Author Archive

Rillet raises $70M to replace 20th-century accounting software with AI-native ERP built by accountants

Posted in Commentary on August 6, 2025 by itnerd

Ambitious companies don’t rise or fall by product alone – they win or lose by how they run finance and accounting. Rillet, the AI-native ERP (enterprise resource planning) platform built for modern finance teams, today announced a $70 million Series B co-led by Andreessen Horowitz and ICONIQ with participation from Sequoia, Oak HC/FT and earlier investors. In conjunction with the new funding, Andreessen Horowitz General Partner Alex Rampell and ICONIQ General Partner Seth Pierrepont are joining the board.

This round comes just 10 weeks after Rillet announced a $25 million Series A round from Sequoia; the company has now raised over $100 million in under a year. Since launch, Rillet has signed over 200 customers and doubled its ARR over the past 12 weeks. The rapid growth has also resulted in strategic partnerships with many of the nation’s top accounting firms, such as Armanino (top 20) and Wiss (top 50).

The investment accelerates the company’s mission to rebuild enterprise accounting from the ground up, giving finance leaders the ability to scale multi-billion dollar companies with teams a fraction of the size.

The transformation they envisioned is now a reality. PostScript, a unicorn with over $100 million in ARR and global operations, closes its books in just three days using Rillet. Windsurf, one of the fastest-growing companies in recent memory, runs its entire finance operation with a lean team of two people. Customers consistently report cutting their close times to just a few days and implementing Rillet in as little as four weeks, versus the 12 months required in traditional systems.

Rillet’s breakthrough lies in how it redefines financial systems architecture. Legacy ERPs are, at their core, “dumb databases”. They store transactions, but the real work happens in spreadsheets and bolt-on analytics tools. Rillet flips that model. It starts with native integrations, which enable structured data to flow into their smart general ledger. AI is then applied directly within the system, empowering finance teams to collaborate in real time, automate workflows natively and get insightful reporting the moment something happens, not days or weeks later.

Although accounting is the single biggest category in enterprise software – a $500B+ global market that nearly every company on Earth depends on – the space is dominated by incumbents owned by slow-moving conglomerates: NetSuite by Oracle, Intacct by Sage, Dynamics by Microsoft. Even more recent players like Acumatica are being folded into private equity portfolios.

Rillet is a clean-slate rethink for this new era – built for speed, intelligence, and scale. And unlike those legacy platforms, Rillet is built by accountants. Its Chief Product Officer is a former EY controller; the Head of Customer Success came from PwC; and the VP of Implementations is a CPA and former customer. This DNA shows up in every workflow, every implementation, and every customer result.

The timing here is critical. The accounting industry is facing a major talent crunch, with 75% of accountants expected to retire in the next 15 years. At the same time, 80% of routine financial operations could be automated according to Accenture. Rillet sits right at this crossroads, creating a new platform shift in how humans and AI work together in finance. The result is transformative: finance teams get more done with fewer people, while shifting their focus from manual grunt work to strategic analysis that actually moves the needle for their business.

Looking ahead, Rillet’s plan is to expand its AI capabilities and deepen integrations across the financial technology stack. The team’s ultimate vision extends far beyond automation; they’re building towards a collaborative platform where AI agents and human expertise work together to transform how businesses understand and manage their financial performance. 

With several customers expected to go public on Rillet’s platform in the next 6-12 months, the company is set to prove that today’s most ambitious businesses can scale from startup to IPO on truly AI-native financial infrastructure – signaling the first major shift in years in how companies run, and win, with finance.

Pandora Pwned In Salesforce Related Attack

Posted in Commentary on August 6, 2025 by itnerd

Another retailer has suffered a cyberattack. Danish jewelry company Pandora has emailed its customers informing them that their data might have been stolen.

Danish jewelry giant Pandora has disclosed a data breach after its customer information was stolen in the ongoing Salesforce data theft attacks.

Pandora is one of the largest jewelry brands in the world, with 2,700 locations and over 37,000 employees.

“We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party platform we use,” reads a Pandora data breach notification sent to customers.

“We stopped the access and have further strengthened our security measures.”

As first reported by Forbes, only customers’ names, birthdates, and email addresses were stolen in the attack. Passwords, IDs, and financial information were not exposed.

Ignas Valancius, head of engineering at cybersecurity company NordPass, comments:

“This is not the first time this year that an attack was carried out by exploiting the weaknesses of third-party business partners. I don’t want to point fingers, but those cases are quite high profile and were discussed in the media. Actually, according to a Verizon report, around 30% of data breaches in 2025 involved third-party suppliers. You would think that large, experienced companies would learn from others’ mistakes and check their partners’ cybersecurity policies and practices. But apparently, it’s not the case. 

“I know it’s not as easy as it sounds. Companies today use dozens or even hundreds of different vendors, from coffee suppliers to cloud providers and remote support desk services, which greatly increases the risk of being exposed through their system. We use quite a few third-party services ourselves. I know it takes time and effort to set security requirements for partners and verify their compliance, but discussing cybersecurity matters with them is a very healthy business exercise. 

“If the news reports are accurate, Pandora customers should be in no immediate danger. Cybercriminals allegedly were able to access only names and email addresses. Passwords and credit card details were not disclosed. However, people should be vigilant, as such breaches are often followed by phishing attacks. Don’t fall into the trap and start clicking jewelry discount links you suddenly receive. Carefully read the addresses from which you receive emails and do not click on links in unsolicited communication; it’s better to go to the website directly. I also highly recommend turning on multi-factor authentication.”
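The sender check the comment above recommends, written out as an added example in Python. This is not part of the original post and not NordPass code. The trusted domain example-jewelry.com, the brand keyword, and the sample headers and body text are constructed assumptions, and the registrable-domain logic is deliberately crude (last two labels, no public suffix list).

```python
# Added example (not from the original post or from NordPass): triage the From
# header and body links of a mail received after a breach notification, flagging
# display-name spoofing and lookalike sender domains. Brand domain, keyword and
# sample input are constructed assumptions, not real Pandora data.
import re
import unicodedata
from email.utils import parseaddr

# Assumption: the brand's only legitimate registrable sending domain (constructed).
TRUSTED_DOMAINS = {"example-jewelry.com"}
# Assumption: brand token a lookalike domain or display name would reuse.
BRAND_KEYWORDS = ("examplejewelry",)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the .com/.net samples here;
    a real deployment should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold(text: str) -> str:
    """Fold common homoglyph tricks before keyword matching: NFKC-normalise,
    strip accents, map look-alike digits to letters, drop non-alphanumerics."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(c for c in unicodedata.normalize("NFD", text)
                   if unicodedata.category(c) != "Mn")
    text = text.lower().translate(str.maketrans("0135", "oles"))
    return re.sub(r"[^a-z0-9]", "", text)


def assess_sender(from_header: str) -> dict:
    """Return a verdict dict for an RFC 5322 From header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"verdict": "suspicious", "addr": addr, "reason": "unparseable address"}
    domain = addr.rsplit("@", 1)[1]
    if registrable_domain(domain) in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "addr": addr, "reason": "known sending domain"}
    reasons = []
    if any(k in fold(domain) for k in BRAND_KEYWORDS):
        reasons.append("brand name in untrusted domain (lookalike)")
    if any(k in fold(name) for k in BRAND_KEYWORDS):
        reasons.append("display name claims brand but domain is untrusted")
    if not reasons:
        reasons.append("unknown sender domain")
    return {"verdict": "suspicious", "addr": addr, "reason": "; ".join(reasons)}


def untrusted_link_hosts(body: str) -> list:
    """Hosts of http(s) links in the body whose registrable domain is not
    trusted, in order of first appearance. These are the links to type by hand."""
    seen, out = set(), []
    for host in re.findall(r"https?://([^\s/?#:]+)", body):
        host = host.lower()
        if registrable_domain(host) not in TRUSTED_DOMAINS and host not in seen:
            seen.add(host)
            out.append(host)
    return out


if __name__ == "__main__":
    # Constructed sample: lookalike domain with a digit-for-letter swap.
    print(assess_sender('"Example Jewelry" <promo@example-jewe1ry.net>'))
    print(untrusted_link_hosts(
        "Claim: https://example-jewe1ry.net/claim  FAQ: https://example-jewelry.com/faq"))
```

The display-name check matters because mail clients show the name, not the address; the digit folding in `fold` catches the `jewe1ry` style of lookalike that a visual read of the address tends to miss.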

Here’s a quick primer on the ongoing Salesforce attacks that are mentioned in the article.

This highlights the fact that companies need to do a much better job of stopping attacks like this. It’s a lot of effort, but it’s well worth it to not be Pandora.

Xona announces the general availability of Xona Platform v5.4.2

Posted in Commentary on August 5, 2025 by itnerd

Xona today announced the general availability of Xona Platform v5.4.2, a major update that extends centralized control, unified policy enforcement, and scalable auditability across globally distributed operational environments.

Building on its proven foundation of secure, zero-trust access for OT, IT, and hybrid networks, Xona’s v5.4.2 release introduces new Xona Centralizer management features to extend existing enterprise-grade visibility and control across multiple Xona deployments. Combined with cross-gateway access groups, expanded identity provider support, and enhanced session governance, the release equips critical infrastructure organizations to scale secure access—without adding complexity or risk.

Platform Enhancements in v5.4.2

The Xona Platform v5.4.2 introduces key capabilities for managing secure access in complex, multi-site environments:

  • Xona Centralizer: A new centralized management interface that enables real-time oversight of users, roles, and sessions across multiple deployments, eliminating silos and simplifying governance.
  • Cross-Gateway Group Management: Administrators can define access groups once and apply them universally across distributed gateways, reducing policy drift and configuration overhead.
  • Federated Identity Provider Support: Native multi-domain SAML and LDAP integration simplifies IT/OT convergence and strengthens identity-based zero trust enforcement.
  • Enhanced Role and Time-Based Controls: Fine-grained policy management enables precise access governance by user, site, role, and schedule.
  • Centralized Logging and Session Metadata: Unified activity records and session logs improve incident response and simplify compliance with NERC CIP, IEC 62443, and TSA SD2 mandates.
  • Enhanced Connections: WebGL has been added as an option for connections, allowing customers to take advantage of 3D graphics displays from remote assets.
  • Multi-monitor VNC Support: Users can now leverage remote multi-monitor setups with VNC with pan/zoom to view their applications across multiple displays.
  • Improved UX and Collaboration Tools: Streamlined UI, lower session latency, and enhanced session handoffs support fast, secure collaboration between field users and remote OEMs.
  • Customer Branding: Ability for customers to have customized branding with company logo and favicon support.
  • Cybersecurity Integrations: File uploads can now be automatically checked against the Palo Alto Networks WildFire cloud malware scanner before they are introduced to connected assets.
  • International Keyboard Support: Customers can use their localized keyboard when connecting to Windows based assets.

Scaling Secure Access for the Modern Critical Infrastructure Enterprise

As critical infrastructure organizations expand operations across regions and third-party ecosystems, the need for secure, scalable access control is more urgent than ever. According to recent industry data, more than 88% of industrial organizations cite insecure remote access as a top cyber risk, while ransomware attacks on OT environments have surged over 80% year-over-year.

Xona’s v5.4.2 release directly addresses these trends, helping customers:

  • Eliminate the need for vulnerable legacy tools like VPNs and jump servers in OT environments with a modern, zero-trust access model purpose-built for critical infrastructure.
  • Maintain consistent policy enforcement across all users—employees, OEMs, contractors—regardless of location.
  • Strengthen compliance readiness with real-time logging, video session recording, and centralized audit controls.

Trusted by Industry Leaders

Leading organizations across multiple industries trust Xona’s platform. Global giants such as GE, Baker Hughes, and Mitsubishi Corporation have adopted Xona’s secure access solutions to protect their critical infrastructure.

One of Xona’s long-standing customers in the power generation sector commented, “Xona has allowed our lean IT team to manage and troubleshoot issues remotely across all our sites. This has reduced the need for costly on-site visits and improved our overall operational efficiency.”

Why Xona Matters in Today’s Market

As critical infrastructure industries face increasing digital threats and navigate an evolving regulatory landscape, secure, simple access solutions like Xona’s are more critical than ever. The Xona Platform secures critical OT, IT, and cloud environments and supports compliance with leading standards including IEC 62443, the Cyber Resilience Act (CRA), and NERC CIP by providing the required access controls, auditability, and governance capabilities, simplifying the compliance process while reducing the operational burden on IT and OT teams.

Take a First Look or Another Look at Xona

For organizations seeking to improve their OT security, now is the time to consider Xona.

Visit the website at http://www.xonasystems.com to learn more about how the Xona Platform can transform your approach to secure access. Schedule a demo to see firsthand how Xona enables a zero-trust architecture that can reduce your attack surface, simplify operations, and protect your critical assets from today’s evolving threats.

Wallarm Unveils Industry-First Revenue Protection for APIs

Posted in Commentary on August 5, 2025 by itnerd

Wallarm announced the introduction of the industry’s first-ever API Revenue Protection capability, setting a new standard for aligning API security with business impact. Delivered as a set of integrated features in the Wallarm platform, this new capability empowers CISOs to become strategic business partners by quantifying how attacks impact revenue, disrupting attacker economics, and demonstrating financial ROI. 

From AI-generated abuse to account takeovers and business logic exploits, API threats are evolving faster than signatures can keep up. At the same time, organizations rely on digital revenues enabled through APIs, such as payment processing and partner integrations. Downtime or compromise of these API endpoints can result in immediate, costly consequences. 

Powered by agentic AI and transaction-aware telemetry that tracks revenue flows and shuts down fraud in-session, before attackers win, Wallarm’s new capability protects revenue-generating APIs from the most sophisticated threats, keeps them continuously available, and shows the actual dollars at risk and protected.

Key features and benefits include:

  • Automated Identification of Revenue-Critical APIs: Automatically detects which APIs contribute to revenue based on traffic patterns, monetization logic, and integration context. 
  • Transaction-Aware Revenue Attribution: Extracts revenue amounts directly from API transactions, such as order values, subscription events, or payment confirmations, to provide real-time financial insight using the actual revenue flowing through APIs.
  • Advanced Threat Protection for High-Value Endpoints: Delivers effective, real-time mitigation of attacks, protecting revenue-generating APIs from OWASP Business Logic Abuse Top 10, account takeover (ATO) attacks, data scraping and credential stuffing, agentic AI-driven attacks, and business logic anomalies that can lead to fraud or service abuse.
  • Business Context-Aware Detection and Response: Adapts in real time to evolving threat patterns while maintaining API availability and user experience by analyzing the full business logic and transaction flows behind each API.
  • Purpose-Built Revenue Protection Dashboard: Quantifies protected revenue, highlights attack trends targeting monetized APIs, and helps security leaders communicate their value to executive stakeholders.

Security teams can now quantify how much revenue has been protected and shift the conversation from reactive risk mitigation to proactive value creation. For digital-first enterprises, they can now measure a new security metric: Revenue Secured Per Dollar Spent.

Wallarm’s Revenue Protection for APIs will be demonstrated at Black Hat USA 2025 in Las Vegas, is available for Early Access, and will be generally available in the second half of 2025.

For more information, visit https://www.wallarm.com/product/api-security-overview.

Silent Push Expands Cyber Defense Capabilities with VPN, Proxy, and Sinkhole Tagging on all Public IP Addresses 

Posted in Commentary on August 5, 2025 by itnerd

Silent Push today announced the release of IP Context, a new detection method that identifies all uses of an IP address in one place, including use as a VPN, proxy, sinkhole, or benign scanner, across the company’s global dataset.

IP Context lets defenders reduce fraud and abuse by identifying adversary infrastructure more effectively, giving immediate context on the function and risk level of any given IP address. Tagged IPs are presented alongside everything else Silent Push knows about an indicator, including its relationship with the rest of the Internet, in a single view: DNS history, hosting relationships, campaign associations, and proprietary categories not available anywhere else. VPNs and proxies are tagged and filtered per commercial service provider. Proxies are further categorized as ‘residential’, ‘open’, ‘http’, or ‘socks4/5’, and by whether authentication is required.

With over 50 million IPs currently categorized daily as a VPN, proxy, or sinkhole, Silent Push brings full-spectrum tagging and enrichment to any IP it scans, whether it appears in an existing threat feed or is discovered during an investigation.

Enterprise use cases for IP Context include:

  • Credential Stuffing & Account Takeover Detection: Flag login attempts from residential proxy IPs commonly used in automated attacks, helping SOC teams act before escalation.
  • Infrastructure Discovery: Reveal contextual information about unknown IP addresses, allowing differentiation between normal users, residential proxies, and VPNs.
  • Threat Actor Clustering: Identify shared proxy or VPN services across campaigns, enabling faster attribution and proactive blocking of related assets.
  • Incident Response & Malware Triage: Instantly recognize sinkhole-tagged IPs to avoid false alarms and focus efforts on containment and root cause analysis.
  • Advertising Fraud and Abuse Discovery: IP Context provides new opportunities to track ad fraud operators and coordinated inauthentic traffic schemes.

IP Context is available as an add-on for Enterprise customers. Tags are accessible through Silent Push’s Total View screen, or as a daily bulk data download, allowing teams to integrate tag intelligence into existing workflows and filter based on their unique operational needs.
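What the first and fourth use cases look like in a SOC pipeline, as an added example in Python. This is not Silent Push code: the tag table stands in for a daily bulk tag download, and the tag vocabulary, the documentation-range IP addresses, and the authentication log lines are all constructed assumptions.

```python
# Added example, not Silent Push's code: enrich authentication events with an
# IP tag table (constructed stand-in for a daily bulk tag download), flag
# credential-stuffing patterns from residential-proxy sources, and label
# sinkhole-tagged destinations so they are not triaged as live C2. Tag
# vocabulary, addresses and log lines are constructed assumptions.
from collections import defaultdict

# Constructed tag table: ip -> set of tags. Documentation-range addresses only.
IP_TAGS = {
    "203.0.113.10": {"proxy", "proxy:residential"},
    "203.0.113.11": {"proxy", "proxy:open", "proxy:socks5"},
    "198.51.100.7": {"vpn", "vpn:provider-a"},
    "192.0.2.50": {"sinkhole"},
    # 192.0.2.99 is deliberately absent: an untagged source.
}

# Constructed auth log: "<timestamp> <src_ip> <user> <FAIL|SUCCESS>".
AUTH_LOG = """\
2025-08-05T10:00:01Z 203.0.113.10 alice FAIL
2025-08-05T10:00:02Z 203.0.113.10 bob FAIL
2025-08-05T10:00:03Z 203.0.113.10 carol FAIL
2025-08-05T10:00:04Z 203.0.113.10 dave SUCCESS
2025-08-05T10:00:05Z 198.51.100.7 alice FAIL
2025-08-05T10:00:06Z 198.51.100.7 alice FAIL
2025-08-05T10:00:07Z 198.51.100.7 alice SUCCESS
2025-08-05T10:00:08Z 192.0.2.99 erin FAIL
2025-08-05T10:00:09Z 192.0.2.99 frank FAIL
2025-08-05T10:00:10Z 192.0.2.99 gina FAIL
2025-08-05T10:00:11Z 203.0.113.11 hal FAIL
"""


def parse_auth(log: str):
    """Yield (timestamp, src_ip, user, result) tuples, skipping blank lines."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield ts, ip, user, result


def tags_for(ip: str) -> set:
    return IP_TAGS.get(ip, set())


def severity_for(tags: set) -> str:
    """Residential proxies are the usual cover for stuffing; a commercial VPN or
    open proxy is still notable; an untagged source gets the lowest tier."""
    if "proxy:residential" in tags:
        return "high"
    if "proxy" in tags or "vpn" in tags:
        return "medium"
    return "low"


def detect_credential_stuffing(events, min_accounts: int = 3) -> list:
    """Flag sources that fail against >= min_accounts distinct accounts. A
    success from the same source after failures is a likely compromised account."""
    by_ip = defaultdict(lambda: {"fail": 0, "users": set(), "hits": set()})
    for _ts, ip, user, result in events:
        bucket = by_ip[ip]
        if result == "FAIL":
            bucket["fail"] += 1
            bucket["users"].add(user)
        elif bucket["fail"]:            # success only counts after prior failures
            bucket["hits"].add(user)
    alerts = []
    for ip, b in by_ip.items():
        if len(b["users"]) < min_accounts:
            continue
        tags = tags_for(ip)
        alerts.append({"ip": ip, "severity": severity_for(tags), "failed": b["fail"],
                       "accounts": len(b["users"]), "compromised": sorted(b["hits"]),
                       "tags": sorted(tags)})
    return sorted(alerts, key=lambda a: a["ip"])


def triage_destination(ip: str) -> str:
    """Malware triage: a sinkholed destination means the host is infected but the
    C2 is not live, so the work is host cleanup, not containment of active exfil."""
    tags = tags_for(ip)
    if "sinkhole" in tags:
        return "sinkhole"
    if "vpn" in tags:
        return "vpn"
    if "proxy" in tags:
        return "proxy"
    return "untagged"


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_auth(AUTH_LOG)):
        print(alert)
    print(triage_destination("192.0.2.50"))
```

Note what the enrichment buys: the untagged source and the residential-proxy source both trip the same account-count threshold, but only the tag separates the one to page on from the one to watch. The VPN source hammering a single account is brute force rather than stuffing and is deliberately outside this rule.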

Reveal Security Unveils the Reveal Platform

Posted in Commentary on August 5, 2025 by itnerd

Reveal Security today announced the release of the Reveal Platform, the first solution to deliver preemptive identity security across SaaS, cloud, and custom applications. Designed for modern hybrid enterprises, the platform provides end-to-end visibility into both human and non-human identity behaviors, empowering security teams to stop threats before damage is done.

Go Beyond Login: From Detection to Anticipation

According to Gartner® Research, “Without preemptive cybersecurity, no organization is safe. The increasing speed, sophistication and scope of AI-enabled threats is destroying the reliability of existing stand-alone detection and response (DR) cybersecurity methods.”

But most security tools monitor identity at the point of login. Reveal goes further – tracking identity behavior across applications and clouds, correlating signals, and detecting anomalies both at and after authentication. With identity attribution, stories of identity behavior, and one-shot response automations, security teams can act quickly and preempt threats. 

With its innovative core technology, including rich data, application threat modeling, ML, and AI, Reveal simultaneously protects against account takeover attacks and insider threats in a single platform without overwhelming the SOC with alerts or the need to write detection rules.

Key capabilities include:

  • Post-Authentication Visibility: Uncovers what identities do after login across applications like Box, Salesforce, Okta, Microsoft 365, Google Workspace, AWS, Azure, and more.
  • Cross-App Behavioral Analytics: Provides the full picture of what identities are doing across the many enterprise applications they use daily. 
  • Credential Abuse Detection: Identifies unauthorized access and post-login activity resulting from stolen or exploited credentials.
  • Insider Threat Protection: Monitors risky users and detects malicious or negligent insider activity.
  • Human and Non-Human Behavior Monitoring: Profiles bots, APIs, and GenAI agents just like human users.
  • Preemptive Identity Security: Through identity attribution and predictive intelligence, Reveal determines who is acting and why, so security teams can take action before damage occurs.
  • One-Shot Response Automations: Instantly suspends accounts, revokes sessions, or updates risk scores based on policy.
  • Seamless SOC Integration: Works with SIEM, SOAR, and Slack for contextual alerting and streamlined response. No endpoint agents required.

Built for the Front Lines of Cyber Defense

Reveal’s high-fidelity behavioral intelligence prioritizes alerts by severity and confidence, reducing noise while increasing precision. The platform supports hybrid identity environments, flags risky behavior across user and service accounts, and arms security teams with actionable context.

Real-world examples of Reveal’s behavior-based detections, without rule creation, include:

  • Detect Recon of Threat Actor Using Stolen Credentials
    Reveal detected a coordinated series of suspicious actions across multiple applications affecting cloud file-sharing (Box) and identity access (Okta) systems, indicating reconnaissance. Showing deviation from normal identity behavior, these anomalies included account deletions, unauthorized collaboration removals, and unexpected identity verification attempts from the South Asian subcontinent. The threat was contained.
  • Privilege Abuse in Microsoft 365
    The Reveal Platform detected a coordinated series of mailbox-related administrative operations within Microsoft 365. This activity was immediately flagged due to the identity’s atypical behavior and the security-sensitive nature of the actions, consistent with potential data exfiltration. While each operation was individually valid, their combination exhibited a high-risk pattern, indicative of either an insider threat or the malicious exploitation of elevated privileges, potentially stemming from a compromised administrator account. The account was immediately suspended, and the security team launched a full investigation.
  • Suspicious Insider Activity in a Custom Application
    Legacy and custom applications are often not well protected by organizations and usually have minimal controls in place. Reveal detected a highly trusted identity logging into a “crown jewel” critical business application and accessing confidential data abnormally. The SOC investigated and determined that a company leader was being specifically targeted by a financially motivated cybercrime group.
  • CEO Impersonation Using Legitimate Credentials
    Reveal detected that a company’s top executive was accessing Confluence and browsing content on critical information and business systems. Reveal detected the identity performing anomalous behaviors involving this proprietary information and notified the security team. The information security analysts revoked sessions for that identity to protect the data and to stop the attacker. The executive’s laptop had been stolen while he was already logged into multiple applications.

Availability

The Reveal Platform is available immediately. Existing customers will receive upgrade support. New customers can request a demo at www.reveal.security.

NetRise Introduces A Significant Platform Enhancement

Posted in Commentary on August 5, 2025 by itnerd

NetRise announced a significant update to its core product platform. The update helps users prioritize, mitigate, and remediate vulnerabilities in the software they produce more efficiently and effectively, and reduces risk in the environments in which that software runs.

Key features introduced into the NetRise platform include:

  • Reachability – context on whether a vulnerability is reachable and whether the affected component auto-runs within a given system, including the user context it executes under. This prioritizes vulnerabilities more effectively by focusing on those that pose a real threat to the system.
  • SBOM Edit – manually add, remove, and edit SBOM components, and add information that is often lost in the build process, or licensing information that is contained in metadata files from a package manager, to ensure the accuracy of SBOMs delivered.
  • Fix Version – indication of the minimum version of the component in which the vulnerability is resolved, a useful datapoint for prioritization because it highlights issues that are likely easy to fix.
  • Platform re-architecture that increases the ability to scale and to speed up the development of future releases.

In its Supply Chain Visibility & Risk Study, published in Q4 2024, NetRise reported that on networking devices whose compiled software NetRise analyzed, an average of 1,120 CVEs were found per device. The report showed how to prioritize those CVEs to focus on those that were network accessible, greatly reducing the work required of a manufacturer’s development team or of an enterprise’s third-party risk management team.

Resources

  • Meet NetRise: Request a meeting with the team in Las Vegas during Black Hat USA 2025, August 4 to 10.
  • Schedule a Demo: To learn more about the value that a software asset inventory brings to global enterprises and device manufacturers alike, see a demo of the NetRise Platform.
  • For more information about the NetRise Platform, visit https://www.netrise.io/products/platform.

Minimus Announces New Product Enhancements

Posted in Commentary on August 5, 2025 by itnerd

Minimus announced new product enhancements, including: integrated Vulnerability Exploitability eXchange (VEX) support, new compliance dashboards and views, hardened Helm charts for secure deployment, and integration with Microsoft for single sign-on (SSO).

More details are available here: http://www.minimus.io/post/whats-new-in-minimus-august-2025
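The NetRise features above (SBOM Edit, Fix Version, Reachability) and the VEX support Minimus mentions are two halves of one workflow: reachability analysis decides what is actually exploitable in a build, and VEX is how that decision is communicated downstream. The following added Python example, which is neither NetRise’s nor Minimus’s code, walks that workflow on a minimal CycloneDX-shaped SBOM and emits an OpenVEX document. The SBOM contents, the VULN-* identifiers, the fix versions, the reachability verdicts, and the same-major-line heuristic for “easy to fix” are all constructed assumptions, not real advisories.

```python
# Added example, not NetRise's or Minimus's code. On a constructed CycloneDX-shaped
# SBOM it shows: SBOM Edit (add a component with license metadata the build lost),
# Fix Version plus reachability ranking, and OpenVEX output that marks unreachable
# findings not_affected. VULN-* ids, versions and reachability verdicts are
# placeholders, not real advisories.
import copy
import re
from datetime import datetime, timezone

SBOM = {  # constructed, minimal CycloneDX shape
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
        {"name": "busybox", "version": "1.31.0", "purl": "pkg:generic/busybox@1.31.0"},
    ],
}
VULNS = [  # constructed: placeholder id, affected component, minimum fixed version
    {"id": "VULN-0001", "component": "libfoo", "fix_version": "1.2.5"},
    {"id": "VULN-0002", "component": "busybox", "fix_version": "1.33.0"},
    {"id": "VULN-0003", "component": "openssl", "fix_version": "3.0.14"},
]
# Constructed verdicts of the kind a call-graph / autorun analysis would emit.
REACHABLE = {"VULN-0001": True, "VULN-0002": False, "VULN-0003": False}


def parse_version(v: str) -> tuple:
    """Numeric-tuple comparison so '1.2.10' > '1.2.9'. Ignores pre-release tags."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def add_component(sbom: dict, name: str, version: str, license_id: str = None) -> dict:
    """SBOM Edit: add a component (with SPDX license id) the build dropped."""
    comp = {"name": name, "version": version, "purl": f"pkg:generic/{name}@{version}"}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    sbom["components"].append(comp)
    return comp


def remove_component(sbom: dict, name: str) -> bool:
    """SBOM Edit: drop a component; True if something was removed."""
    before = len(sbom["components"])
    sbom["components"] = [c for c in sbom["components"] if c["name"] != name]
    return len(sbom["components"]) != before


def prioritize(sbom: dict, vulns: list, reachable: dict) -> list:
    """P1: reachable and same-major fix; P2: reachable, major bump needed;
    P3: not reachable. Unknown reachability is treated as reachable."""
    comps = {c["name"]: c for c in sbom["components"]}
    findings = []
    for v in vulns:
        comp = comps.get(v["component"])
        if comp is None:
            continue                          # component not in this build
        cur, fix = parse_version(comp["version"]), parse_version(v["fix_version"])
        if cur >= fix:
            continue                          # already at or past the fix version
        easy = cur[0] == fix[0]               # assumption: same major => drop-in upgrade
        is_reachable = reachable.get(v["id"], True)
        priority = "P1" if is_reachable and easy else "P2" if is_reachable else "P3"
        findings.append({"id": v["id"], "component": comp["name"], "purl": comp["purl"],
                         "installed": comp["version"], "fix_version": v["fix_version"],
                         "reachable": is_reachable, "easy_fix": easy, "priority": priority})
    return sorted(findings, key=lambda f: f["priority"])


def to_openvex(findings: list, author: str = "example-vendor") -> dict:
    """OpenVEX v0.2.0 document: reachable -> affected (with the upgrade as the
    action), unreachable -> not_affected, vulnerable_code_not_in_execute_path."""
    statements = []
    for f in findings:
        st = {"vulnerability": {"name": f["id"]}, "products": [{"@id": f["purl"]}]}
        if f["reachable"]:
            st["status"] = "affected"
            st["action_statement"] = f"upgrade {f['component']} to {f['fix_version']}"
        else:
            st["status"] = "not_affected"
            st["justification"] = "vulnerable_code_not_in_execute_path"
        statements.append(st)
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "urn:vex:constructed-example-1",    # constructed document id
            "author": author, "version": 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "statements": statements}


def run_pipeline():
    """Edit a copy of the SBOM, rank the findings, produce the VEX document."""
    sbom = copy.deepcopy(SBOM)
    add_component(sbom, "openssl", "3.0.13", license_id="Apache-2.0")  # lost in build
    findings = prioritize(sbom, VULNS, REACHABLE)
    return sbom, findings, to_openvex(findings)


if __name__ == "__main__":
    import json
    _sbom, findings, vex = run_pipeline()
    for f in findings:
        print(f["priority"], f["id"], f["installed"], "->", f["fix_version"], f["reachable"])
    print(json.dumps(vex, indent=2))
```

Two design points worth noting. Unknown reachability defaults to reachable, so a finding only drops to P3 when the analysis positively says the code is not in the execute path; and the `not_affected` statements carry that justification explicitly, which is what lets a downstream scanner suppress the finding without anyone having to trust an unexplained exception list.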

Contrast ADR Marks One Year with Surging Growth, Expands Reach with New Developer and SecOps-Focused Integrations

Posted in Commentary on August 5, 2025 by itnerd

One year after launching Application Detection and Response (ADR) at Black Hat, Contrast Security is accelerating its mission to secure modern software from the inside out. While legacy AppSec tools struggle to keep pace with AI-accelerated pipelines and cloud-native environments, Contrast has delivered a new approach built on runtime context, AI-driven remediation, and shared visibility across Dev, AppSec, and SecOps.

Contrast Security’s ADR adoption reached 40% of its customer base, reflecting rapid market validation and strong demand for a runtime-native approach to securing applications and APIs in production.

The Northstar release, announced earlier this year, marked a major evolution of the platform. It unified detection, remediation, and observability into a single experience, powered by the Contrast Graph, a real-time behavioral model of the application layer that maps attack surface, defenses, vulnerabilities and more, providing the rich context app/API security demands. Northstar also introduced SmartFix, Contrast’s agentic AI for auto-generating validated code fixes, and Deployment Hub with Flex Agent, which makes it easy to scale ADR across complex enterprise environments.

According to Contrast’s Software Under Siege 2025 report, application-layer attacks now occur every 3 minutes, yet most security teams lack the runtime context to detect or respond in time.

This week, Contrast is expanding the reach of Northstar with two new ecosystem integrations that make runtime security even more accessible and effective:

  • GitHub Copilot Integration – Developers can now apply AI-generated fixes that are validated by live runtime evidence, bridging the gap between detection and developer action. Unlike AI suggestions that lack runtime context, Contrast SmartFix works with GitHub Copilot to generate secure code fixes from runtime vulnerability details, proven exploitability, attack details, available defenses, and context from the Contrast Graph. The result is ready-to-review pull requests that are both context-aware and safe for production, so developers can fix real issues faster without leaving their workflow.
  • Sumo Logic Integration – Contrast attack telemetry now flows directly into Sumo Logic, enabling SOC teams to triage, investigate, and respond with full application-layer context. Security teams gain real-time visibility into exploit attempts, vulnerable code paths, and application behavior, all enriched through the Contrast Graph. By integrating runtime intelligence into existing SIEM workflows, organizations can stop breaches faster, reduce mean time to detect (MTTD), cut investigation overhead, understand the blast radius and close the loop between AppSec and incident response.

The updates to the Northstar release align with Contrast’s vision of securing software across the full lifecycle, from production back to code, with a single, unified platform.

Contrast ADR is the first runtime-native platform for defending applications in production, built to detect, block, and remediate real threats as they happen. By uniting developers, AppSec, and SecOps around the same runtime intelligence, Contrast ADR delivers the shared context teams need to act faster, fix smarter, and stop chasing noise.

The adoption of ADR has been especially strong in industries with the highest security and compliance demands, including financial services, healthcare, manufacturing, and technology. Organizations in these sectors are replacing legacy scanners and fragmented workflows with Contrast’s unified runtime platform to reduce time-to-fix, eliminate false positives, and improve real-world outcomes.

To see Contrast ADR in action, visit Booth #1861 at Black Hat USA 2025, or learn more at contrastsecurity.com.

Dialysis firm DaVita pwned by Interlock… 915,000 affected

Posted in Commentary on August 5, 2025 by itnerd

Kidney dialysis company DaVita today confirmed it notified 915,952 people of an April 2 breach of its systems, and that the following info was swiped:

  • Names
  • Social Security numbers
  • Health insurance info
  • Medical info including conditions, treatments, and test results
  • Tax ID numbers
  • Images of checks made out to DaVita
  • Dates of birth
  • Addresses

The attack disrupted internal operations at DaVita, and the Interlock ransomware gang took credit for the attack.

Rebecca Moody, Head of Data Research at Comparitech had this comment: 

“This attack on DaVita is one of the largest data breaches via ransomware this year so far. It’s the seventh largest overall, the third largest in the US, and the third largest on a healthcare provider. This highlights the far-reaching consequences these attacks have, particularly as ransomware gangs remain increasingly focused on stealing vast quantities of data.”

“Interlock, in particular, is notorious for its data theft claims. Across its 54 victims, it alleges to have stolen over 79.2 TB of data, with an average of nearly 1.5 TB per victim. This is higher than most other groups (in July 2025, for example, the average known data theft across all attacks by all groups was just over 475 GB). It was also responsible for the attacks on Texas Tech University Health Sciences Center in September 2024 where nearly 1.5 million people were affected, Brockton Neighborhood Health Center in November 2024 in which 97,488 people were affected, and, more recently, in May 2025, Texas Digestive Specialists (Gastroenterology Consultants of South Texas) in which 41,521 people were impacted.”

“Interlock was responsible for the disruptive attack on Kettering Health in May 2025, too. A data breach following this attack is yet to be confirmed, but in this attack, Interlock said it had stolen 941 GB in total.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 adds this comment:

“Certainly, something impacted patients need to be concerned about is scammers using the stolen information against them. That sort of thing happens all the time. For example, you could get a supposed (fraudulent) medical billing company calling a potential victim with all the right information (e.g., medical treatment, dates performed, names, addresses, dob, etc.) and then ask the potential victim for some made-up outstanding payment. Every data theft is new information that can be used by a scammer.”

Ensar Seker, CISO at SOCRadar followed up with this comment:

“This incident with DaVita is a sobering illustration of how ransomware campaigns continue to target healthcare’s most critical third-party providers. Operating more than 2,600 dialysis clinics nationwide, DaVita serves over 200,000 patients. In April they suffered a ransomware attack, later claimed by the Interlock ransomware gang, which reportedly exfiltrated and leaked terabytes of patient data including sensitive personal health and insurance information, Social Security numbers, and financial data, impacting nearly one million individuals.”

“While DaVita’s contingency plans have ensured patient treatment hasn’t been interrupted, the breach highlights a key truth: operational resilience doesn’t equate to data resilience. Encrypting systems may be recoverable, but exfiltration of personal health information brings long-term repercussions from identity theft and fraud to regulatory penalties and reputational damage.”

“This attack underscores several health sector realities: first, the growing threat from criminal groups targeting critical third-party providers, which can create widespread exposure across multiple healthcare entities. The strategy is calculated: by hitting one vendor, threat actors pressure dozens of connected institutions. Second, healthcare providers must assume data exfiltration is part of the ransomware playbook, not a secondary outcome. As this attack shows, even without disrupting clinical workflows, the long tail of exposed data damages remains severe.”

“For healthcare CISOs, it’s clear that traditional defenses alone aren’t enough. Continuous monitoring of not only local infrastructure but also vendor environments, encryption of both data at rest and in transit, and segmented access controls, even within SaaS platforms, are essential. In addition, patient communication and identity protection must be swift and transparent to preserve trust, regardless of operational impact.”

Two things jump out at me. First, health care is once again the low-hanging fruit for threat actors. Second, 915,000 people are going to be really badly affected by every threat actor who means to do harm. This isn’t a good situation.