SecureFact – Cyber Security News – Week of June 23, 2025

Healthcare services provider Episource experienced a data breach affecting over 5.4 million people.
The breach occurred between January 27 and February 6, 2025, when an unauthorized actor accessed and copied sensitive personal and health information.
Compromised data includes names, addresses, Social Security numbers, medical records, and insurance details.
Episource detected the incident in early February, promptly stopped the attack, and launched an investigation with law enforcement involvement.
The company notified affected customers and is assisting them with breach notifications.
Some clients, like Sharp HealthCare, also reported impacted individuals. This incident underscores the ongoing cybersecurity risks faced by healthcare service firms handling large volumes of sensitive data.

In November 2024, Krispy Kreme suffered a data breach impacting over 160,000 individuals, confirmed in a June 2025 filing with Maine’s Attorney General.
The breach exposed sensitive information including Social Security numbers, financial account details, driver’s license information, and health data.
Unauthorized activity was detected on November 29, 2024, disrupting online ordering systems.
The Play ransomware gang claimed responsibility, releasing stolen data after failed ransom negotiations.
Krispy Kreme hired cybersecurity experts to contain the breach and assess its impact.
Despite the severity, the company reported no evidence of misuse or identity theft so far.
This incident highlights ongoing risks from ransomware attacks targeting major corporations.

American insurance giant Aflac disclosed a data breach as part of a broader cybercrime campaign targeting U.S. insurance companies, likely linked to the sophisticated threat group Scattered Spider.
The attackers accessed sensitive personal and health information, including claims data, Social Security numbers, and other personal details related to customers, employees, and agents. Aflac stated that no ransomware affected its network and that the intrusion was stopped within hours after detection.
The company continues normal operations while investigating the breach with external cybersecurity experts. Scattered Spider is known for advanced social engineering tactics like phishing and MFA bombing and has recently focused on the insurance sector, causing disruptions at other firms such as Philadelphia Insurance Companies and Erie Insurance. Aflac’s incident highlights the ongoing targeted attacks against the insurance industry.

Oxford City Council suffered a cyberattack over the weekend of June 7-8, 2025, leading to unauthorized access to personal data stored in legacy systems.
The breach exposed information on current and former council officers, including those involved in elections between 2001 and 2022, such as poll station workers and ballot counters.
While the attackers accessed historic data, there is no evidence that citizen data or mass data extraction occurred, nor that the information has been shared with third parties.
The council’s automated security systems detected and limited the intrusion, and most affected systems have been restored, though some service delays remain.
Oxford City Council has begun notifying affected individuals, offering support, and has informed relevant government and law enforcement agencies.
The investigation is ongoing, with strengthened security measures being implemented to prevent future incidents.

Paddle.com agreed to pay $5 million to settle FTC charges for enabling tech-support scams targeting U.S. consumers.
The scams involved fake virus alerts from companies like Restoro and PC Vark, tricking victims into buying unnecessary software.
Paddle processed over $49 million in fraudulent transactions despite numerous complaints and chargebacks.
The FTC found Paddle failed to properly screen and monitor its clients.
As part of the settlement, Paddle must improve fraud detection, clearly disclose subscription terms, and get consent for recurring charges.
Paddle is also banned from processing payments for tech-support telemarketers. This case highlights the responsibility of payment processors in preventing fraud.