Farmers Insurance Data Breach Affects Over 1 Million Customers

1 unique source, 1 article

Summary


Farmers Insurance, along with its affiliated companies and subsidiaries, experienced a data breach through a third-party vendor. Unauthorized access to the vendor's database containing customer information occurred on May 29 and was discovered the following day, May 30. Over 1 million customers were affected. The compromised data included personal information, although the specific details have not been disclosed. The incident was detected by the vendor's monitoring tools, which allowed for quick containment measures. The investigation concluded on July 24. The company has notified law enforcement and is offering affected individuals two years of complimentary identity monitoring services.

Timeline

  1. 26.08.2025 23:19 · 1 article

    Farmers Insurance Data Breach Disclosed

    The breach occurred on May 29 and was detected the following day. Over 1 million customers were affected, and the investigation concluded on July 24. The compromised data included personal information, although specific details have not been disclosed. The company has notified law enforcement and is offering affected individuals two years of complimentary identity monitoring services.


Information Snippets

  • The breach occurred on May 29 and was detected the following day, May 30.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • Over 1 million customers were affected by the breach.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • The breach involved a third-party vendor's database containing customer information.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • The vendor's monitoring tools detected the unauthorized access, which allowed containment measures to be put in place.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • Farmers Insurance launched a comprehensive investigation on May 30, concluding on July 24.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • The compromised data included personal information, although specific details have not been disclosed.

    First reported: 26.08.2025 23:19
    1 source, 1 article
  • The company has notified law enforcement and is offering affected individuals two years of complimentary identity monitoring services.

    First reported: 26.08.2025 23:19
    1 source, 1 article

Similar Happenings

Harrods Data Breach via Third-Party Provider

Harrods, a luxury British department store, disclosed a new data breach affecting 430,000 online customers. The breach involved the compromise of a third-party provider's system, leading to the exposure of names, contact details, and internal marketing tags and labels. The incident was isolated and contained, and no account passwords, payment details, or order histories were compromised. The breach is not connected to a previous incident in May, where unauthorized access attempts were detected. Four individuals were arrested in July for suspected involvement in cyberattacks against Harrods and other major British retailers. This breach is part of a series of recent cyberattacks targeting high-profile British businesses, including Jaguar Land Rover and the Kido nursery chain.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts that exposed firewall configuration backup files for fewer than 5% of its customers. The breach was caused by a series of brute-force attacks, and SonicWall confirmed that the attackers accessed the API service for cloud backup. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices, which could make it easier for threat actors to exploit SonicWall firewalls. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off the attackers' access and is collaborating with cybersecurity and law enforcement agencies. There is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. Following the breach, SonicWall has also released a firmware update to remove rootkit malware from SMA 100 series devices. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.
The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor and user-mode rootkit, to maintain access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected of collaborating with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

Plex Data Breach Exposes Customer Authentication Details

Plex, a media streaming platform, has suffered a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised information includes email addresses, usernames, and securely hashed passwords. Plex has advised users to reset their passwords, enable two-factor authentication, and sign out connected devices to secure their accounts. The breach did not include payment card information. Plex has addressed the vulnerability and launched internal reviews to improve security. The company also warns users about potential phishing attacks. This is the second data breach for Plex, prompting users to take immediate action to secure their accounts.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) has extended the production shutdown for another week following a cyberattack that severely disrupted its operations. The UK government has announced a £1.5 billion ($2 billion) loan guarantee for JLR to support its supply chain, which has been greatly impacted by the shutdown. The incident, which occurred over the weekend, forced the shutdown of several systems, including those at the Solihull production plant. Customer data appears unaffected, but some data was stolen during the breach. This is the second cyberattack JLR has experienced this year, following a previous incident in March. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, with a revenue exceeding $38 billion. The attack impacted the ability to register new cars and supply parts at service points in the UK. The specific type of attack and timeline for recovery remain unspecified. A group identifying as "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, posting screenshots of an internal JLR SAP system on a Telegram channel and stating that they deployed ransomware on the company's compromised systems.