Victoria’s Secret restores critical systems after cyberattack
- Victoria’s Secret restored all critical systems after a May 24 security incident forced a shutdown of corporate systems and the e-commerce website.
- The company operates 1,380 retail stores in nearly 70 countries. External experts were engaged to assess the impact, and all critical systems are now fully operational.
- The company believes the incident will not materially impact fiscal results, though some expenses may continue. The attack delayed the quarterly earnings release due to system inaccessibility.
- Victoria’s Secret enacted response protocols to contain and eradicate unauthorized access. No ransomware group has claimed responsibility, and the company continues to assess the full scope of the incident. No confirmation of data theft has been provided.
Over 8M patient records leaked in healthcare data breach
- A misconfigured MongoDB database exposed 2.7 million patient profiles and 8.8 million appointment records.
- Exposed data included names, birthdates, addresses, emails, phone numbers, gender, chart IDs, language preferences, and billing classifications. Appointment records contained metadata such as timestamps and institutional identifiers.
- The database was publicly accessible online, unprotected by passwords or authentication protocols. The breach is linked to Gargle, a Utah-based company serving dental practices.
- After discovery, the database was secured, but the duration of exposure is unknown. No public evidence indicates whether the data was downloaded by malicious actors. The company is assessing compliance with HIPAA and has not commented on mitigation for affected individuals.
Texas Dept. of Transportation breached, 300k crash records stolen
- The Texas Dept. of Transportation suffered a breach on May 12, 2025, when a threat actor accessed and downloaded nearly 300,000 crash records.
- Exposed data includes full names, addresses, driver’s license numbers, license plate numbers, insurance policy numbers, and injury/crash details. TxDOT immediately disabled the compromised account and blocked further access.
- Notifications were sent to affected individuals, and a support line was set up, but no credit monitoring was offered. The agency is implementing additional security measures.
- No ransomware group has claimed responsibility. The breach increases risks of phishing and social engineering for those affected.
Bank of England loses hundreds of laptops amid rising cyber threats
- More than 300 laptops, tablets, and phones belonging to the Bank of England were lost or stolen between May 2022 and March 2025, with the total value of these devices nearing £300,000. In the last year alone, 30 laptops were lost, valued at over £30,000.
- This has raised serious concerns about potential security risks, as such devices could contain critical data valuable to cybercriminals. Experts warn that lost devices, even if encrypted, could still pose significant risks if they fall into the wrong hands.
- The Bank of England stated that all devices were encrypted to mitigate data exposure and that any lost or stolen devices were blocked from further communication with the bank.
- However, cybersecurity specialists emphasize that misplaced laptops remain a significant vulnerability, especially for high-profile institutions like the Bank of England, which are prime targets for hackers.
- This issue comes amid a broader surge in cybercrime affecting UK organizations, including major attacks on retailers like Marks & Spencer and healthcare providers such as NHS trusts.
Maine AG Reports Data Breach Affecting Over 30,000 Individuals
- A data breach affecting 30,453 individuals was reported to the Maine AG. Of those, 17 were Maine residents.
- The breach involved unauthorized access to an organization’s computerized system, resulting in the acquisition of personal information, which may include names combined with identifying data.
- In compliance with Maine’s data breach law, the entity conducted a prompt investigation and issued notifications where required. The organization notified both affected individuals and statewide consumer reporting agencies.
- It also reported the incident to the Maine Attorney General’s Office. The notice did not mention credit monitoring services.