Last Updated: January 8th, 2026 | 39 min read | Categories: The State Of Ransomware, 2025, Ransomware, Research

The State Of Ransomware December 2025

We ended 2025 with 78 publicly disclosed ransomware attacks recorded in December, marking a 13% increase year over year. Healthcare was the most targeted sector, accounting for 14 attacks, followed by retail with nine. Qilin once again emerged as the most active ransomware variant among the 25 groups that claimed attacks during the month. US-based organizations comprised 46% of December’s disclosed victims, with Australia ranking second at 14%. In addition, eight EU countries reported ransomware incidents. Keep reading to find out who made ransomware headlines in December.

1. Legal counsel for Cache Valley Ear, Nose and Throat notified the state attorneys general about a February 2025 cyberattack that led to the compromise of patient data. Suspicious activity was identified in early February, and an investigation was launched to determine the nature and scope of the incident. A review of the exposed data was recently completed and confirmed that both PII and PHI were involved. Medusa claimed the attack, posting a ransom of $150,000.

2. Devman listed New Horizons Medical as a victim on its dark web leak site. The listing did not include any screenshots of proof of claims but does suggest that 236GB of data had been acquired by the ransomware group. The post also hinted at a ransom demand of $90,000.

3. The Araneta Group of Companies announced that a cybersecurity breach, detected in late November, affected three of its business units. The organization launched an investigation, with the help of international cybersecurity experts, to better understand the scope of the incident. A ransomware group named OSIRIS claimed responsibility, adding images as proof of claims to its dark web leak site.

4. A threat actor using the alias “zestix” claimed responsibility for an extensive data breach involving Mercedes-Benz USA. The group posted 18.3 GB of alleged legal and customer information for sale on a dark web forum. The full dataset was priced at $5,000, with the group stating that the stolen data contains internal documents tied to active and closed litigation across 48 U.S. states. No official confirmation of the breach has been issued by Mercedes-Benz USA.

5. ADC Aerospace, a U.S. engineering component manufacturer, was added to Play’s dark web site, where the group claimed to have accessed a range of internal and client-related documents. Compromised data allegedly includes client documents, budget and financial files, payroll data, identification records, and other confidential information.

6. Mobilelink US was claimed by DragonForce, which said it had siphoned over 5 TB of data from the retailer. The group’s dark web post displayed a countdown, giving the retailer roughly 6 days to meet ransom demands before the data would be published on the leak site.

7. Belgium’s national postal operator bpost was hit by a ransomware attack claimed by TridentLocker, which resulted in the publication of around 30 GB of data on the attackers’ leak site and the apparent exfiltration of 5,140 files potentially containing personal and business information. Bpost confirmed that the incident was a cybersecurity breach affecting a limited set of data from a third-party software platform, noting that the compromised information related to a specific department not involved in letter or parcel delivery and that its core operations were not disrupted. The company stated that it had taken immediate containment measures, engaged cybersecurity experts, informed relevant authorities, and would notify affected customers, but it has not detailed exactly what types of data were exposed.

8. The French Football Federation (FFF) recently disclosed that it suffered a cyberattack resulting in a significant data breach, in which attackers gained unauthorized access to the administrative management software used for club and member data. Threat actors exploited a compromised account to infiltrate the system, allowing them to copy and exfiltrate personal information such as names, birth details, nationality, postal and email addresses, phone numbers, and license numbers of federation members before the intrusion was detected and access was revoked.

9. Software company Enea announced that it had successfully stopped a minor data breach involving non-production data accessed through third-party software. According to a press release, fewer than 20 of the company’s customers were affected. No operational systems or product security were impacted. INC claimed responsibility for the attack.

10. In New York, Southold Town suffered a ransomware attack impacting its servers. The incident caused disruption to various services across the area, including the local police force. The town’s IT department worked to keep the town operational with officials confirming that a ransom note had been received from those responsible for the attack. No known ransomware group has yet claimed the attack.

11. B dynamic Logistics, an Australian logistics provider, is investigating a suspected ransomware incident after the Qilin ransomware group claimed responsibility for compromising its systems and issued an extortion threat on its leak site. While the attackers allege data theft, the company has not confirmed the scope of the breach, stating that an internal investigation and incident-response process are underway.

12. Everest claimed a successful hack of Taiwanese technology company ASUS. The hackers added the company to their leak site in early December, claiming to have acquired more than 1 TB of data. Everest shared details on how ASUS can contact the group, alongside a countdown ending December 4, 2025. The ransomware group did not share any sample data, nor its ransom demand. ASUS confirmed that the breach stemmed from a compromise at a third-party supplier rather than an intrusion into its own core systems.

13. A ransomware attack linked to TrueNorth Corporation impacted several Puerto Rico government agencies during the Thanksgiving week, after attackers gained access to systems using compromised credentials. The disruption affected the Department of Education, the Puerto Rico Health Insurance Administration (ASES), and the State Insurance Fund Corporation (CFSE), though officials said no citizen data was confirmed as stolen and services were gradually restored.

14. Multinational home improvement and gardening retailer Leroy Merlin started to notify customers in France that a cyberattack resulted in the exposure of personal data. The company detected the intrusion and moved to block unauthorized access and contain the incident. The breach involved only customers in France and includes full names, phone numbers, email addresses, and loyalty program information. No known ransomware group has stepped forward to claim the attack.

15. In South Korea, leading e-commerce platform Coupang acknowledged a significant cybersecurity incident that compromised the sensitive data of close to 34 million users. In a statement, a Coupang spokesperson said that on November 18 it identified unauthorized access to its internal network. An investigation was immediately launched to determine the nature and scope of the incident. The affected data included PII, but no credit card information or login credentials were accessed.

16. A major customer data breach at UK broadband provider Brsk came to light when a threat actor began advertising a database of about 230,000 customer records on a cybercrime forum. The exposed information reportedly includes names, email and home addresses, phone numbers, installation details and other contact data, though financial information, passwords and account credentials were not affected according to the company’s statement. Brsk said the incident involved unauthorised access to one of its customer database systems, has secured the affected system, and is offering affected customers 12 months of free identity-monitoring services while regulators and law enforcement are notified and an investigation continues. The firm also stressed that its core network operations and broadband services were unaffected by the breach.

17. Qilin claimed responsibility for an attack on West Quay, a major UK retail and leisure shopping center operator, with the group threatening to post stolen data on its leak site. West Quay publicly acknowledged that its systems were impacted by a ransomware incident in late November, stating that threat actors unlawfully accessed and encrypted IT systems and that forensic and remediation efforts had since restored operations, though the exact nature and extent of any data exfiltration remain under investigation.

18. INC listed popular Australian fashion outlet Oxford as a victim on its darknet leak site. The hackers’ initial leak post shared very little about the alleged incident, other than some basic information about the victim. INC later shared more details of the hack, claiming to have exfiltrated 111 GB of data including contracts, financial documents, and customer and HR data. Oxford has not publicly acknowledged these claims.

19. In Germany, Gerd Bär GmbH disclosed that it had fallen victim to a ransomware attack on November 28, 2025. After a number of days offline, services resumed and customers were sent information on further steps to take. An investigation was launched to determine what and how much data the cybercriminals stole from the IT systems. Payouts King claimed responsibility for the attack.

20. A significant data breach was reported in December 2025 affecting Rameder Anhängerkupplungen und Autoteile GmbH, a German automotive parts supplier, after Payouts King allegedly posted about a breach and leak of roughly 1.4 TB of internal data on underground forums. The company’s systems were compromised, leading to the exposure of a large volume of potentially sensitive information, though detailed confirmation from Rameder about exactly what was taken or how operations were impacted has been limited.

21. The Fargo Park District announced that it had suffered a cyberattack that caused temporary disruption to phone, email and internal systems. The public statement gave few details on the incident, other than to say it was discovered in late October and staff acted quickly to secure its systems. Interlock claimed responsibility, allegedly stealing 892 GB of data from the district.

22. INC allegedly hacked Australia-based textile wholesaler Instyle. The group claimed to have stolen 62 GB of data from the organization. According to the dark web post, stolen data includes customer information, HR data and financial details. Instyle has not yet publicly acknowledged these claims.

23. A data breach claim by the Qilin ransomware group has emerged on a dark-web extortion site, where the actors posted 22 screenshots as supposed proof of access to internal systems associated with the Church of Scientology’s UK operations. The leaked snippets appear to show internal visa processing records, financial documents, operational budgets, and member-related data, though the exact amount of data stolen and the method of the breach remain unverified, and the Church has not publicly confirmed the incident.

24. Benchmark Electronics, a US-based technology and manufacturing services provider, was recently named on the Everest ransomware group’s leak site, where attackers claimed to have accessed more than 100,000 files containing internal engineering and manufacturing data and threatened to publish it unless engaged. The full scope of the incident has not been independently confirmed.

25. SafePay ransomware group targeted BECKS Group Australia, a family-owned jewellery manufacturer, listing the company on its leak site. BECKS, which confirmed it was targeted by a cyberattack, took immediate steps to contain the impact and notify customers, stakeholders and authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, while investigations into the full extent of the breach continue. Initial analysis suggests that some personal and internal business information may have been compromised, though the exact scope is still being assessed as the company works to secure its systems and advise those affected.

26. Space Bears claimed to have obtained internal Comcast materials by exploiting a breach at Quasar Inc, a telecommunications engineering contractor. The group claimed that compromised files include city design documentation and detailed utility plans for multiple locations.

27. The City of Fürth stated that a cyberattack targeted the IT infrastructure of its municipal drainage authority. While the attack was serious, there was no immediate risk to the public. Officials stated that although services were not disrupted, they cannot rule out the possibility that some files were viewed or copied during the incident. Qilin took credit for the attack but did not post information on the volume or types of data stolen from the city.

28. Prosper Inc announced that notification letters were mailed to individuals whose data was impacted by a cybersecurity incident in September. The organization discovered unauthorized activity on its systems and quickly acted to stop the spread. An investigation revealed that personal information was obtained during the incident. The data included names, SSNs, bank account numbers, and other financial application information.

29. Trumbull County in Ohio was hit by a severe cyberattack orchestrated by Anubis ransomware group. County representatives issued a number of statements denying system compromise, data exfiltration, or any unauthorized access. The group published 350 GB of documents on its leak site. Anubis claims it was still inside the county’s network during incident response and also stated that it purposely waited for the county to announce that systems had not been compromised before announcing the breach, in an attempt to ruin the county’s reputation.

30. BarNet Networks, an Australian communications and network-services provider for the legal sector, was recently named on the SafePay group’s leak site, where threat actors claimed to have accessed and taken sensitive files from its environment. The material allegedly includes financial documents, legal contracts and personal records such as passport copies and contact details, though the full scope of the incident has not been publicly confirmed.

31. INC took credit for a November 2025 cyberattack on Rainbow Communications, allegedly stealing 200 GB from the organization. Rainbow announced in mid-November that a cybersecurity event caused service issues, disrupting customers’ phone and internet services. Stolen data includes accounting, HR, and customer data. To prove its claim, INC added sample screenshots to its dark web post.

32. ThinkMarkets has come under scrutiny following claims by Chaos ransomware group that it accessed and released a substantial volume of internal data. The hackers claim to have stolen 512 GB of data including HR information, details of customer disputes, trading information, legal advice and company policies. Several passport scans and know-your-customer records were among the data that could be viewed on the dark web.

33. The Center of Association Management (CAMI), a US-based professional association services organization, was listed on a dark web extortion site by the NightSpire ransomware group, which claimed to have accessed and copied portions of its internal data, totalling 250 GB. According to the threat actor’s posts, the purportedly exposed information includes client and operational records, though independent confirmation of what was taken and the overall impact has not been released publicly. CAMI acknowledged the incident, with an investigation revealing that personal and organizational data may have been compromised.

34. 14,095 individuals were impacted by a data security incident involving Millcreek Pediatrics in Delaware. The practice identified suspicious activity in its systems at the end of February and engaged a digital forensics firm to carry out an investigation into the incident. File analysis confirmed that multiple categories of protected health information had been exposed.

35. It was revealed that a data breach earlier this year exposed the sensitive data of Vita Hospice Services’ current and former patients. Vitas disclosed that on October 24 it became aware of unauthorized access through a compromised vendor’s account, which led to access to its systems. An investigation determined that personal information had been accessed or downloaded during the incident. The compromised data included names, addresses, SSNs, medical information, insurance information, and other personal data. This incident impacted 319,177 individuals.

36. MAG Aerospace, a U.S. defense contractor, reported that a data breach in August compromised the personal information of over 4,000 employees. An in-depth investigation, supported by external experts, revealed that an unknown third party gained unauthorized access to a limited set of electronically stored personal information. No known ransomware group has publicly claimed the attack.

37. New York manufacturer Fieldtex notified 247,363 people of an August 2025 data breach which led to personal information being compromised. The data breach leaked names, addresses, dates of birth, insurance member ID numbers, plan names, effective terms, and genders. Akira took credit for the attack in November, stating that it had stolen 24 GB of data from the organization. Fieldtex confirmed that it had fallen victim to a cyberattack but has not publicly addressed the claims made by Akira.

38. South Africa’s National Credit Regulator (NCR), a government body responsible for overseeing the country’s credit industry, experienced a cyberattack that disrupted some of its IT systems and triggered an ongoing investigation by its security team. The regulator confirmed the incident affected certain systems, prompting containment actions like isolating impacted networks, disabling remote access and notifying relevant authorities while efforts continue to determine the full extent and whether personal data was accessed. DragonForce claimed responsibility for the attack, exfiltrating 42.02 GB of data from the government organization.

39. A new group of threat actors calling themselves MS13-089 hacked Virginia Urology and exfiltrated 927 GB of data. The dark web leak site provided a file tree, and a sample of data was shared. The group claimed that it did not encrypt any of the data so that no harm came to patients. Stolen information appears to include documentation belonging to the medical practice and personal health information of its patients.

40. A cyberattack closed all locations of the Deschutes County Library in early December. External experts were engaged to investigate the incident after staff discovered suspicious activity through antivirus software alerts. An unauthorized actor accessed servers containing PR materials. Although the library director would not make a definitive statement, he believes that customer and staff information were likely not compromised in the breach.

41. A threat actor on a well-known cybercrime forum advertised a large customer database allegedly taken from Volkswagen Mandi, an authorized Volkswagen dealership in Himachal Pradesh, India, claiming the dataset contains over 2.5 million rows of client and vehicle-related information sourced from a CRM backend. The data sample posted with the listing reportedly includes full names, home addresses, phone numbers and email addresses, though only a small preview has been shared, and the dealership has not confirmed the incident publicly.

42. SafePay group has claimed responsibility for an incident involving Hyperdome Doctors and Skin Clinic, a medical centre in Loganholme, Queensland, after listing the organization on its leak site and advertising allegedly stolen internal files. The material is said to relate to clinic operations and practitioner information, although the claims have not been independently verified and the clinic has not publicly confirmed the breach.

43. Madison Healthcare Services disclosed a breach to the U.S. Department of Health and Human Services. After discovering the breach, an investigation was conducted and affected individuals were notified. WorldLeaks claimed the attack but did not disclose the types of data stolen from the healthcare provider.

44. Rockrose Development confirmed it notified 47,392 individuals of a July 2025 data breach that compromised personal information. Play took credit for the breach shortly after it occurred. The group claims to have stolen documents related to clients, budget, payroll, accounting and taxes.

45. American pet retailer Petco announced that it suffered a significant data security incident earlier this year that compromised the personal information of its customers. The organization filed a notice stating that it recently identified a security incident during a routine review and immediately launched an investigation to assess its scope. Although the company has not disclosed specifics about the breach, it stated that the incident involved customers’ sensitive personal information.

46. Rhysida listed Queensland-based medical center Harbour Town Doctors as a victim on its leak site. Several low-quality images of allegedly stolen data were also posted on the leak site. A ransom demand of 5 BTC, roughly $137,000, was set by the threat actors.

47. Petróleos de Venezuela, S.A. (PDVSA), Venezuela’s state-owned oil and gas company, experienced a significant cyberattack that disrupted its administrative systems, leading to cancellations or delays in export cargo coordination while core oil production and refining activities continued. PDVSA acknowledged the breach and said its operations remained unaffected, but external sources reported that key internal systems stayed offline and forced manual workarounds, slowing export logistics and deliveries for several days.

48. 700Credit, a consumer financing services company, began notifying victims of an October data breach which exposed the sensitive data of more than 5.8 million Americans. The company stated that a bad actor gained unauthorized access to some personally identifiable information including names, addresses and SSNs. It is not yet known who is responsible for this incident.

49. Oak Valley Health issued a statement addressing online reports that suggest that Markham Stouffville Hospital and Markham Stouffville Hospital Foundation had fallen victim to a cyberattack. An investigation revealed that MSH and MSHF were falsely identified, with the statement claiming that a partner organization had been the target. Anubis added MSH to its leak site in mid-December, prompting the statement from Oak Valley.

50. In New Zealand, Hopper Developments was added to Qilin’s dark web leak site. Qilin did not disclose any details of the incident; however, one potential buyer for the data had already expressed interest. Hopper Developments has not yet publicly addressed Qilin’s claim.

51. Minersville School District is investigating a ransomware attack that forced it to close schools for three days and left the district unable to access some of its computer data. In response to identifying the incident, the entire computer system was taken offline and relevant experts were contacted.

52. Ireland’s Office of the Ombudsman has been responding to a cybersecurity incident described as a financially motivated ransomware attack that affected its IT systems in December 2025. As a precaution, the organization took key systems offline to contain the issue and launched a forensic investigation with assistance from the National Cyber Security Centre, external specialists, the Data Protection Commissioner, and An Garda Síochána. The office is operating on the basis that data may have been taken, although the Ombudsman has stated there is currently no confirmed evidence that information was exfiltrated, and it has secured a High Court injunction to prevent publication of any potentially stolen data. The disruption has also impacted several other statutory bodies that rely on the Ombudsman’s shared IT services, leading to delays in processing complaints while recovery efforts continue.

53. 113,232 people have been notified of a September 2025 data breach which affected the Richmond Behavioral Health Authority in Virginia. The breach compromised RBHA patients’ names, SSNs, passport numbers, financial account information, and protected health information. Qilin took credit for the breach, claiming that it stole 192 GB of data. To prove its claim, the group posted images of stolen documents on its leak site.

54. DXS International, a UK-based healthcare technology supplier whose software supports around 2,000 NHS GP practices, reported a cybersecurity incident affecting its internal office servers in mid-December 2025. The incident was discovered on 14 December, and in response the company immediately worked to contain it with NHS support and external specialists. The company filed a notice about the breach with the London Stock Exchange, saying services continued with minimal impact and front-line clinical care remained operational. Devman claimed on dark-web forums that approximately 300 GB of data was stolen, though the exact scope of any theft and its implications have not been publicly confirmed by DXS as the investigation and regulator engagement continue.

55. Netstar Australia, a vehicle tracking and fleet telematics provider, was recently named on a dark web leak site by the BlackShrantac group, which claimed to have accessed and obtained company data as part of an extortion attempt. The nature and volume of the allegedly affected information have not been publicly confirmed, and Netstar has not released detailed findings on the incident.

56. The University of Sydney disclosed a significant cybersecurity incident after hackers gained unauthorized access to an online code repository, which contained “historical files” alongside development resources. The hackers exfiltrated personal data belonging to over 13,000 individuals, including current and former staff, alumni, donors and students. The files accessed reportedly included names, birth dates, home addresses, phone numbers and employment details from legacy datasets used for development and testing, though the university confirmed that there is currently no evidence the stolen data has been published or misused. In response, the institution blocked the unauthorized access, secured the affected environment, engaged cybersecurity partners, notified authorities and began directly informing those affected, while continuing to investigate the full scope and implications of the breach.

57. Avenira Limited, a mining and mineral-project company based in Perth, was listed on a dark web extortion site by affiliates of INC, which claimed to have exfiltrated approximately 1 TB of internal corporate data including memoranda, mineral exploration reports, confidentiality agreements and other sensitive files. Avenira has not publicly confirmed the breach or released details on whether systems were disrupted, what data was affected or any operational or financial impact.

58. Dom Development S.A., one of Poland’s largest residential real-estate developers, confirmed that it was the target of a significant cyberattack detected on December 4, which involved unauthorized access to its IT systems and a likely data compromise. The company acknowledged there is a high risk that personal information held in its systems, including details of current and former clients, employees, contractors and others connected to the group, may have been taken. Qilin ransomware group claimed the attack.

59. A cybersecurity incident affecting a US healthcare provider came to light in mid-December 2025 after Termite ransomware group claimed it had accessed and removed around 25 GB of internal data from systems associated with MedHelp Clinics. The allegedly exposed material may include healthcare-related files, although the scope and validity of the claims have not been independently confirmed and MedHelp has not publicly detailed the impact.

60. Argentine football and sports organization Club Atlético River Plate was listed on a dark web extortion site by the Qilin ransomware group, who claimed to have gained unauthorized access to internal systems and exfiltrated sensitive documents. The publicly visible index attached by the threat actors reportedly includes thousands of files in formats such as PDFs, Word documents, emails and spreadsheets, covering invoices, contracts, budgets and other operational records dating from 2021 to 2025. River Plate has not yet publicly acknowledged or confirmed the breach or provided details on the nature and scope of any data accessed.

61. Romania’s national water authority, Administrația Națională Apele Române, confirmed a large-scale ransomware attack had compromised around 1,000 IT systems across its central organization and 10 regional basin administrations. The incident affected administrative servers, databases, GIS systems and workstations. Authorities stated that critical water infrastructure and hydrotechnical operations were not impacted, and national cybersecurity and intelligence teams are continuing remediation and recovery efforts.

62. Chemirol, a Polish agricultural solutions company, detected a cyberattack on its IT infrastructure that resulted in unauthorized access and extraction of data from its servers. The firm subsequently disclosed that the incident may have impacted personal information of current and former clients, contractors, employees and collaborators, including names, contact details and other identifiers, and is fulfilling its data breach notification obligations under GDPR. Payouts King took credit for the attack in mid-December.

63. A ransomware attack targeted Evergreen Printing Co. in Bellmawr, New Jersey, disrupting printing operations, subscriber-fulfilment systems and mailing lists for client publications. The incident, which was discovered around December 19, forced affected customers to rebuild mailing lists and caused delays in press operations while Evergreen activated its incident response plan and engaged outside experts to investigate and remediate the situation. The company has not confirmed evidence of personal data being accessed or removed, and details such as the identity of the threat actors or any ransom demand remain unclear.

64. Atalian Group, a major French facilities management and business services provider, disclosed that it had been the victim of a cyberattack detected on December 6, in which attackers gained access to parts of its IT environment and a limited portion of data was potentially exfiltrated, including identification, banking data, and HR-related information. The company took immediate containment steps, reported the incident to French authorities including the CNIL, and engaged experts to secure affected systems and assist impacted stakeholders, and says monitoring has not yet shown any public disclosure of the data. Qilin listed the organization on its leak site and claimed roughly 500 GB of internal business data was exfiltrated.

65. The Gentlemen ransomware group claimed responsibility for a cyberattack against Oltenia Energy Complex, Romania’s largest coal-based power producer, after files across parts of the company’s business IT environment were encrypted in late December 2025. The incident disrupted systems such as email, ERP and document management platforms, but did not affect electricity production or the National Energy System, according to the company. Oltenia Energy Complex isolated impacted systems, notified national authorities and law enforcement, and began restoring services from backups while the investigation into the scope of the breach continues.

66. A cyberattack targeting KC&D Service, a former in-flight catering subsidiary of Korean Air, resulted in the theft of personal information belonging to nearly 30,000 Korean Air employees. The compromised data included employee names and bank account numbers; no customer information was affected. Korean Air said it is treating the incident seriously even though the breach originated at a third-party vendor that it sold five years ago, and that it is working to determine the full scope of the exposure and those impacted, alongside plans to strengthen personal data protection measures.

67. A threat actor using the alias “Lovely” claims to have breached systems tied to Condé Nast, leaking the personal data of more than 2.3 million WIRED magazine subscribers, with the dataset appearing on underground forums. The exposed information reportedly includes email addresses, names, user IDs and, in some cases, phone numbers and physical addresses, although passwords and payment details were not included. The same actor has also alleged that up to 40 million additional user records across other Condé Nast publications, such as Vogue, The New Yorker and Vanity Fair, could be released, but the full scope of any wider breach remains unverified, and Condé Nast has not publicly confirmed the incident.

68. Fyzical Acquisition Holdings LLC announced a security incident involving unauthorized access to the personal and protected health information of its patients. The investigation into the December 2024 attack took almost one year to complete and confirmed that affected data included names, SSNs, state IDs, financial account information, medical information and health insurance information.

69. A cybersecurity incident affecting Bangchak Group, a major Thai energy and petroleum company, was publicly reported in late December 2025, after Qilin named the organization on its dark web leak site. Shortly afterward, Bangchak confirmed that it had detected unauthorized access to the personal data of certain individuals associated with the group, though it said no financial information was involved. The organization said it has taken corrective actions to prevent further unauthorized access.

70. A data security incident at the international law firm Fried, Frank, Harris, Shriver & Jacobson LLP, which serves as outside counsel to several Goldman Sachs alternative investment funds, led to the potential exposure of sensitive personal and financial information held on behalf of investors. Goldman Sachs notified affected fund investors in December 2025 that Fried Frank had informed it of the incident, that Goldman Sachs's own systems were not impacted, and that data belonging to clients of the law firm may have been accessed. The law firm said it acted quickly to contain the situation, engaged external cybersecurity experts and reported the matter to law enforcement; the extent of any improper use of the data remains under review. A class-action lawsuit has since been filed alleging the firm failed to adequately safeguard the information.

71. Meduza Locker took credit for a November 2025 cyberattack on Kelsey School Division in Canada. The division’s superintendent notified parents and guardians of the cybersecurity incident, which impacted a portion of its network. Systems were taken offline to limit the spread of the attack. The ransomware group listed KSD on its leak site, claiming to have stolen documents relating to students, parents, staff and sponsors from the division’s computers. Sample files were added as proof of claims and a ransom of $40,000 was set.

72. INC ransomware group publicly claimed a cyberattack against Klingele Paper & Packaging Group, a German paper and packaging manufacturer, asserting that about 450 GB of internal data, including confidential documents, client information, financial records and corporate files, was exfiltrated. Klingele separately reported a cyber incident at its Brazilian paper mill site on December 21, involving the unauthorized leakage of data from a locally isolated network, and said it is investigating with external specialists while noting there is currently no indication the broader group’s systems outside Brazil were affected.

73. Interlock claimed responsibility for a cyberattack on The Salvation Army, a major international charity and social services organization, posting threats to publish sensitive data unless negotiations were initiated. The threat actors claim to have obtained about 93 GB of data, including names, phone numbers, home addresses and donation records linked to more than 1.6 million donation transactions. The organization has not yet publicly confirmed the breach or provided details on the impact.

74. Artemis Healthcare in Nashville recently announced a data security incident that was identified in May 2025. The notification confirmed that it was targeted by a ransomware group which had access to its network over a three-week period. An investigation confirmed that PII and PHI had been accessed during the incident. Crypto24 took responsibility for the attack and claimed to have exfiltrated 1 TB of data; its dark web post claimed the haul included image files relating to millions of patients.

75. Massachusetts-based accounting firm CSA Tax & Advisory may have had corporate and client data compromised following claims by the Lynx ransomware group. Analysis of data samples posted on the group’s leak site reportedly showed highly sensitive records, including full names, physical addresses, Social Security numbers, tax return information, IRS e-file authorization forms, healthcare coverage details, invoices and internal correspondence. CSA has not publicly acknowledged the incident.

76. Over the festive period, Everest ransomware group claimed on its dark web leak site that it had breached the systems of Chrysler, a major U.S. automaker and part of the Stellantis group, exfiltrating more than 1 TB (about 1,088 GB) of internal data spanning 2021–2025. The stolen material reportedly includes large volumes of Salesforce-related records, CRM exports, structured databases and internal spreadsheets containing customer interaction logs, names, contact details, vehicle and recall information, agent work logs, and what appear to be employee HR lists, among other operational files. The threat actors have also warned they may release additional data such as customer service audio recordings if their demands are not met. As of now, Chrysler and Stellantis have not publicly confirmed the breach or commented on the claims, and independent verification of the incident remains limited.

77. AllerVie Health, a Frisco, Texas–based allergy and immunology provider, reported a security incident involving unauthorized network access after unusual activity was detected on November 2. A review confirmed exposure of personal data including names, Social Security numbers, and driver’s license or state ID numbers, and affected individuals were notified on December 22, 2025, with credit monitoring offered. While AllerVie has not confirmed the cause, the incident has been linked to claims from the Anubis ransomware group, which alleges data from over 30,000 patients was accessed.

78. The European Space Agency (ESA) confirmed a cybersecurity breach after a threat actor using the alias “888” claimed to have accessed and exfiltrated roughly 200 GB of data from servers supporting external scientific and collaborative engineering activities. The agency said the incident affected only a very small number of external servers located outside its core corporate network and does not involve classified systems, and it has launched a forensic investigation and containment measures while informing relevant stakeholders. The alleged stolen data includes source code, configuration files, credentials and other internal development assets, though the full scope and validity of these claims are still being assessed.
