The first week of October 2025 witnessed a significant escalation in cybersecurity incidents affecting major organizations across multiple sectors including aviation, insurance, automotive, gaming, telecommunications, and software industries. This week’s incidents demonstrate sophisticated attack methodologies ranging from credential stuffing campaigns to ransomware deployment and supply chain compromises. Ten major incidents impacted over 5.5 million individuals and organizations globally, with threat actors increasingly leveraging third-party vulnerabilities and social engineering tactics.
Key highlights include WestJet’s massive data breach affecting 1.2 million passengers with passport exposures, Allianz Life’s confirmation of 1.5 million impacted customers, and the emergence of ShinyHunters’ aggressive extortion campaign targeting Salesforce customers. The week also saw continued targeting of the automotive sector with Renault and Dacia breaches, alongside sophisticated ransomware attacks on Japanese beverage giant Asahi.
Incident Feed
WestJet Data Breach Exposes Travel Documents of 1.2 Million Customers
Overview
On September 30, 2025, Canadian airline WestJet confirmed that a cyberattack occurring on June 13, 2025, resulted in the exposure of sensitive personal data belonging to over 1.2 million customers. The incident represents one of the most significant aviation-related data breaches in recent years, with attackers gaining access to highly sensitive travel documents including passports and government-issued identification.
Explanation
The attack methodology involved social engineering techniques to reset employee credentials, followed by exploitation of Citrix infrastructure to gain access to WestJet’s Windows network and Microsoft Cloud environment. Threat actors, likely associated with the Scattered Spider group, utilized compromised employee credentials to traverse internal systems and exfiltrate extensive customer databases. The attack demonstrated sophisticated lateral movement capabilities through cloud infrastructure, leveraging valid account access to maintain persistence and avoid detection.
Impact
The breach exposed comprehensive passenger data including full names, dates of birth, mailing addresses, travel documents (passports and government IDs), accommodation requests, complaint histories, WestJet Rewards membership details, and partial credit card information. The exposure of travel documents creates significant long-term identity theft risks, as these documents are difficult to replace and can enable synthetic identity fraud for extended periods. WestJet’s operations serve over 25 million passengers annually across 104 destinations, magnifying the potential impact scope.
Technical Details
- MITRE ATT&CK Mapping: T1078 (Valid Accounts), T1566 (Phishing), T1021.001 (Remote Desktop Protocol), T1105 (Ingress Tool Transfer)
- Attack Vector: Social engineering → Employee credential compromise → Citrix exploitation → Network traversal → Data exfiltration
- IOCs: Suspicious Citrix access patterns, anomalous Microsoft Cloud API calls, unusual data transfer volumes
- Log Artifacts: Failed authentication followed by successful privileged access, bulk data export operations, suspicious geographic login patterns
- Timeline: Initial breach June 13, 2025; Investigation completed September 15, 2025; Public disclosure September 30, 2025
Remediation
WestJet has implemented additional security measures including enhanced multi-factor authentication, improved network segmentation, and strengthened third-party access controls. The company is providing two years of free identity theft protection services through November 30, 2025. Recommended immediate actions include credential rotation, Citrix infrastructure hardening, and implementation of zero-trust access principles.
CISO Takeaway
This incident highlights the critical vulnerability of cloud-hybrid infrastructures and the devastating potential of social engineering attacks against privileged accounts. CISOs must prioritize employee security awareness training, implement robust identity verification procedures, and establish comprehensive monitoring for cloud environment anomalies.
Allianz Life Data Breach Impacts 1.5 Million People
Overview
Allianz Life completed its investigation into the July 16, 2025 cyberattack and confirmed on September 30, 2025, that 1,497,036 individuals were impacted. The attack targeted a third-party cloud-based Customer Relationship Management (CRM) system, exposing names, addresses, dates of birth, and Social Security numbers of customers, financial professionals, and employees.
Explanation
The breach was attributed to the ShinyHunters extortion group, which conducted a large-scale campaign targeting Salesforce instances of major companies. Attackers exploited API vulnerabilities and misconfigured permissions to gain unauthorized access to customer databases. The attack demonstrated sophisticated cloud targeting techniques, utilizing automated scripts to perform bulk data extraction operations while evading traditional security controls.
Impact
Compromised data includes highly sensitive personally identifiable information (PII) for nearly 1.5 million Americans. The exposure of Social Security numbers creates immediate risks for identity theft, financial fraud, and long-term privacy violations. The breach affects Allianz Life’s entire customer base and extends to business partners and internal employees, representing one of the largest insurance-related data incidents in recent years.
Technical Details
- MITRE ATT&CK Mapping: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1213 (Data from Information Repositories)
- Attack Vector: Salesforce API exploitation → Credential compromise → Database access → Bulk data exfiltration
- IOCs: Anomalous API request patterns, unauthorized token generation, suspicious geographic access locations
- Log Artifacts: Burst API activity outside normal patterns, bulk database query operations, unusual authentication events
- Data Volume: Approximately 2.8 million records across Salesforce “Accounts” and “Contacts” tables
Remediation
Allianz Life is providing two years of free Kroll Identity Monitoring services and has implemented enhanced API security controls. Salesforce has issued patches addressing API permission vulnerabilities and strengthened multi-factor authentication requirements for administrative accounts.
CISO Takeaway
The incident underscores the critical importance of third-party cloud security governance and API access management. CISOs must establish comprehensive vendor risk management programs with continuous monitoring of cloud service configurations and API usage patterns.
Data Breach at Dealership Software Provider Impacts 766,000 Clients
Overview
Motility Software Solutions (formerly Systems 2000/Sys2K) disclosed on September 30, 2025, that a ransomware attack on August 19, 2025, compromised sensitive data belonging to 766,000 customers. The attack affected the dealer management software provider serving approximately 7,000 dealerships across automotive, powersports, marine, and RV retail sectors.
Explanation
The attack involved the deployment of file-encrypting malware that both encrypted internal systems and exfiltrated customer data prior to encryption. The threat actors followed a typical ransomware operation methodology, gaining initial access, establishing persistence, conducting reconnaissance, and then simultaneously deploying ransomware while stealing sensitive data files. The dual-purpose attack ensured maximum leverage for extortion attempts.
Impact
Exposed data includes full names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, and driver’s license numbers. The breach affects customers across the entire automotive retail ecosystem, potentially enabling identity theft and financial fraud. The incident disrupted operations for thousands of dealerships dependent on Motility’s software platforms.
Technical Details
- MITRE ATT&CK Mapping: T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact), T1005 (Data from Local System)
- Attack Vector: Initial access → System enumeration → Credential harvesting → Lateral movement → Data exfiltration → Ransomware deployment
- IOCs: Malware file hashes, suspicious network traffic patterns, anomalous system process execution
- Log Artifacts: Process creation events, network connection logs, file system access patterns
- Recovery: Systems restored from clean backups with enhanced security measures implemented
Remediation
Motility has established dark web monitoring to detect stolen data circulation and is providing one year of free LifeLock identity monitoring services. The company implemented additional security tools and measures following full system restoration from backups.
CISO Takeaway
This incident demonstrates the growing threat of ransomware targeting software service providers, creating cascading impacts across entire industry sectors. CISOs must prioritize supply chain security assessments and ensure comprehensive backup and recovery capabilities.
ShinyHunters Launches Salesforce Data Leak Site to Extort 39 Victims
Overview
On October 3, 2025, the ShinyHunters threat group launched a dark web data leak site claiming to have stolen approximately 1 billion records from 39 companies using Salesforce cloud databases. The site represents an escalation in the group’s extortion tactics, directly pressuring victims to pay ransoms to prevent public data disclosure.
Explanation
ShinyHunters exploited vulnerabilities in Salesforce instances integrated with Salesloft Drift artificial intelligence chatbot services. The attacks leveraged API misconfigurations and weak access controls to systematically extract customer relationship management data. The group’s methodology demonstrated advanced cloud targeting capabilities with automated data harvesting across multiple victim organizations simultaneously.
Impact
Named victims include major corporations such as Cisco, Disney, KFC, IKEA, Marriott, McDonald’s, Walgreens, Albertsons, and Saks Fifth Avenue. Exposed data encompasses extensive personally identifiable information including names, dates of birth, nationality, passport numbers, employment histories, shipping information, chat transcripts, and flight details. The breach affects hundreds of millions of customer records across multiple industry sectors.
Technical Details
- MITRE ATT&CK Mapping: T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application), T1537 (Transfer Data to Cloud Account)
- Attack Vector: Salesforce API exploitation → Bulk data extraction → Cloud storage transfer → Extortion deployment
- IOCs: Anomalous API usage patterns, bulk data transfer operations, specific domain infrastructure used for extortion
- Proof of Concept: Automated scripts conducting unauthorized API calls to export large PII volumes
- Data Volume: Claimed 1.5 billion records from 760 companies total
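The "burst API activity" and "bulk database query" indicators listed for the Allianz Life breach above and the bulk-extraction pattern in this section, as an added example that is not from the original post, from Salesforce or from any named company: a Python detector that baselines each API user's busiest hour from constructed CRM audit records and flags later hours that far exceed it, also noting whether the traffic came from an IP the user had never used before. The record schema, thresholds, usernames and addresses are assumptions.

```python
"""Bulk-extraction detector over constructed CRM API audit records."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines audit records (an assumed schema, not Salesforce's own):
# two days of routine integration traffic, then a 02:00 burst from an unfamiliar IP.
SAMPLE_AUDIT = """\
{"ts":"2025-07-14T09:00:00Z","user":"integ-svc","ip":"192.0.2.10","object":"Contact","rows":400}
{"ts":"2025-07-14T13:00:00Z","user":"integ-svc","ip":"192.0.2.10","object":"Account","rows":250}
{"ts":"2025-07-15T09:00:00Z","user":"integ-svc","ip":"192.0.2.10","object":"Contact","rows":380}
{"ts":"2025-07-15T14:00:00Z","user":"integ-svc","ip":"192.0.2.10","object":"Account","rows":300}
{"ts":"2025-07-16T02:10:00Z","user":"integ-svc","ip":"203.0.113.55","object":"Contact","rows":900000}
{"ts":"2025-07-16T02:40:00Z","user":"integ-svc","ip":"203.0.113.55","object":"Account","rows":650000}
{"ts":"2025-07-16T09:00:00Z","user":"analyst-jo","ip":"192.0.2.22","object":"Contact","rows":50}
"""
CUTOFF = datetime(2025, 7, 16)  # records before this build the baseline; later ones are scored

# Assumed thresholds; tune to the tenant's real integration volumes.
BASELINE_MULTIPLIER = 10    # flag an hour above 10x the user's busiest baseline hour...
ABSOLUTE_MIN_ROWS = 10_000  # ...and above an absolute floor, so quiet users are not noisy


def parse_records(text):
    """Load the JSON-lines records and convert timestamps to datetimes."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
            recs.append(r)
    return recs


def hourly_rows(records):
    """Sum rows per (user, hour) and remember the IPs and objects involved."""
    buckets = defaultdict(lambda: {"rows": 0, "ips": set(), "objects": set()})
    for r in records:
        b = buckets[(r["user"], r["ts"].replace(minute=0, second=0))]
        b["rows"] += r["rows"]
        b["ips"].add(r["ip"])
        b["objects"].add(r["object"])
    return buckets


def detect_bulk_extraction(records, cutoff=CUTOFF):
    """Return alerts for hours where a user pulled far more rows than their baseline."""
    baseline_recs = [r for r in records if r["ts"] < cutoff]
    recent_recs = [r for r in records if r["ts"] >= cutoff]
    # Per-user baseline: busiest hour ever seen, and the source IPs normally used.
    peak = defaultdict(int)
    known_ips = defaultdict(set)
    for (user, _), b in hourly_rows(baseline_recs).items():
        peak[user] = max(peak[user], b["rows"])
        known_ips[user] |= b["ips"]
    alerts = []
    for (user, hour), b in sorted(hourly_rows(recent_recs).items(), key=lambda kv: kv[0][1]):
        threshold = max(BASELINE_MULTIPLIER * peak[user], ABSOLUTE_MIN_ROWS)
        if b["rows"] > threshold:
            alerts.append({
                "user": user, "hour": hour.isoformat(), "rows": b["rows"],
                "threshold": threshold,
                "new_ip": bool(b["ips"] - known_ips[user]),  # export from an unfamiliar source
                "objects": sorted(b["objects"]),
            })
    return alerts
```

An alert with `new_ip` set is the case to treat as a likely stolen token or integration credential: revoke it first, then size the exported row count against the affected objects.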
Remediation
Salesforce issued security patches addressing API permission vulnerabilities and enhanced MFA controls for administrative accounts. Organizations should implement IP whitelisting for API access, rotate all API credentials, and enable Salesforce Shield Event Monitoring for anomalous activity detection.
CISO Takeaway
The incident highlights the critical need for comprehensive cloud API security governance and continuous monitoring. CISOs must establish granular permission models, implement real-time API traffic analysis, and develop rapid credential rotation capabilities for cloud service disruption scenarios.
Japanese Beer Giant Asahi Confirms Ransomware Attack
Overview
Asahi Group Holdings confirmed on October 2, 2025, that a ransomware attack disrupted its operations across Japan beginning September 29, 2025. The Qilin ransomware group claimed responsibility on October 6, 2025, stating they had stolen 27 gigabytes of data including employee information, financial documents, and business forecasts.
Explanation
The Qilin ransomware group, operating as a ransomware-as-a-service platform, successfully infiltrated Asahi’s network infrastructure and deployed file-encrypting malware across critical systems. The attack methodology involved initial access through unknown vectors, followed by network reconnaissance, credential harvesting, lateral movement, and simultaneous data exfiltration and ransomware deployment. The attackers maintained access long enough to steal significant volumes of sensitive corporate data.
Impact
The attack halted order processing, shipping operations, and customer service functions across Asahi’s Japanese operations. Production was suspended at the majority of Asahi’s 30 domestic facilities, creating nationwide shortages of popular beverages including Asahi Super Dry beer. The incident affected one of Japan’s largest beverage producers with operations spanning multiple international markets.
Technical Details
- MITRE ATT&CK Mapping: T1486 (Data Encrypted for Impact), T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel)
- Attack Vector: Initial access → Network enumeration → Credential compromise → Lateral movement → Data theft → Ransomware deployment
- IOCs: Ransomware executable hashes, suspicious network communications, anomalous file encryption patterns
- Data Compromised: Over 9,300 files totaling 27GB including contracts, employee data, financial records, forecasts
- Recovery Timeline: All six alcohol production sites resumed operations by October 2, 2025
Remediation
Asahi is conducting comprehensive investigations to determine the full scope of data compromise and has engaged with law enforcement agencies. The company is implementing enhanced cybersecurity measures and working to restore full operational capacity across all affected systems.
CISO Takeaway
The incident demonstrates the operational and reputational impact of ransomware attacks on critical infrastructure. CISOs must prioritize network segmentation, implement comprehensive backup strategies, and establish robust incident response procedures to minimize operational disruption.
Renault and Dacia UK Warn of Data Breach Impacting Customers
Overview
Renault and Dacia UK notified customers on October 2, 2025, that personal data was compromised following a cyberattack on an unnamed third-party provider. The breach exposed customer names, contact information, vehicle identification numbers, and registration details for an undisclosed number of UK customers.
Explanation
The attack targeted a third-party data processing provider used by Renault Group UK, demonstrating the continuing trend of supply chain cybersecurity incidents. While specific attack methodologies were not disclosed, the incident followed typical third-party compromise patterns involving initial access through vendor systems followed by data exfiltration from customer databases. The attack was contained within the vendor’s environment without direct compromise of Renault’s core systems.
Impact
Compromised data includes sensitive customer information that could enable targeted phishing campaigns, social engineering attacks, and vehicle-related fraud schemes. The breach affects both Renault and Dacia customers in the UK market, potentially exposing individuals to identity theft and fraudulent activities. No financial information was compromised during the incident.
Technical Details
- MITRE ATT&CK Mapping: T1199 (Trusted Relationship), T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel)
- Attack Vector: Third-party vendor compromise → Database access → Customer data extraction
- Data Types: Names, gender, phone numbers, email addresses, postal addresses, VINs, registration details
- Containment: Incident isolated within third-party provider systems, threat removed from networks
- Regulatory Response: UK Information Commissioner’s Office (ICO) notified and conducting inquiries
Remediation
Renault has contacted all affected customers and reported the incident to UK authorities including the Information Commissioner’s Office. The company is advising customers to remain vigilant against unsolicited communications and never share password information with unknown parties.
CISO Takeaway
This incident reinforces the critical importance of comprehensive third-party risk management programs. CISOs must implement continuous monitoring of vendor security postures and establish contractual requirements for incident notification and response procedures.
Discord Discloses Data Breach After Hackers Steal Support Tickets
Overview
Discord disclosed on October 4, 2025, that hackers breached a third-party customer service provider on September 20, 2025, gaining access to support ticket data for users who interacted with Discord’s Customer Support and Trust & Safety teams. The Scattered Lapsus$ Hunters group claimed responsibility and demanded ransom payments.
Explanation
The attack exploited vulnerabilities in a third-party customer support platform, identified by attackers as Zendesk. Threat actors used social engineering and credential stuffing techniques to compromise support agent accounts or hijack active sessions, enabling unauthorized access to Discord’s ticketing system. The breach demonstrated sophisticated targeting of customer service infrastructure to access sensitive user communications and identification documents.
Impact
Exposed data includes Discord usernames, email addresses, names, IP addresses, limited billing details, support messages and attachments, and government ID images for a small subset of users. The breach particularly impacts users who submitted identification documents for age verification, creating significant identity theft risks. The incident affects Discord’s 200+ million monthly user base through potential exposure of sensitive support interactions.
Technical Details
- MITRE ATT&CK Mapping: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1005 (Data from Local System)
- Attack Vector: Third-party platform exploitation → Credential compromise → Support system access → Data exfiltration
- IOCs: Anomalous login IP addresses, suspicious API calls in logs, specific attacker tool file hashes
- Log Artifacts: Failed authentication events followed by successful privilege escalations
- Affected Systems: Third-party customer service ticketing platform with Discord integration access
Remediation
Discord revoked the third-party provider’s access to its ticketing system and engaged external forensic experts and law enforcement agencies. The company is implementing additional security measures for vendor access management and providing notification to affected users with protective guidance.
CISO Takeaway
The incident highlights risks associated with third-party service providers having access to sensitive customer data. CISOs must establish strict vendor access controls, implement continuous monitoring of third-party integrations, and maintain rapid response capabilities for vendor security incidents.
Red Hat Data Breach Escalates as ShinyHunters Joins Extortion
Overview
The Red Hat data breach initially claimed by Crimson Collective escalated on October 6, 2025, when ShinyHunters joined the extortion campaign. The attackers claim to have stolen approximately 570GB of data from 28,000 internal development repositories, including sensitive Customer Engagement Reports (CERs) containing confidential infrastructure information.
Explanation
The breach originated from unauthorized access to Red Hat’s GitLab environment used by the consulting division. Attackers utilized stolen credentials and automated repository cloning techniques to systematically extract source code and customer documentation. The involvement of ShinyHunters represents an escalation in “extortion-as-a-service” tactics, where established groups leverage their infrastructure and reputation to maximize extortion success rates.
Impact
Stolen data includes sensitive customer reports from high-profile organizations such as Walmart, HSBC, Bank of Canada, Atos Group, American Express, and the US Department of Defense. The exposure of Customer Engagement Reports creates significant risks for Red Hat’s clients, as these documents contain detailed information about network architectures, security configurations, and infrastructure dependencies.
Technical Details
- MITRE ATT&CK Mapping: T1078 (Valid Accounts), T1213 (Data from Information Repositories), T1537 (Transfer Data to Cloud Account)
- Attack Vector: Credential compromise → GitLab access → Automated repository cloning → Data exfiltration → Multi-group extortion
- IOCs: Suspicious domains, IP addresses used for exfiltration, hashes of stolen code samples
- Data Volume: ~570GB compressed data from 28,000 repositories including 800+ sensitive CERs
- Extortion Timeline: April 2024 breach, October 2025 ShinyHunters involvement and escalation
Remediation
Red Hat isolated the affected GitLab instance and engaged with authorities upon discovery. The company implemented additional security measures and continues investigating the full scope of the compromise. Organizations should review their engagement with Red Hat consulting services and assess potential exposure risks.
CISO Takeaway
This incident demonstrates the evolution of cybercriminal collaboration and the importance of comprehensive source code and repository security. CISOs must implement robust access controls for development environments and establish procedures for managing sensitive client documentation.
DraftKings Warns of Account Breaches in Credential Stuffing Attacks
Overview
DraftKings notified customers on October 6, 2025, that accounts were compromised in credential stuffing attacks discovered on September 2, 2025. The sports betting company confirmed that fewer than 30 customers were affected, with attackers using stolen credentials from non-DraftKings sources to gain unauthorized account access.
Explanation
The attack utilized credential stuffing methodology, where threat actors employed automated tools to test stolen username/password combinations against DraftKings’ authentication systems. The attackers leveraged credential databases compiled from previous data breaches across various online services, exploiting users’ tendency to reuse passwords across multiple platforms. The attack demonstrated typical patterns of rapid sequential login attempts followed by successful account compromise.
Impact
Compromised data includes names, addresses, dates of birth, phone numbers, email addresses, last four digits of payment cards, profile photos, transaction histories, account balances, and password change dates. While sensitive information like government IDs and full financial account numbers remained secure, the exposed data creates risks for identity theft and financial fraud targeting affected customers.
Technical Details
- MITRE ATT&CK Mapping: T1110 (Brute Force), used here as the initial access technique
- Attack Vector: Credential database compilation → Automated login attempts → Account compromise → Data access
- IOCs: Suspicious IP addresses, user agent anomalies, account lockout patterns followed by successful authentication
- Log Artifacts: Event ID 4625 (failed logins) followed by Event ID 4624 (successful logins)
- Scale: Less than 30 confirmed affected accounts, no financial losses reported
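The indicators listed above (rapid sequential attempts across many accounts, failed logins followed by a success, and non-browser user agents), as an added example that is not from the original post or from DraftKings: a Python detector run over constructed authentication log lines that flags credential-stuffing sources and the accounts that were successfully logged into from them. The log format, addresses, usernames and thresholds are assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
#   <ISO timestamp> <client IP> <username> <user agent, no spaces> <OK|FAIL>
SAMPLE_LOG = """\
2025-09-02T10:00:01Z 203.0.113.7 alice python-requests/2.31 FAIL
2025-09-02T10:00:02Z 203.0.113.7 bob python-requests/2.31 FAIL
2025-09-02T10:00:02Z 203.0.113.7 carol python-requests/2.31 FAIL
2025-09-02T10:00:03Z 203.0.113.7 dave python-requests/2.31 FAIL
2025-09-02T10:00:03Z 203.0.113.7 erin python-requests/2.31 OK
2025-09-02T10:00:05Z 203.0.113.7 grace python-requests/2.31 OK
2025-09-02T10:15:00Z 198.51.100.4 alice Mozilla/5.0 FAIL
2025-09-02T10:15:20Z 198.51.100.4 alice Mozilla/5.0 OK
2025-09-02T11:00:00Z 192.0.2.9 heidi Mozilla/5.0 OK
"""

# Assumed thresholds; tune against the service's real login baseline.
WINDOW = timedelta(minutes=5)     # how close together attempts must be
MIN_DISTINCT_USERS = 5            # many different accounts from one source
MIN_FAIL_RATIO = 0.6              # mostly failures: stolen credentials rarely all work
BROWSER_PREFIXES = ("Mozilla/",)  # anything else is treated as an automation client

def parse_log(text):
    """Turn the constructed log text into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, agent, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "agent": agent, "ok": result == "OK"})
    events.sort(key=lambda e: e["ts"])
    return events

def find_stuffing_sources(events):
    """IPs that, within any WINDOW, try many distinct usernames and mostly fail."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:  # slide the window forward
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if not e["ok"])
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = {  # keep the latest (largest) qualifying window
                    "distinct_users": len(users), "failures": fails, "attempts": len(window),
                    "automation_agent": not any(
                        e["agent"].startswith(BROWSER_PREFIXES) for e in window),
                }
    return flagged

def find_compromised_accounts(events, stuffing_ips):
    """Accounts that logged in successfully from a flagged source: the
    failures-then-success pattern that marks a stolen credential that worked."""
    return [{"user": e["user"], "ip": e["ip"], "ts": e["ts"].isoformat()}
            for e in events if e["ok"] and e["ip"] in stuffing_ips]

def analyze(text):
    """Run both checks and return the sources to block and the accounts to reset."""
    events = parse_log(text)
    sources = find_stuffing_sources(events)
    return {"stuffing_sources": sources,
            "compromised_accounts": find_compromised_accounts(events, sources)}
```

Note that alice's single failed attempt followed by a success from her usual browser IP is not flagged; only successes from a source that was spraying many accounts are treated as takeovers.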
Remediation
DraftKings required affected customers to reset passwords and enabled multi-factor authentication for enhanced account security. The company implemented additional technical safeguards including rate limiting, enhanced anomaly detection, and continuous monitoring for suspicious login patterns.
CISO Takeaway
While limited in scope, this incident reinforces the persistent threat of credential stuffing attacks against consumer services. CISOs must prioritize robust authentication controls, implement behavioral analytics for login monitoring, and educate users on password hygiene practices to mitigate credential reuse vulnerabilities.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management