WestJet data breach exposes travel details of 1.2 million customers
- The WestJet data breach, disclosed in June 2025, compromised the personal information of approximately 1.2 million customers.
- The breach involved social engineering: attackers reset an employee's password to gain access via Citrix, which allowed them to compromise the network and Microsoft cloud environment.
- Exposed data includes full names, dates of birth, mailing addresses, travel documents like passports or government IDs, requested accommodations, filed complaints, WestJet Rewards information, and some credit card details (excluding card numbers, expiration dates, and CVVs).
- The breach did not expose credit card or debit card numbers or user passwords.
- The FBI is investigating, and WestJet is offering affected customers free two-year identity theft protection and monitoring.
- The company continues to assess the breach’s full scope and has taken measures to prevent recurrence.
Nearly 1 Billion Records Allegedly Stolen From Salesforce Environments
- A hacking group called Scattered LAPSUS$ Hunters claims to have stolen nearly 1 billion records from companies using Salesforce cloud databases.
- The data allegedly includes personally identifiable information (PII) from about 39-40 organizations, including Toyota, FedEx, Walgreens, HBO Max, Allianz Life, Google, Qantas, and Stellantis.
- The hackers did not breach Salesforce directly but used voice phishing to trick company help desks and employees, gaining access via third-party Salesforce applications like Salesloft Drift.
- Salesforce has confirmed awareness of extortion attempts but states there is no evidence its platform has been compromised or that vulnerabilities in its technology were exploited.
- The hacker group launched a dark web site threatening to leak stolen data unless ransom demands are met, with some victims believed to be negotiating.
- Security experts note the group employs social engineering and tampered Salesforce tools to conduct its attacks.
Discord discloses data breach after hackers steal support tickets
- Hackers compromised a third-party customer service provider on September 20, 2025, gaining access to Discord user data.
- The attack affected a limited number of users who interacted with Discord’s customer support and Trust and Safety teams.
- Exposed data includes personally identifiable information such as real names, usernames, email addresses, and contact details.
- IP addresses, messages and attachments sent to customer service agents were also compromised in the breach.
- Photos of government-issued identification documents (driver’s license, passport) were accessed for a small number of users.
- Partial billing information including payment type, last four credit card digits, and purchase history was exposed.
- The hackers demanded a ransom from Discord in exchange for not leaking the stolen information publicly.
- Discord took immediate action to isolate the support provider, launched an investigation, and engaged law enforcement.
Renault and Dacia UK warn of data breach impacting customers
- Customers of Renault and Dacia in the United Kingdom were notified of a data breach at an unnamed third-party provider.
- The compromised information includes full names, gender, phone numbers, email addresses, and postal addresses of customers.
- Vehicle identification numbers and vehicle registration numbers were also exposed in the security incident.
- Banking or financial information was not compromised, according to the carmaker’s notification to affected customers.
- The targeted third-party company has isolated the incident and removed the threat from its networks following the breach.
- UK authorities including the Information Commissioner’s Office (ICO) have been informed of the cyberattack by Renault.
- The company advised customers to remain vigilant against unsolicited phone calls and emails following the breach.
- Renault confirmed that its contract agreement prevents it from disclosing the name of the affected third-party provider.
Japanese beer giant Asahi confirms ransomware attack
- Asahi Group Holdings disclosed that a ransomware attack caused IT disruptions forcing factory shutdowns this week.
- The Tokyo-based company is Japan’s largest beer brewer with 30,000 employees and produces 100 million hectoliters of beverages annually.
- Investigation confirmed that servers were targeted by ransomware and found traces suggesting potential unauthorized data transfer.
- The company owns major brands including Peroni, Pilsner Urquell, Grolsch, and Fullers, and had $20 billion in annual revenue in 2024.
- While the attack only impacted Japanese operations, it forced the company to switch to manual order processing and shipment.
- System-based order and shipment processes remain suspended with no clear timeline for recovery provided by the company.
- The Emergency Response Headquarters is working with external cybersecurity experts to restore systems as quickly as possible.
- No ransomware operations have claimed responsibility for the attack, suggesting ongoing negotiations or non-response to demands.
Oracle links Clop extortion attacks to July 2025 vulnerabilities
- Oracle confirmed that customers received extortion emails from the Clop ransomware gang targeting E-Business Suite vulnerabilities.
- The ongoing investigation found potential use of previously identified vulnerabilities addressed in the July 2025 Critical Patch Update.
- Oracle addressed nine security flaws in E-Business Suite, with three exploitable remotely without requiring user credentials.
- Executives at multiple companies received ransom emails requesting payment to prevent sensitive data leaks from Oracle systems.
- The Clop gang claimed involvement in the extortion campaign, linking attacks to a bug in Oracle’s core product.
- Extortion emails began on or before September 29, 2025, according to Google Threat Intelligence Group analysis.
- While insufficient evidence exists to confirm actual data theft, the campaign follows Clop’s pattern of exploiting zero-day vulnerabilities.
- The U.S. State Department offers a $10 million reward for information linking Clop ransomware attacks to foreign governments.
