SecureFact – Cyber Security News – Week of July 21, 2025

Data Breaches

1. Co-op confirms data of 6.5 million members stolen in cyberattack 

  • In April 2025, UK retailer Co-op suffered a major cyberattack that resulted in the theft of personal data belonging to all 6.5 million members. The attackers accessed names, addresses, phone numbers, email addresses, and membership card details but did not steal financial or transaction information.
  • The breach forced Co-op to shut down parts of its IT systems, leading to food shortages and operational disruptions in its grocery stores and funeral services.
  • The attackers used social engineering to have an employee’s password reset, which allowed them to steal the Windows Active Directory database file (NTDS.dit) and enabled further network compromise.
  • The attack is linked to the ransomware group DragonForce and affiliate hacking group Scattered Spider, known for targeting other UK retailers like Marks & Spencer and Harrods.

*Source 

2. Louis Vuitton says regional data breaches tied to same cyberattack 

  • On July 2, 2025, luxury fashion giant Louis Vuitton suffered a major data breach exposing personal information of customers across multiple countries, including the UK, South Korea, Turkey, Italy, Sweden, and Hong Kong.
  • The company confirmed that these regional breaches stem from the same cyberattack, linked to the ShinyHunters extortion group, which accessed and exfiltrated customer data from a third-party vendor’s database.
  • Exposed information includes names, contact details, dates of birth, addresses, phone numbers, and purchase histories, but no payment or financial data was compromised.
  • Louis Vuitton immediately contained the incident, blocked unauthorized access, and began notifying affected customers and relevant regulators such as the UK Information Commissioner’s Office. 

*Source 

3. Weak password allowed hackers to sink a 158-year-old company 

  • In February 2022, a British Ministry of Defence official accidentally leaked personal data of nearly 19,000 Afghans who applied to the UK relocation scheme following the Taliban takeover.
  • The leak included names, contact details, and family information, putting many at risk of Taliban retaliation. The breach was kept secret under a superinjunction until July 2025, when it became public, prompting the UK government to establish a covert Afghan Relocation Route to safely move affected individuals.
  • About 4,500 Afghans and their families have been relocated so far, with thousands more awaiting relocation. The Ministry of Defence apologized for the error but decided no criminal investigation was needed. Concerns about the safety of affected Afghans and their compensation remain ongoing.

*Source 

4. Russian alcohol retailer WineLab closes stores after ransomware attack 

  • Russian alcohol retailer WineLab, part of the Novabev Group, closed over 2,000 stores nationwide following a large-scale ransomware attack on July 14, 2025. The cyberattack disrupted key IT infrastructure, affecting WineLab’s online services, mobile app, and point-of-sale systems, causing significant operational and purchasing issues.
  • Novabev Group confirmed the hackers demanded a ransom payment, but the company refused to negotiate or comply. Although no evidence currently suggests customer data was compromised, the investigation is ongoing.
  • The attack has caused substantial financial losses, estimated at $2.6 to $3.8 million per day in lost revenue, and is notable since most Russian-based ransomware groups typically avoid domestic targets.
  • Novabev’s IT teams and external specialists are working around the clock to restore services and strengthen security defenses.  

*Source 

5. Krispy Kreme faces class action lawsuit after data breach impacting more than 160,000 

  • Krispy Kreme is facing a class-action lawsuit after a November 2024 ransomware attack compromised sensitive personal and health information of over 160,000 current and former employees.
  • The breach, claimed by the Play ransomware gang, exposed data including names, Social Security numbers, health insurance details, dates of birth, driver’s license numbers, passport numbers, financial account data with usernames and passwords, biometric information, and even military and immigration IDs.
  • Despite discovering the breach months ago, Krispy Kreme only began notifying affected individuals around May 22, 2025, raising concerns about delayed disclosure. The company has offered free credit monitoring and identity protection services to those impacted but faces scrutiny over potential violations of data breach notification laws.
  • The incident resulted in over $11 million in losses in fiscal 2024 and disrupted operations significantly. Legal firms are investigating and pursuing damages, alleging Krispy Kreme failed to adequately protect employee data and delayed notification. 

*Source