November 2025: Major Cyber Attacks, Ransomware Attacks, Data Breaches
Date: 1 December 2025
November 2025 was yet another defining month in global cybersecurity. It was marked by large-scale data breaches, disruptive infrastructure outages and highly coordinated supply-chain attacks.
The London Councils cyber incident, which forced emergency service changes for over half a million residents, demonstrated how local authorities are vulnerable to systemic operational shutdowns. The spectacular $120M Balancer DeFi hack highlighted the growing maturity of crypto-focused threat actors who continue to exploit logic flaws in widely used protocols. This month also saw sensitive information exposed at some of the world’s most prominent organisations, including The Washington Post, University of Pennsylvania, and real-estate finance giant SitusAMC. Even well-resourced consumer platforms like DoorDash were hit in November, reinforcing that social engineering of employees remains one of the most critical entry points for attackers.
Across all these incidents, several core lessons emerge. First, third-party risk is now one of the most dangerous and least controlled elements of enterprise security. Second, the shift towards data-theft-only extortion means organisations can no longer rely on ransomware encryption as the “signal” of a breach. Silent exfiltration campaigns are now more common and more damaging. And finally, both public and private sector operations demonstrated that even mature environments struggle with timely detection, identity compromise, and segregation of critical systems.
Cyber Management Alliance’s services directly address the gaps illustrated in November’s attacks. Our NCSC-Assured Cyber Incident Planning and Response training course prepares teams to detect and contain attacks rapidly. Our Incident Response Playbooks and Cyber Tabletop Exercises equip organisations with the skills and preparedness to respond decisively to new and evolving threats.
As the threat landscape becomes more interconnected and more aggressive, partnering with us will help you ensure that your organisation stays one step ahead of the next incident.
- Data Breaches in November 2025
- Cyber Attacks and Ransomware Attacks in November 2025
- New Malware and Ransomware Discovered
- Vulnerabilities Discovered and Patches Released
- Advisories issued, reports, analysis etc. in November 2025
Data Breaches in November 2025
| Date | Victim | Summary | Threat Actor | Business Impact | Source |
|---|---|---|---|---|---|
| November 01, 2025 | University of Pennsylvania | ‘We got hacked’ emails threaten to leak University of Pennsylvania data | Unknown | The attack resulted in mass “We got hacked (Action Required)” emails being sent from University of Pennsylvania systems. The alleged threat actor claimed to have stolen data on approximately 1.2 million students, alumni and donors (names, birthdates, addresses, phone numbers, net worth estimates, donation history, demographic details) after compromising an employee’s SSO account and accessing systems such as Salesforce, Qlik, SAP and SharePoint. | Bleeping Computer |
| November 04, 2025 | Swedish IT supplier Miljödata | Swedish DPA launches investigation into massive data breach affecting 1.5M people | Datacarry ransomware group | The cyber attack on Miljödata exposed personal data of about 1.5 million Swedes, including names, addresses, ID numbers and sensitive health and employee information, which the Datacarry ransomware group later published on the darknet. | |
| November 05, 2025 | Nikkei | Nikkei says 17,000 impacted by data breach stemming from Slack account hack | Unknown | Nikkei said that Slack credentials stolen by malware let hackers access its internal Slack workspace, exposing names, email addresses and chat histories of about 17,368 employees and business partners. | |
| November 05, 2025 | Hyundai AutoEver America | Hyundai AutoEver America data breach exposes SSNs, driver’s licenses | Unknown | Hackers had access to Hyundai AutoEver America (HAEA) systems between Feb 22 and Mar 2, 2025, exposing names, Social Security numbers and driver’s license numbers (primarily of about 2,000 current and former employees) and putting those individuals at heightened risk of identity theft and long-term fraud. | Bleeping Computer |
| November 06, 2025 | The Congressional Budget Office (CBO) | U.S. Congressional Budget Office hit by suspected foreign cyber attack | Silk Typhoon | The CBO was hit by a suspected foreign cyber attack attributed to the threat actor Silk Typhoon, potentially exposing sensitive internal emails, policy analyses, economic forecasts and communications between lawmakers and CBO analysts, and threatening the confidentiality of U.S. fiscal planning. | Bleeping Computer |
| November 10, 2025 | GlobalLogic | Hitachi-owned GlobalLogic admits data stolen on 10k current and former staff | Clop Ransomware | More than 10,000 current and former GlobalLogic employees had personal data stolen, including names, addresses, social security/tax IDs, passport information, bank account and salary details, after attackers linked to Clop exploited zero-day flaws in Oracle E-Business Suite. | The Register |
| November 13, 2025 | The Washington Post | The Washington Post data breach impacts nearly 10K employees, contractors | Clop Ransomware | The breach exposed personal and financial details, including names, bank account and routing numbers, Social Security and tax IDs, of about 9,720 employees and contractors at The Washington Post after a zero-day in Oracle E-Business Suite was exploited between July and August 2025. The intrusion has been linked to the Clop ransomware group. | Bleeping Computer |
| November 13, 2025 | DoorDash | DoorDash says personal information of customers, dashers stolen in data breach | Insider threat | An employee-targeted social engineering attack on DoorDash exposed names, phone numbers, email addresses and physical addresses of customers, delivery workers and merchants, putting them at risk of phishing and other scams; no financial or government ID data was stolen. | |
| November 13, 2025 | Checkout.com | Checkout.com discloses data breach after extortion attempt | ShinyHunters | The breach exposed outdated merchant-onboarding documents and internal operational files after ShinyHunters gained access to a legacy third-party cloud storage system; payment processing, merchant funds and card data were not compromised. | |
| November 17, 2025 | Logitech | Logitech discloses data breach after Clop claims | Clop Ransomware | Hackers exploited a zero-day flaw in a third-party software platform used by Logitech to copy internal corporate data. Clop claimed the breach, with approximately 1.8 terabytes of data exfiltrated. | The Record |
| November 20, 2025 | Almaviva | Hacker claims to steal 2.3 TB data from Italian rail group, Almaviva | ByteToBreach | A hacker group known as ByteToBreach claimed to have breached Almaviva and stolen 2.3 terabytes of internal corporate data affecting the Italian rail group FS Italiane. | Bleeping Computer |
| November 21, 2025 | Gainsight | Salesforce instances hacked via Gainsight integrations | ShinyHunters | A supply-chain attack claimed by ShinyHunters allowed unauthorised access via Gainsight-published apps connected to Salesforce, potentially exposing CRM data of more than 200 customer organisations. | Security Week |
| November 22, 2025 | Cox Enterprises | Cox Enterprises discloses Oracle E-Business Suite data breach | Clop Ransomware | Cox Enterprises confirmed that a zero-day flaw in Oracle E-Business Suite (CVE-2025-61882) was exploited, exposing personal data of about 9,479 individuals; the attack was claimed by the Clop ransomware gang. | Bleeping Computer |
| November 24, 2025 | Harvard University | Harvard University discloses data breach affecting alumni, donors | Unknown | Harvard University confirmed that a voice-phishing attack exposed contact details, addresses, event-attendance data and donor information of alumni, donors, students, staff and faculty; no specific threat actor was identified. | Bleeping Computer |
| November 24, 2025 | SitusAMC | Real-estate finance services giant SitusAMC breach exposes client data | Unknown | The breach compromised corporate records and possibly customer data of some SitusAMC clients, including accounting documents and legal agreements tied to major banks such as JPMorgan Chase, Citi and Morgan Stanley, causing broad exposure of sensitive loan- and real-estate-related information. | Bleeping Computer |
| November 24, 2025 | Dartmouth College | Dartmouth College confirms data breach after Clop extortion attack | Clop Ransomware | Dartmouth College said a zero-day attack on Oracle E-Business Suite exposed names, Social Security numbers and financial account data of at least 1,494 people; the breach was claimed by the Clop ransomware gang. | Bleeping Computer |
| November 30, 2025 | Coupang | South Korea’s largest e-commerce firm discloses breach of 33.7 million customer accounts | Suspected former insider | Names, emails, phone numbers, addresses and some order histories were accessed by an unauthorised party starting in June. No payment details were leaked, but authorities launched an emergency probe and warned affected users to guard against phishing. | Reuters |
Cyber Attacks and Ransomware Attacks in November 2025
| Date | Victim | Summary | Threat Actor | Business Impact | Source |
|---|---|---|---|---|---|
| November 04, 2025 | Balancer DeFi protocol | More than $100 million stolen in exploit of Balancer DeFi protocol | Unknown | Hackers stole more than US $120 million from the Balancer DeFi protocol (mainly from its V2 pools), draining tens of millions in ETH-based assets across several blockchains. | The Record |
| November 06, 2025 | State of Nevada | Nevada government declined to pay ransom, says cyber attack traced to breach in May | Unknown | The May 2025 cyber attack on the State of Nevada disrupted services across more than sixty state agencies, exposed thousands of files and caused over $1.3 million in recovery costs; the state refused to pay the ransom and no threat actor has been confirmed. | The Record |
| November 26, 2025 | Royal Borough of Kensington and Chelsea, Westminster City Council and Hammersmith and Fulham Council | London councils enact emergency plans after three hit by cyber attack | Unknown | The cyber attack on the three councils disrupted shared IT systems and phone lines, forcing the shutdown of key services for more than half a million London residents, causing delays and making essential services (such as council tax, parking-fine payments and social-care support) unreliable. | The BBC |
| November 26, 2025 | CodeRED Emergency Alert System | Ransomware attack on OnSolve’s CodeRED emergency notification platform caused major disruptions in the U.S. | Inc Ransomware Gang | The CodeRED emergency notification platform is widely used by U.S. local governments. Because of the attack, many city and county authorities across more than a dozen states could not send alerts about floods, fires or missing persons. The Inc Ransom gang allegedly stole a database of resident contact information (names, addresses, emails, phone numbers). The attackers breached the vendor’s network on November 1 and deployed ransomware on November 10, then attempted to extort the company, which refused to pay. Officials scrambled to switch to backup systems as the legacy CodeRED service was shut down and a new platform rolled out. | |
| November 28, 2025 | Upbit | South Korean authorities reported that $30.4 million in cryptocurrency was stolen from Upbit | North Korea’s Lazarus Group (suspected) | Investigators noted the intrusion’s similarities to past Lazarus heists, and Upbit’s operator halted transactions while inspecting systems. The attack occurred hours before a major corporate acquisition was announced, raising suspicions of strategic timing. | Reuters |
| November 28, 2025 | Asahi | Japanese beer giant revealed that a late-September ransomware attack may have exposed personal data of about 1.5 million customers | Qilin Ransomware | Compromised information included names, addresses, phone numbers and other contact details of customers, some employees and their families. The ransomware gang claimed it also stole financial records, employee files and forecasts. Asahi had to halt production and distribution for weeks after the attack, causing nationwide beer shortages. The company contained the breach, refused to pay the ransom and is restoring operations while working with authorities. | The Record |
New Ransomware/Malware Discovered in November 2025
| New Ransomware/Malware | Summary |
|---|---|
| DanaBot malware (Windows-compatible variant v669) | DanaBot malware resurfaced in 2025 with a new Windows-compatible variant (v669) whose command-and-control infrastructure (including Tor domains and “backconnect” nodes) has been restored, enabling renewed credential and crypto-wallet theft and other payload delivery despite a prior takedown. |

Source: The Record
Vulnerabilities Discovered & Patches Released in November 2025
| Date | New Flaws/Fixes | Summary |
|---|---|---|
| November 01, 2025 | CVE-2025-61932 | The vulnerability CVE-2025-61932 in Lanscope Endpoint Manager (versions 9.4.7.2 and earlier) was exploited as a zero-day by the China-linked cyber-espionage group Bronze Butler to deploy the Gokcpdoor backdoor with SYSTEM privileges. |
| November 03, 2025 | CVE-2025-59287 | Microsoft’s Oct 23, 2025 patch for Windows Server Update Services (WSUS) fixed CVE-2025-59287 but inadvertently disabled hotpatching for some Windows Server 2025 systems. |
| November 04, 2025 | CVE-2025-5397 | Hackers exploited a critical authentication-bypass flaw in the JobMonster WordPress theme (CVE-2025-5397), letting attackers bypass login and hijack administrator accounts on sites that use social login with versions up to 4.8.1. |
| November 06, 2025 | CVE-2025-20354 | Hackers could exploit a critical flaw in Cisco Unified Contact Center Express (UCCX), tracked as CVE-2025-20354, to remotely upload a malicious file and execute arbitrary commands as root on affected systems, giving them full control. |
| November 09, 2025 | CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 | Hackers could exploit three critical flaws in runC to break out of Docker/Kubernetes containers, gain root-level write access to the host and potentially take full control of the underlying system. |
| November 10, 2025 | CVE-2025-21042 | Attackers used a zero-day in Samsung’s image-processing library (CVE-2025-21042) to deploy the LANDFALL spyware, giving them remote code execution on Samsung Galaxy devices and enabling full device takeover, including access to calls, messages, photos, files, location and more. |
| November 12, 2025 | CVE-2025-5777, CVE-2025-20337 | Hackers exploited critical zero-day flaws in Citrix NetScaler ADC/Gateway (CVE-2025-5777) and Cisco Identity Services Engine (ISE) (CVE-2025-20337) to deploy custom malware, gain pre-authentication root access and persist stealthily on impacted networks. |
| November 13, 2025 | CVE-2025-9242 | Hackers exploited a critical out-of-bounds write flaw in WatchGuard Firebox firewalls, tracked as CVE-2025-9242, to achieve unauthenticated remote code execution on vulnerable devices, putting tens of thousands of exposed firewalls at risk of full compromise. |
| November 13, 2025 | CVE-2025-20333 and CVE-2025-20362 | Hackers exploited two critical flaws in Cisco ASA and Cisco Firepower firewalls, tracked as CVE-2025-20333 and CVE-2025-20362, allowing remote attackers to bypass authentication or execute code and fully compromise unpatched devices. |
Source for the above table: Bleeping Computer, Recorded Future
Warnings/Advisories/Reports/Analysis
| News Type | Summary |
|---|---|
| Report | Threat actors deployed legitimate remote monitoring and management (RMM) tools to compromise freight brokers and trucking carriers and hijack physical cargo shipments. |
| Report | Three former U.S. cybersecurity professionals have been indicted for allegedly acting as rogue affiliates of BlackCat/ALPHV, breaching the networks of five companies between May and November 2023 to steal data, encrypt systems and extort as much as $10M in cryptocurrency; one victim paid approximately $1.27M. |
| Analysis | Sandworm deployed multiple destructive data-wiping malware strains against Ukrainian entities, including government, logistics, energy and agriculture organisations, in June and September 2025, crippling systems and targeting the grain sector (a key revenue source) to disrupt Ukraine’s economy. |
| Report | Malicious packages on NuGet were found to contain “time-bomb” sabotage payloads: nine packages published under the alias “shanhai666” embed hidden code that randomly crashes database-backed .NET apps or corrupts industrial PLC systems (notably via the “Sharp7Extend” package). |
| Report | Synnovis, following its June 2024 ransomware attack, has completed a year-long forensic review, restored all pathology services by December 2024 and, as of November 2025, is notifying the impacted NHS hospitals, GP practices and clinics whose data was stolen; the notification process is expected to finish by 21 November 2025. |
| Report | The new Cyber Security and Resilience Bill passed in the UK mandates tougher cybersecurity standards for hospitals, energy, water, transport and related service providers, requiring IT and managed-service vendors to report incidents within 24 hours, meet baseline security requirements and face turnover-based penalties for non-compliance. |
| Report | The 2025 cyber attack forced Jaguar Land Rover (JLR) to halt production across its main plants for weeks, caused about £196 million (about US $220 million) in direct quarterly losses and triggered broad disruption across its supply chain. |
Sources: Bleeping Computer, Recorded Future News, Databreaches.net