector's digital infrastructure.

Source: Security Week

Cybercriminals are selling access to a massive trove of scraped Discord data, including 1.8 billion messages from 35 million users across 6,000 servers.

This follows Discord's 2024 shutdown of similar service Spy.Pet, which had scraped data from 620 million users. The new operation targets people willing to pay for others' private conversations and those who'll pay to have their data removed.

Researchers warn the service is designed to facilitate online harassment and stalking, making it easier for bad actors to dig up personal information for malicious purposes.

Source: Cybernews

Aspire Rural Health System, which operates over 70 healthcare facilities across Michigan, disclosed a massive data breach that compromised personal information of 138,386 people. Hackers accessed the network from November 4, 2024, to January 6, 2025, stealing files containing patient data, financial records, HR documents, and email communications.

The BianLian ransomware group claimed responsibility for the attack in mid-February, but the gang went silent in late March, leaving the fate of the stolen data unclear. An investigation wrapped up in mid-July, prompting notifications to affected individuals and state authorities including Maine's Attorney General.

Source: Security Week

Google confirmed a major data breach on August 5, 2025, after cybercriminal group ShinyHunters compromised its corporate Salesforce database in June. The attackers used sophisticated voice phishing, impersonating IT support to trick Google employees into granting system access through a malicious Data Loader app.

The breach exposed contact information for small and medium businesses, with ShinyHunters claiming to have stolen 2.55 million records. Google completed email notifications to all affected users by August 8, emphasizing that payment data and advertising products remained secure.

ShinyHunters demanded 20 Bitcoins ($2.3 million) from Google, though they later claimed this was done "for the lulz." The group has targeted major companies including Cisco, Qantas, and LVMH brands throughout 2025, typically using delayed extortion tactics.

Source: Cybersecurity News

Air France and KLM disclosed yesterday that hackers breached their customer service platform, stealing personal data including names, email addresses, phone numbers, and rewards program details. The airlines quickly cut off the attackers' access and stressed that sensitive information like passwords, credit card details, and passport data remained secure.

Both airlines reported the incident to their respective data protection authorities and are notifying affected customers. Security experts suspect the breach may be linked to the ShinyHunters group, which has targeted Salesforce platforms to attack major brands like Chanel and Dior. The incident highlights how cybercriminals increasingly focus on software-as-a-service platforms that store vast amounts of customer data.

Source: Dark Reading