Author: VictorAdmin5

Luxury jewelry company Cartier disclosed on June 3, 2025 that it had its web site hacked and some client data stolen.

Cartier, whose watches, necklaces and bracelets have been worn by celebrities such as Taylor Swift, Madonna and Angelina Jolie, said to its customers: “We are writing to inform you that an unauthorized-party gained temporary access to our system and obtained limited client information”.

“We contained the issue and have further enhanced the protection of our systems and data.”

The company said that the compromised information included names, email addresses, and countries where the customer resides.

Cartier stresses that the breach did not include more sensitive data, such as passwords, credit card numbers, or banking details.

It asked its customers to remain alert for any unsolicited communications or any other suspicious correspondence.

Read more about it here.

Apple revealed on May 27, 2025 that it prevented over $9 billion in fraudulent transactions in the last five years, including more than $2 billion in 2024 alone, highlighting its ongoing efforts to keep users safe.

Some of the other noteworthy statistics shared by Apple for 2024 are:

• Detected and blocked more than 10,000 illegitimate apps on pirate storefronts.
• Stopped nearly 4.6 million attempts to install or launch apps distributed illicitly outside the App Store or approved third-party marketplaces.
• Rejected more than 1.9 million App Store submissions for failing to meet Apple’s standards for security, reliability, privacy violations, or fraud concerns.
• Removed more than 37,000 apps for fraudulent activity.
• Rejected over 43,000 app submissions for containing hidden or undocumented features.
• Rejected over 320,000 submissions that copied other apps, were found to be spam, or otherwise misled users
• Rejected 400,000 app submissions for privacy violations.
• Removed more than 143 million fraudulent ratings and reviews from the App Store.
• Identified nearly 4.7 million stolen credit cards and banned over 1.6 million accounts from transacting again.

Read more about it here.

Google will pay Texas $1.375 Billion to settle two lawsuits over tracking users locations and storing biometric data without consent. This amount far exceeds previous fines over its location tracking practices: In November 2022, it paid $391 million to a group of 40 states. In January 2023, it paid $29.5 million to Indiana and Washington. In September 2023, it paid another $93 million to California.

Filed in 2022, the case accused Google of unlawfully tracking geolocation, incognito searches, and collecting biometric data without consent, even with Location History turned off.

The settlement represents a major privacy victory for Texas and a stark warning to companies against violating user trust.

Read more about it here.

Luxury UK retailer and department store Harrods confirmed on May 1, 2025 a cyberattack. This is the third UK retailer suffering a cyberattack, following earlier cyber-attacks on Co-operative Group (Co-op) and Marks and Spencer (M&S).

“We recently experienced attempts to gain unauthorised access to some of our systems.” reads a statement published by the company. “Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”

“Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.”

As of this writing, none of the retailers affected have instructed customers to take any action.

A hacking group called Scattered Spider is believed to be behind the M&S cyberattack.

Read more about it here.

WhatsApp has introduced an extra layer of privacy called Advanced Chat Privacy, that allows users to block participants from sharing the contents of a conversation in both traditional chats and chat groups.

“This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy,” WhatsApp said in a statement.

When this optional feature is enabled, it prevents other chat participants from exporting chats, auto-downloading media to their phone, and using messages for AI features. It’s worth noting that users can still take individual screenshots, or manually download the media.

​The new Advanced Chat Privacy feature is part of a broader effort to make communicating using WhatsApp more secure.

Read more about it here.

Car rental giant Hertz has announced and begun notifying its customers of a data breach that included their personal information and driver’s licenses. The data breach affected at least 100,000 customers.

The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors, Cleo, providing file transfer platform used by Hertz.

“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”

The stolen data varies by individual and region, but includes customer names, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims. Hertz said a smaller number of customers had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID, or injury-related information associated with vehicle accident claims, were impacted by the event.

Hertz has disclosed the breach with several US states, including California, Maine, and Texas. Hertz said at least 3,400 customers in Maine were affected, and some 96,665 customers in Texas, but neither listed the total number of affected individuals.

Read more about it here.

Laboratory Services Cooperative (LSC) is a non-profit US organization providing laboratory services, primarily to Planned Parenthood clinics, in 31 states. It is based in Seattle, Washington.

“On October 27, 2024, LSC identified suspicious activity within its network,” reads the notice.

“In response, LSC immediately engaged third-party cybersecurity specialists to determine the nature and scope of the incident and notified federal law enforcement.”

“The investigation revealed that an unauthorized third party gained access to portions of LSC’s network and accessed/removed certain files belonging to LSC.”

The information exposed for each individual varies and may include one or more of the following data types:

Personal identifiers: Full name, SSN, driver’s license or passport number, date of birth, and government-issued IDs.
Medical info: Dates of service, diagnoses, treatments, lab results, provider, and facility details.
Insurance info: Plan type, insurer, and member/group ID numbers.
Billing and financial data: Claims, billing details, bank and payment card info.
According to an April 10, 2025 filing submitted to the Maine’s AG Office, the data breach impacts 1,600,000 people.

For LSC employees, the breach may also include information about their dependents or beneficiaries, if such details were provided to LSC.

Read more about it here.

Pennsylvania’s largest Workers and Teachers’ Union, PSEA, has exposed the personal information of over half a million individuals. PSEA is a labor union that represents public school teachers, higher education faculty members, school support staff, and retired educators across the Keystone State.

“PSEA experienced a security incident on or about July 6, 2024 that impacted our network environment,” the organization said in breach notification letters sent on March 17, 2025 to 517,487 individuals. “Through a thorough investigation and extensive review of impacted data which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.”

PSEA says the stolen information varies by individual and consists of personal, financial, and health data, including driver’s license or state IDs, social security numbers, account numbers and PINs, account usernames and passwords, security codes, payment card information, passport information, taxpayer ID numbers, health insurance and medical information.

While the workers and teachers’ union has not disclosed the threat actor’s identity, the Rhysida ransomware took credit for the PSEA data breach in September 2024 and listed the labor union on its data leak site.

A law firm is currently investigating whether affected individuals are entitled to compensation.

Read more about it here.

On March 9, 2025, threat intelligence firm GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms. At least 400 IP addresses have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. The top countries receiving SSRF exploitation attempts during the surge were the US, Germany, Singapore, India, and Japan. GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended location, either internally towards the organization’s network or externally to exfiltrate data. It is one of the OWASP Top 10 Application Security Risks.

Historical parallels: SSRF vulnerabilities played a key role in the 2019 Capital One breach, which exposed 100M+ records.

GreyNoise has identified active exploitation attempts against the following flaws:

• CVE-2017-0929 (CVSS score: 7.5) – DotNetNuke
• CVE-2020-7796 (CVSS score: 9.8) – Zimbra Collaboration Suite
• CVE-2021-21973 (CVSS score: 5.3) – VMware vCenter
• CVE-2021-22054 (CVSS score: 7.5) – VMware Workspace ONE UEM
• CVE-2021-22175 (CVSS score: 9.8) – GitLab CE/EE
• CVE-2021-22214 (CVSS score: 8.6) – GitLab CE/EE
• CVE-2021-39935 (CVSS score: 7.5) – GitLab CE/EE
• CVE-2023-5830 (CVSS score: 9.8) – ColumbiaSoft DocumentLocator
• CVE-2024-6587 (CVSS score: 7.5) – BerriAI LiteLLM
• CVE-2024-21893 (CVSS score: 8.2) – Ivanti Connect Secure
• OpenBMCS 2.4 Authenticated SSRF Attempt (No CVE)
• Zimbra Collaboration Suite SSRF Attempt (No CVE)

Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. They should also monitor for suspicious outbound requests by setting up alerts for any unexpected activity.

Read more about it here.

Meta has fired “roughly” 20 employees for leaking confidential information, The Verge reports.

“We tell employees when they join the company, and we offer periodic reminders, that it is against our policies to leak internal information, no matter the intent,” Meta spokesperson Dave Arnold told the publication. “We recently conducted an investigation that resulted in roughly 20 employees being terminated for sharing confidential information outside the company, and we expect there will be more. We take this seriously, and will continue to take action when we identify leaks.”

The move comes in response to a surge of news stories that shared leaked details about Meta’s internal meetings and undisclosed product plans, including a recent all-hands led by Meta CEO Mark Zuckerberg. Following the leaks, Meta warned employees that leakers would be fired.

Meta did non disclose any details about the content leaked.

Read more about it here.