
The State Of Ransomware January 2026
2026 opened with 91 publicly disclosed ransomware attacks. Healthcare was the most targeted sector with 27 incidents, followed by government with 11 and manufacturing with 10. Notably, 49% of the attacks recorded this month have not yet been publicly claimed by a known ransomware group. Among the claimed attacks, Qilin once again led activity with eight incidents, while 19 other groups were also linked to ransomware activity. The USA accounted for 58% of disclosed attacks, with organizations across 22 other countries also impacted, highlighting the truly global reach of ransomware.
Keep reading to find out who made ransomware headlines in January.
1. Kid’s footwear operator Esquire Brands was reportedly targeted by the Play ransomware group, which claims to have stolen sensitive company data. The group listed Esquire Brands on its dark web leak site and threatened to publish the data on January 3, 2026, if no contact was made. According to the post, the alleged data includes client documents, payroll records, financial information, and other confidential materials. Esquire Brands has not publicly acknowledged or commented on these claims.
2. Claims administration firm Sedgwick confirmed a cybersecurity incident at its government-focused subsidiary after the TridentLocker ransomware group publicly claimed responsibility for stealing approximately 3.4 GB of sensitive data. The affiliate, Sedgwick Government Solutions, which provides risk management and claims services to several U.S. federal agencies, was listed on TridentLocker’s dark web leak site on December 31, 2025, with the attackers threatening to expose the stolen information. Sedgwick said it activated incident response protocols, engaged external cybersecurity experts and notified law enforcement, emphasising that the breach was limited to an isolated file transfer system with no evidence of impact on broader systems or its ability to serve clients.
3. U.S. hot sauce and food products manufacturer Garner Foods, known for brands like Texas Pete, was claimed as a victim by Play, which posted the company on its dark web leak site in early January 2026, warning it would publish allegedly stolen data if contact was not made by January 7. According to the Play dark web post, the alleged data includes confidential information, client records, budget and payroll details, though the extent of the compromise and volume of data taken has not been publicly verified. Garner Foods has not yet issued a public statement confirming or addressing the ransomware group’s claims.
4. New Zealand–based patient portal ManageMyHealth was the target of a significant ransomware attack, during which Kazu reportedly breached the platform, exfiltrating hundreds of thousands of sensitive medical records affecting over 120,000 users. The attackers demanded a ransom, reportedly around $60,000, and threatened to publicly release the stolen data. ManageMyHealth secured its systems, notified authorities and sought a High Court injunction to block dissemination of the files. ManageMyHealth publicly confirmed the cybersecurity incident, acknowledging the breach’s impact on a portion of its user base, and is working with law enforcement and regulators while notifying affected patients, although questions remain about the full scope and response to the compromise.
5. In Canada, Leduc County became aware of a ransomware incident that had taken place on December 25, 2025. The attack disabled some of the county’s IT systems, including its email platform and website form submissions. Some other IT systems were proactively disabled during an ongoing forensic investigation. No known ransomware group has claimed the attack.
6. Florida-based engineering firm Pickett and Associates was reportedly the subject of a significant cyberattack in early January, with an unknown threat actor claiming to have stolen approximately 139 GB of sensitive engineering and infrastructure data tied to major U.S. utilities such as Tampa Electric Company, Duke Energy Florida, and American Electric Power. The group is offering the data for sale on a dark web forum for around 6.5 BTC (about $580,000). The alleged haul includes raw LiDAR point cloud files, orthophotos, design files and other operational project data believed to relate to active utility infrastructure work. Pickett and Associates has not publicly confirmed the breach, and investigations into the claim are reportedly underway by affected clients.
7. A recent cyberattack on third-party payment processor Global-e exposed personal data for customers of companies using its services, including hardware wallet maker Ledger. Hackers accessed names and contact information stored in Global-e’s systems for order processing, although neither Ledger’s internal systems nor sensitive wallet security details like recovery phrases or private keys were compromised. Affected customers have been notified. It is not yet known who is responsible for this attack.
8. More than one year after a ransomware attack, Denton County MHMR Center reported a major data breach that involved unauthorized access to the PHI of 108,967 current and former patients. Potentially compromised information includes medical history information, treatment information, insurance data and biometric identifiers.
9. U.S. fiber broadband provider Brightspeed is investigating claims by the cybercriminal group Crimson Collective that it accessed and exfiltrated sensitive data for over 1 million customers, including names, contact details, billing information and partial payment card data. The group announced the alleged breach via its Telegram channel in early January with a threat to release or sell the information publicly, posting sample records as purported proof. Brightspeed has not confirmed a breach of its systems or the extent of any data exposure and says it is actively reviewing the situation and keeping customers and authorities informed as its internal investigation continues.
10. Everest claimed that it had exfiltrated approximately 186 GB of sensitive data from global insurtech platform Bolttech, threatening to publish the information if its demands were not met. The group posted alleged proof on its dark web leak site, stating the data includes employee and agent account details, customer contact information, insurance policy records, mortgage-related files and other operational materials. Bolttech has not publicly confirmed or commented on the claims.
11. Australian car rental excess insurer Prosura disclosed a significant data breach and cyber incident after unauthorized access to parts of its internal IT systems was detected on January 3. The threat actor responsible for the incident obtained customer personal and policy information and began contacting customers with fraudulent communications. The compromised data is reported to include names, email addresses, phone numbers, travel and policy details, and, for some claimants, driver’s licence images, with attackers subsequently posting samples of the stolen records on criminal forums and attempting to sell them. Prosura took key online services offline, notified regulators and external cybersecurity experts, advised customers to be cautious of phishing attempts, and said it is investigating and securing its systems, emphasizing there is no evidence that payment card details were accessed.
12. Gulshan Management Services confirmed that it had notified 377,082 people about a September 2025 data breach that compromised personal information. The gas station operator informed victims that a successful phishing attack allowed unauthorized access to its systems. The unknown attackers also encrypted portions of GMS’s network. Compromised information includes names, SSNs, credit and debit card numbers, driver’s license numbers, and contact info.
13. ASX-listed gold producer Regis Resources confirmed it had experienced a cybersecurity incident after the Lynx group claimed responsibility for an attack and listed a subsidiary, McPhillamys Gold, on its dark web site. Regis stated the activity was detected in November 2025 and that its security controls responded as designed, with a subsequent forensic investigation finding no evidence of data exfiltration and no ransom demand. The company said relevant authorities were notified and confirmed the incident had no material impact on operations or commercial activities.
14. Anubis ransomware group claimed that it had breached the systems of Australian medical clinic Laidley Family Doctors, listing the practice on its dark web leak site and alleging exposure of sensitive information. According to the group, data such as names, gender, Medicare details and medical history was compromised during the incident. Data samples were also shared on the dark web as proof of claims. Laidley Family Doctors has not publicly confirmed or commented on the ransomware claims.
15. Lynx claimed responsibility for a cyberattack on St Joseph’s College Echuca, posting the Australian Catholic co-educational school on its dark web leak site and asserting it had encrypted or breached the college’s network and obtained data. According to the group’s listing, the incident was disclosed on January 5, though no proof was provided and the full details of any data compromise remain unclear. St Joseph’s College Echuca has not publicly responded to or confirmed the ransomware claims.
16. Bosch Choice Welfare Benefit Plan disclosed a data breach after unauthorized access to its systems exposed sensitive personal and health information of approximately 55,000 individuals. Compromised information included names, SSNs, DOBs, health insurance details, medical claims data and information related to medical conditions.
17. Pearlman Aesthetic Surgery reported a breach of protected health information of 11,764 individuals. The specifics of the breach have not yet been disclosed, other than it being a hacking/IT incident.
18. Associated Radiologists of the Finger Lakes announced that it had identified unauthorized access to its computer network in October 2025. An investigation confirmed unauthorized access led to patient data being viewed or copied. The file review is currently ongoing but at this stage it is believed that both PII and PHI were compromised as a result of the incident.
19. Andover Eye Associates in Massachusetts announced that it experienced an email security incident that exposed the data of 1,638 individuals. An investigation confirmed that an unauthorized third party had accessed the accounts in May, leading to the exposure of sensitive information. The accounts contained patient names and social security numbers. It is not clear who is responsible for the attack.
20. Legal firm Gorlick, Kravitz & Listhaus announced that a September 2025 data breach had compromised sensitive personal information belonging to its clients. Information impacted varies depending on the individual, but names and SSNs were among the data types stolen. Akira claimed responsibility, allegedly exfiltrating 22 GB of data from the organization.
21. Qilin claimed responsibility for a cyberattack on Italian water-sports equipment manufacturer Cressi, posting the company on its dark web leak site on January 8, 2026 and threatening to release sensitive data unless contact was made. According to the public listing, Qilin alleges it breached the organization’s systems, though it has not published data samples or detailed what information may have been accessed, and the extent of any exfiltration remains unclear. Cressi has not publicly confirmed or addressed these claims.
22. Details emerged of a November attack on the Royal Borough of Kensington and Chelsea Council in London that affected IT systems shared with neighbouring councils, leading to widespread disruption of services and confirmed unauthorized copying of data by the attackers. The council acknowledged that some sensitive information was copied and taken from its network, with investigations ongoing to determine the full scope of the breach and whether personal or financial details were involved. Residents were warned to be vigilant against potential scams using the compromised information. The incident prompted notification of the Information Commissioner’s Office, involvement of the National Cyber Security Centre and Metropolitan Police, and communication to more than 100,000 households about possible risks stemming from the breach.
23. The Pell City School System informed parents of a data breach stemming from a ransomware attack in late 2025. The superintendent said the district’s student information system was not impacted, though a third-party vendor experienced a security incident that resulted in data theft. While the district has not provided further details about the information involved, it confirmed in its parent notification that it will not pay the ransom. The Safepay ransomware group claimed responsibility for the attack in December 2025 but did not release additional details about the breach.
24. Hale Makua Health Services, a non-profit healthcare provider based in Maui, Hawaii, reported a ransomware related data breach to the U.S. Department of Health and Human Services after the Qilin ransomware group claimed responsibility. The group alleged it had accessed the organization’s systems and posted sample screenshots on its dark web portal as proof of access. The specific types of information exposed have not been publicly detailed. The HHS breach listing currently reflects a provisional figure of 500 affected individuals, which is expected to be updated following the completion of an internal investigation.
25. Anubis ransomware group publicly claimed responsibility for a cyberattack against Chilean energy and resources company Copec S.A., alleging it exfiltrated a substantial volume of corporate data, threatening to release the information unless negotiations occurred. According to the group’s posts, roughly 6 TB of sensitive data was taken and included internal documents, communications and employee-related files, though these claims have not been independently verified. Copec acknowledged the incident and said it detected and contained the activity without impacting operations or customer personal data, but details about the scope of the alleged data compromise remain unclear as the situation continues to be investigated.
26. The City of Midway, Florida, confirmed that its police department’s SmartCOP cloud-based records system was compromised in a ransomware incident, disrupting access to police documents and public records and prompting an ongoing investigation by local law enforcement. Officials said the breach may have affected sensitive public records and warned residents to be cautious of suspicious communications that could be tied to the incident, though details about what specific data was impacted have not been disclosed. The situation came to light after community members reported difficulties obtaining records, and authorities are urging vigilance while the investigation continues.
27. A class-action lawsuit alleges that premier Manhattan plastic surgeon Dr Richard Swift’s office was compromised in an apparent malware attack that resulted in the theft and public posting of highly sensitive patient information, including nude images, Social Security numbers, medical and financial records, and other personal data for at least 22 individuals on a Russian-hosted website. According to court filings, some patients only discovered their private images had been published after the hackers contacted them directly, and the suit claims the surgeon’s office failed to notify patients or authorities about the breach as required by law, leaving victims exposed to risks of identity theft, fraud and emotional distress. Plaintiffs allege the practice’s computer systems were inadequately protected, that multiple requests for information were ignored, and that the website remained active for months before it went offline, with the surgeon’s office declining to comment when contacted for a response.
28. Everest ransomware group claimed responsibility for a major cyberattack on Japanese automaker Nissan Motor Corporation, alleging it exfiltrated approximately 900 GB of internal data from the company’s systems and posting sample screenshots on its dark web leak site to support the claim. According to analysis of the shared samples, the alleged data includes internal documents such as dealership records, program files, and operational folders, and the group has reportedly given Nissan a deadline to respond before publishing the full dataset publicly. Nissan has not publicly confirmed or denied the breach claim.
29. The nonprofit behavioural healthcare organization The Devereux Foundation was reportedly targeted by The Gentlemen ransomware group, which claimed to have breached its systems, posting an extortion notice on a dark web forum, warning that sensitive organizational data could be leaked unless contact was made. According to public breach notifications, the foundation detected suspicious activity and moved quickly to isolate affected systems and engage cybersecurity specialists, and it acknowledged that information related to employees, clients, donors, payors and partners may have been involved, including names, demographic, clinical and financial details. The investigation into the scope of the incident is ongoing.
30. The University of Hawaii Cancer Center suffered a ransomware attack that compromised servers supporting its research operations, resulting in the encryption of files and unauthorized access to sensitive research data, including documents containing Social Security numbers and other personal information of study participants. The centre said the breach did not affect clinical operations or medical treatment systems, and it engaged external cybersecurity experts to isolate affected systems, obtain decryption tools and work toward securing the destruction of data accessed by the attackers.
31. Six months after the initial attack, Canopy Health notified some patients of a cyberattack which led to patient details being compromised. A statement from the healthcare provider confirmed that in mid-July unauthorized individuals gained access to part of its systems used by the administration team. While an investigation remains ongoing, Canopy noted that the threat actors may have accessed a small number of bank account numbers.
32. South Korean conglomerate Kyowon Group, which operates across education, publishing and consumer services, confirmed it was hit by a ransomware attack that disrupted operations and may have exposed customer data, prompting an ongoing investigation with national authorities and external cybersecurity experts. Government investigators estimate that the incident could potentially affect up to 9.6 million user accounts, with abnormal activity detected across a large portion of the company’s servers and signs of a possible data leak under review. Kyowon has stated it is assessing the scope of the breach and has not yet confirmed whether personal data was actually accessed, and it plans to notify users transparently if a leak is verified.
33. Avosina Healthcare Solutions confirmed that it notified 44,425 people of a July 2025 data breach that compromised names, addresses, medical info, and health insurance info. Qilin took credit for the incident in August, posting sample images as proof of claims on its dark web leak site. These images included an employee payslip, a medical intake form, a business contract, an invoice, and a medical report.
34. Dublin Medical Center in Georgia recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network, but it has not been confirmed when the unauthorized access started. The review of files confirmed that patient data was compromised in the incident, and that data types varied from individual to individual. The incident has impacted 32,090 patients.
35. Vida Y Salud-Health Systems reported a data breach involving unauthorized access to the protected health information of 34,504 Texas residents. An investigation into the October attack has concluded and confirmed that names, addresses, dates of birth, SSNs, driver’s license numbers, account numbers and claims numbers had been stolen.
36. An unknown threat actor posted claims on dark web forums that they had obtained and were offering for sale internal data from U.S. retail giant Target, including an estimated 860 GB of source code, system configuration files and developer documentation tied to critical internal projects such as digital wallet services, networking tools and identity systems. Sample data was briefly made available in public repositories to demonstrate access before those resources were taken offline, and Target reportedly restricted access to its internal development infrastructure in response. The company has not publicly confirmed a breach or addressed the claims directly.
37. Appalachian Community Federal Credit Union notified 30,797 individuals about an October 2025 data breach. The breach compromised names, SSNs, and financial account info. Qilin took credit for the incident and claimed to have stolen 75 GB of data.
38. The Department of Education in Victoria, Australia confirmed that an unauthorized third party gained access to its education network, exposing personal information for current and former government school students across the state’s system. Attackers accessed student names, school-issued email addresses, year levels, school names and encrypted passwords stored in a central database, prompting the department to implement safeguards, temporarily disable affected systems and reset all student passwords as a precaution. The department said there is no evidence the accessed data has been publicly released or shared. Authorities, including the Office of the Victorian Information Commissioner, are now investigating the breach.
39. European travel company Eurail B.V., which operates the Interrail and Eurail pass systems, disclosed a data security breach in which unauthorized access to its customer database resulted in the exposure of sensitive personal and travel information. The compromised information is reported to include names, contact details, home addresses, dates of birth and, for some travellers, particularly participants in the EU’s DiscoverEU programme, passport details, bank account references and health data. The total number of affected individuals has not been disclosed and there is currently no evidence the data has been publicly misused. Eurail said it secured the affected systems, engaged external cybersecurity specialists and notified relevant data protection authorities while continuing its investigation and directly informing impacted customers.
40. Belgian hospital network AZ Monica was hit by a ransomware attack that forced the proactive shutdown of its IT servers, disrupting access to electronic medical records and leading to the cancellation of scheduled procedures and the transfer of critical patients to other hospitals as a precaution. With emergency departments operating at reduced capacity and paper-based processes in place, hospital leadership emphasised that patient safety and continuity of care remained the top priority while authorities and cybersecurity teams investigate the incident. There is no confirmed public disclosure that patient data was exfiltrated, and unverified reports of a ransom demand have not been confirmed by officials.
41. In Texas, Spindletop Center notified victims of a September 2025 ransomware attack which led to personal information being compromised. The attack rendered systems and servers inoperable for a limited time. Rhysida claimed to have stolen personal records belonging to 100,000 people, posting images on its dark web site as proof of claims, and demanding a ransom of 15 BTC (around $1.65 million).
42. The Land and Agricultural Development Bank of South Africa (Land Bank) experienced a major IT systems disruption that took key services and internal systems offline as the organization investigated a suspected cyber incident affecting its operations. The bank said affected systems were taken offline as a precaution to protect its infrastructure and that internal teams, supported by external specialists, were working to restore full functionality and assess the cause of the outage. It is not yet clear if any information has been stolen during the incident.
43. Ju Teng International Holdings Limited disclosed a data security incident after discovering a post on a dark web forum offering access to sensitive information reportedly obtained through a cyberattack targeting certain company laptops. Compromised data is said to include client names, project details, customer and supplier contact lists, and product information, and the company has launched an investigation and engaged cybersecurity specialists to assess the full scope and strengthen its security posture. INC was responsible for the attack, claiming to have stolen 200 GB of data.
44. The Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group, with the threat actors claiming on a dark web leak site that they had targeted the business and threatening to publish sensitive financial and personal information, including invoices and employee and customer records. J Grennan & Sons confirmed it was the victim of a cyberattack that significantly disrupted operations and engaged external cybersecurity experts, and said it is “reasonably confident” that data held on its systems had not been accessed.
45. Spanish energy provider Endesa, one of the country’s largest electricity and gas companies, confirmed that it detected unauthorized access to its commercial platform, resulting in the exposure of customer personal and contract-related information and triggering an ongoing cybersecurity investigation. A threat actor on dark web forums claimed to have obtained a large database, allegedly over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information and, in some cases, bank IBANs.
46. Genesis claimed responsibility for a December 2025 ransomware attack on Upper Township, New Jersey. Genesis claimed to have stolen 100 GB of data from official servers, threatening to publish it if an undisclosed ransom was not paid. The data is said to include financial and personal information. Township officials claim that an investigation into the incident is ongoing, but that they are aware of the data posted on the dark web.
47. U.S. food delivery platform Grubhub confirmed that hackers gained unauthorized access to certain internal systems and stole company data, prompting an ongoing investigation and involvement of law enforcement and external cybersecurity specialists. The company said that while financial information and order histories were not affected, attackers did extract data from some systems. Sources have indicated the ShinyHunters group is attempting to extort Grubhub by threatening to leak Salesforce and Zendesk-related information unless they are paid a ransom. Grubhub responded by stopping the activity, strengthening its security posture and working to contain the incident, but has not disclosed the full extent or specific nature of the compromised data.
48. The Port System Authority of the Central Adriatic Sea (Ancona) was hit by a cyberattack that resulted in data theft and publication on the dark web. The Anubis ransomware group exfiltrated approximately 56,000 files across 8,000+ folders, including internal administrative documents and employee-related data (potentially HR and sensitive records). The Authority stated the stolen material represented roughly 2% of its overall data, and the incident occurred during a broader IT migration to Italy’s national strategic infrastructure.
49. Qilin ransomware group publicly claimed responsibility for a cyberattack on Moen, the U.S.-based manufacturer of faucets and plumbing fixtures, posting the company on its dark web leak site and warning that sensitive data would be released unless contact was made. Qilin has not disclosed how much data it may have exfiltrated nor released any sample files alongside its listing. Moen has not publicly addressed the claims.
50. NightSpire ransomware group claimed it breached systems at the Hyatt Place Chelsea New York hotel, alleging it exfiltrated roughly 48.5 GB of sensitive data and posting samples on a dark web leak site to support its claim. Stolen files reportedly include internal documents such as invoices, expense reports with employee names and contact information, signatures, partner company data and potentially employee login credentials.
51. Chinese electronics manufacturer Luxshare, a key assembler for major tech companies including Apple, Nvidia and Tesla, was reportedly the target of a ransomware attack orchestrated by RansomHouse. The ransomware group claimed to have infiltrated its systems, stealing more than 1 TB of confidential data, including engineering files such as 3D CAD models, circuit board designs, internal product documentation and employee personal information. According to threat actor posts on dark web leak sites, the stolen data spans projects tied to multiple high-profile clients and could enable reverse-engineering, production of counterfeit products or targeted attacks. Neither Luxshare nor affected partners have publicly confirmed the breach or commented on the claims.
52. TotalEnergies is investigating claims of a large-scale data breach after a hacking group began posting samples of what it says is a database of nearly 184 million customer records on social media and cybercrime forums. The attackers assert the exposed information includes email addresses, client IDs, bank account numbers, home addresses, phone numbers and other personal details tied to customers of the French energy giant’s services. TotalEnergies has not confirmed a breach or validated the data, and the full scope and authenticity of the alleged incident remain under review.
53. A serious cyberattack caused an extended closure at Higham Lane School in the UK and, while the school has since reopened, staff continued to face significant limitations in accessing IT systems. The incident disabled core digital infrastructure, preventing the school from operating essential safety and administrative systems. It was also confirmed that data was removed during the attack, although the school has not disclosed what types of information may have been impacted.
54. Imperial Beach Community Clinic recently disclosed a cybersecurity incident and data breach that was identified almost one year ago. Unusual activity was detected within the healthcare provider’s email environment in mid-April 2025. An investigation determined that an unauthorized individual had access to certain email accounts, and certain information had been acquired. Compromised data includes both PII and PHI of an undisclosed number of individuals.
55. In Wisconsin, Valley Eye Associates announced that it fell victim to a ransomware attack in early October 2025. An investigation determined that a ransomware group had access to its network for a one-day period, during which time files were exfiltrated from its network. Qilin claimed responsibility for the attack and published the stolen data, which it claimed amounted to 139 GB.
56. The Canadian Investment Regulatory Organization (CIRO), Canada’s national self-regulatory body for investment dealers and market activity, confirmed that a sophisticated phishing attack led to a significant data breach affecting approximately 750,000 Canadian investors, with threat actors accessing and copying sensitive personal and financial information. Stolen data includes dates of birth, phone numbers, annual income, social insurance and government-issued ID numbers, investment account numbers and account statements. CIRO said it contained the incident, engaged external forensic experts, and found no evidence that the stolen data has been misused or has appeared on the dark web.
57. The Ayuntamiento de Beniel (Beniel Town Hall) in Spain experienced a serious cybersecurity incident that temporarily knocked its municipal IT systems offline, disrupting regular administrative operations and forcing staff to work manually while services were restored. Local officials activated security protocols and are working with regional and national cyber authorities to investigate the extent and impact of the breach, though details about any specific data compromise have not been disclosed. The Gentlemen ransomware group claimed responsibility and threatened to publish sensitive information unless contact was made.
58. Everest claimed responsibility for a cyberattack on ASRock Rack, a major server and datacenter hardware manufacturer, alleging it exfiltrated approximately 509 GB of sensitive data including technical documentation, firmware, software, BIOS files, diagnostic tools and baseboard management controller (BMC) firmware. The listing on Everest’s dark web leak site also included screenshots posted as proof of claims. ASRock Rack has not issued a public confirmation or detailed response to the claims.
59. Reproductive Medicine Associates of Michigan (RMAM) informed patients of a recent cyberattack in which unauthorized threat actors accessed its network and stole sensitive data. The organization identified suspicious activity and took immediate steps to secure its IT environment. The specific types of information affected have not yet been confirmed, and the investigation into the scope of the incident is ongoing.
60. Indian music streaming platform Raaga confirmed a major data breach in which unauthorized access to its systems resulted in the exposure of personal information for approximately 10.2 million users, with the stolen dataset subsequently offered for sale on underground cybercrime forums. The compromised information reportedly includes email addresses, names, gender and age details, geographic location data and passwords hashed using unsalted MD5. Because unsalted MD5 is fast to compute and has no per-user salt, a large share of such hashes can be reversed with ordinary wordlists and precomputed tables, so affected users should treat these passwords as exposed and change them anywhere they were reused. Raaga has not released detailed disclosures about how the breach occurred or what specific systems were affected.
61. The Minnesota Department of Human Services started notifying nearly 304,000 individuals after unauthorized access was identified within its MnCHOICES system. An investigation determined that for most of the individuals affected, stolen information was limited to demographic data. For 1,206 individuals, additional information was accessed, including some medical details. No known threat actors have stepped forward to claim responsibility for the incident.
62. Genesis added Advanced Family Surgery Center (AFSC) to its dark web leak site, claiming to have exfiltrated 100 GB of data. Compromised data allegedly includes healthcare data, financial data, operational data and personal information. A file tree was also added to the dark web post, listing files in the exfiltrated data. According to the threat actors, AFSC was made aware of the incident in late November, with a spokesperson even showing up to negotiate at one point. AFSC has not publicly addressed these claims.
63. Dermatology Associates in Kentucky announced that an August 2025 security incident may have resulted in unauthorized access to patient data. An investigation into the incident confirmed that the unauthorized access over a two-month period resulted in the exposure of confidential information. It is not known who is responsible for the attack.
64. Everest ransomware group claimed responsibility for a major breach targeting McDonald’s India, alleging the exfiltration of approximately 861 GB of sensitive data, including internal company documents and personal customer information such as contact details and business records. The attackers published samples on a dark web leak site and set a deadline for a response before threatening wider data release. McDonald’s India has not yet publicly confirmed the incident.
65. Technology company Paylogix announced it had experienced a data breach in which sensitive personal information may have been compromised. The organization experienced network disruption involving certain computer systems. Akira claimed responsibility for the attack, allegedly exfiltrating 185 GB of data.
66. French authorities launched a preliminary investigation after a cyberattack on Waltio, a cryptocurrency tax reporting platform used by thousands of investors. Hackers believed to be the ShinyHunters group accessed data tied to approximately 50,000 users, including email addresses and summary information from 2024 tax reports such as crypto holdings and balances, and attempted to extort the company over it, although Waltio says sensitive credentials and funds were not compromised.
67. Dresden State Art Collections suffered a targeted cyberattack that disrupted large parts of its digital infrastructure, severely limiting online services like ticketing, visitor support and the museum shop. While physical security systems and museum operations remained intact, digital and telephone systems were largely offline as IT and forensic teams worked to restore services, and investigations continue in coordination with police and state authorities. Details on data theft or specific exfiltrated information have not been disclosed, and the identity of the attackers remains unknown.
68. Rogers Capital Credit, a financial services firm in Mauritius, suffered a data breach during which customer information was obtained and published on the dark web. The exposed records, primarily dating up to December 2022, include highly sensitive personal data such as copies of passports and national ID cards, proof of address, income documentation, and for some clients, banking, credit and civil status information. The Bank of Mauritius has warned the public to exercise vigilance, monitor financial accounts closely, and be alert for potential fraud and phishing attempts as the full scope of the incident continues to be assessed. The Gentlemen ransomware group claimed responsibility for this attack.
69. Nike is investigating a potential data breach after the cybercrime group WorldLeaks publicly claimed to have stolen and leaked approximately 1.4 TB of internal data from the company, including more than 188,000 files related to product design, manufacturing, supply chain and operational information. While Nike has confirmed it is assessing the situation, emphasizing its commitment to data security, it has not yet verified the full scope or confirmed whether customer or employee personal data was exposed.
70. The New York-based Civil Service Employees Association confirmed that a data security incident it experienced last year compromised the sensitive personal information of 47,352 individuals. Upon discovering the unauthorized activity, CSEA took immediate action to secure the network, while notifying relevant law enforcement authorities. The compromised data includes names and other personal identifiers such as SSNs. No known hacker group has claimed responsibility for the attack.
71. Columbia Medical Practice confirmed that patient information was compromised during a ransomware attack in November 2025, exposing the sensitive personal and medical data of up to 3,000 individuals. Threat actors exfiltrated data before deploying malware that encrypted files on certain systems. Columbia Medical Practice stated that its electronic medical record system was not accessed during the incident. Qilin took credit for the attack.
72. MACT Health Board notified individuals affected by a November 2025 security incident which caused disruption to its IT systems. An investigation confirmed that an unauthorized third party had accessed its computer network and exfiltrated sensitive patient information. Rhysida claimed responsibility for the attack and uploaded samples of identity documents to its leak site as proof of claims, demanding a ransom of 8 BTC (about $622,000).
73. TriCity Family Services started notifying 2,511 patients about a data security incident which took place in spring 2025. An investigation revealed that an unauthorized threat actor had access to its computer systems for around six months, during which time sensitive data was exfiltrated. INC took credit for the attack, claiming to have exfiltrated 22 GB of data from the healthcare provider.
74. Enviro-Hub Holdings Ltd. disclosed that it was the victim of a ransomware attack, during which an unauthorized party gained access to its group servers. The company implemented containment and remediation measures and engaged external experts to investigate the incident, which has so far not been found to have had a material impact on operations, and it is still assessing the scope of any data accessed or exfiltrated. Enviro-Hub has also reported the incident to Singapore’s Personal Data Protection Commission as part of its ongoing response.
75. Laurel Health Centers confirmed that an unauthorized third party accessed portions of its email environment in July 2025, potentially exposing sensitive patient information. An examination of affected email accounts found that data, including both PII and PHI, was viewed. The data involved varies by individual. At this time, no ransomware group has claimed responsibility for the attack.
76. Rhysida took credit for a November 2025 ransomware attack on Cytek Biosciences in California. The organization sent data breach notices to 331 people in November, alerting them to the fact that personal information was exposed during the incident. Rhysida added Cytek to its leak site, with a number of images posted as proof of claims. The dark web post now states that all of the data taken during this attack has been sold.
77. Apparel company FullBeauty Brands confirmed that it notified at least 1,191 people of an October 2025 data breach that compromised names and SSNs. Everest took responsibility for the incident in mid-November and intentionally leaked all of the supposedly stolen data on its dark web site after FullBeauty failed to respond to the ransom deadline.
78. Clop ransomware group claimed responsibility for a cyberattack targeting Hilton Hotels, posting the hospitality giant on its dark web leak site. Clop has not backed up the claim with evidence such as data samples and has not disclosed how much data was allegedly exfiltrated. Hilton has stated it has no evidence that its systems or data were compromised. The situation remains under investigation, and Hilton continues to assess any potential impact.
79. Nova ransomware group has claimed responsibility for a cyberattack on KPMG Netherlands, listing the firm on its dark web leak site and threatening to publish up to 500 GB of allegedly stolen data if ransom demands are not met. The group reportedly posted the claim on 23 January 2026, stating it had exfiltrated sensitive information and issuing a 10-day ultimatum for negotiations. KPMG has denied that its systems were compromised and says it is monitoring the situation, meaning the scope and authenticity of the alleged breach remain unverified while investigations continue.
80. It was revealed that individuals who received services from Mitchell County Department of Social Services have had their sensitive information stolen in an October ransomware attack. The attack encrypted files and caused email and phone outages for a number of days. A forensic investigation revealed that there had been unauthorized network access for four days in October, during which time files were exfiltrated. The data review and investigation remain ongoing to determine the types of information involved and the individuals affected.
81. Sanxenxo City Council in Spain has been hit by a cyberattack that encrypted data and compromised thousands of administrative documents, disrupting municipal operations. The attackers reportedly demanded a ransom of $5,000 in Bitcoin in exchange for releasing the encrypted files, but the city has indicated it plans to recover without paying.
82. Crunchbase has confirmed a data breach after the ShinyHunters hacking group leaked millions of records online. The exposed information included usernames, email addresses, hashed passwords and API keys, and was first posted on cybercrime forums before being shared more widely. Crunchbase says it has reset compromised credentials, notified affected users, and implemented additional security measures.
83. Russian security systems provider Delta, which manages alarm and vehicle security services, was hit by a large-scale cyberattack that caused widespread service outages across its home, business and car alarm platforms. Delta acknowledged the incident as a “large-scale, coordinated and well-organized” external attack and said its technical teams are working to restore systems after phone lines and its website went offline. Customers reported being unable to deactivate alarms or unlock vehicles, and some experienced vehicle systems malfunctioning due to the disruption. While Delta maintains no customer personal data has been confirmed leaked, an anonymous Telegram channel claiming to be linked to the attackers published an alleged stolen data archive.
84. 360 Dental in Philadelphia reported a data breach that affected 11,273 individuals. A ransomware attack in November led to the encryption of files and the exposure of sensitive patient data. The types of data involved vary from individual to individual and include names in combination with other PII and PHI.
85. Langley Twigg Law, a New Zealand law firm, is investigating a cyberattack attributed to Anubis after the hackers posted employee and client passport scans and other sensitive documents on an underground forum. The breach involved unauthorized access to its systems and theft of personal identity information, prompting the firm to engage forensic experts, notify authorities and affected individuals, and take systems offline while it works to contain the impact.
86. Auckland-based Brinks Poultry Ltd has allegedly been hacked by the Clop ransomware group, with the threat actors claiming to have stolen internal company data and listing the business on Clop’s dark web leak site. The incident reportedly involved unauthorized access and exfiltration of internal documents, and the attackers are using extortion tactics to pressure the company into contacting them. Brinks Poultry is currently assessing the scope of the breach, engaging cybersecurity experts, and working to contain and remediate the incident.
87. Winona County, Minnesota, experienced a ransomware attack that disrupted several county systems, forcing the IT department to take multiple networks offline to contain the incident. The breach affected services including tax and motor vehicle systems, and the county confirmed it was working with law enforcement and cybersecurity partners to investigate the attack and restore operations. Officials have not disclosed whether any data was exfiltrated or if a ransom demand was made, but precautionary steps and extended service delays reflect the significant operational impact on local government systems.
88. The Vladimir Bread Factory, one of the largest bakery producers in its region of Russia, recently suffered a cyberattack that knocked out its internal digital systems, including office computers, servers and electronic document management tools. The disruption did not stop production itself, but it complicated order processing and deliveries, leading to temporary supply challenges for retailers and customers as the company reverted to manual processing while it works to restore systems.
89. The City of New Britain, Connecticut, was hit by a ransomware attack that disrupted internet, phone, and internal systems for more than 48 hours, forcing city officials to activate incident response protocols and work with state and federal authorities, including the FBI, to assess the impact and restore operations. Despite the disruption, emergency services and essential functions continued, and additional cybersecurity resources were brought in to investigate the incident, although it remains unclear if resident data was compromised.
90. The Tulsa International Airport in Oklahoma was reportedly hit by a Qilin ransomware attack, with the cybercriminal group posting leaked internal documents, including financial records, internal emails, and employee ID information, on its dark web leak site. It is not yet clear whether airport operations or customer data were directly affected.
91. In Slovenia, gas supplier Geoplin was hit by a ransomware attack orchestrated by Sinobi. The ransomware group demanded $8.2 million in exchange for an undisclosed amount of stolen data. The company and its owner confirmed that they had detected a cybersecurity incident and are taking the necessary measures in response. It is not clear what types of data were exfiltrated during the attack.
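Item 60 above notes that Raaga stored passwords as unsalted MD5. The following Python is an added example written for this page; it is not code from BlackFog or from Raaga, and the wordlist, the leaked rows and the example.com addresses are constructed. It shows why an unsalted-MD5 dump is effectively a plaintext leak (one precomputed table reverses every user in every such dump, and identical hashes reveal shared passwords), and contrasts it with the per-user-salted slow hash (PBKDF2-HMAC-SHA256, an iteration count of the order OWASP recommends) that defeats the same table.

```python
"""Unsalted MD5 vs. salted slow hashing for stored passwords.

Added example, not from the original page. WORDLIST and LEAKED_ROWS are
constructed stand-ins for a real cracking wordlist and a real dump.
"""
import hashlib
import hmac
import os
import re

# Constructed: a tiny wordlist standing in for the multi-million-entry
# lists attackers actually use.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "dragon"]

# Constructed leak: (email, md5hex) rows in the shape an unsalted-MD5 dump takes.
LEAKED_ROWS = [
    ("a@example.com", hashlib.md5(b"123456").hexdigest()),
    ("b@example.com", hashlib.md5(b"letmein").hexdigest()),
    ("c@example.com", hashlib.md5(b"correct horse battery staple").hexdigest()),
    ("d@example.com", hashlib.md5(b"123456").hexdigest()),
]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(h: str) -> bool:
    """Triage heuristic for a hash field in a dump: 32 hex characters with no
    scheme or salt prefix is almost certainly raw MD5 (or another 128-bit hash)."""
    return bool(MD5_HEX.match(h))


def build_md5_table(words):
    """One-off precomputation. With no salt, the table applies to every user
    in every dump that used unsalted MD5, which is why MD5 dumps fall fast."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_dump(rows, table):
    """Reverse each row by dictionary lookup: O(1) per hash. Users who chose
    the same password share a hash, so they fall together for free."""
    return {email: table[h] for email, h in rows if h in table}


# --- what the service should have stored instead ---------------------------
ITERATIONS = 600_000  # OWASP-order work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF, stored as one self-describing
    string so the parameters can be raised later without a flag day."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so a timing side channel does not leak the digest."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_record(password: str) -> bool:
    """True only if two users with the same password get the same stored
    value. With a random per-user salt this is False, which is what breaks
    precomputed tables and cross-user matching."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    cracked = crack_dump(LEAKED_ROWS, build_md5_table(WORDLIST))
    print(f"{len(cracked)}/{len(LEAKED_ROWS)} MD5 accounts recovered instantly: {cracked}")
    record = hash_password("letmein")
    print("salted record:", record)
    print("verify correct:", verify_password("letmein", record),
          "verify wrong:", verify_password("letmeout", record))
    print("same password, same record?", same_password_same_record("letmein"))
```

The three rows whose passwords appear in the wordlist are recovered with a single dictionary lookup each, and the two users who picked 123456 are visibly linked; only the long passphrase survives. With the salted PBKDF2 record, the same plaintext produces a different stored value every time, so an attacker has to run the full work factor per guess per user instead of once per guess for the whole dump.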
The State of Ransomware: January 2026
By Rebecca Harpur, February 6th, 2026
BlackFog's State of Ransomware January 2026 measures publicly disclosed and non-disclosed attacks globally.