From December 2-10, 2025, disclosures around an Oracle E‑Business Suite campaign, a large third‑party fintech breach, and several sector‑specific data exposures highlighted how platform and vendor compromises are driving multi‑organization risk. University of Phoenix confirmed a significant Oracle EBS breach tied to CVE‑2025‑61882, Marquis Software’s ransomware breach impacted over 74 U.S. banks and credit unions, and French DIY retailer Leroy Merlin reported loyalty‑data exposure for French customers. Freedom Mobile’s subcontractor account compromise exposed Canadian telecom customer data, while pharma CRO Inotiv’s August ransomware attack was confirmed to have led to data exfiltration affecting at least 9,542 individuals by early December.
1. University of Phoenix Data Breach After Oracle E‑Business Suite Hack
Breach window: Early August 2025 campaign; Oracle EBS compromise and data theft at UoPX confirmed on November 21, 2025.
Disclosure window: Public breach disclosure and media coverage on December 2-4, 2025.
Overview
University of Phoenix disclosed that attackers exploited a zero‑day in its Oracle E‑Business Suite financial environment, stealing data from ERP‑backed systems before the university detected the compromise via an extortion leak site listing on November 21, 2025. The breach impacts students, staff, and suppliers whose records were processed in the affected Oracle EBS instance.
Explanation
Threat actors exploited CVE‑2025‑61882, an unauthenticated remote code execution flaw in Oracle EBS, via an internet‑exposed financials endpoint, enabling arbitrary SQL and application‑layer operations within the ERP stack. They ran large export jobs against HR, student, and supplier tables, staged data on EBS file shares, and used encoded PowerShell from associated Windows middleware hosts to exfiltrate datasets over HTTPS to external infrastructure.
Impact
Compromised data spans PII and financial attributes for current and former students, staff, and vendors, including names, addresses, dates of birth, contact details, Social Security or taxpayer IDs, and bank/financial account information where stored for payroll, disbursements, or refunds. Sector summaries reference an estimated ~618,000 records exposed, though UoPX has not confirmed a final count, and exfiltrated data presence on extortion infrastructure significantly increases fraud and identity‑theft risk.
Details
MITRE ATT&CK
- T1190 – Exploit Public‑Facing Application: CVE‑2025‑61882 on Oracle EBS financials front end.
- T1059.006 – PowerShell: Encoded scripts from Oracle/WebLogic hosts for staging and exfiltration.
- T1078.004 – Valid Accounts (Enterprise): Abuse of app/DB and potentially AD service accounts for deeper access.
- T1005 / T1213 – Data from Local System / Repositories: Bulk exports from student, HR, and vendor schemas.
- T1041 – Exfiltration Over C2 Channel: HTTPS exfiltration of ERP exports to attacker‑controlled endpoints.
Key artifacts and behaviors
- Anomalous Oracle DB export jobs against person/vendor tables outside normal batch windows.
- Web access logs showing repeated requests to sensitive Oracle EBS URLs with atypical parameters.
- Windows logs on middleware servers with encoded PowerShell commands and unusual outbound HTTPS connections.
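The two middleware artifacts above (encoded PowerShell on Oracle/WebLogic hosts and unusual outbound HTTPS) are most useful when correlated. The script below is an added example, not code from the original post or from University of Phoenix; it decodes the -EncodedCommand argument from constructed process-creation events and flags it only when the same host then opens an HTTPS connection to a destination outside an assumed egress allowlist. Host names, IP addresses, the allowlist and the 15-minute window are all assumptions.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed telemetry (not from the incident); the blob decodes to a harmless cmdlet.
SAMPLE_BLOB = base64.b64encode("Get-ChildItem".encode("utf-16le")).decode()
PROCESS_EVENTS = [  # (timestamp, host, command line) from Windows process-creation logs
    ("2025-08-03T02:14:05", "weblogic-01", f"powershell.exe -nop -w hidden -enc {SAMPLE_BLOB}"),
    ("2025-08-03T02:20:11", "weblogic-01", "powershell.exe -File C:\\ops\\nightly-backup.ps1"),
]
NETWORK_EVENTS = [  # (timestamp, host, destination, port) from firewall or NetFlow
    ("2025-08-03T02:15:40", "weblogic-01", "203.0.113.25", 443),
    ("2025-08-03T02:21:00", "weblogic-01", "backup.corp.example", 443),
]
MIDDLEWARE_HOSTS = {"weblogic-01", "weblogic-02"}  # assumed asset inventory
ALLOWED_DESTINATIONS = {"backup.corp.example", "updates.oracle.com"}  # assumed egress allowlist

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) plus -ec.
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the line carries none."""
    for flag, blob in FLAG_RE.findall(cmdline):
        f = flag.lower()
        if f != "ec" and not "encodedcommand".startswith(f):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None

def correlate(process_events, network_events, window_minutes=15):
    """Flag encoded PowerShell on a middleware host followed, within the window,
    by an outbound HTTPS connection to a destination that is not allowlisted."""
    findings = []
    for ts, host, cmdline in process_events:
        if host not in MIDDLEWARE_HOSTS or "powershell" not in cmdline.lower():
            continue
        decoded = decode_encoded_command(cmdline)
        if decoded is None:
            continue
        start = datetime.fromisoformat(ts)
        for nts, nhost, dest, port in network_events:
            seen_at = datetime.fromisoformat(nts)
            if (nhost == host and port == 443 and dest not in ALLOWED_DESTINATIONS
                    and start <= seen_at <= start + timedelta(minutes=window_minutes)):
                findings.append({"host": host, "at": ts, "decoded": decoded, "dest": dest})
    return findings
```

The scripted backup run is ignored because it carries no encoded payload and talks only to an allowlisted host; in production the decoded script text, not just the flag, is what an analyst triages.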
Takeaway for CISO
ERP/EBS systems must be treated as Tier‑0 assets with emergency patch pathways, active WAF rules, and continuous attack‑surface discovery to prevent exposure of exploitable Oracle endpoints. Correlating DB audit, web access, and outbound network telemetry is essential for early detection of large ERP export and exfiltration patterns.
2. Marquis Data Breach Impacts Over 74 US Banks and Credit Unions
Breach window: Initial compromise and ransomware deployment on August 14, 2025.
Disclosure window: Impact and victim counts surfaced through regulatory filings and press reports on December 3-8, 2025.
Overview
Marquis Software Solutions, a U.S. fintech/marketing provider to banks and credit unions, reported that a ransomware attack and data breach exposed data from over 74 U.S. financial institutions, affecting more than 780,000 individuals. The compromise originated from a SonicWall firewall exploit and resulted in exfiltration of high‑value aggregated customer datasets stored for analytics, marketing, and compliance.
Explanation
Attackers exploited a vulnerability on Marquis’ SonicWall firewall to gain initial access into the Marquis network, then moved laterally into environments hosting multi‑client data warehouses. Before deploying ransomware, they staged and exfiltrated PII and financial data supplied by client institutions; subsequent reports indicate Marquis paid a ransom to prevent leak publication, a classic double‑extortion pattern.
Impact
The breach impacts customers of at least 74 banks and credit unions and more than 780,000 individuals across the U.S., with exposed data including names, addresses, dates of birth, phone numbers, Social Security numbers, and bank account identifiers (reported without security/access codes in some notices). Because Marquis centralizes data from hundreds of institutions, this single compromise introduces cross‑institution fraud risks and complex notification cascades.
Details
MITRE ATT&CK
- T1190 – Exploit Public‑Facing Application: SonicWall firewall exploitation for initial foothold.
- T1021.001 – Remote Services (RDP/SMB): Lateral movement to data warehouse and application servers.
- T1005 / T1213 – Data from Local System / Repositories: Extraction from multi‑tenant data stores holding client bank/credit‑union data.
- T1074 – Data Staged and T1041 – Exfiltration Over C2: Staging of large exports and transfer to attacker infrastructure.
- T1486 – Data Encrypted for Impact: Ransomware encryption of internal Marquis systems post‑exfiltration.
Key artifacts and behaviors
- On August 14, 2025, unusual access through SonicWall management interfaces followed by internal admin sessions targeting data platforms.
- Bulk queries and exports from PII‑ and account‑heavy schemas, with corresponding spikes in outbound traffic to non‑business IP ranges.
- Ransom negotiations focused on suppression of exfiltrated data publication rather than system recovery alone.
Takeaway for CISO
Vendors aggregating regulated financial data must be managed as Tier‑0 third parties with strict perimeter hardening, patch SLAs for network appliances, and detailed telemetry sharing obligations. Institutions should demand per‑client exposure metrics and IoCs from such vendors to accelerate downstream detection, fraud monitoring, and response.
3. French DIY Retail Giant Leroy Merlin Data Breach
Breach window: Undisclosed; attack occurred before containment and investigation concluded in late November 2025.
Disclosure window: Public breach disclosure and French customer notifications on December 2-4, 2025.
Overview
Leroy Merlin reported that a cyberattack on its information systems led to unauthorized access to customer data related to its French operations, specifically affecting loyalty and contact information rather than payment data. The incident is limited to France despite the retailer’s broader European and global presence.
Explanation
An attacker gained unauthorized access to Leroy Merlin’s customer information systems, likely including CRM and loyalty‑program components tied to French customers. While the company has not disclosed the specific vulnerability or initial vector, it confirmed that security teams blocked the intrusion, conducted an internal investigation, and began notifying affected customers once the scope was understood. No public claims of responsibility or evidence of data leak publication have been reported to date.
Impact
The breach exposed personal and loyalty‑related data for Leroy Merlin France customers, including names, phone numbers, email addresses, postal addresses, dates of birth, and loyalty program details. The company states that no banking data or account passwords were compromised, which reduces direct payment fraud exposure but leaves customers vulnerable to highly targeted phishing, smishing, and impersonation attacks leveraging rich identity attributes.
Details
MITRE ATT&CK (pattern‑based)
- T1190 – Exploit Public‑Facing Application: Plausible vector for access to CRM/loyalty portals or APIs.
- T1078 – Valid Accounts: Use of compromised internal or partner credentials cannot be ruled out from available information.
- T1213 – Data from Information Repositories: Access to CRM/loyalty databases holding French customer records.
- T1041 – Exfiltration Over Web Service: Potential transfer of exported customer datasets to remote infrastructure.
Key observations
- Scope limited to French customers indicates either country‑level segmentation or localized systems, containing the blast radius geographically.
- Clear separation between payment processing and CRM/loyalty systems prevented payment data exposure, suggesting effective segmentation at that boundary.
Takeaway for CISO
Retailers should treat loyalty and CRM platforms as critical identity stores, not secondary marketing systems, applying payment‑grade controls, monitoring, and segmentation. Country‑level segmentation and strict cross‑region access controls can materially limit the scale of global impact when regional systems are compromised.
4. Freedom Mobile Data Breach Exposing Customer Data
Breach date: October 23, 2025 – unauthorized access via a subcontractor account.
Disclosure window: Public notification and media reporting on December 2-4, 2025.
Overview
Freedom Mobile disclosed that an attacker used a subcontractor’s legitimate account to access its customer account management platform, viewing and collecting data on a subset of Canadian mobile subscribers. The compromise was detected the same day and the account was promptly disabled, limiting the duration but not preventing data exposure.
Explanation
The attacker leveraged valid credentials belonging to a third‑party subcontractor to authenticate into Freedom’s internal account management system over HTTPS. From there, they accessed individual customer records within the application, pulling profile data fields visible to that subcontractor role. Freedom’s monitoring detected anomalous access patterns, leading to termination of the subcontractor account and additional hardening of third‑party access controls.
Impact
The breach affected a “limited number” of customers (exact count undisclosed), exposing each impacted customer’s name, home address, date of birth, phone number(s), and Freedom Mobile account number. Although passwords and payment card data were not accessed, this data combination materially increases the risk of targeted SIM‑swap attempts, fraudulent port‑outs, and social‑engineering attacks against Freedom support channels.
Details
MITRE ATT&CK
- T1078.004 – Valid Accounts (Cloud/Enterprise): Compromise and abuse of a subcontractor’s legitimate account.
- T1213 – Data from Information Repositories: Querying customer account management databases via the application layer.
- T1041 – Exfiltration Over Web Service: Viewing/exporting customer records over authenticated sessions.
Key artifacts and behaviors
- Subcontractor account logins from anomalous IP locations or devices compared to established baselines.
- Patterns of rapid, sequential access to multiple customer accounts outside the subcontractor’s normal workload.
- Access logs showing reads of profile fields containing PII and account identifiers for impacted customers.
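The three artifacts above reduce to two checks on the application audit trail: a third-party identity appearing from a source it has never used, and that identity touching more distinct customer accounts in a short window than its baseline allows. The script below is an added example, not code from the original post or from Freedom Mobile; the log format, account names, IP addresses and per-identity baselines are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed audit log (not Freedom Mobile data): a subcontractor account reads seven profiles in 20 s.
AUDIT_LOG = """\
2025-10-23T09:02:11 user=vendor-svc-17 src=198.51.100.8 cust=C1001 action=view_profile
2025-10-23T09:02:14 user=vendor-svc-17 src=198.51.100.8 cust=C1002 action=view_profile
2025-10-23T09:02:17 user=vendor-svc-17 src=198.51.100.8 cust=C1003 action=view_profile
2025-10-23T09:02:20 user=vendor-svc-17 src=198.51.100.8 cust=C1004 action=view_profile
2025-10-23T09:02:23 user=vendor-svc-17 src=198.51.100.8 cust=C1005 action=view_profile
2025-10-23T09:02:26 user=vendor-svc-17 src=198.51.100.8 cust=C1006 action=view_profile
2025-10-23T09:02:29 user=vendor-svc-17 src=198.51.100.8 cust=C1007 action=view_profile
2025-10-23T09:05:00 user=agent-44 src=203.0.113.41 cust=C2001 action=view_profile
2025-10-23T09:40:00 user=agent-44 src=203.0.113.41 cust=C2002 action=update_phone
"""
# Assumed per-identity baselines: source IPs seen before, and the most distinct customers normally touched per window.
BASELINE = {
    "vendor-svc-17": {"known_src": {"203.0.113.40"}, "max_customers": 5},
    "agent-44": {"known_src": {"203.0.113.41"}, "max_customers": 20},
}
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) cust=(\S+) action=(\S+)$")

def parse(line):
    """Split one audit line into its fields; the timestamp becomes a datetime."""
    ts, user, src, cust, action = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "cust": cust, "action": action}

def detect(log_text, baseline, window=timedelta(minutes=10)):
    """Return de-duplicated alerts: unfamiliar source IPs, and rapid enumeration
    of distinct customer accounts by one identity inside the sliding window."""
    alerts, seen, recent = [], set(), {}
    for line in log_text.splitlines():
        e = parse(line)
        b = baseline.get(e["user"])
        if b is None:
            continue  # identities with no baseline are an onboarding gap, handled elsewhere
        if e["src"] not in b["known_src"] and ("new_source", e["user"], e["src"]) not in seen:
            seen.add(("new_source", e["user"], e["src"]))
            alerts.append(("new_source", e["user"], e["src"]))
        q = recent.setdefault(e["user"], deque())
        q.append((e["ts"], e["cust"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop reads older than the sliding window
        distinct = len({c for _, c in q})
        if distinct > b["max_customers"] and ("rapid_enumeration", e["user"]) not in seen:
            seen.add(("rapid_enumeration", e["user"]))
            alerts.append(("rapid_enumeration", e["user"], distinct))
    return alerts
```

The count attached to the rapid_enumeration alert is the number of distinct customers at the moment the baseline was first exceeded, which is the figure an analyst needs to scope notification.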
Takeaway for CISO
Third‑party identities with access to customer management platforms must be managed as privileged accounts with strong MFA, narrow scopes, behavioral baselines, and anomaly detection. Telecom and similar providers should tightly integrate SOC and fraud functions to monitor for SIM‑swap and port‑out attempts following any PII exposure event.
5. Pharma Firm Inotiv Data Breach After Ransomware Attack
Attack and breach window: August 5-8, 2025 – unauthorized access, ransomware encryption, and data exfiltration.
Disclosure window: Data‑breach dimension publicly detailed in media and regulatory notices on December 4-7, 2025.
Overview
Inotiv, a pharmaceutical contract research organization, confirmed that a ransomware attack in early August 2025 not only disrupted operations but also resulted in theft of personal data for at least 9,542 individuals. Subsequent reporting in December clarified the breach scope, including employees, related family members, and other individuals associated with Inotiv or acquired companies.
Explanation
Threat actors gained unauthorized access to Inotiv systems between August 5 and 8, 2025, moved laterally to critical servers, exfiltrated data, and then deployed ransomware, encrypting internal systems and forcing network shutdowns. While initial access vector details are not public, the attack follows common ransomware patterns, with some reporting attributing the campaign to the Qilin group and referencing extended pre‑encryption intrusion and reconnaissance.
Impact
Regulatory filings and notifications indicate that 9,542 individuals’ data was exposed, including current and former employees, their family members, and individuals linked to Inotiv’s business or acquisitions. Exposed data includes personal identifiers and, in some cases, potentially health‑related or employment‑related information, though specific fields are not exhaustively listed in public notices. Operationally, the attack required system shutdowns and contributed to financial strain on a company already managing significant debt and operating losses.
Details
MITRE ATT&CK
- T1566 – Phishing or T1190 – Exploit Public‑Facing Application: Likely initial access vectors based on common ransomware approaches; not explicitly confirmed.
- T1021 – Remote Services: Lateral movement from initial foothold to critical servers and data stores.
- T1005 / T1213 – Data from Local System / Repositories: Collection of employee and related individual datasets prior to encryption.
- T1041 – Exfiltration Over C2 Channel: Export of personal data to threat actor infrastructure over encrypted channels.
- T1486 / T1490 – Data Encrypted for Impact / Inhibit System Recovery: Ransomware encryption and likely attempts to disrupt backups and restoration paths.
Key artifacts and behaviors
- August 5-8: abnormal access patterns to HR and related systems, followed by rapid spread of encryption activity.
- Network isolation of affected systems and subsequent staged restoration once threats were removed.
- Forensic conclusion that threat actors “may have acquired” and did exfiltrate personal data, triggering breach‑notification obligations.
Takeaway for CISO
In healthcare and pharma, ransomware should be presumed to include data theft, with breach‑notification and regulatory implications baked into incident response from the outset. Segmentation between HR, R&D, clinical, and corporate IT, combined with strong exfiltration detection and offline, tested backups, is essential to limiting both operational and privacy damage.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing and NextGen Attack Surface Management.
