Attackers compromised a third-party frontend vendor and injected malicious JavaScript into Polymarket's website, tricking users into approving fraudulent transactions and draining about $3 million.
A dormant API credential let attackers compromise competitive-intelligence platform Klue and harvest OAuth tokens for customers' connected apps, exfiltrating Salesforce records from firms including Huntress and Recorded Future in a supply-chain attack later tied to the Icarus extortion group.
Victim
Klue (and customers including Huntress and Recorded Future)
A hijacked contributor account was used to republish 144 packages in the popular @mastra AI-agent npm scope with a malicious typosquatted dependency, easy-day-js, that pulled down a cross-platform remote-access trojan and cryptocurrency stealer onto any developer machine or build system that installed them.
Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.
Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.
A self-replicating supply-chain worm dubbed Miasma compromised 73 repositories across four Microsoft GitHub organisations, planting configuration files that harvested cloud and developer credentials when the projects were opened in AI coding agents such as Claude Code and Cursor.
Researchers disclosed IronWorm, a Rust-based, self-propagating infostealer that compromised 36 npm packages, stealing developer and CI secrets and republishing trojanized packages using stolen npm publishing credentials.
On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data โ names, dates of birth, social security numbers and insurance contract details โ though payment, password and health data were spared.
OpenAI confirmed in May 2026 that two employee devices were compromised through the TanStack npm supply-chain attack, allowing attackers to exfiltrate limited authentication credentials from internal code repositories that contained its software signing certificates.
On 4 May 2026 a hacker using the alias Lagui published a database of roughly 96,000 La Redoute customers โ names, postal addresses, phone numbers, emails and order/delivery histories โ that the retailer traced to a January 2026 breach at its logistics partner Relais Colis.
On 29 April 2026, the City of Saint-รtienne and Saint-รtienne Mรฉtropole disclosed a security incident at their third-party ticketing provider, prompting the precautionary deactivation of user account passwords and a forced reset for online ticketing customers.
On 19 April 2026, cloud platform Vercel (creator of Next.js) confirmed a security incident traced to a compromised third-party AI tool, exposing non-sensitive environment variables and a limited subset of customer accounts.
French online toy retailer JeuJouet.com warned customers in April 2026 that its Magento e-commerce platform was compromised in a mass exploitation campaign, potentially exposing names, email addresses, account credentials and order data; no banking details were affected.
On 15 April 2026 France's National Police (DGPN) confirmed that its e-campus online training platform, run by a third-party provider, was hacked in mid-March; the group HexDex claimed 176,317 agent profiles including names, professional emails, locations and login histories.
The online ticketing data of visitors to the Chรขteau royal de Blois / Maison de la Magie was exposed in the breach of its provider Vivaticket (Tickeasy), leaking names, email and postal addresses, dates of birth, phone and fax numbers and VAT numbers.
In April 2026, alumni of IAE Grenoble were exposed in a breach of AlumnForce, the third-party platform managing its alumni network; the stolen dataset spanned ~2.7M profiles across 49 French institutions and included names, contact details and full professional/education histories.
In April 2026, France's Ardรจche department disclosed a breach in which an attacker exploited a flaw at an external service provider and exfiltrated roughly 26 GB across 88,000+ files of RSA welfare-beneficiary data spanning 2017-2026.
In April 2026, alumni data of Universitรฉ Cรดte d'Azur was exposed as part of a breach of the AlumnForce platform, leaking names, contact details, education and detailed professional/career information for tens of thousands of graduates, within a wider 2.7-million-record leak across 49 institutions.
ENSAI Network alumni data was exposed in the April 2026 breach of its platform provider AlumnForce, which leaked some 2.7 million student and graduate profiles from 49 French institutions โ including names, emails, phone numbers, locations, career history and education details โ now offered for sale on cybercrime forums.
In April 2026, Lilagora โ the University of Lille's alumni network โ saw its members' data exposed in a breach of its third-party platform provider AlumnForce, part of a wider incident affecting 2.7 million profiles across 49 French institutions, with names, contact details and professional histories leaked.
UPPA Alumni, the alumni network of the University of Pau et des Pays de l'Adour, confirmed its members' data was exposed in the April 2026 breach of its provider AlumnForce, leaking names, contacts, education and detailed professional profiles.
French champagne group Vranken-Pommery disclosed on 10 April 2026 that a ransomware attack on its external online-ticketing provider exposed personal data of visitors to its Reims tourist sites, including names, dates of birth, contact details and reservation records, though banking data was not affected.
On 8 April 2026, the alumni network of the University of Strasbourg was exposed as part of a wider compromise of the AlumnForce platform, leaking members' names, contact details, education history and professional career data across 49 French institutions (~2.7M profiles in total).
France's OFII immigration agency notified signatories of the Contrat d'intรฉgration rรฉpublicaine that a January 2026 breach via a compromised subcontractor exposed the names, emails, phone numbers and postal addresses of roughly 2.1 million people.
In April 2026, a database of roughly 105,000 French Ledger customers โ stolen in the January 2026 breach of its e-commerce provider Global-e and exposing names, postal addresses, emails and phone numbers โ was put back up for sale on a cybercrime forum.
OFII, France's immigration and integration agency, confirmed in April 2026 that a compromised subcontractor exposed personal data of foreigners enrolled in the Republican Integration Contract, with roughly 2.1 million records offered for sale on BreachForums.
Champagne house Veuve Clicquot disclosed in April 2026 that a ransomware attack on its third-party visit-booking provider exposed personal data of people who reserved cellar tours since at least July 2024, including names, dates of birth, phone numbers and emails.
On 31 March 2026, French camping and holiday-village operator Homair disclosed a data breach traced to a compromised third-party technical provider, exposing customers' names, email addresses, phone numbers and booking details (destination, stay dates, amount paid), while bank data, passwords and postal addresses were said to be unaffected.
On 31 March 2026, French tourist attraction La Mine Bleue notified customers that their personal data โ names, postal code/country, email and purchase history โ was exposed in the ransomware breach of its ticketing provider Vivaticket; no banking data was affected.
French holiday-club operator Belambra disclosed in March 2026 that a cyberattack on a shared reservation-system provider exposed personal data of roughly 400,000 customers, including names, emails, phone numbers and booking details, though no banking data or passwords.
On 25 March 2026, French medical-laboratory network Cerballiance disclosed a breach traced to a compromised external IT provider that exposed patient identities, portal credentials, medical test reports and social security numbers.
On 24 March 2026, anime streaming service Crunchyroll confirmed a data breach traced to a compromised third-party support vendor (Telus), exposing customer support-ticket data โ names, emails, IP addresses and partial payment-card details โ with a hacker claiming ~8M ticket records and ~6.8M unique email addresses.
In March 2026, the European Commission's Europa.eu web-hosting infrastructure was breached via a stolen AWS key (Trivy supply-chain compromise); ~91.7 GB of data covering 30+ EU entities โ names, emails, email content and documents โ was exfiltrated and leaked by ShinyHunters.
On 24 March 2026, the Mรฉtropole Aix-Marseille-Provence disclosed a data leak stemming from a compromised subcontractor, potentially exposing around 19,728 user accounts, including email addresses, names and passwords.
French customers of luxury outerwear brand Canada Goose were caught up in a data leak by the ShinyHunters extortion group, with 10,816 records in the France-related subset of a broader corpus of roughly 600,000 customer records traced to a third-party payment processor.
Disclosed on 18 March 2026, the Musรฉe des Arts et Mรฉtiers was caught up in the Vivaticket supply-chain ransomware breach, exposing online shop and ticketing customers' names, email addresses, account details and order history.
A March 2026 ransomware attack on the Bibliothรจque Nationale de France's third-party online ticketing provider exposed the names and email addresses of users who had booked cultural events; banking data, handled by a separate vendor, was not affected.
In March 2026, France's Rรฉgion Occitanie disclosed a breach of its Carte Jeune Rรฉgion scheme after a technical service provider was compromised, exposing the personal data of about 310,000 young beneficiaries โ including some 270,000 ID photos of minors โ which the DumpSec group put up for sale on the dark web.
In early March 2026, France's Centre des Monuments Nationaux disclosed a data leak stemming from a ransomware attack on its online ticketing provider, exposing visitors' emails, names, postal addresses, purchase history and hashed passwords, but no banking data.
Customer data of the Oceanographic Museum of Monaco was exposed via a ransomware attack on its ticketing provider Vivaticket (subsidiary Irec SAS), disclosed 2 March 2026 and claimed by RansomHouse, leaking names, emails, phone numbers, postal locations and order/booking history.
On 2 March 2026, the Palais de la Porte Dorรฉe was among 40+ French cultural institutions affected by a ransomware attack on shared ticketing provider Vivaticket, potentially exposing visitors' names, contact details, dates of birth, purchase histories and encrypted passwords.
On 2 March 2026, Orlรฉans city hall warned ticket buyers that its online booking provider Vivaticket was hit by a RansomHouse ransomware attack; exposed customer data may include names, emails, country, postal code and purchase history, but no banking details.
On 25 February 2026, the LAPSUS$ group claimed a breach of NextSend, the file-transfer platform (edited by Hegyd) used internally by French construction group Eiffage, publishing 77 files exposing 175,942 employees and external contacts.
The Sports and Cultural Federation of France (FSCF) had the personal data of roughly 1.33 million members exposed after a third-party licence-management provider was compromised, leaking names, dates of birth, postal addresses, contact details and licence/membership records.
In late February 2026, France's family-allowance fund CAF disclosed that around 70,000 RSA welfare recipients' dossiers were exposed after the HubEE inter-agency document platform was breached, leaking names, social-security numbers and contact details.
Disclosed in late February 2026, a compromise of HubEE โ the inter-administrative document-exchange platform operated by France's DINUM โ exposed personal data of RSA welfare claimants, with roughly 70,000 dossiers (about 160,000 documents) affected; no banking data or passwords were exposed.
On 24 February 2026, a threat actor claimed to be selling a database of 728,732 members of the French Motor Sport Federation (FFSA), exposing names, dates of birth, postal and email addresses, phone numbers and licence details after a third-party provider was compromised.
On 22 February 2026, a hacker known as "84City" claimed to have breached MaSalleDeSport, a CRM and management provider for 2,000+ French gyms (Basic-Fit, Fitness Park, ON AIR Fitness, L'Orange Bleue), exposing member names, phone numbers, SMS and addresses for a potential 1M+ people.
French family-clothing retailer Cyrillus reported a customer data leak originating from one of its third-party providers, detected on 13 February 2026 and confirmed from publicly disclosed elements; the full number of affected customers was not made public.
On 18 February 2026, Rรฉglo Mobile โ the E.Leclerc/SFR-backed mobile virtual operator โ disclosed that a subcontractor breached from 13 February exposed data on about 358,000 customers, including identity, contact details, dates of birth, PUK codes, call records and partial banking data, with the database offered for sale by actor "84City".
Voyage Privรฉ, the French flash-sale travel platform, confirmed in February 2026 that a compromised third-party partner exposed reservation data for customers with upcoming trips โ including names, country of residence, emails, phone numbers and, in some cases, passport numbers โ fuelling a wave of WhatsApp phishing.
Customer data of French womenswear retailer Grain de Malice was exposed in February 2026 through a breach of its omnichannel retail provider Socloz, leaking names, email addresses and phone numbers as part of a dataset of up to ~31 million records.
In February 2026, a database tied to French aerospace and defense group Safran surfaced on a hacking forum, exposing roughly 718,716 order records โ names, emails, phone numbers, ERP references and logistics data โ leaked through a third-party provider rather than Safran's own systems.
On 4 February 2026, French equipment-rental group Loxam disclosed a breach of a third-party delivery-planning system that exposed roughly 60 GB of logistics data โ 94,735 delivery routes and about 828,000 geolocated stop-points covering 2020-2026, plus customer, driver and vehicle details.
A compromise of a third-party appointment-scheduling tool used by Darty's kitchen design service exposed personal and project data on 79,164 French customers, including names, postal addresses, emails, phone numbers and kitchen budgets, with no passwords or banking data affected.
On 28 January 2026, a data leak affecting Wemind, the French neo-insurer for freelancers and small businesses, exposed members' contact details โ names, postal addresses, email addresses and phone numbers โ through its Allianz insurance/back-office channel.
On 23 January 2026, the French Fencing Federation (FFE) had its licensee database leaked as part of a wave of attacks on French sports federations, exposing members' names, contact details, postal addresses, nationality and licence/club information.
On 19 January 2026, France's Urssaf disclosed fraudulent access to its DPAE pre-hire declaration API via a compromised partner account, exposing the names, dates of birth, employer SIRET and hire dates of around 12 million employees hired in the past three years.
Breach of the MonLogicielMedical (MLM) practice software by Cegedim Santรฉ, disclosed to affected doctors in early January 2026, exposing patient administrative records โ name, date of birth, address, social-security scheme โ for up to 11โ15 million patients via compromised doctor accounts.
On 8 January 2026, a database of 262,925 licensed members of the French Bridge Federation (FFB) was claimed on a hacker forum, exposing names, dates of birth, postal and email addresses and phone numbers as part of a wider wave of attacks on French federations via a shared IT provider.
Roughly 600,000 licence holders of France's Roller and Skateboard Federation (FFRS) had their personal data exposed after the Rolskanet membership-management platform run by a shared third-party provider was breached, leaking names, contact details, and birth information.
In early January 2026, a member database of the Fondation des Lions de France (Lions Clubs of France) was published on BreachForums, exposing 133,297 deduplicated individuals โ including full civil status, home addresses, phone numbers and profile photos โ in a leak traced to the MyAssoc club-management platform.
Victim
Lions de France Foundation (Lions Clubs of France)
In early January 2026, France's immigration and integration agency OFII disclosed a breach traced to a subcontractor handling integration-contract language courses; attackers exposed identity, contact and immigration-status data on foreign residents and advertised 2.1 million records for sale.
On 1 January 2026, a database of around 2.1 million records belonging to France's OFII / ANEF "รtrangers en France" immigration portal was put up for sale on BreachForums, exposing foreign nationals' identities, contact details, family situation and residence-permit data after a subcontractor was compromised.
Victim
OFII / ANEF ("รtrangers en France" portal โ French Ministry of the Interior)
On 27 December 2025, data on roughly 200 members of Club de natation 95 was exposed after its service provider ACRV was compromised, leaking names, postal and email addresses, phone numbers and IP addresses.
On 16 December 2025, adult-content platform Pornhub disclosed that historical analytics data on select Premium users โ including email addresses and search/viewing history โ was stolen via third-party provider Mixpanel; ShinyHunters claimed ~200 million records and demanded a ransom.
On 10 December 2025, UFOLEP โ the French multi-sport federation โ disclosed that a compromised account on its third-party licence-management provider Exalto exposed at least 3,624 member records, including identity, contact and legal-guardian details.
Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.
Personal data of 394 La Rochelle residents who booked civil-status appointments was exposed after an attacker exploited a flaw in Synbird, the town hall's third-party appointment-scheduling provider, which serves roughly 1,300 French communes.
Patient data held by the Givors Presqu'รle multidisciplinary health centre was exposed through the November 2025 cyberattack on its medical-software provider Weda, including identity, contact details and sensitive health data.
Disclosed in November 2025, a cyberattack on Itelis โ the optical-care third-party network used by insurer AG2R la Mondiale โ exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.
Clinique du Millรฉnaire in Montpellier was exposed when its medical-records software vendor Weda was breached in November 2025, putting patient identity, contact details and health data at risk among the millions of records handled across Weda's ~23,000 affected practitioners.
MSP du Prรฉ Vicinal, a French multidisciplinary health centre, had patient data exposed via the November 2025 cyberattack on its medical-software provider Weda, including names, postal and email addresses, phone numbers and health data.
APRS members were exposed in the November 2025 breach of Itelis, AXA's third-party optical-care platform, after an attacker posed as a partner optician; leaked data included names, dates of birth, social security numbers, optical reimbursement records and vision-correction details.
Personal data of residents who booked identity-document appointments through the RDV360 platform was exposed when the third-party provider was breached in late 2025, affecting Chatou town hall among roughly 1,300 French municipalities.
In November 2025, the city of Quimper (France) was caught in a supply-chain breach of appointment-booking provider RDV360, exposing roughly 12,000 contact records (name, postal code, email, phone) of residents who booked ID-card or passport renewals since April 2024.
Saint-Aubin d'Aubignรฉ town hall disclosed on 24 November 2025 that residents' contact details were exposed through its appointment-booking provider RDV360, one of ~1,300 French municipalities hit in a third-party breach of ID/passport booking data.
In November 2025, optical-care platform Itelis was breached via the impersonation of a partner optician, exposing health and identity data of Malakoff Humanis (and AXA) members from optical reimbursement claims processed between 2020 and 2022.
Suzuki France disclosed that a cyberattack on one of its third-party partner systems exposed a customer file containing names, email addresses, postal addresses and phone numbers; no financial data or passwords were affected.
On 19 Nov 2025, Alfortville town hall notified residents that their contact details were exposed in a breach of its appointment-booking provider RDV360, part of a supply-chain attack hitting ~1,300 French municipalities and ~14M records.
In November 2025, Synbird โ the SaaS provider handling municipal appointment bookings for around 1,300 French communes โ disclosed a breach in which an attacker abused a weakly-secured PDF export to exfiltrate residents' contact details and appointment information.
Around 50,000 residents who booked ID-card or passport appointments in Brest had personal contact details exposed after a supply-chain breach of the RDV360 appointment-booking platform used by the town hall.
In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.
On 4 October 2025 Discord disclosed a breach of a third-party customer-support provider that exposed support-ticket data and roughly 70,000 government-ID photos (submitted for age-verification appeals), plus names, emails, IP addresses and partial billing details.
In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.
On 23 September 2025, French medical-lab group Inovie Labosud disclosed a breach exposing administrative and medical data of an estimated 3.2 million patients after attackers used a third-party provider's stolen credentials.
In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.
In August 2025, Air France-KLM disclosed that attackers accessed customer data โ names, contact details, Flying Blue loyalty numbers and status, and customer-service request subjects โ via a compromised third-party customer-service platform.
In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data โ names, email addresses and birth dates โ while stating no passwords or payment data were taken.
France Travail disclosed on 22 July 2025 that an intrusion via its Kairos platform exposed the personal data of around 340,000 job seekers, including names, postal and email addresses, phone numbers, France Travail IDs and jobseeker status; passwords and bank details were not affected.
In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.
On 15 April 2025, car-rental company Hertz disclosed a data breach stemming from the late-2024 zero-day exploitation of Cleo's file-transfer software by the CL0P group, exposing customer names, contact details, dates of birth, driver's licences, credit-card and passport data.
A ransomware attack on French wealth-management software vendor Harvest (Run Some Wares group, detected 27 Feb 2025) exposed personal and financial data of customers of insurer MAIF and banking group BPCE (Banque Populaire / Caisse d'รpargne) in a supply-chain breach.
In March 2025, French direct insurer Direct Assurance (an AXA subsidiary) suffered a breach via its partner Run Assurance: attackers exploited a flaw in the data exchanges between the two firms to access customer personal data, raising identity-theft and phishing risks.
Lazarus operators substituted the implementation contract during a routine Safe multisig transaction, draining ~$1.5 billion in ETH and staked-ETH derivatives from Bybit's Ethereum cold wallet โ the largest single cryptocurrency theft in history.
In early February 2025, Vorwerk's Thermomix recipe community Espace-Recettes.fr (Rezeptwelt) was breached via a compromised third-party server, exposing names, postal addresses, emails, phone numbers, dates of birth and cooking preferences of roughly 3.3 million users across several countries.
On 20 January 2025 the French Archery Federation (FFTA) disclosed a breach stemming from a flaw at its shared license-management provider; a dataset of 625,434 accounts (names, dates of birth, postal addresses, phones, emails, profile photos) was offered for sale online.
In January 2025, the Fรฉdรฉration Franรงaise de Force (FFForce) had personal data of 64,512 members exposed via a compromised shared sports-licensing IT provider; records (names, dates of birth, emails, postal addresses, phone numbers) were later sold on BreachForums.
In January 2025, the Fรฉdรฉration Franรงaise de Roller et Skateboard had the personal data of roughly 577,000 members exposed after a shared sports-federation IT provider was compromised; names, dates of birth, email/postal addresses and phone numbers were leaked.
On 25 Dec 2024, data-security firm Cyberhaven's Chrome extension was hijacked via a phishing attack and pushed a malicious update that exfiltrated cookies and session tokens from roughly 400,000 users over a 24-hour window.
On 18 November 2024, French news magazine Le Point disclosed a breach traced to a compromised subscriber-management subcontractor, exposing the names, postal/email addresses and phone numbers of an estimated 900,000 current and former readers.
On 12 September 2024, French computer-hardware retailer Cybertek disclosed a customer data breach stemming from a compromised shared IT provider, exposing names, email and postal addresses and phone numbers; passwords and payment data were not affected.
On 10 September 2024, French cultural-goods retailer Cultura disclosed that a breach at a shared third-party IT provider exposed the personal data of about 1.5 million customers, including names, contact details and order history; passwords and bank data were not affected.
On the night of 6-7 September 2024, French electronics retailer Boulanger suffered a data breach traced to a shared third-party delivery/IT provider, exposing the names, postal and email addresses and phone numbers of several hundred thousand customers; no banking data was affected.
In 2024, ticketing giant Ticketmaster (Live Nation) suffered a breach of a third-party Snowflake cloud database; data on up to 560 million customers โ names, contact details, order history and partial payment-card data โ was stolen and offered for sale by ShinyHunters.
A multi-year social-engineering campaign by a maintainer persona named 'Jia Tan' planted a hidden SSH backdoor in the XZ Utils compression library (liblzma) versions 5.6.0 and 5.6.1, scoring CVSS 10.0 โ caught by chance days before it could reach stable Linux releases worldwide.
North Korea-linked actors trojanized the 3CXDesktopApp softphone client, distributing the SmoothOperator malware through a legitimately-signed update to a customer base of over 600,000 organizations โ the first documented cascading software supply-chain compromise, itself enabled by a prior breach of trading software X_TRADER.
A cyberattack on subcontractor Supeo forced it to shut down its servers, disabling a mobile app train drivers rely on for operational data and halting all DSB trains across Denmark for several hours โ a textbook supply-chain disruption of critical transport.
REvil's ransomware attack on Kaseya VSA cascaded through an MSP to Coop Sweden's checkout systems, forcing the supermarket cooperative to close around 800 stores nationwide for days.
REvil affiliates exploited a SQL injection zero-day in Kaseya's VSA remote-management platform to push ransomware to ~60 MSPs and through them to ~1,500 downstream organisations. The largest supply-chain ransomware attack on record.
Victim
Kaseya VSA customers (~60 MSPs, ~1,500 downstream organisations)
A supply-chain compromise of aviation IT provider SITA exposed roughly 4.5 million Air India passengers' names, passport details, ticket data, frequent-flyer numbers, and payment card information collected over nearly a decade of bookings.
Malaysia Airlines disclosed a nine-year data security incident at a third-party IT provider running its Enrich loyalty programme, exposing member names, contact details, dates of birth and frequent-flyer data.
Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.
Victim
SolarWinds (Orion customers โ ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Magecart operators injected card-skimming JavaScript into British Airways' payment page, stealing card details on 380,000 transactions over 15 days. UK ICO initially proposed a ยฃ183.4M GDPR fine โ later reduced to ยฃ20M after Covid-impact mitigation arguments.
Attackers entered Target via stolen credentials from an HVAC contractor, pivoted to the payment network, and stole magstripe data on 40 million credit and debit cards plus PII on 70 million customers.
Hackers using a poisoned software-update channel stole the personal data of about 35 million Nate and Cyworld users โ names, resident-registration numbers, phone numbers and encrypted passwords โ in what was then South Korea's largest data breach.