Data Breaches
1. ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications
- Security researchers Ian Carroll and Sam Curry discovered a major vulnerability in McDonald’s chatbot job application platform, McHire, exposing chats from over 64 million job applications across the U.S.
- The flaw stemmed from the chatbot’s admin panel being protected by weak default credentials, with username and password both set to “123456.”
- Once logged in, an internal API accepted a sequential numeric applicant ID without checking that the caller was entitled to that record (an insecure direct object reference): simply incrementing or decrementing the ID returned other applicants’ full chat transcripts, session tokens, and personal data.
- McHire, powered by Paradox.ai and used by about 90% of McDonald’s franchisees, collects sensitive applicant information such as names, emails, phone numbers, and addresses.
- The issue was reported on June 30, 2025, and McDonald’s required Paradox.ai to fix the flaw, which was addressed the same day. Paradox.ai says it is reviewing its systems to prevent similar vulnerabilities. There is no evidence that the flaw was exploited by malicious actors before the fix.
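The two defects described above, a login gate that checks only that someone is authenticated and a sequential ID that is never bound to the caller's tenant, are easy to see side by side in code. The example below is added here and is not Paradox.ai or McHire code; the lead store, tenant names, IDs and access-log lines are all constructed. It shows the vulnerable lookup, the hardened lookup that scopes every read to the caller's tenant, a simulation of the ID-walking technique the researchers used, and a simple log check that flags sessions walking consecutive IDs, which is what a defender would want in place whether or not the authorization bug exists.

```python
"""IDOR on a sequential lead ID: vulnerable handler, hardened handler, and a
log check for ID walking. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Lead:
    lead_id: int                 # sequential integer, as in the described API
    tenant: str                  # franchise account that owns this applicant
    applicant: str
    transcript: list[str] = field(default_factory=list)


# Constructed sample data: two tenants sharing one global ID sequence.
LEADS = {
    1001: Lead(1001, "restaurant-a", "alice@example.com", ["Hi, I'd like to apply."]),
    1002: Lead(1002, "restaurant-b", "bob@example.com", ["Can I work weekends?"]),
    1003: Lead(1003, "restaurant-b", "carol@example.com", ["Is the night shift open?"]),
    1004: Lead(1004, "restaurant-a", "dave@example.com", ["Do you need a resume?"]),
}


@dataclass
class Session:
    user: str
    tenant: str                  # tenant the logged-in user belongs to


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_get_lead(session: Session, lead_id: int) -> Lead:
    """Checks only that *someone* is logged in; any lead ID is returned."""
    if session is None:
        raise Forbidden("login required")
    if lead_id not in LEADS:
        raise NotFound(lead_id)
    return LEADS[lead_id]


def hardened_get_lead(session: Session, lead_id: int) -> Lead:
    """Scopes the lookup to the caller's tenant.

    A foreign ID gets NotFound rather than Forbidden on purpose: a 403 would
    confirm the ID exists, which still lets an attacker count applicants.
    """
    if session is None:
        raise Forbidden("login required")
    lead = LEADS.get(lead_id)
    if lead is None or lead.tenant != session.tenant:
        raise NotFound(lead_id)
    return lead


def walk_ids(get_lead, session: Session, start: int, count: int) -> list[int]:
    """Simulate the researchers' technique: step the ID and keep whatever is
    returned. Returns the IDs of leads actually disclosed to this session."""
    disclosed = []
    for lead_id in range(start, start + count):
        try:
            get_lead(session, lead_id)
            disclosed.append(lead_id)
        except (Forbidden, NotFound):
            pass
    return disclosed


# Constructed access-log lines: "<session> <method> <path> <status>"
SAMPLE_LOG = """\
sess-77 GET /api/lead/1001 200
sess-77 GET /api/lead/1002 200
sess-77 GET /api/lead/1003 200
sess-77 GET /api/lead/1004 200
sess-77 GET /api/lead/1005 404
sess-12 GET /api/lead/1004 200
sess-12 GET /api/lead/1001 200
"""


def flag_id_walking(log_text: str, min_run: int = 4) -> dict[str, int]:
    """Return {session: longest run of consecutive lead IDs} for sessions whose
    run reaches min_run. 404s count too: probing past the end is a signal."""
    per_session: dict[str, list[int]] = defaultdict(list)
    for line in log_text.splitlines():
        sess, _method, path, _status = line.split()
        per_session[sess].append(int(path.rsplit("/", 1)[1]))
    flagged = {}
    for sess, ids in per_session.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[sess] = longest
    return flagged


if __name__ == "__main__":
    attacker = Session("eve", "restaurant-b")      # a low-privilege tenant login
    print("vulnerable:", walk_ids(vulnerable_get_lead, attacker, 1001, 5))
    print("hardened:  ", walk_ids(hardened_get_lead, attacker, 1001, 5))
    print("flagged:   ", flag_id_walking(SAMPLE_LOG))
```

With the vulnerable handler a single tenant login walks every applicant in the store; the hardened handler returns only that tenant's two records and gives no distinguishable response for the others. Tenant scoping in the query is the fix that matters; replacing the sequential ID with a random one helps, but on its own it only makes walking slower, and the log check stays useful as a tripwire for either design.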
2. Qantas confirms data breach impacts 5.7 million customers
- Australian airline Qantas confirmed a data breach impacting 5.7 million customers after hackers accessed a third-party platform used by one of its contact centres on June 30, 2025.
- For about 4 million of the affected customers, the stolen data is limited to names, email addresses, and Qantas Frequent Flyer details: 1.2 million records contain only names and emails, and 2.8 million also include frequent flyer numbers and tier status.
- The remaining 1.7 million records exposed additional information such as addresses (1.3 million), dates of birth (1.1 million), phone numbers (900,000), gender (400,000), and meal preferences (10,000).
- Qantas confirmed no credit card, financial, passport, or login credentials were compromised, and frequent flyer accounts remain secure. The hackers have contacted Qantas, likely to extort the airline.
- Qantas is notifying affected customers, enhancing security measures, and advising vigilance against phishing attempts. The breach is linked to the Scattered Spider threat group known for targeting aviation.
3. M&S confirms social engineering led to massive ransomware attack
- Marks & Spencer (M&S) confirmed that the ransomware attack it suffered in April 2025 began with a social engineering attack, in which the attackers impersonated an employee, against a third-party IT help desk.
- Threat actors impersonated an M&S employee and tricked a third-party vendor, believed to be Tata Consultancy Services, into resetting the employee’s password, which was then used to breach M&S’s network.
- The attack involved the DragonForce ransomware group, linked to the Scattered Spider hacking collective known for advanced social engineering tactics.
- The attackers encrypted numerous VMware ESXi servers and reportedly stole around 150GB of data. M&S shut down its systems to contain the attack. No ransom payment details have been disclosed publicly, but it is suspected that negotiations or a payment may have taken place to prevent the data from being leaked.
- The incident caused significant operational disruption and financial losses, prompting calls for stronger defenses against social engineering in the retail sector.
4. Employee gets $920 for credentials used in $140 million bank heist
- Hackers stole nearly $140 million from six Brazilian banks by bribing an employee of C&M, a financial connectivity provider, to hand over his corporate credentials.
- The employee, João Nazareno Roque, sold his login details for about $920 and received an additional $1,850 for executing commands that helped the attackers access confidential systems linked to Brazil’s Central Bank.
- Roque tried to hide his involvement by frequently changing phones but was arrested on July 3 in São Paulo. The attackers used the stolen access to issue fraudulent transfers and have laundered $30–40 million of the stolen funds through cryptocurrencies like Bitcoin and Ethereum via Latin American OTC markets.
- Brazilian authorities are investigating the largest digital heist in the country’s history, while C&M emphasized that the breach resulted from social engineering, not a technical flaw. Blockchain experts are assisting in tracking and freezing illicit funds.
5. Ingram Micro starts restoring systems after ransomware attack
- Ingram Micro, a global IT distributor, suffered a major ransomware attack by the SafePay group just before the July 4th holiday, causing a multi-day outage that took down its website, ordering systems, and internal platforms.
- The company confirmed it proactively took systems offline to contain the attack and has since begun restoring business operations, including accepting orders via phone and email in many countries.
- Ingram Micro performed a company-wide password and multi-factor authentication reset and is gradually restoring VPN access and internal systems. It remains unclear whether data was stolen, but SafePay is known for exfiltrating data and demanding a ransom.
- The company is working with cybersecurity experts and law enforcement to investigate and recover fully. Customers and partners experienced significant disruption, but Ingram Micro is steadily progressing toward normal operations.
