
SecureFact – Cyber Security News – Week of June 09, 2025

Germany fines Vodafone $51 million for privacy, security breaches

  • Germany’s data protection authority (BfDI) fined Vodafone GmbH €45 million (about $51.4 million) for serious privacy and security violations in June 2025.
  • The penalty was split into two parts: a €15 million fine for failing to properly monitor partner agencies whose employees committed fraud by tricking customers into fictitious contracts or unauthorized changes, and a €30 million fine for authentication vulnerabilities in Vodafone’s “MeinVodafone” portal and hotline that allowed attackers to access customer eSIM profiles.
  • The regulator highlighted Vodafone’s inadequate oversight of third-party vendors and weak identity verification processes as key failings under GDPR. Vodafone has since overhauled its systems, improved partner selection and auditing procedures, severed ties with fraudulent partners, and paid the fines in full.
  • The case serves as a major warning on the risks of poor third-party risk management and weak identity and access controls in protecting customer data.

*Source

AT&T Hit by Massive Reported Identity Data Leak – Again

  • AT&T has been hit by another massive data leak, with hackers releasing 86 million records containing decrypted Social Security numbers, full names, addresses, dates of birth, and other personally identifiable information.
  • Nearly 44 million Social Security numbers were exposed, significantly increasing the risk of fraud and identity theft for affected customers. The data, originally stolen by the ShinyHunters group, was re-uploaded to a popular Russian cybercrime forum in a well-structured format, making it easier for criminals to exploit.
  • AT&T is investigating the incident and noted that cybercriminals often repackage previously disclosed data for financial gain. Cybersecurity experts warn that with both SSNs and birth dates compromised, malicious actors have all they need to impersonate customers and commit fraud.
  • This breach underscores the urgent need for stronger identity verification systems beyond static identifiers like Social Security numbers.

*Source

Over 8M records with US patient medical data have been spilled online

  • A massive data leak exposed the records of approximately 2.7 million patients and 8.8 million dental appointment records due to an unsecured MongoDB database, likely linked to the dental marketing company Gargle.
  • The exposed data included names, dates of birth, emails, addresses, phone numbers, gender, billing details, and appointment metadata.
  • This breach raises serious concerns about third-party handling of sensitive medical information and potential violations of HIPAA regulations.
  • After being notified by researchers on March 26, 2025, Gargle secured the database, though it remains unclear how long the data was exposed or if it was accessed maliciously. The leaked information poses risks of identity theft, insurance fraud, and phishing attacks.
  • Affected individuals are advised to stay vigilant and monitor their medical and insurance records closely.

*Source

US community bank says thieves drained customer data through third party hole

  • MainStreet Bancshares disclosed that data belonging to approximately 4.65% of its customers was stolen in a cyberattack targeting a third-party provider in March 2025.
  • The bank confirmed that its own technical infrastructure was not compromised, and no unauthorized transactions occurred. After learning of the breach, MainStreet immediately activated its incident response, ceased activities with the affected vendor, and notified impacted customers by May 26, 2025, providing them with tools to monitor suspicious activity.
  • The incident did not affect the bank’s operations or finances. This case highlights the ongoing risks posed by third-party vendors in the financial sector and the importance of robust security vetting and response processes.

*Source

LexisNexis Data Breach Exposes Personal Info of 364,000+ People

  • LexisNexis Risk Solutions suffered a data breach impacting over 364,000 individuals after an unauthorized third party accessed sensitive information via the company’s GitHub account, exploiting a third-party software development platform.
  • The compromised data included names, Social Security numbers, contact details, driver’s license numbers, and birth dates. The breach occurred on December 25, 2024, but was only detected on April 1, 2025.
  • LexisNexis responded by launching an investigation with law enforcement, reviewing exposed data, and offering identity protection services to affected individuals.
  • This incident highlights the importance of robust identity and access management, especially for data brokers handling large volumes of personal information.

*Source

Nearly 19,000 Mainers have been affected by a data breach

  • A data breach involving Kelly & Associates Insurance Group, Inc. has affected nearly 19,000 residents of Maine, according to a filing with the Maine Attorney General’s Office.
  • The breach potentially exposed victims’ names, Social Security numbers, and financial information. Nationwide, approximately 500,000 individuals were impacted by this incident.
  • In Maine, most of those affected are associated with the Maine School Management Association, which represents school boards and superintendents. The breach highlights the risks to sensitive personal and financial data held by insurance and advocacy organizations.

*Source