SecureFact – Cyber Security News – Week of October 20, 2025

The Prosper data breach, disclosed in October 2025, exposed the personal information of approximately 17.6 million customers and loan applicants.
The breach was detected on September 2, 2025, involving unauthorized access to company databases containing confidential and proprietary data.
The stolen data includes highly sensitive personally identifiable information (PII) such as names, email addresses, physical addresses, dates of birth, Social Security numbers, government-issued IDs, employment status, credit status, income levels, IP addresses, and browser user-agent details.
Despite the substantial data exposure, there is no evidence yet that attackers accessed customer accounts or funds, and Prosper’s customer-facing operations remained uninterrupted.
The company is actively investigating the incident, working with law enforcement and cybersecurity experts, and plans to offer free credit monitoring to affected individuals once the investigation determines the full scope of impacted data. This breach poses significant risks of identity theft, phishing, and financial fraud due to the nature of the stolen information.

Envoy Air, a regional airline carrier owned by American Airlines, confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
The company stated that no sensitive or customer data was affected, with only a limited amount of business information and commercial contact details potentially compromised. The breach was part of a larger campaign by the Clop ransomware gang exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite systems since early August 2025.
Upon learning of the incident, Envoy immediately began an investigation and contacted law enforcement.
The Clop gang is now leaking what they claim to be stolen data from Envoy on their data leak site.
Oracle initially stated the attacks exploited vulnerabilities patched in July, but later disclosed it was a zero-day flaw.
CrowdStrike and Mandiant revealed that Clop exploited the flaws in early August to breach systems and deploy malware.
Google’s threat intelligence team believes dozens of organizations were affected by this campaign.

Major international auction house Sotheby’s disclosed a data breach incident where threat actors stole sensitive information, including financial details.
The hack was detected on July 24, 2025, and the investigation took two months to determine the type of data stolen and individuals impacted.
According to a filing submitted to Maine’s AG office, the exposed data includes full names, Social Security numbers (SSNs), and financial account information. The total number of impacted individuals remains undisclosed, with the filing mentioning only two persons in Maine and two in Rhode Island.
Sotheby’s confirmed that the incident impacted employees, not customers, contrary to initial reports.
The company immediately launched an investigation in cooperation with leading data protection experts and law enforcement upon discovery.
All security protocols were activated, and the Spanish Data Protection Agency and relevant authorities were notified.
Sotheby’s customers who received breach notifications are provided 12-month free identity protection and credit monitoring through TransUnion.

Spanish fashion retailer MANGO sent data breach notifications to customers on October 14, 2025, warning that its marketing vendor suffered a compromise exposing personal data.
The exposed data includes customers’ first names, country, postal codes, email addresses, and telephone numbers used in marketing campaigns.
MANGO specified that last names, banking information, credit card data, IDs, passports, or account credentials were not compromised in the incident. The company noted that its corporate infrastructure and IT systems remain unaffected, with business operations continuing normally.
All security protocols were activated upon learning of the data breach at the unnamed marketing service provider.
The Spanish Data Protection Agency (AEPD) and relevant authorities have been notified about the breach.
A dedicated email address (personaldata@mango.com) and telephone hotline (900 150 543) were established to support concerned customers.
No ransomware groups have announced MANGO on their extortion portals, leaving the attackers’ identity unknown.

The UK’s Information Commissioner’s Office (ICO) fined Capita £14 million ($18.7 million) for a 2023 data breach that exposed personal information of 6.6 million people.
The breach occurred on March 22, 2023, when a Capita employee downloaded a malicious file giving hackers access to the internal network.
Despite detecting the breach within 10 minutes, Capita failed to isolate the infected device for 58 hours, allowing attackers to move laterally and access sensitive databases.
Between March 29-30, 2023, nearly one terabyte of data was exfiltrated before ransomware was deployed on March 31.
The Black Basta ransomware gang claimed the attack and threatened to leak stolen files unless ransom was paid.
The stolen data impacts hundreds of Capita clients, including 325 pension scheme providers in the UK.
Capita was fined for poor access controls, delayed response to security alerts, operating an understaffed Security Operations Center, and failing to perform regular penetration testing.
The ICO initially set the fine at £45 million but reduced it after Capita accepted liability and implemented security improvements.