Archive for Hacked

Victoria’s Secret Has Been Pwned…. Website Down

Posted in Commentary with tags on May 29, 2025 by itnerd

Intimate clothing company Victoria’s Secret has taken its website down after apparently getting pwned, though details of how they got pwned aren’t clear.

Shares of Victoria’s Secret fell Wednesday after the lingerie company took down its US website, saying there was a prolonged “security incident.”

Shoppers visiting the website will see a black screen with the company’s statement rather than its usual selection of lingerie, sleepwear and other products.

The retailer has “identified and are taking steps to address a security incident,” according to a statement posted to its website. “We have taken down our website and some in store services as a precaution.”

It’s rare for a company of Victoria’s Secret’s size to have such a lengthy site-wide outage. While its physical retail stores remain open, revenue from online shopping is critical for Victoria’s Secret. The brand generated $2 billion in net sales from direct channels that include online shopping in 2024, or roughly a third of its annual sales.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, has provided the following commentary:

“The recent security incident at Victoria’s Secret, following a string of attacks on other retailers, suggests a potentially coordinated campaign targeting the retail sector. While information remains limited at this point, suspending website functionality is not a decision organizations take lightly.”

“This event underscores the critical importance of fostering a robust security culture within organizations. In the retail sector, where customer trust is paramount, embedding security awareness across all levels of the business is crucial. This culture should emphasize not only technological defenses but also staff vigilance to act swiftly when threats are detected.”

Clearly, attacking the retail sector is the threat actors’ trend of the moment. That proves nobody is safe and everyone needs to take every precaution possible to avoid getting pwned, because in the case of Victoria’s Secret, this is likely to cost them millions of dollars.

LexisNexis Pwned With The Personal Data Of 360,000 Out In The Wild

Posted in Commentary with tags on May 28, 2025 by itnerd

It was confirmed today that information belonging to more than 360,000 people was leaked in a data breach affecting an arm of the analytics giant LexisNexis.

The breach occurred on December 25th, but LexisNexis only discovered it on April 1st, 2025, and is just starting to notify people. The company says it “promptly launched an investigation” and “notified law enforcement” once it discovered the breach, adding that the types of information exposed “varied by affected individual.”

LexisNexis spokesperson Jennifer Richman told TechCrunch that an attacker obtained the data through the firm’s GitHub account. Neither LexisNexis nor GitHub immediately responded to The Verge’s request for comment.

LexisNexis is one of the biggest data brokers in the US, as it works to collect and sell vast amounts of personal information for fraud and risk assessment. Last year, LexisNexis was named in a report from The New York Times, which found that automakers had been sharing driving data with the firm that the firm then sold to insurance companies, leading to higher premiums for the drivers. Other than serving as a data broker, LexisNexis also offers access to a database of news articles, public records, and legal documents.

Chris Hauk, Consumer Privacy Champion at Pixel Privacy had this to say:

“Data breaches like this one underscore the need for users to remove their personal data from as many data brokers as possible. Data brokers are popular targets among the bad actors of the world, as they are literal treasure troves of personal and often financial information. This one is particularly troubling due to what was exposed, including driver’s license and Social Security numbers, as well as date of birth. This information is of value to hackers, as it can be used to open fraudulent accounts in the victim’s name, and it can also be used to gain access to current financial accounts.”

“There needs to be more legislation as to how data brokers collect, store, and share and sell users’ information. Personally, I am not a fan of LexisNexis, following the retaliation it conducted against the group of users that filed a class action lawsuit against the company last year, by freezing their credit and falsely reporting them as identity theft victims. This is uncalled for and is what should be considered criminal conduct. At the very least, it was childish.”

A data breach at a company like LexisNexis is not just bad news, it’s horrible news. The damage that this creates is potentially huge and underscores why personal data needs to be better controlled.

UPDATE: James McQuiggan, security awareness advocate at KnowBe4 added this comment:

“Third-party integrations can expose organizations to serious risk. When sensitive data flows through external platforms, oversight must match internal standards. Token misuse, shared credentials, and poor API security create vulnerabilities that attackers exploit without breaching your perimeter.

Security questionnaires and audits often miss insecure development practices in vendor tools. Many organizations trust integrations by default without visibility into how data is accessed or stored. Vendor risk is operational risk, and short-lived API tokens can be considered. Organizations and security teams should build incident response plans that account for data leaks caused by third parties, not just direct attacks. You can’t outsource responsibility without oversight.”

Claims Have Surfaced That Coca-Cola Has Been Pwned

Posted in Commentary with tags on May 22, 2025 by itnerd

It is being reported from posts on dark web forums that the Everest ransomware group claims to have compromised internal and confidential information belonging to Coca-Cola, while the Gehenna hacking group claims to have breached Coca-Cola Europacific Partners’ Salesforce database earlier this month.

According to their claims, the compromised data appears to be primarily related to the Middle East operations.

The Everest group has previously been linked to high-profile attacks on organizations including NASA and the Brazilian government.

In a separate but potentially more damaging incident, the Gehenna hacking group claims to have successfully breached Coca-Cola Europacific Partners’ Salesforce dashboard in early May 2025.

Javvad Malik, lead security awareness advocate at cybersecurity company KnowBe4, commented:

“The recent breaches at Coca-Cola and its Europacific Partners, claimed by the Everest and Gehenna hacking groups, highlight the vulnerability of internal systems and third-party platforms like Salesforce, emphasizing the need for comprehensive cybersecurity strategies. It underscores the importance of not only robust technical defenses but also human-centric approaches to cybersecurity.

In response, organizations must prioritize data protection through layered and advanced security measures which can reduce the target area, educate and inform people of the dangers, create a culture which empowers people to make the right security decision, and protects the organization should an error occur.”

Another day, another incident that highlights the need for organizations of all sizes to prioritize defences that keep the bad guys out regardless of the attack vector, because incidents like these are becoming way too frequent.

Kettering Health Pwned In Ransomware Attack

Posted in Commentary with tags on May 21, 2025 by itnerd

A ransomware attack on Kettering Health, a network of 14 medical centers in Ohio, has caused a system-wide technology outage, forcing the cancellation of elective inpatient and outpatient procedures. While emergency rooms remain operational, the incident has disrupted operations across the network and prompted a scramble to contain the damage. The ransomware note, attributed to the Interlock gang, threatens to leak sensitive data unless a ransom is paid. This is part of a wider trend: in 2023, the healthcare sector led all critical infrastructure sectors in reported ransomware incidents, reflecting persistent cybersecurity vulnerabilities. Similar attacks on Ascension and UnitedHealth Group have recently demonstrated the direct patient impact of such breaches.

Debbie Gordon, CEO and Founder, Cloud Range, had this to say:

“We keep seeing healthcare systems pushed to the brink—not by medical emergencies, but by cyberattacks that disable basic operations. The Kettering Health attack is yet another example of why tabletop exercises and simulation-based training programs are essential. Responding to ransomware is not only about technology; it’s about people knowing what to do when systems go down. Clinical staff, IT teams, and executives all need to rehearse how to operate effectively under pressure. The faster we normalize this kind of preparedness, the more resilient our healthcare infrastructure will become.”

Gunter Ollmann, CTO, Cobalt follows with this:

“The healthcare sector continues to be disproportionately targeted by ransomware groups because it presents a high-pressure environment where disruption can immediately impact patient lives. This urgency increases the likelihood of ransom payment, making hospitals prime targets for attackers looking for quick returns. But these incidents are more than just criminal opportunism—they’re warning shots for what cyber warfare could look like. The same vulnerabilities being exploited now would be leveraged in future geopolitical conflicts to destabilize critical infrastructure. Offensive security gives us the ability to simulate these high-stakes scenarios and uncover weak points before the stakes become national.”

This incident underlines how vulnerable the health care sector is to cybercrime. I’ve said it before and I will say it again. Urgent action needs to be taken to make this sector less of a target.

UPDATE: I have additional commentary, starting with Rebecca Moody, Head of Data Research at Comparitech:

“This attack has been linked to the ransomware gang Interlock. Since it first emerged back in October 2024, we’ve tracked 16 confirmed attacks via this group, while a further 17 remain unconfirmed by the victims involved. Today, Interlock also came forward to claim a large-scale attack on West Lothian Council, UK, which has been disrupting its school network for over a week.”

“Four of Interlock’s confirmed attacks are on healthcare organizations in the US. It was also confirmed as the gang involved in the attack on kidney dialysis company, DaVita, in April 2025, and the 2024 attacks on Brockton Neighborhood Health Center (which led to 97,488 people having their data breached) and Drug and Alcohol Treatment Service, Inc. (which impacted 22,215 people). Interlock was also behind the huge data breach on Texas Tech University Health Sciences Center, which involved nearly 1.5 million records.”

“So far this year, we’ve tracked 24 confirmed attacks on US healthcare companies in total, with nearly 1.6 million records breached across these attacks. While this attack on Kettering Health is in its early stages, it’s highly likely Interlock will have stolen data and will release this if its ransom demands aren’t met.”

Erich Kron, Security Awareness Advocate at KnowBe4, had this to say:

“Sadly, the organizations that are charged with ensuring our health and safety are often the biggest targets of ransomware actors due to the sensitive information they collect and the time sensitive nature of their mission. This sensitivity to time gives the cybercriminals significant leverage when attempting to collect a ransom from organizations that have been left in a severely limited condition, or in some cases unable to provide services at all. While in this case it seems that only elective surgeries are being rescheduled, that doesn’t mean that the patients waiting for these surgeries are not uncomfortable or having issues.”

“Sometimes these procedures must be scheduled months in advance to find an available time on the schedule, especially in cases such as this where the organization is a nonprofit and is likely quite busy. This means that even though rescheduling is an option, it may push back their procedure by weeks or maybe even months.”

“In addition to the issues related to the inability to provide services, health care is a heavily regulated industry, and most ransomware actors will steal a copy of the most sensitive data they can get a hold of and threaten the organization with potentially leaking this information. Not only do the patients have to reschedule their procedures, but information such as their Social Security numbers, medical history, and other sensitive things are at risk of being dumped on the internet, making them more susceptible to future attacks from cybercriminals and possibly revealing embarrassing medical issues. There are also significant fines that may be leveraged by regulatory committees for the exposure of data in health care organizations.”

“Since most ransomware is spread through social engineering, such as email phishing or text message phishing, organizations in the healthcare industry especially need to ensure that they have a robust human risk management (HRM) in place, that data is being kept from leaving the network through data loss prevention (DLP) controls, and that they have backups that are tested on a regular basis, and kept off site or in an immutable state period.”

Additionally, Comparitech researchers today published a blog post reporting another healthcare breach — this one at a Montana hospital, now confirmed to have compromised patient names, SSNs, DOBs, ID numbers, financial information, and more. This breach was claimed by the ransomware gang Meow. For full details, please see here: https://www.comparitech.com/news/montana-hospital-data-breach-leaks-ssns-medical-and-financial-info/

UPDATE #2: Ensar Seker, CISO at SOCRadar adds this comment:

“The ransomware attack on Kettering Health is yet another stark reminder that cyberattacks in healthcare are no longer just data breaches. They are public health emergencies. When a system-wide outage results in canceled procedures and disrupted emergency operations, the consequences extend far beyond the digital domain and directly impact patient outcomes.”

“Healthcare systems like Kettering operate highly complex, interconnected environments with legacy infrastructure, fragmented security oversight, and tight operational margins. This makes them prime targets for ransomware groups, who know that the urgency of patient care often leads to faster ransom payments and less resistance. Disruption to electronic health records, scheduling, communications, and diagnostics can paralyze clinical operations, leading to delayed care, misdiagnoses, and even loss of life in worst-case scenarios.”

“This incident also reflects a growing trend. Threat actors are targeting not just data, but availability. The aim is to inflict operational chaos, knowing that healthcare providers must act fast. The fact that Kettering was forced to cancel both inpatient and outpatient procedures indicates a deep-level compromise of core infrastructure, not just a containment effort at the perimeter.”

“Hospitals must prioritize segmentation of critical systems, implement ransomware-specific playbooks, and invest in 24/7 threat detection tied to real-time operational impact assessments. Moreover, this reinforces the need for industry-wide collaboration, sharing IOCs, TTPs, and breach intel in real time to help other healthcare organizations stay ahead of similar attacks.”

“Ultimately, we need to treat ransomware in healthcare as a patient safety issue first, cybersecurity issue second. As long as these attacks continue to disable essential care services, they must be met with the same urgency as any other emergency affecting human lives.”

Libyan Consulate Exposes Hundreds Of Passport Applications

Posted in Commentary with tags on May 21, 2025 by itnerd

The Cybernews research team discovered that the Libyan Consulate in Stockholm left an unprotected instance accessible to the public with nearly 550 filled-in passport applications.

What data was revealed?

  • Full names
  • Dates of birth
  • Email addresses
  • Parental details

To read the full research, please click here.

NRS Breach Impacts 210,140 Harbin Clinic Patients

Posted in Commentary with tags on May 20, 2025 by itnerd

The personal information of 210,140 Harbin Clinic patients was stolen in a July 2024 data breach at debt collector Nationwide Recovery Services (NRS). There is more info posted here.

Ensar Seker, CISO at SOCRadar had this to say:

“The Harbin Clinic (NRS) incident is a textbook example of the cascading risks and delayed fallout of third-party breaches in healthcare, where the real victims (patients) are too often left in the dark for far too long.

This breach highlights the critical danger of delegated data stewardship without sufficient oversight. In this case, a cyberattack on Harbin Clinic’s third-party debt collection vendor, Nationwide Recovery Services (NRS), led to the exposure of highly sensitive health and financial information for hundreds of thousands of patients. But what makes this incident especially concerning is the timeline: the breach occurred in July 2024, yet patients are only being notified nearly a year later.

Such delays are deeply problematic. They increase the window of exposure for fraud, identity theft, and social engineering attacks, while eroding public trust in how healthcare providers handle patient data. In regulated sectors like healthcare, data sharing doesn’t mean risk sharing stops at the vendor boundary. It’s the responsibility of the covered entity, in this case, Harbin Clinic, to ensure that any vendor handling PHI or financial data has clear contractual obligations for rapid breach reporting, data segregation, encryption, and continuous risk monitoring. This case also underscores a growing pattern where third-party breaches are compounded by slow response cycles, internal communication gaps, and often, outdated or manual incident response processes between partners. We must move toward a model of shared real-time threat visibility across the entire supply chain, along with zero-trust access models that limit how much data vendors can retain or access post-engagement.

Ultimately, healthcare organizations must treat third-party services, especially those handling debt, litigation, or estate matters, as high-risk extensions of their own environment. If they don’t, patients will continue to suffer the consequences of invisible vulnerabilities buried deep in the supply chain.”

Erich Kron, security awareness advocate at KnowBe4 follows with this:

“Unfortunately, this is a case of the true victims being left unaware and vulnerable by the organizations that were trusted to keep their data secure. While the data was lost by NRS, they have been hired by the clinic to perform a service using data the clinic provided to them. As unfortunate as it is that the data was lost in the first place, the failure to notify individuals whose data was compromised for such a long time, leaves them open to potential fraud and identity theft. While NRS states there is no evidence to suggest there has been identity theft or fraud related to the incident, it can be extremely difficult to correlate attacks that may have happened specifically to this data dump. Information such as Social Security numbers, birth dates, and medical information, generally do not have a shelf life, and this information could be used against the victims of this crime years or decades later.

“In today’s business world, data breaches are a real concern and processes should be in place to quickly notify customers or employees impacted by the loss of data quickly and with a reasonable explanation of how to protect themselves now that their data is public.”

You’re only as secure as those you work with. Thus you need to make sure that those you work with are as secure as possible, just like the NHS in the UK has started to demand from those it works with.

UK’s Legal Aid Has Been Pwned

Posted in Commentary with tags on May 19, 2025 by itnerd

Reports have surfaced that a “significant amount” of private data dating back to 2010, including details of domestic abuse victims, was stolen from Legal Aid’s online system in an April breach.

More details here: https://www.gov.uk/government/news/legal-aid-agency-data-breach

Martin Jartelius, CISO at cybersecurity company Outpost24, commented:

“While described as “the latest in a line of attacks,” it’s important to note that the Legal Aid Agency (LAA) first detected the breach on 23 April 2025 and has been actively managing the incident since then. Under UK data protection laws, a notifiable personal data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours, unless it’s unlikely to pose a risk to individuals’ rights. If there’s a high risk, affected individuals must also be informed without undue delay. In this case, the public was not informed until 16 May—nearly three weeks later. While delays can sometimes be justified to assess the situation or support an organized investigation, this timeline falls well outside the expected reporting window.

“Given the sensitivity of the data involved and the scale of the breach, it’s now clear that individuals were placed at risk of further harm, including malicious targeting. Transparency and timely communication are essential—especially when public trust and personal safety are at stake.

“While the UK has recently faced attacks from groups like Scattered Spider, the Legal Aid Agency breach does not currently match their known pattern. This appears to be a targeted compromise of a digital platform, rather than a broader, hands-on infiltration and ransomware operation. This is of course based on the limited data published.”

The UK has been starting to focus more on upping its cybersecurity game. This is an example of what I mean. But this breach shows that it has much more work to do on that front.

US Retailers Now Targeted by Hackers Behind UK Retail Attacks

Posted in Commentary with tags on May 15, 2025 by itnerd

Google has warned that the hackers using Scattered Spider tactics against retail chains in the UK have now started targeting retailers in the US in ransomware and extortion operations.

More details here: https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/

But here’s the TL;DR:

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer.

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.”

Martin Jartelius, CISO at cybersecurity company Outpost24, commented:

“Well, there is often a geographic element to campaigns, of course, but the difference between cyber and regular crime is that you have billions of neighbors on the internet.

A transition from one primarily English-speaking region to another is less adaptation of scripts and makes good sense. Social engineering is related to marketing in that it aims to entice a desired behavior in another individual, which requires both a well-tailored script and an element of culture suited for those you target for it to work out. We see this in smaller fraud as well, where a method is reused, and in those cases scripts, that is ways of working the social engineering, are even sold between criminals.”

Hopefully US retailers are paying attention, as UK retailers have been pwned in epic fashion over the last couple of weeks, which in turn caused a fair amount of chaos. I would not like to see history repeat itself in the US.

Nucor Pwned In Some Sort Of Cyberattack

Posted in Commentary with tags on May 15, 2025 by itnerd

News has surfaced that Nucor, the largest steel manufacturer in the US, shut down production operations after discovering its servers had been penetrated. Here is what the company said in its SEC filing:

Nucor Corporation (the “Company”) recently identified a cybersecurity incident involving unauthorized third party access to certain information technology systems used by the Company. Upon detecting the incident, the Company began promptly taking steps to contain and respond to the incident, including activating its incident response plan, proactively taking potentially affected systems offline and implementing other containment, remediation, or recovery measures. The Company is actively investigating the incident with the assistance of leading external cybersecurity experts and has notified federal law enforcement authorities. As of the date of this filing and in an abundance of caution, the Company temporarily and proactively halted certain production operations at various locations. However, the Company is currently in the process of restarting the affected operations.

As the investigation of the incident is ongoing, the Company will continue to monitor the timing and materiality of the incident.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, had this to say:

“The Nucor situation represents yet another concerning example of critical infrastructure disruption due to a cyber incident. While their response in the SEC filing offers very little by way of details, the incident highlights the persistent vulnerability of manufacturing environments to both nation-state actors and criminal enterprises.”

“The economic impact for such victims is particularly challenging. When production stoppages create immediate financial impact and supply chain disruptions, the pressure to resolve quickly—potentially through ransom payment—becomes intense, as demonstrated by the Colonial Pipeline incident.”

“This case should serve as a reminder that operational technology security requires investment proportional to its critical importance. For manufacturers like Nucor, cybersecurity isn’t restricted to IT but a fundamental business continuity issue.”

Rebecca Moody, Head of Data Research at Comparitech, added this:

“While Nucor hasn’t disclosed the nature of the attack and no gangs have claimed responsibility for the attack as of yet, there’s a high probability that we could be looking at a ransomware attack. So far this year, we’ve seen 19 such attacks on US manufacturers. Not only can these attacks cause widespread disruption, like we’re seeing with Nucor, but the majority of these attacks (18) have also seen data breached. Over 33,000 records are confirmed to have been impacted in these attacks, highlighting the ongoing double-extortion tactics used by ransomware gangs.”

“This is why the manufacturing sector is a key target for ransomware gangs: 1) because it can ill-afford downtime (our recent study found manufacturing companies lose an average $1.9 million per day of downtime after a ransomware attack) and 2) because these companies often have key data that can be exploited, too.”

“If this is indeed a ransomware attack, it’s likely data will have been stolen and, given the company’s size, this breach could be extensive.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, follows up with this:

“With multiple steel mills, reducing centers, and fabrication plants in the U.S., Nucor is an attractive target for a ransomware attack. A company like Nucor can’t afford extended downtime, so it will likely be willing to pay a ransom to get its systems released by the bad guys. Nucor may also have been targeted due to the ongoing trade war between the U.S. and China. China is not above using hackers to disrupt U.S. industry during such trade wars.”

“While not a direct piece of the U.S. infrastructure, Nucor definitely is a major supplier to companies that make up the infrastructure, also making them an attractive target for the bad actors of the world.”

I would be interested in hearing the details of this attack, and hopefully we get them. Given the scant level of information so far, this attack could be bad, or really bad.

Earth Ammit Targets Drone Supply Chain Says Trend Micro

Posted in Commentary with tags on May 15, 2025 by itnerd

Trend Micro has identified a Chinese-linked threat actor, Earth Ammit, responsible for multi-wave supply chain attacks on organizations across Taiwan and South Korea between 2023 and 2024. The group executed two major campaigns—Venom and Tidrone—targeting military, industrial, technology, satellite, media, and healthcare sectors.

Andrew Obadiaru, CISO, Cobalt, had this to say:

“Long-term supply chain intrusions like this are exactly why security validation needs to extend beyond your own environment. You’re only as secure as the least-tested component in your ecosystem—and in aerospace and defense, that often means legacy systems and smaller vendors without rigorous security programs. Offensive security helps close this gap by identifying the weak links attackers look for first. Whether it’s certificate abuse or persistence techniques buried deep in outdated firmware, you can’t defend what you don’t test. There must be a comprehensive VMP process as a key component in mitigating this risk as well as a recognition that an attack of this nature demonstrates that cybersecurity threats are no longer limited to digital boundaries; they’re embedded in the physical products and systems we rely on. A secure defense infrastructure requires regular pentesting, continuous visibility and proactive threat modeling.”

Supply chain attacks are becoming increasingly pervasive. Just look at this high-profile example from earlier this week. Thus an organization’s defence strategy has to be built around this new reality.