This Week’s Cybersecurity News: From Broken Updates to Exposed Access Brokers

Published
Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Digital systems shape everyday life, often in ways people notice when something breaks. They reveal how personal data is quietly collected, traded, and used to make decisions about healthcare access, insurance, and consumer trust, often without clear consent.

Malware operations unraveled through technical flaws showed how vulnerability exploitation can open the door to valuable threat intelligence, all while defenders and regulators were busy with infrastructure takedowns, legal enforcement, and framework-driven security models.

As societies grow increasingly dependent on online systems that remain fragile and unevenly governed, this week’s cyber incidents showed again how digital failures translate into real-world consequences.

California Privacy Regulator Fines Datamasters, Bans Data Broker

California’s privacy regulator fined Datamasters $45,000 for illegally selling sensitive personal data. The unregistered broker was barred from reselling Californians’ information under state privacy law. Investigators found Datamasters traded medical and behavioral data for targeted advertising. The order mandates deletion of all California resident data by December 31, 2025.

Court Sentences Hacker for Rotterdam, Antwerp Port Cyberattacks

A Dutch national has been sentenced to seven years in prison for hacking ports in Rotterdam and Antwerp to facilitate drug trafficking. The hacker compromised a port logistics firm by bribing an employee to install a remote access tool via USB sticks for data exfiltration. The insider used the Sky ECC encrypted chat service to communicate and accepted a €10,000 bribe.

FTC Bans GM From Selling Driver Data Used by Insurers

Driving data was influencing insurance decisions as General Motors, through its OnStar system, collected detailed location and driving behavior data from vehicles without clear user consent. This data was sold to consumer reporting agencies, which then shared it with insurance companies. Insurers used the data to assess driving risk, sometimes raising premiums, limiting coverage, or denying policies altogether. 

Belgian Hospital AZ Monica Disrupts Care After Cyberattack

Belgian hospital AZ Monica shut down all servers early Tuesday after a cyberattack. The incident forced the cancellation of scheduled procedures and reduced emergency department capacity across its Antwerp and Deurne campuses. Critical care services were taken offline, leading to the transfer of seven patients to other hospitals. Non-urgent consultations were postponed due to inaccessible digital medical records.

Uganda Cuts Internet Access Ahead of National Elections

Ugandan authorities imposed a nationwide internet blackout and suspended some mobile services ahead of Thursday’s general election. The Uganda Communications Commission began shutting down access earlier this week. Authorities said the restrictions aim to curb misinformation and electoral fraud. Similar shutdowns were imposed during Uganda’s 2021 elections, which were followed by deadly unrest.

Microsoft, Europol Disrupt RedVDS Cybercrime Hosting Platform

Microsoft’s Digital Crimes Unit supported an international law enforcement operation to dismantle RedVDS, a cybercrime hosting service used for fraud. Authorities seized key domains and infrastructure through coordinated actions in the US, UK, and Germany. RedVDS offered low-cost virtual machines with unlicensed software for phishing and BEC attacks. The platform was linked to millions of phishing emails daily.

Sicarii Ransomware Raises Attribution Questions Over Identity

Check Point Research has identified Sicarii as a newly observed ransomware-as-a-service operation that emerged in late 2025. The group publicly presents itself using Israeli and Jewish symbolism, but researchers observed that its Hebrew content appears non-native, while most underground activity is conducted in Russian. These linguistic and behavioral inconsistencies raise questions about the group’s identity. Overall, the findings suggest Sicarii may be an early-stage or experimental operation.

Ransomware Activity Hit Record Levels in 2025, Manufacturing Most Affected

Ransomware activity surged 58% year over year in 2025, with a record 7,515 victims publicly claimed by threat actors. The GRIT 2026 report tracked 124 active ransomware groups, reflecting ecosystem expansion. Manufacturing emerged as the most targeted sector, accounting for 14% of observed victims globally. Qilin and Akira rose following law enforcement disruptions of earlier leaders. The increase is attributed to vulnerability exploitation, affiliate migration, and scalable attack models.

NSA Issues Early Zero Trust Guidance to Close Visibility Gaps

The National Security Agency has released the first two documents in its Zero Trust Implementation Guidelines series. The Primer outlines a phased, modular framework aligned with the Department of Defense zero trust strategy, with an emphasis on governance. The Discovery Phase directs organizations to formally inventory assets, identities, data, and access paths. The guidance is intended to prevent zero trust controls from being deployed on incomplete or outdated assumptions.

Microsoft Windows Update Disrupts Cloud PC Access for Enterprise Customers

Microsoft confirmed that a Windows update is blocking access to some Windows 365 Cloud PC sessions. The issue is causing sign-in failures and intermittent connection problems for enterprise customers using Azure Virtual Desktop. The incident highlights how security updates can unintentionally disrupt critical cloud-based enterprise services, and it raises concerns for enterprises about update testing and rollback readiness.

AWS Launches European Sovereign Cloud to Address EU Data Sovereignty

AWS announced the launch of a European Sovereign Cloud designed to operate fully within the EU, both physically and logically. The new cloud will be run by EU-based entities, governed by European law, and free of critical dependencies on non-EU infrastructure. AWS said the move aims to give European customers stronger control over data residency, compliance, and operational autonomy.

Grubhub Confirms Breach as Hackers Download Data

Grubhub confirmed unauthorized access and data downloads from its internal systems. Reports suggest the incident may be linked to third-party platform access and credential abuse. The breach adds to growing concerns around supply chain risk and recurring security incidents affecting large consumer platforms. It follows recent security incidents at the company, including a disclosed breach earlier this year.

Anthropic Claude Vulnerability Exposes Cowork AI to Data Exfiltration

Anthropic’s Claude Cowork research preview is vulnerable to indirect prompt injection attacks that enable file exfiltration. Researchers demonstrated how malicious documents can manipulate Claude into uploading local files via the trusted Files API. The issue mirrors a previously disclosed Claude Code vulnerability that was acknowledged but not fully mitigated. The attack worked against multiple Claude models, including more injection-resistant variants.

Jordanian Initial Access Broker Pleads Guilty to Selling Network Access

A Jordanian national pleaded guilty to selling illicit network access to at least 50 companies. The defendant operated under the alias “r1z”. Court records show he sold firewall exploits and offered advanced malware capable of disabling multiple endpoint detection and response tools. Investigators traced his identity through reused email addresses, payments, and forum accounts.

StealC Malware Operators Exposed After XSS Flaw Leaks Attacker Intelligence

A cross-site scripting flaw in StealC’s web-based control panel allowed researchers to monitor active malware operator sessions. One identified StealC customer ran large-scale malware campaigns throughout 2025 using hijacked YouTube channels. The operation resulted in thousands of victim logs and hundreds of thousands of stolen credentials. Researchers traced the attacker’s system configuration, time zone, and internet provider after a VPN lapse.

Authorities Identify Black Basta Ransomware Leader, Add Him to Wanted Lists

German and Ukrainian law enforcement have confirmed the identity of the leader behind the Black Basta ransomware gang. Germany’s BKA named Oleg Evgenievich Nefedov, a Russian national, as the operation’s founder and chief organizer. Raids in western Ukraine led to the seizure of digital storage devices and cryptocurrency assets. Investigators linked Nefedov to Black Basta through leaked internal chats and aliases used across cybercrime forums.

Critical ServiceNow Flaw Allowed Platform Takeover via AI Chatbot

Researchers disclosed a critical authentication flaw that could allow attackers to take over ServiceNow instances. The issue stemmed from a shared credential used by third-party chatbot integrations and weak identity verification. Attackers only needed a user’s email address and tenant details to impersonate accounts. ServiceNow fixed the issue after disclosure and said it saw no evidence of exploitation.

Reading Between the Lines of This Week’s Cyber Incidents

These incidents reflected the unexpected impact of security updates and the exploitation of AI systems via indirect prompt injection, reinforcing that automated systems require stronger controls.

Healthcare and patient care continue to hang in the balance as attackers show no signs of slowing. Where ransomware continues to grow year on year, the guilty plea of a Jordanian broker who sold initial access showed how investigations can disrupt even established ransomware groups.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: