TransUnion Data Breach Affects Over 4 Million Customers

1 unique source, 1 article

Summary

TransUnion, a major credit reporting agency, confirmed a data breach that compromised the personal information of over 4 million customers. The breach occurred on July 28, 2025, and was discovered two days later. An unauthorized actor accessed personal data through a third-party application used by TransUnion's US customer support operations. The compromised information was limited to specific data elements and did not include credit reports or core credit information. TransUnion is offering impacted customers two years of free credit monitoring services. The identity of the threat actor remains unknown, and there is no confirmed correlation with other recent security incidents.

Timeline

  1. 28.08.2025 22:25 · 1 article · 1mo ago

    TransUnion Data Breach Affects Over 4 Million Customers

    On July 28, 2025, TransUnion suffered a data breach that compromised the personal information of over 4 million customers. The breach was discovered on July 30, 2025, and involved a third-party application used by TransUnion's US customer support operations. The compromised data did not include credit reports or core credit information. TransUnion is offering impacted customers two years of free credit monitoring services. The identity of the threat actor and any potential correlation with other recent security incidents remain unknown.

Information Snippets

  • The breach occurred on July 28, 2025, and was discovered on July 30, 2025.

    First reported: 28.08.2025 22:25
    1 source, 1 article
  • The breach involved a third-party application used by TransUnion's US customer support operations.

    First reported: 28.08.2025 22:25
    1 source, 1 article
  • The compromised data did not include credit reports or core credit information.

    First reported: 28.08.2025 22:25
    1 source, 1 article
  • TransUnion is offering impacted customers two years of free credit monitoring services.

    First reported: 28.08.2025 22:25
    1 source, 1 article
  • The identity of the threat actor and any potential correlation with other recent security incidents remain unknown.

    First reported: 28.08.2025 22:25
    1 source, 1 article

Similar Happenings

Harrods Data Breach via Third-Party Provider

Harrods, a luxury British department store, disclosed a new data breach affecting 430,000 online customers. The breach involved the compromise of a third-party provider's system, leading to the exposure of names, contact details, and internal marketing tags and labels. The incident was isolated and contained, and no account passwords, payment details, or order histories were compromised. The breach is not connected to a previous incident in May, where unauthorized access attempts were detected. Four individuals were arrested in July for suspected involvement in cyberattacks against Harrods and other major British retailers. This breach is part of a series of recent cyberattacks targeting high-profile British businesses, including Jaguar Land Rover and Kido nursery chain.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. The RaccoonO365 network operated as a phishing-as-a-service (PhaaS) toolkit, marketed to cybercriminals via a subscription model on a private Telegram channel. The group used legitimate tools like Cloudflare Turnstile and Workers scripts to protect their phishing pages, making detection more challenging. The mastermind behind RaccoonO365 is believed to be Joshua Ogundipe, who received over $100,000 in cryptocurrency payments. The group is also suspected to collaborate with Russian-speaking cybercriminals. Cloudflare executed a three-day 'rugpull' against RaccoonO365, banning all identified domains, placing interstitial 'phish warning' pages, terminating associated Workers scripts, and suspending user accounts to prevent re-registration.

BreachForums Administrator Fitzpatrick Resentenced to Three Years in Prison

Conor Brian Fitzpatrick, alias Pompompurin, the administrator of the BreachForums hacking forum, has been resentenced to three years in prison. Fitzpatrick was initially sentenced to time served and 20 years of supervised release, but this was overturned due to violations of pretrial release conditions. BreachForums was a significant platform for trading and selling stolen data and access to corporate networks. Fitzpatrick's resentencing follows his guilty pleas to charges of conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child sexual abuse material (CSAM). The forum's activities included the sale and trade of stolen data from various sectors, including telecom providers, social networks, healthcare companies, investment firms, and government agencies. Fitzpatrick agreed to forfeit over 100 domain names, a dozen electronic devices, and cryptocurrency used in the operation of BreachForums. The U.S. Court of Appeals for the Fourth Circuit vacated Fitzpatrick's prior sentence on January 21, 2025. BreachForums had over 14 billion individual records at its peak and was relaunched multiple times despite efforts to shut it down. The original BreachForums database was leaked in July 2024, exposing members' information. ShinyHunters claimed the forum was compromised and under the control of international law enforcement in August 2025. The copycat forum went offline in September 2025, stating they have "decided to go dark" along with 14 other e-crime groups.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) has extended the production shutdown for another week following a cyberattack that severely disrupted its operations. The UK government has announced a £1.5 billion ($2 billion) loan guarantee for JLR to support its supply chain, which has been greatly impacted by the shutdown. The incident, which occurred over the weekend, forced the shutdown of several systems, including those at the Solihull production plant. Customer data appears unaffected, but some data was stolen during the breach. This is the second cyberattack JLR has experienced this year, following a previous incident in March. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, with a revenue exceeding $38 billion. The attack impacted the ability to register new cars and supply parts at service points in the UK. The specific type of attack and timeline for recovery remain unspecified. A group identifying as "Scattered Lapsus$ Hunters" has claimed responsibility for the attack, posting screenshots of an internal JLR SAP system on a Telegram channel and stating that they deployed ransomware on the company's compromised systems.

TamperedChef Malware Campaign Exploits Fake PDF Editors to Steal Credentials and Cookies

A cybercrime campaign has deployed TamperedChef, an information-stealing malware, through fake PDF editor installers. The malware steals credentials and cookies from infected systems. The campaign began on June 26, 2025, and activated malicious features on August 21, 2025. The malware is distributed via malvertising, directing users to fraudulent sites offering a trojanized PDF editor. The malware achieves persistence through Windows Registry changes and communicates with a command-and-control server to execute various malicious actions. The campaign is assessed to have been active for 56 days before activating malicious features. The malware, TamperedChef, is designed to harvest sensitive data, including credentials and web cookies. It also acts as a backdoor, supporting features such as scheduled tasks, data exfiltration, and arbitrary command execution. The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors. The campaign involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies. The campaign has been active since at least August 2024 and promoted other tools, including OneStart and Epibrowser browsers.