Last Updated: July 2nd, 2026 | 50 min read | Categories: Ransomware, 2026, Research

The State Of Ransomware June 2026

June saw 102 publicly disclosed ransomware attacks across 21 countries, with Australia experiencing a particularly active month at 21 attacks. Healthcare remained the top target with 30 incidents, followed by services with 15 and education with 14. The ransomware ecosystem also continued to fragment, with 31 groups claiming victims. The newly emerged 2019 ransomware group led the month with 12 claimed victims, making it one of June’s most notable developments.

1. The Melbourne International Film Festival (MIFF) suffered a data breach after attackers compromised its third-party ticketing provider, Ferve, exposing the personal information of around 26,700 customers. While payment card details and passwords were not affected, names, email addresses, phone numbers and residential addresses were potentially accessed. Ransomware group 2019 has claimed responsibility for the attack and allegedly advertised a much larger dataset for sale, although MIFF disputes those claims and the attribution remains unverified.

2. VSP Solutions, an Australian distributor of video security products, confirmed it is investigating a cyber incident after the Stormous ransomware group claimed responsibility for the attack. Stormous alleges it stole more than 40 GB of sensitive data, including financial records, email archives and customer databases, although VSP says the compromised information was historical and that business operations were not disrupted. The company has engaged forensic experts and notified the relevant authorities while its investigation continues.

3. The UN World Food Programme (WFP) disclosed that a cyberattack exposed the personal data of approximately 600,000 households in Gaza after attackers compromised its Palestine self-registration platform. The exposed information included names, ID numbers, mobile phone numbers, and location data used to register for food and cash assistance. WFP took the affected system offline, launched an investigation, and stated that no ransomware group had claimed responsibility for the attack.

4. IMA Diligence Services confirmed it had notified 525,306 individuals that their personal information was compromised in a December 2025 cyberattack involving a legacy server hosted by a third-party provider. The exposed data included Social Security numbers, financial information, medical records, and government-issued IDs. Genesis ransomware group claimed responsibility for the attack, alleging it stole 700 GB of data, although the company did not confirm the attribution or the volume of data reportedly exfiltrated.

5. More than 3,100 individuals were notified by Bronsky Orthodontics after unauthorized access to multiple employee email accounts exposed protected health information. The compromised data included patient names, dates of birth, contact information, dental and orthodontic treatment records, insurance information, and, for a limited number of individuals, Social Security numbers, financial account information, and government-issued IDs. The practice said it secured the affected accounts, completed a forensic investigation, and is reviewing its data privacy and security policies.

6. Hampr, an Australian workplace catering provider, said it was investigating claims that a ransomware group had stolen and published more than 360,000 customer records on a hacking forum. 2019 ransomware group alleged the leaked data included customer IDs, names, mobile phone numbers, account details, dietary preferences, payment information, billing data, and workspace details. Hampr said it had notified customers and relevant cybersecurity authorities while its investigation remained ongoing, and the claims had not been independently verified.

7. Bridle Trails Family Dentistry disclosed that 20,976 current and former patients were affected by a data breach stemming from the compromise of an employee email account in November 2024. The potentially exposed information included names, dates of birth, Social Security numbers, medical and treatment records, medical record numbers, health insurance information, driver’s license numbers, and taxpayer ID numbers. The practice said it was unaware of any misuse of the data and has enhanced its security measures.

8. A ransomware attack against the National Federation of Subpostmasters (NFSP) disrupted communications with the UK Post Office after attackers exploited a critical cPanel vulnerability. The attackers encrypted the federation’s website files and demanded a ransom, prompting the Post Office to temporarily suspend email communications with the NFSP as a precaution. While the incident caused ongoing operational disruption, the NFSP said its investigation found no evidence that data had been lost or exfiltrated.

9. More than 25,000 Australian Centre for the Moving Image (ACMI) customers were allegedly impacted after ransomware group 2019 claimed to have breached the organization’s systems and published customer data on a hacking forum. The actor alleged the stolen data included names, email addresses, dates of birth, gender, sign-in details, invoicing information, and IP addresses. ACMI said it was investigating a separate breach involving a third-party system used for its Cinema 3 streaming service, emphasized that payment card details and passwords were not compromised, and had not confirmed the group’s claims.

10. IKEA said it was investigating claims that the LAPSUS$ extortion group had stolen and was attempting to sell 180 GB of internal data allegedly taken from Ingka Group, the retailer’s largest franchisee. The ransomware group claimed the data included source code repositories, e-commerce architecture, supply chain systems, cloud infrastructure, and AI/MLOps projects, but there was no evidence that customer data was involved. IKEA had not confirmed the breach or the authenticity of the claims at the time of publication.

11. An unauthorized third party accessed and exfiltrated customer data from Australian luxury fashion brand Camilla, prompting the company to confirm a cyber incident affecting its Australian operations. The compromised information included customer names, dates of birth, email addresses, and phone numbers stored in its point-of-sale system, while payment card and banking information were not affected. Camilla said it notified impacted customers and the Office of the Australian Information Commissioner, and that business operations continued without disruption while the investigation remained ongoing.

12. More than 17,300 MMJ Real Estate clients may have had their personal data exposed after 2019 ransomware group claimed to have breached the Australian real estate agency and posted the data on a hacking forum. The allegedly compromised records included full names, email addresses, mobile numbers, addresses, business interests, property price ranges, and inquiry timestamps. MMJ said it was aware of the claims, had engaged cybersecurity advisers, and believed the incident had only impacted general enquiry information, with no disruption to business operations.

13. Clarinda Regional Health Center began notifying 24,341 individuals after determining that patient data may have been accessed without authorization during a cyberattack linked to LockBit5 ransomware group. The compromised information included names, dates of birth, medical and health insurance information, financial account numbers, Social Security numbers, driver’s license numbers, and taxpayer identification numbers, although the data varied by individual. The hospital said it implemented additional security measures following the incident and is offering complimentary credit monitoring and identity theft protection to individuals whose Social Security numbers were exposed.

14. Waveny Lifecare Network began notifying 8,548 individuals after determining that an unauthorized third party accessed a limited amount of data during a cybersecurity incident in May 2025. While the organization redacted the specific data types in its regulatory filing, it confirmed the information was detailed in notifications sent to affected individuals. Waveny said it completed its investigation and data review before issuing notifications and is offering complimentary credit monitoring and identity theft protection services as a precaution.

15. NJ Pain Care Specialists disclosed a cybersecurity incident involving unauthorized access to its network between February 25 and February 28, 2026, during which files may have been removed. The potentially compromised data included names, addresses, dates of birth, medical record numbers, clinical and treatment information, prescription details, health insurance information, and driver’s license or other government-issued ID numbers. The practice said its investigation remains ongoing, that it has reported the incident to the HHS using an interim total of at least 501 affected individuals, and that it has strengthened its security policies and safeguards.

16. An alleged ransomware attack targeting Avcon Jet, one of Europe’s largest private aviation companies, was claimed by Qilin ransomware group, which said it had stolen and published sensitive internal data. The leaked files allegedly included employee passports and resumes, aircraft maintenance work orders, export airworthiness certificates, training records, and the company’s cyber incident response plan. Avcon Jet had not confirmed the breach or the authenticity of the claims at the time of reporting.

17. Services Australia denied claims by 2019 ransomware group that it had breached Centrelink, after the hacker advertised the alleged data for sale on a cybercrime forum. The agency confirmed it was aware of the claims but said there was no evidence Centrelink had been compromised, describing the allegations as false. 2019 did not publish proof of the alleged breach, and no customer data exposure was confirmed. 

18. A ransomware attack against Chandrapur Cancer Care Foundation Hospital encrypted the hospital’s entire database, disrupting access to patient records and administrative systems. The attackers demanded 1.23 BTC (approximately $90,000) in exchange for a decryption key, claiming any stolen data would not be shared if the ransom was paid. The incident severely disrupted hospital operations, and authorities launched an investigation into how the attackers gained access to the network.

19. A ransomware attack against Krum Public Library in Texas disrupted computer access, printing, and Wi-Fi services after attackers infiltrated the library’s network. NightSpire ransomware group later claimed it had stolen 50 GB of data, including financial documents, HR records, and supervisor information, although the library did not verify those claims. Officials said the attack was contained to the library’s environment, with no evidence that Social Security numbers or personal financial account information had been compromised, and confirmed that backups prevented any permanent loss of critical data.

20. Nearly 400,000 BCD Travel customers had their personal information exposed after the ShinyHunters extortion group published data online when ransom negotiations allegedly failed. The leaked data included names, email addresses, phone numbers, physical addresses, job titles, employer names, and customer support tickets. ShinyHunters claimed it had stolen more than 30 GB of data, including over 700,000 Salesforce records and internal SharePoint documents, although BCD Travel did not confirm the scope of the breach or the claims.

21. A ransomware attack forced Evanston Township High School District 202 in Illinois to cancel summer school classes, sports camps, and all on-campus activities after disrupting internet access, phone systems, and critical school infrastructure. The district engaged cybersecurity experts, notified the FBI, and launched an investigation to determine whether any data had been accessed or stolen. At the time of the announcement, officials said the full scope of the incident remained under investigation and no ransomware group had claimed responsibility.

22. A claimed ransomware attack against the Shipping Association of New York and New Jersey (SANYNJ) was posted by Qilin ransomware group, raising concerns over potential disruption to one of North America’s busiest port complexes. While Qilin alleged it had stolen and published data, the leak link was unavailable at the time of reporting, leaving the scope of the alleged breach and the types of data involved unverified. SANYNJ had not confirmed the attack or the claims.

23. Tripod Farmers Group, an Australian fresh produce supplier, confirmed it was investigating a cyber incident after Qilin ransomware group claimed responsibility and listed the company on its leak site. Qilin alleged it had exfiltrated company data and briefly published sample files, although the claims could not be independently verified and were later removed. Tripod said unauthorized access had affected part of its systems, that production and customer operations were not disrupted, and that some personal information may have been compromised as it continued notifying affected individuals and investigating the incident.

24. More than 53,300 FirstClass customers may have been affected after 2019 claimed to have breached the Australian luxury travel agency and advertised the data on an underground forum. The hacker alleged the stolen records included names, email addresses, phone numbers, IP addresses, account status, and preferred airport, although analysis of a sample suggested the leaked data primarily contained names, email addresses, and phone numbers. FirstClass had not confirmed the alleged breach or the authenticity of the claims.

25. Australian cosmetics brand Napoleon Perdis was allegedly breached after ransomware group 2019 claimed to have stolen and published customer data on a hacking forum. The actor alleged the leak contained more than 288,000 customer records, including names, email addresses, phone numbers, and account information, although the company had not confirmed the breach or the authenticity of the claims. Napoleon Perdis said it was aware of the allegations and was investigating the incident.

26. 53,800 patients were affected by a cyberattack on Singing River Health System, after Anubis ransomware group claimed responsibility and alleged it had stolen 293 GB of data comprising more than 1.2 million files. The exposed information included names, contact details, Social Security numbers, driver’s license numbers, bank account information, health insurance data, and medical records. While Singing River confirmed the December 2025 breach and notified affected individuals, it did not confirm Anubis’ claims regarding the volume of data stolen.

27. Australian lingerie retailer DeBra’s said it was investigating claims by 2019, which alleged it had stolen and leaked 196,800 customer records and 1.2 million order records. The purportedly compromised data included customer names, addresses, phone numbers, email addresses, loyalty program details, transaction histories, and order information. DeBra’s had not confirmed the breach or verified the authenticity of the claims at the time of reporting.

28. Chelan County, Washington entered its third week of disruption following a malware attack that forced officials to shut down countywide networks, phone systems, email, and public-facing websites. The county said it had no timeline for full recovery, with many public services operating under manual processes while federal law enforcement and third-party cybersecurity specialists investigated the incident. No ransomware group claimed responsibility, and officials had not confirmed whether any data was stolen.

29. Gastro Health began notifying 37,260 patients after phishing attacks in February and March 2026 allowed unauthorized access to multiple employee email accounts. The compromised information included names, dates of birth, Social Security numbers, government-issued ID numbers, medical record numbers, diagnosis and treatment information, prescription details, Medicare/Medicaid information, and health insurance data, although the affected information varied by individual. The medical group is providing 24 months of complimentary credit monitoring and identity theft protection to affected individuals following the incident.

30. Spokane Digestive Disease Center notified patients after unauthorized access to an employee’s email account exposed sensitive personal and protected health information. The compromised data included names, dates of birth, Social Security numbers, driver’s license or state ID numbers, credit card and financial account information, electronic signatures, and medical information. The breach affected 2,093 Washington residents, while an interim report to the HHS listed at least 501 individuals, and the practice is providing 12 months of complimentary credit monitoring to affected patients.

31. Bayside Dental notified 10,216 patients after a cybersecurity incident resulted in unauthorized access to files containing protected health information. The compromised data included names, dates of birth, Social Security numbers, medical treatment and diagnostic information, prescription details, patient numbers, health insurance information, and dates of service. Although the practice did not describe the incident as ransomware, Sinobi ransomware group claimed responsibility and alleged it had stolen 580 GB of data, including patient records. 

32. A cyberattack on Mackay Sugar, Australia’s second-largest raw sugar producer, forced the shutdown of its Farleigh and Racecourse mills, halting cane harvesting for more than 1,300 growers during the peak crushing season. The company engaged cybersecurity specialists and notified authorities while restoring operations and later confirmed it was investigating claims by The Gentlemen ransomware group that it was responsible for the attack. At the time, no evidence had been provided to verify the group’s claims or confirm whether any data had been stolen.

33. Virta Health disclosed a data breach affecting 14,636 individuals after unauthorized access to a non-production data repository between March 19 and 22, 2026. The compromised information included names, Social Security numbers, dates of birth, medical service dates, diagnoses, treatment information, medical record numbers, and other health identifiers. LAPSUS$ extortion group claimed responsibility for the attack and listed Virta Health on its leak site, although the company did not confirm the attribution or whether any data was exfiltrated.

34. Stewart Home & School confirmed that a ransomware attack in August 2025 exposed the personal and protected health information of 3,677 individuals after attackers used stolen credentials to access internal systems, steal data, and encrypt files. The compromised information included names, contact details, Social Security numbers, financial information, health insurance details, diagnoses, medications, test results, and education-related records. Sinobi ransomware group claimed responsibility for the attack.

35. Taos Mountain Casino confirmed it had notified affected individuals following a March 2026 cyberattack that exposed names, addresses, and Social Security numbers. DragonForce ransomware group claimed responsibility for the attack, alleging it stole 38.6 GB of data, although the casino did not confirm the group’s claims or the volume of data exfiltrated.

36. RCI Internet Services, the IT subsidiary of RCI Hospitality Holdings, confirmed that a March 2026 data breach affected 40,178 individuals after unauthorized access to its internal network. The compromised information included names, Social Security numbers, driver’s license numbers, and passport numbers. The company said it notified law enforcement and strengthened its security measures following the incident.

37. South African insurer AVBOB said it was continuing to investigate a cybersecurity incident that disrupted its digital systems and forced the company to rely on manual processes to serve customers. The insurer said it could not yet confirm whether the incident was a ransomware attack or data breach and was still assessing whether customer information had been compromised and how many individuals may have been affected. AVBOB said it had engaged specialist partners to restore systems and investigate the full scope of the incident.

38. A cyberattack forced Great Marlow School in Buckinghamshire, England, to send most of its 1,400+ students home for two days after the incident disrupted the school’s ICT systems. Only students sitting GCSE and A-Level examinations were permitted on campus while the school worked with cybersecurity specialists to restore services. The nature of the attack had not been confirmed, and officials said the investigation was ongoing in coordination with the UK’s National Cyber Security Centre (NCSC).

39. GrayRobinson, P.A. notified 65,113 individuals after determining that a cyberattack between March 5 and 24, 2025 resulted in the theft of files containing personal and protected health information. The compromised data included names, dates of birth, Social Security numbers, driver’s license and government-issued ID numbers, financial account information, medical information, and health insurance details, with 54,131 individuals having protected health information exposed.

40. Interlock claimed responsibility for the cyberattack on Reynella East College, alleging it stole about 610 GB of data after the breach knocked the South Australian school’s ICT systems offline. The group claimed the leak included more than 473,000 files across 68,000 folders, including student and staff IDs, contracts, financial reports, contact details, teaching documents, passwords, and passport scans. The Department for Education said the posted information remained unverified.

41. Australian educational publisher R.I.C. Publications confirmed it was investigating claims that 2019 had published the personal information of more than 116,000 customers on a cybercrime forum. The allegedly compromised data included names, email addresses, phone numbers, physical and IP addresses, school affiliations, and order histories. The company said it had engaged cybersecurity experts and advised customers to remain alert for phishing and scam attempts while the investigation remained ongoing.

42. The University of Nottingham confirmed that a cyberattack exposed the personal data of approximately 454,600 current and former students and alumni after ShinyHunters leaked the stolen information online. The group claimed it had exfiltrated more than 40 GB of data, including names, contact details, student and staff IDs, course information, financial records, national insurance numbers, and billing data from the university’s UK, Malaysia, and China campuses. The university said it had taken the affected systems offline, notified impacted individuals, and was working with the UK Information Commissioner’s Office (ICO) and Action Fraud while its investigation continued.

43. Global Schools Group (GSG) confirmed it was investigating a cyberattack after FulcrumSec extortion group claimed to have stolen 4.8 TB of data spanning its international network of schools. FulcrumSec alleged the stolen data included 33,088 passport numbers belonging to students and parents, approximately 9.4 million internal messages, staff and parent communications, salary records, teacher credentials, and other sensitive records. GSG said it had contained the incident, restored affected systems, and notified relevant authorities, but did not verify the scope of FulcrumSec’s claims.

44. Ochre Health confirmed it was investigating a cyber incident after 2019 allegedly compromised a third-party HotDoc platform account linked to its Tuggeranong Medical Centre, potentially exposing the records of more than 25,000 patients. The allegedly compromised data included names, dates of birth, contact details, Medicare and DVA numbers, appointment information, and medical records. Ochre Health said the incident was limited to two compromised HotDoc user accounts, its broader IT environment remained unaffected, and it was working with the OAIC, ACSC, and cybersecurity specialists while determining the full scope of the breach. 

45. Italian waste management company ViAmbiente/Soraris disclosed that a ransomware attack on April 27, 2026 resulted in the exfiltration of a limited amount of personal data from systems at its Sandrigo facility. The potentially compromised information related to users of waste management services across multiple municipalities and included names, identification document details, and cadastral (property) data. The company said it contained the incident, notified the relevant authorities and affected municipalities, and stated that only a limited portion of its infrastructure and data was impacted.

46. Novo Nordisk confirmed that unauthorized access to a limited number of internal IT systems resulted in the theft of pseudonymized clinical trial data and certain healthcare professional information. Shortly afterward, FulcrumSec extortion group claimed responsibility, alleging it had stolen 1.3 TB of data, including clinical trial records, proprietary drug research, source code, employee data, and AI models, and demanded a $25 million ransom. Novo Nordisk did not verify the scope of the claims but said its core business operations were unaffected and that no directly identifiable patient information had been exposed.

47. The Council of Europe said it was investigating claims by the ShinyHunters extortion group that it had stolen 297 GB of HR and payroll data affecting more than 10,000 current and former employees, contractors, and job applicants. ShinyHunters alleged the stolen dataset contained more than 429,000 files, including 409,000 payslips, 14,000 CVs, personnel files, bank account details, tax and social security information, salaries, and medical records. At the time of reporting, the Council of Europe had not confirmed the breach or the authenticity of ShinyHunters’ claims.

48. JCPenney said it was investigating claims by ShinyHunters that it had stolen sensitive employee data from the retailer and several affiliated Catalyst Brands businesses. ShinyHunters alleged the compromised data included Social Security numbers, dates of birth, W-2 tax records, payroll information, and scans of government-issued IDs, but did not provide evidence to verify the claims, and it remained unclear whether any customer data was involved. JCPenney had not confirmed the breach or the authenticity of the allegations.

49. An alleged cyberattack targeting California Water Service (Cal Water) was claimed by Handala hacking group, which said it had stolen and published 5 GB of data from the utility. The leaked information allegedly included customer names, addresses, phone numbers, account numbers, payment histories, and credentials from an internal GPS mapping system used by field crews. Cal Water said it was investigating the claims and emphasized there was no evidence that its water production or distribution systems had been compromised.

50. M1xchange, India’s RBI-approved Trade Receivables Discounting System (TReDS) platform, denied claims by World Leaks that it had breached the company’s systems. World Leaks listed M1xchange on its leak site and threatened to publish stolen data if negotiations did not occur, but no evidence of exfiltrated data was released. M1xchange said there had been no data breach or data leak involving its operating platform or core systems.

51. Eastman Kodak confirmed that an unauthorized third party temporarily accessed a limited amount of company data after ShinyHunters claimed it had stolen more than 2.2 million customer and corporate records. ShinyHunters alleged the data included customer personally identifiable information and internal corporate data, and threatened to publish it unless Kodak engaged by a set deadline. Kodak said it had engaged external cybersecurity experts and notified law enforcement, but did not verify the scope of ShinyHunters’ claims, adding that there was no threat to its systems or operations.

52. Clinical Registry Solutions notified patients of Dignity Health’s St. Mary’s Medical Center after an April 2026 cyberattack resulted in the theft of files containing patient data. The compromised information included patient names, procedure dates, and medical record numbers, while Social Security numbers, diagnoses, and treatment information were not affected. Although not acknowledged by the company, the Akira ransomware group claimed responsibility for the attack, alleging it stole 41 GB of data, including employee passports, Social Security numbers, and driver’s license information.

53. Columbia Orthopaedic Group was sued in a proposed class action after the LockBit5 ransomware group claimed it had breached the Missouri healthcare provider and posted stolen patient data on the dark web. The lawsuit alleged the practice failed to adequately protect sensitive patient information, including by not encrypting or redacting data, and sought damages for negligence and privacy violations. At the time of the filing, Columbia Orthopaedic Group had not publicly confirmed the breach or disclosed the scope of any data compromise.

54. German housing company Neuwoges said it would not pay a multimillion-euro ransom after an international hacking group stole around 39,000 files from private and business customers. The potentially exposed data included private customer names, addresses, dates of birth, and bank details, as well as business invoices and other company-related information. Neuwoges said affected customers had been notified.

55. Ecovacs said it was investigating claims after the SpaceBears ransomware group listed the robot vacuum manufacturer on its leak site and alleged it had stolen 2 TB of company data. SpaceBears claimed the data included internal documents, source code, financial records, customer information, and employee data, but did not provide evidence to substantiate the allegations. At the time of reporting, Ecovacs had not confirmed a breach or verified the authenticity of the ransomware group’s claims.

56. Southern Illinois Ob-Gyn Associates notified 38,700 current and former patients after a cybersecurity incident resulted in unauthorized access to its network and the exposure of sensitive personal and protected health information. The compromised data included names, dates of birth, Social Security numbers, demographic information, health information, and health insurance information.

57. Prince George County, Virginia confirmed a cybersecurity incident after a network outage disrupted county phone, internet, and online payment systems beginning June 11, 2026. While RansomHouse later claimed it had encrypted the county’s systems and posted an alleged “evidence pack,” officials did not confirm the ransomware claim, any data theft, or a ransom demand, stating the allegations remained under investigation. The county said most systems had been restored with the help of external cybersecurity experts and law enforcement, while critical public safety services remained operational throughout the incident.

58. Kee Wah Bakery, one of Hong Kong’s best-known bakery chains, confirmed that a ransomware attack on its internal network potentially exposed the personal information of employees, business partners, online customers, and loyalty program members. The company said it could not confirm whether any data had been exfiltrated but had begun notifying potentially affected individuals as a precaution. Kee Wah emphasized that payment and credit card information was not compromised, reported the incident to Hong Kong’s privacy regulator and police, and engaged cybersecurity experts to investigate and strengthen its systems.

59. Elmwood Home Care disclosed a cybersecurity incident after unauthorized access to its systems exposed patient information. The compromised data included names, dates of birth, Social Security numbers, driver’s license numbers, demographic information, medical information, and health insurance details. While the number of affected individuals had not been disclosed, LockBit5 ransomware group claimed responsibility for the attack, and the provider said it was strengthening its security controls in response.

60. The New South Wales government rejected claims by the Nova ransomware group that it had stolen more than 200 GB of sensitive government data, saying there was no evidence of any compromise. Officials said the sample files published by the ransomware group consisted of historical documents that were already publicly available, and that public sector agencies had investigated the allegations. Nova later removed the NSW Government listing.

61. Madison Square Garden Sports was allegedly breached by ShinyHunters, which published 45 GB of data after the company reportedly missed a ransom deadline. The leaked data allegedly included more than 26 million customer and corporate records, customer support emails, and internal “talent” files containing contact information, appearance fees, home addresses, and risk ratings for celebrities and high-profile individuals. Madison Square Garden Sports had not publicly confirmed the breach or verified the scope of the claims.

62. The National Association of Insurance Commissioners (NAIC) confirmed that attackers exploited a zero-day vulnerability in Oracle PeopleSoft to gain unauthorized access to part of its environment. ShinyHunters claimed responsibility, alleging it stole 3.1 TB of data, but the NAIC said its investigation found the claims were overstated and that there was no evidence personal information, banking data, payment information, or state insurance department systems were compromised. The organization said the incident was contained, the access path was remediated, and the FBI and external cybersecurity experts were assisting with the investigation.

63. Mount Royal University in Calgary responded to a cyber incident that disrupted access to its website, internet, phone systems, and other campus services. The university said it contained the incident, engaged external cybersecurity experts, and notified law enforcement, while confirming that classes and exams continued as scheduled and that campus safety and emergency systems were not affected. The nature of the attack and whether any personal information had been compromised remained under investigation.

64. Nelson University disclosed a ransomware attack after unauthorized access to its systems potentially exposed sensitive personal information. The affected data may have included names, Social Security numbers, and financial account information, with the number of impacted individuals not yet disclosed. Qilin ransomware group claimed responsibility about 10 days later and allegedly published stolen university data on its Tor leak site.

65. Blue Fish Pediatrics began notifying 41,485 Texas residents after determining that a July 2025 cyberattack exposed sensitive patient information. The compromised data included names, dates of birth, medical record numbers, diagnoses, lab results, medication and claims information, and, for some individuals, Social Security numbers and driver’s license or state ID numbers.

66. iRhythm Holdings disclosed a cybersecurity incident after attackers used social engineering to gain unauthorized access to third-party-hosted business applications containing sensitive data. The company confirmed that proprietary information, protected health information (PHI), and other personal data were exfiltrated before the threat actor demanded payment to prevent the data from being published. iRhythm said the incident did not affect its clinical or medical device systems, patient safety, manufacturing operations, or payment card data, and the number of affected individuals has not yet been disclosed.

67. Kinetic Education, a Victoria-based K-12 tutoring provider, was listed by Qilin ransomware group on its darknet leak site. Qilin did not disclose the amount or type of data allegedly stolen, publishing only the company’s logo and basic details of the claim. Kinetic Education had not responded publicly or confirmed the alleged breach.

68. REIC Rentals disclosed that an unauthorized third party accessed its network in February, potentially exposing names and Social Security numbers belonging to an undisclosed number of individuals. The equipment rental company said it completed its review of the affected data in late February and began notifying impacted individuals in April.

69. Alcott HR disclosed that an unauthorized actor accessed internal systems in February 2025, exposing employee personal information including names, Social Security numbers, and dates of birth. The company completed its review in March 2026 and began notifying affected individuals in June 2026, while confirming that its iSolved human capital management platform, which stores payroll, tax, benefits, and banking information, was not compromised.

70. Jamaica’s National Health Fund (NHF) continued investigating a cyber incident after PEAR extortion group claimed to have stolen sensitive beneficiary data. The group alleged it had exfiltrated financial records, HR data, provider and vendor information, thousands of patients’ personally identifiable and protected health information, email correspondence, and database exports. NHF said the claims remained unverified, services were unaffected, and it was working with the Major Organised Crime and Anti-Corruption Agency (MOCA), the Office of the Information Commissioner, and external cybersecurity experts while strengthening its security controls.

71. Nintendo of America confirmed that a cyberattack affecting TinyPulse, a third-party employee survey platform, resulted in the theft of a limited amount of internal employee survey data. Shadowbyt3$ claimed it had stolen nearly 1 GB of data spanning 2016–2026, including employee names, email addresses, survey responses, analytics, bank statements, W-9 forms, and internal reports, and demanded a $2 million ransom. Nintendo said its own systems were not compromised, no customer or financial data was accessed, and the exposed information was limited to survey content involving a small subset of employees, with much of the data dating back several years.

72. Melbourne-based Elina Medical Weight Loss Clinic confirmed it was investigating claims after 2019 alleged it had breached the clinic and stolen data relating to more than 28,000 patients across over 300,000 records. 2019 claimed the compromised data included patient names, contact details, dates of birth, medical information, consultation records, pathology results, prescriptions, Medicare details, and payment information. At the time of reporting, Elina Medical had not verified the authenticity or scope of the claims and said its investigation was ongoing.

73. Harcourts said it was investigating claims after SafePay ransomware group listed the global real estate company on its leak site. While the group alleged it had compromised Harcourts’ systems, it did not publish any evidence or disclose what data had allegedly been stolen. Harcourts said it had found no evidence that its systems or customer data had been impacted but was continuing to investigate the claims with cybersecurity specialists.

74. Cherry Health issued a preliminary notice after detecting suspicious activity on its network in April 2026, confirming that an unauthorized actor accessed and copied data belonging to current and former patients and staff. The potentially compromised information included names, addresses, phone numbers, dates of birth, health insurance information, patient ID numbers, provider names, service dates, and, in some cases, Social Security numbers. The number of affected individuals has not yet been disclosed, and while the incident was widely reported as a suspected ransomware attack, no ransomware group had claimed responsibility at that time.

75. Klue confirmed that attackers used a compromised legacy integration credential to steal Salesforce OAuth tokens, allowing the Icarus extortion group to access CRM data from hundreds of downstream customers. Klue said the incident affected connected Salesforce data rather than its core platform and revoked the compromised credentials.

76. Moody Bible Institute disclosed that it was investigating a cyber incident after detecting unauthorized access to part of its IT environment. While the institute did not confirm the nature or scope of the breach, ShinyHunters claimed it had stolen more than 23 GB of data, including 46 million communication records, 2.2 million enrollment lead records, donor data, payroll files, and student records. Moody said it had engaged external cybersecurity experts, notified law enforcement, and was continuing to assess whether any personal information had been compromised. 

77. Bellflower Unified School District notified an undisclosed number of current and former students, parents, and employees after confirming that an August 2025 cyberattack exposed sensitive personal information, including Social Security numbers. Rhysida claimed responsibility, alleging it stole 4.5 TB of data comprising more than 2.3 million files and demanded a 10 BTC ransom. The district said current student records stored in its Aeries system were not affected, is offering complimentary credit monitoring, and has not confirmed Rhysida’s claims.

78. Senegal’s Court of Auditors (Cour des Comptes) confirmed it had detected a technical incident affecting its information systems after Krybit ransomware group claimed to have stolen 20 GB of data and threatened to publish it. The institution said it had implemented containment measures with the relevant authorities and was assessing the impact, while not confirming the ransomware group’s claims or any data theft. 

79. Southern Design RV, a Ballarat-based caravan and RV dealer, was listed by CMD Organization, which claimed it had stolen customer data and posted a sample on its leak site. The allegedly compromised information included names, addresses, email addresses, phone numbers, and purchase details. CMD Organization reportedly auctioned the data for 5 BTC, while Southern Design RV had not publicly confirmed the breach or verified the group’s claims.

80. One Medical disclosed that an unauthorized actor accessed a third-party file storage system containing archived One Medical Seniors (formerly Iora Health) patient records. The incident was limited to legacy demographic and clinical records, with no impact on One Medical’s electronic medical record system or other Amazon systems. ShinyHunters claimed it stole 8.8 TB of data, although One Medical did not verify the claim or disclose how many patients were affected.

81. Xsolis, a healthcare AI and utilization management provider, disclosed that a targeted phishing attack resulted in unauthorized access to patient data affecting 1,396,519 individuals. The compromised information included names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment details. Xsolis said it had no evidence the data had been misused, and no ransomware group had claimed responsibility at the time of disclosure.

82. Florida Retina Center notified 13,652 patients after confirming that unauthorized access to parts of its network exposed sensitive personal and medical information. The compromised data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. The provider said it had no evidence of data misuse.

83. Nottingham Village notified 5,240 individuals after confirming that a November 2025 security incident exposed sensitive personal and health information. The compromised data included names, dates of birth, Social Security numbers, driver’s license or state ID numbers, financial account information, medical information, and health insurance details. The facility said it continues to review and strengthen its security practices following the incident.

84. Vienna Airport (Flughafen Wien AG) investigated claims by Bashe that it had stolen more than 500,000 emails and 4,470 files from the airport. Bashe published 2025 cargo documents as proof, but the airport said the files were outdated and taken from a single email account, with no evidence of a large-scale cyberattack or compromise of passenger or business-critical data. Airport operations continued without disruption while authorities and external cybersecurity experts investigated the incident.

85. Lifepoint Health disclosed a limited data breach after a compromised user account allowed an unauthorized party to access certain internal databases on February 22, 2026. The incident affected employees of contracted vendors only, exposing names, addresses, phone numbers, dates of birth, and Social Security numbers. Lifepoint said the breach was contained within 24 hours and patients and direct employees were not affected.

86. Ransomware group 2019 claimed it had breached the National Portrait Gallery of Australia and stolen customer and client data, including names, email addresses, and location data. The gallery said it was investigating the allegations but had not confirmed any compromise or verified the scope of the claimed breach.

87. Tata Electronics confirmed a cybersecurity incident after World Leaks claimed to have stolen and published more than 200,000 files (around 630 GB) from its systems. The alleged leak included confidential Apple and Tesla documents, such as component specifications, engineering drawings, manufacturing records, employee passport scans, and files labelled “com.apple.factorydata”, prompting Apple to investigate the incident. Tata said the breach did not impact its operations, but reports indicated the company received a ransom demand.

88. Stadttheater Gießen was hit by a cyberattack that disrupted email, phone systems, and access to server data, forcing staff to revert to manual operations while recovery efforts continue. The Gentlemen ransomware group later claimed responsibility, threatening to publish allegedly stolen data unless negotiations began. The theatre said performances and ticket sales remained unaffected, while authorities and cybersecurity specialists continued investigating the incident.

89. The Central Bank of Libya (CBL) said it had fully contained the cyber incident disclosed on 9 June, despite Qilin ransomware group claiming responsibility for the attack. The bank said comprehensive investigations found no evidence that customer accounts, balances, financial assets, or banking data had been compromised, and confirmed the impact was limited to a small number of technical systems while recovery efforts and security enhancements continued.

90. Glendale Community College disclosed that unauthorized access to its systems resulted in the potential theft of student educational records. The potentially compromised data included names, Social Security numbers, driver’s license numbers, passport numbers, financial aid information, and health-related information, while the college said it had no evidence that employee data was affected. ShinyHunters extortion group claimed responsibility, alleging it stole more than 62 GB of data, over 304,000 files, and records relating to more than 150,000 students, though the college did not verify those claims.

91. Bajaj Auto confirmed that a ransomware attack affected the IT systems of both the company and its subsidiary, Bajaj Auto Technology Ltd (BATL), prompting an immediate incident response and notification to CERT-In. The manufacturer said its containment measures were successful and that manufacturing, sales, customer services, and other key business operations continued to function normally, while the investigation into the incident remained ongoing. The company did not disclose whether any data had been stolen or identify the ransomware group behind the attack.

92. AYA Bank, one of Myanmar’s largest private banks, acknowledged that a legacy application portal had been breached, exposing non-financial customer application records, while maintaining that its core banking system, AYA Pay, card systems, and customer financial data were not affected. The LAPSUS$ extortion group disputed that account, claiming it had stolen around 120 GB of data from the bank’s core systems, including personally identifiable information, payment records, and card-related files, although those claims have not been independently verified.

93. Nova ransomware group claimed responsibility for a cyberattack against the New South Wales Rural Fire Service (NSW RFS), alleging it had stolen 300 GB of data from the agency’s systems. NSW RFS confirmed it was investigating a cybersecurity incident involving unauthorized access to its IT environment but said firefighting operations were not affected, and that many of the potentially exposed files appeared to be historical, with no evidence of sensitive personal information being accessed or misused.

94. Minnesota Epilepsy Group began notifying current and former patients after confirming that unauthorized access to its network exposed sensitive patient information. The compromised data included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details, with the information varying by individual. The provider said it had strengthened its security measures and is offering complimentary credit monitoring and identity theft protection to individuals whose Social Security numbers were exposed.

95. Campbell University disclosed a cybersecurity incident involving unauthorized access to a cloud-based data storage platform, potentially exposing a wide range of personal, financial, student, and protected health information. While the investigation remains ongoing and the total number of affected individuals has not yet been determined, the university has reported the incident to the HHS Office for Civil Rights as affecting at least 500 individuals. Campbell said it has reset passwords, rebuilt the affected platform, strengthened access controls, and implemented additional security measures in response.

96. Kentucky Mountain Health Alliance disclosed a data breach involving unauthorized access to patient information, with some files confirmed to have been copied. The compromised data included names combined with information such as Social Security numbers, driver’s license or passport numbers, financial account and payment card details, health insurance information, and medical records. The nonprofit has not disclosed how many individuals were affected.

97. Challenge Manufacturing disclosed a ransomware attack after Chaos claimed to have stolen 270 GB of data from the automotive supplier. The breach exposed names, Social Security numbers, and medical information, with at least 1,661 Texas residents confirmed to be affected, although the total number of impacted individuals nationwide has not been disclosed. 

98. South Florida Injury Centers reported a hacking-related data breach affecting 1,525 patients after Kairos claimed responsibility. Kairos alleged it had stolen 45 GB of data and published samples containing patient names, contact information, driver’s license numbers, Social Security numbers, and medical histories before later leaking the dataset, suggesting the ransom demand was not paid.

99. A cyberattack disrupted the District of Columbia Housing Authority (DCHA), taking its website and several internal systems offline. While the incident affected online services and some administrative functions, housing assistance and landlord payments were expected to continue, and officials said there was no confirmation that personal data had been compromised. DCHA is working with cybersecurity experts to investigate the incident and restore affected systems, with no ransomware group claiming responsibility.

100. River Financial Corporation, the parent company of River Bank & Trust, disclosed a ransomware attack after an unauthorized third party gained access to its network and deployed ransomware across portions of its server environment. The company said certain operations were disrupted, but it has not yet determined whether any personally identifiable information was accessed or exfiltrated, and the investigation remains ongoing with the assistance of external forensic experts.

101. Amicus Solutions (Fedora Solutions) disclosed a cybersecurity incident affecting 1,137 individuals, including patients of OneOncology practices such as New York Cancer and Blood Specialists. The attackers exfiltrated data and published some of it online, exposing names, contact information, dates of birth, Social Security numbers, medical information, and health insurance details. Amicus said its clients’ networks were not compromised and no misuse of the data had been identified.

102. A suspected cyberattack compromised Brazil’s Civil Defense emergency alert system, sending false “Extreme Alert” notifications containing the word “misantropi4” to mobile phones across multiple states. Authorities temporarily shut down the national alert platform, launched a Federal Police investigation, and said there was no evidence the core infrastructure had been structurally compromised, although the incident exposed weaknesses in the country’s emergency notification system.
