Archive for Hacked

Sensata notifies victims of ransomware data breach that compromised SSNs, financial and medical info

Posted in Commentary with tags on June 6, 2025 by itnerd

Industrial tech maker Sensata yesterday confirmed it notified victims of an April 2025 data breach that compromised names, SSNs, Tax ID numbers, government-issued ID numbers, financial account info, payment card info, medical info, health insurance info, and DOBs. 

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“In 2025 to date, Comparitech researchers have logged 21 confirmed ransomware attacks on US manufacturers. We’re monitoring another 334 unconfirmed claims that haven’t been acknowledged by the targeted companies.”

“The manufacturing industry is a growing target for hackers. The total number of attacks rose from 40 in 2022 to 85 in 2023 and 94 in 2024. The number of records breached rose accordingly as well, from 1 million in 2023 to 2.5 million in 2024.”

“Ransomware attacks on US manufacturers can both steal data and lock down computer systems, leading to costly production delays and significant business risks. Manufacturers must pay a ransom or face extended downtime, data loss, and putting data subjects at increased risk of fraud.”

Wonderful. Another health care industry data breach. It shows that threat actors are running wild which is completely insane. The fact is that the insanity needs to stop and stop now.

An Old AT&T Data Breach From 2021 Has Resurfaced

Posted in Commentary with tags on June 6, 2025 by itnerd

A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users. Bleeping Computer has details:

A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.

AT&T told BleepingComputer that they are investigating the data but also believe it originates from the known breach and was repackaged into a new leak.

“It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation,” AT&T told BleepingComputer.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 had this to say:

“I have to think that our data leaks have been so pervasive for so long that whether or not this particular leak package is new or old really doesn’t matter. I’m pretty sure my Social Security number has been stolen, leaked, and sold a few dozen times over the last five years. What does one more personal data leak mean to me…or really anyone? Anyone can already look up anyone else’s personal information. What does one more data leak really mean? It’s not increasing the risk that I and others are already facing. At this point, is there a cybercriminal willing to pay for any of it, since they can all access a dozen plus previous data leaks with nearly the same information? My Social Security number and date of birth don’t change between leaks. I have a hard time getting worked up over any single data leak. The horse is already out of the barn.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this comment:

“While this is simply repackaged data, created by combining two different information caches, it can still be a danger to affected users. Having the information in one package means bad actors can do more with the data, making it easier for them to attempt to open accounts in victims’ names or use the information to send phishing emails and texts in an attempt to steal more information, like banking and credit card info. AT&T customers should stay alert for phishing attempts, as well as new accounts being opened in their name.”

Clearly everything old is new again when it comes to data breaches. That’s why it’s important to stop them before they happen. Because once that stolen information is out there, it’s out there forever.

Interlock ransomware gang claims Kettering Health breach, leaks stolen data

Posted in Commentary with tags on June 5, 2025 by itnerd

News has surfaced that the Interlock ransomware gang has claimed a recent cyberattack on Kettering Health:

This morning, ransomware gang Interlock has posted Kettering Health to its data leak site. It alleges to have stolen 941 GB of data, which includes 732,490 files across 20,418 folders and appears to contain ID cards, payment data, financial reports, and more.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 has provided the following commentary:

“After any successful cyberattack, as an impacted victim I’m wondering two things (beyond just how the current breach has impacted my current privacy and personal risk). One, does the victim company know how the intruders gained unauthorized access to their systems? Was it social engineering (very likely), unpatched software or firmware (second most likely), or some other initial root access issue? Because if they don’t know how it happened, they can’t begin to take steps to stop it from happening (at least the same way). Second, what steps are being taken to reduce my current risk from the breach (i.e., am I getting some free protective services) and how can I be assured it won’t happen again (related to the first question)? Because if I can’t be reassured it won’t happen again, I’m less likely to remain a customer.”

Another non-trivial health care breach with lots of stolen data that affects a whole lot of people. This is unfortunately becoming close to normal. And it should not be. The world really needs this to change and change quickly.

Clark County, WA notifies 76K people of data breach that compromised SSNs, payment cards, and more

Posted in Commentary with tags on June 5, 2025 by itnerd

The Clark County, WA government this week confirmed it notified 76,253 people of an October 2023 data breach that compromised names, SSNs, financial account info, payment card info, medical and health insurance info, government-issued ID numbers, and DOBs. 

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Comparitech researchers logged 85 confirmed ransomware attacks on US government entities in 2023, compromising more than 1 million records. In 2024, those figures increased to 94 attacks and 2.5 million records. So far in 2025, we’ve recorded 27 attacks compromising 8,550 records. The average ransom demand across all these attacks is $1.8 million.”

“Other recent such attacks include those on the city of Durant, OK and the OmniRide bus service in Virginia. In 2025 to date, ransomware gangs have claimed responsibility for another 30 unconfirmed attacks that haven’t been acknowledged by the targeted organizations.”

This isn’t a trivial breach, as that’s a lot of people who have just had some really sensitive information leaked. This underscores the need to do everything possible to prevent these events from occurring.

Lee Enterprises Discloses That Almost 40K People Have Had Their Information Stolen In A Ransomware Attack

Posted in Commentary with tags on June 4, 2025 by itnerd

Newspaper giant Lee Enterprises has reported that personal information belonging to 39,779 people was stolen in a February 2025 ransomware attack which you can read about here.

Jim Routh, Chief Trust Officer at Saviynt had this to say:

“Sophisticated threat actors continue to target enterprises with a high likelihood of making an extortion payment to resume critical operations. Often the threat actors will target an enterprise data replication and recovery infrastructure to create great disincentive to avoid a ransom payment. 

“The key for enterprises to avoid these types of attacks is to supplement their privileged access user monitoring system (PAM) with continuous validation based on user behavior analytics. Any significant deviation of pattern by a privileged user results in an automatic revocation of the entitlement operating in milliseconds. Continuous validation is not common for enterprises today, but it offers an essential control to reduce the risk of a ransomware attack causing significant business disruption.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 adds this:

“This seems like a standard, run-of-the-mill ransomware event. It is a little concerning that the breach happened in early February and impacted victims are just learning about the breach 4 months later. That isn’t timely.

“Second, this is the second data breach they suffered. What can they tell customers and employees to allay fears of another breach? Do they know how this breach happened, or the last? What steps are they taking to make sure that further breaches using the same methods or other hacking methods don’t happen again?

“Every company is given one breach forgiveness. But not two. When the second breach happens, customers and victims need to know how the breach happened (likely social engineering, unpatched software or firmware, or weak credentials), and what steps the company is taking to prevent it from happening again. Customers won’t likely give automatic forgiveness for the third breach.”

I will be interested in finding out what actually happened here and what Lee Enterprises will do to stop it from happening again. Hopefully those details actually see the light of day seeing as almost 40,000 people have been affected in this attack.
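Jim Routh’s point above about continuous validation (a privileged user’s deviation from their normal pattern triggering automatic revocation) is easier to see with a small worked example. The following is an added illustration, not code from Saviynt, Lee Enterprises or this blog: it builds a per-user baseline of source hosts, active hours and actions from a constructed log of privileged activity, scores new events against that baseline, and revokes the entitlement once an event deviates on enough dimensions. The log format, user names, hosts, actions and the revocation threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data). Format: ISO timestamp|user|source host|action
BASELINE_LOG = """\
2025-05-01T01:05:00|svc_backup|bkp-01|snapshot
2025-05-01T02:10:00|svc_backup|bkp-01|replicate
2025-05-02T01:12:00|svc_backup|bkp-01|snapshot
2025-05-02T03:00:00|svc_backup|bkp-01|replicate
2025-05-01T09:30:00|dba_jane|db-01|query
2025-05-01T14:00:00|dba_jane|db-02|grant_check
2025-05-02T10:15:00|dba_jane|db-01|query
2025-05-02T16:45:00|dba_jane|db-02|query
"""

# Constructed "live" events to validate against the baseline.
RECENT_LOG = """\
2025-06-01T02:10:00|svc_backup|bkp-01|snapshot
2025-06-01T14:35:00|svc_backup|ws-guest-17|delete_replica
2025-06-01T10:00:00|dba_jane|db-02|query
2025-06-01T10:40:00|dba_jane|db-03|query
"""


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def build_baseline(events):
    """Learn, per privileged user, the hosts, hours of day and actions seen historically."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "actions": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["time"].hour)
        b["actions"].add(e["action"])
    return dict(baseline)


def deviations(baseline, event):
    """Return a list of ways this event departs from the user's learned pattern."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown privileged user"]
    found = []
    if event["host"] not in b["hosts"]:
        found.append(f"new source host {event['host']}")
    if event["time"].hour not in b["hours"]:
        found.append(f"activity at hour {event['time'].hour:02d} outside baseline")
    if event["action"] not in b["actions"]:
        found.append(f"new action {event['action']}")
    return found


def evaluate(baseline, events, revoke_threshold=2):
    """Score each event; an event deviating on >= revoke_threshold dimensions revokes the user.

    Returns {user: {"decision": "allow" | "revoke", "reasons": [...]}}.
    A single deviation (e.g. one new host) is recorded but does not revoke on its own,
    which keeps ordinary drift in an admin's work from locking them out.
    """
    results = {}
    for e in events:
        r = results.setdefault(e["user"], {"decision": "allow", "reasons": []})
        found = deviations(baseline, e)
        r["reasons"].extend(found)
        if len(found) >= revoke_threshold:
            r["decision"] = "revoke"  # in a real PAM this would call the revocation API
    return results


def run_demo():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return evaluate(baseline, parse_log(RECENT_LOG))


if __name__ == "__main__":
    for user, r in run_demo().items():
        print(f"{user}: {r['decision']} ({'; '.join(r['reasons']) or 'within baseline'})")
```

In the constructed data the backup service account acting from an unfamiliar workstation, outside its usual window, with an action it has never performed (deleting a replica, the recovery-infrastructure scenario Routh describes) trips three deviations and is revoked, while the DBA touching one new database host is merely noted. A production implementation would use a richer baseline (volumes, peer groups, sequence of actions) and feed the decision to the PAM system’s revocation hook rather than returning it from a function.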

Interlock Claims Kettering Health Cyber Attack

Posted in Commentary with tags on June 4, 2025 by itnerd

This morning, ransomware gang Interlock posted Kettering Health to its data leak site. It alleges to have stolen 941 GB of Kettering’s data, which includes 732,490 files across 20,418 folders and appears to contain ID cards, payment data, financial reports, and more.

In a blog post today, Rebecca Moody, Head of Data Research at Comparitech, commented:

“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 17 confirmed attacks via this group and a further 22 unconfirmed attacks that haven’t been acknowledged by the organizations in question. Interlock was also responsible for the April 2025 attack on kidney dialysis firm DaVita. This too caused widespread disruption to patient care and saw a large breach of 1.5 TB of data.”

“2025 has already seen 26 confirmed attacks on US healthcare companies, as well as a further 92 unconfirmed. Other recently confirmed attacks include Marlboro-Chesterfield Pathology, P.C. which was hit by SafePay in January 2025. This resulted in a data breach involving 235,911 people.”

“Over the last week, Bradford Health Services and Next Step Healthcare, LLC have started notifying patients of breaches stemming from older ransomware attacks. Bradford Health Services suffered an attack via Hunters International in December 2023 and has now confirmed 22,465 people were affected. Meanwhile, Next Step Healthcare, LLC has just started notifying 12,090 people of a breach following an attack via Qilin in June 2024.”

“As we are seeing with Kettering Health, ransomware attacks on healthcare companies have the potential to cause widespread disruption. Not only can they result in patient care being impacted after systems are encrypted, but the consequences are often felt months, and even years, afterward when data is stolen by hackers. In 2024 alone, nearly 27.3 million records were breached across 163 individual ransomware attacks on US healthcare companies.”

Once again, health care is the victim of a cyberattack. This isn’t a trivial event as any attack can cost lives potentially. More focus is needed to change this paradigm and that needs to happen fast.

‘Russian Market’ emerges as a go-to shop for stolen credentials

Posted in Commentary with tags on June 2, 2025 by itnerd

Researchers from ReliaQuest have reported that the ‘Russian Market’ cybercrime marketplace has emerged as one of the most popular platforms for selling credentials stolen by infostealer malware.

Ensar Seker, CISO at SOCRadar, commented:

“The rise of the Russian Market as a post-Genesis powerhouse for credential sales is no surprise. It underscores a growing trend where info-stealer logs are the new currency of access in the cybercrime ecosystem. These logs are often harvested at scale via malware like Raccoon, RedLine, and Vidar, then sold in semi-curated bundles for as little as $2. For threat actors, it’s a low-cost, high-reward model that enables everything from account takeovers to full-blown ransomware deployment.”

“What makes this surge concerning is not just the affordability and volume of stolen credentials, but the quality and contextual richness of the logs—browser session cookies, saved passwords, crypto wallets, VPN configs, and even MFA tokens can be included. The Russian Market has also benefitted from the void left by Genesis Market’s takedown, which previously offered a slick user interface and session replay capabilities. While the Russian Market lacks that level of polish, its availability, persistence, and pricing are drawing in a new wave of threat actors, especially low-skilled affiliates and initial access brokers.”

“The cybersecurity industry needs to stop thinking of stealer logs as a footnote. They are a first-stage breach vector and increasingly weaponized in the earliest stages of intrusions. Organizations must monitor the dark web and infostealer marketplaces to understand whether their attack surface has already been compromised. At SOCRadar, we’ve observed a 30% uptick in stealer log exposure among enterprise assets across our monitored datasets, especially credentials linked to VPNs and SaaS platforms.”

“This also ties back to the larger issue of password reuse and unmanaged credentials. It’s not just about detecting breaches after the fact, but reducing the exploitability of leaked credentials through password managers, device-based authentication, and routine credential rotation. The Russian Market is just one shop in a growing underground mall and unfortunately, business is booming.”

Additionally, SOCRadar recently published an analysis on the prevalence of stealer logs. Here it is in full: https://socradar.io/stealer-logs-everything-you-need-to-know/

My $0.02 worth on this is to not be a victim. And the best way to avoid being a victim of phished or stolen credentials is to use some form of 2FA or, better still, migrate to a passwordless solution. The former makes it harder for stolen credentials to be used. The latter makes stolen or phished credentials a non-issue, as there’s nothing to steal.

Next Step Healthcare Confirmed MA & NH Data Breach of PHI and PI

Posted in Commentary with tags on June 2, 2025 by itnerd

Next Step Healthcare in Massachusetts over the weekend confirmed it notified thousands of patients of a June 2024 data breach that compromised SSNs, medical records, financial account details, drivers’ licenses, and credit and debit card numbers.

So far, 10,041 residents in Massachusetts and 1,697 in New Hampshire are known to be compromised. 

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Comparitech researchers logged 162 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers in 2024, compromising 27.2 million records. Another 125 claims remain unconfirmed. In 2025 so far, we recorded 26 confirmed attacks affecting 1.8 million records, plus 90 unconfirmed attacks. On average, it takes hospitals and other healthcare businesses 3.7 months to notify victims of a data breach.”

“Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the health, privacy, and security of patients. Hospitals must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.”

“Elderly people are at a higher risk of identity theft. The data breached in the attack on Next Step could lead to financial exploitation of victims. More than 6 in 100 elderly people in the United States have been victims of elder fraud.”

Health care, as frequent readers of this blog will know, is a prime target for threat actors. This sector is not as well resourced to defend itself from a cyberattack, so a threat actor can really go to town on most organizations in it. Rapid change is required to address this, as the status quo isn’t acceptable.

Botetourt County Public Schools Pwned By Qilin

Posted in Commentary with tags on May 30, 2025 by itnerd

Ransomware gang Qilin took credit for a cyber attack on Botetourt County Public Schools earlier this month and demanded the district pay a ransom by June 12, 2025. Botetourt County Public Schools has not verified Qilin’s claim.

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Qilin is a ransomware gang that began claiming responsibility for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets victims through phishing emails to spread its ransomware. It launched in August 2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms. Qilin has claimed credit for 26 confirmed ransomware attacks so far this year, plus 201 unconfirmed claims that haven’t been acknowledged by the targeted organizations.”

“At the same time that Qilin claimed the attack on BCPS, it also took credit for an attack on Logan University that remains unconfirmed. In April 2025, Qilin attacked Western New Mexico University and defaced its website.”

“Comparitech researchers have logged 19 confirmed ransomware attacks on US schools, colleges, and other educational institutions in 2025 to date. Earlier this month, ransomware gangs also hit Coweta County School System in Georgia, Bartlesville Public Schools in Oklahoma, and Kalamazoo Public Schools in Michigan. The education sector takes longer than any other to report data breaches to victims: 4.8 months on average.”

While everyone is a target for threat actors, health care and education are top targets because they are underfunded from a cybersecurity perspective. That needs to change ASAP to stop this sort of thing from happening over and over again.

Adidas Has Been Pwned Via A Third Party Hack

Posted in Commentary with tags on May 29, 2025 by itnerd

Adidas has confirmed a data breach stemming from a compromise of a third-party customer service provider. Hackers stole contact information of customers who had reached out to Adidas’ help desk. While no financial or password data was reportedly accessed, the breach raises concerns about supply chain vulnerabilities.

Andrew Obadiaru, CISO, Cobalt had this to say:

“This Adidas breach is yet another case of attackers taking the path of least resistance—third-party vendors with less mature defenses. In offensive security, these peripheral entry points are frequently the first tested during a campaign. And in retail, where customer engagement relies on sprawling digital ecosystems, vendors often fall outside the scope of proactive security testing. It’s no longer enough to harden your own walls—you must probe your supply chain with the same rigor. Otherwise, your vendors become the adversary’s open door.”

Wade Ellery, Field CTO, Radiant Logic follows with this:

“The Adidas breach puts a spotlight on the observability gap in third-party environments. While payment data may be safe, identity data—names, emails, contact history—still holds value in the attack chain. These are real identity artifacts, and they deserve the same level of scrutiny and visibility as any internal asset. Enterprises must rethink vendor oversight, ensuring that even external service layers feed into a unified observability framework. Without this, organizations risk flying blind where it matters most: at the seams between systems.”

Once again we see an example of a company getting pwned through no fault of its own, other than that it should consider holding third parties accountable for their security, as the NHS recently did. Because it should be crystal clear by now that you’re only as secure as the companies that you work with.