
November 2025: Major Cyber Attacks, Ransomware Attacks, Data Breaches

Written by Aditi Uberoi | 1 December 2025

November 2025 was yet another defining month in global cybersecurity. It was marked by large-scale data breaches, disruptive infrastructure outages and highly coordinated supply-chain attacks. 

The London Councils cyber incident, which forced emergency service changes for over half a million residents, demonstrated how local authorities are vulnerable to systemic operational shutdowns. The spectacular $120M Balancer DeFi hack highlighted the growing maturity of crypto-focused threat actors who continue to exploit logic flaws in widely used protocols. This month also saw sensitive information exposed at some of the world’s most prominent organisations, including The Washington Post, University of Pennsylvania, and real-estate finance giant SitusAMC. Even well-resourced consumer platforms like DoorDash were hit in November, reinforcing that social engineering of employees remains one of the most critical entry points for attackers.  

Across all these incidents, several core lessons emerge. First, third-party risk is now one of the most dangerous and least controlled elements of enterprise security. Second, the shift towards data-theft-only extortion means organisations can no longer rely on ransomware encryption as the “signal” of a breach. Silent exfiltration campaigns are now more common and more damaging. And finally, both public and private sector operations demonstrated that even mature environments struggle with timely detection, identity compromise, and segregation of critical systems.

Cyber Management Alliance’s services directly address the gaps illustrated in November’s attacks. Our NCSC-Assured Cyber Incident Planning and Response training course prepares teams to detect and contain attacks rapidly. Our Incident Response Playbooks and Cyber Tabletop Exercises equip organisations with the skills and preparedness to respond decisively to new and evolving threats. 

As the threat landscape becomes more interconnected and more aggressive, partnering with us will help you ensure that your organisation stays one step ahead of the next incident.

  1. Data Breaches in November 2025
  2. Cyber Attacks and Ransomware Attacks in November 2025 
  3. New Malware and Ransomware Discovered
  4. Vulnerabilities Discovered and Patches Released 
  5. Advisories issued, reports, analysis etc. in November 2025

 

Data Breaches in November 2025

Date: November 01, 2025
Victim: University of Pennsylvania
Summary: ‘We got hacked’ emails threaten to leak University of Pennsylvania data
Threat Actor: Unknown
Business Impact: The attack resulted in mass “We got hacked (Action Required)” emails being sent from University of Pennsylvania systems. The alleged threat actor claimed to have stolen data on approximately 1.2 million students, alumni and donors (names, birthdates, addresses, phone numbers, net worth estimates, donation history, demographic details) after compromising an employee’s SSO account and accessing systems including Salesforce, Qlik, SAP and SharePoint.
Source: Bleeping Computer

Date: November 04, 2025
Victim: Swedish IT supplier Miljödata
Summary: Swedish DPA launches investigation into massive data breach affecting 1.5M people
Threat Actor: Datacarry ransomware group
Business Impact: The cyber attack on Miljödata exposed personal data of about 1.5 million Swedes, including names, addresses, ID numbers and sensitive health and employment information, which was later published on the darknet by the Datacarry ransomware group.
Source: Miljödata Data Breach

Date: November 05, 2025
Victim: Nikkei
Summary: Nikkei says 17,000 impacted by data breach stemming from Slack account hack
Threat Actor: Unknown
Business Impact: Nikkei said that Slack credentials stolen by malware let hackers access its internal Slack workspace, exposing the names, email addresses and chat histories of about 17,368 employees and business partners.
Source: Nikkei Data Breach

Date: November 05, 2025
Victim: Hyundai AutoEver America
Summary: Hyundai AutoEver America data breach exposes SSNs, driver’s licenses
Threat Actor: Unknown
Business Impact: Hackers breached Hyundai AutoEver America (HAEA), gaining access between Feb 22 and Mar 2, 2025, and exposed personal data including names, Social Security numbers and driver’s license numbers (primarily of about 2,000 current and former employees), putting those affected at heightened risk of identity theft and long-term fraud.
Source: Bleeping Computer

Date: November 06, 2025
Victim: The Congressional Budget Office (CBO)
Summary: U.S. Congressional Budget Office hit by suspected foreign cyber attack
Threat Actor: Silk Typhoon
Business Impact: The Congressional Budget Office (CBO) was hit by a suspected foreign cyber attack, suspected to be the work of the threat actor Silk Typhoon, potentially exposing sensitive internal emails, policy analyses, economic forecasts and communications between lawmakers and CBO analysts, and threatening the confidentiality of U.S. fiscal planning.
Source: Bleeping Computer

Date: November 10, 2025
Victim: GlobalLogic
Summary: Hitachi-owned GlobalLogic admits data stolen on 10k current and former staff
Threat Actor: Clop Ransomware
Business Impact: More than 10,000 current and former GlobalLogic employees had personal data (including names, addresses, social-security/tax IDs, passport information, bank account and salary details) stolen after attackers linked to Clop exploited zero-day flaws in Oracle E-Business Suite.
Source: The Register

Date: November 13, 2025
Victim: The Washington Post
Summary: The Washington Post data breach impacts nearly 10K employees, contractors
Threat Actor: Clop Ransomware
Business Impact: The breach exposed personal and financial details, including names, bank account and routing numbers, and social-security and tax IDs, of about 9,720 employees and contractors at The Washington Post after a zero-day in Oracle E-Business Suite was exploited between July and August 2025. The intrusion has been linked to the Clop ransomware group.
Source: Bleeping Computer

Date: November 13, 2025
Victim: DoorDash
Summary: DoorDash says personal information of customers, dashers stolen in data breach
Threat Actor: Insider threat
Business Impact: An employee-targeted social engineering attack on DoorDash exposed names, phone numbers, email addresses and physical addresses of customers, delivery workers and merchants, putting them at risk of phishing and other scams; no financial or government ID data was stolen.
Source: DoorDash Data Compromise

Date: November 13, 2025
Victim: Checkout.com
Summary: Checkout.com discloses data breach after extortion attempt
Threat Actor: ShinyHunters
Business Impact: The breach exposed outdated merchant-onboarding documents and internal operational files from Checkout.com after attackers from ShinyHunters gained access to a legacy third-party cloud storage system; payment processing, merchant funds and card data were not compromised.
Source: Checkout.com Data Breach

Date: November 17, 2025
Victim: Logitech
Summary: Logitech discloses data breach after Clop claims
Threat Actor: Clop Ransomware
Business Impact: Hackers exploited a zero-day flaw in a third-party software platform used by Logitech to copy internal corporate data. Clop claimed the breach, with approximately 1.8 terabytes of data exfiltrated.
Source: The Record

Date: November 20, 2025
Victim: Almaviva
Summary: Hacker claims to steal 2.3 TB data from Italian rail group, Almaviva
Threat Actor: ByteToBreach
Business Impact: A hacker group known as ByteToBreach claimed to have breached Almaviva and stolen 2.3 terabytes of internal corporate data affecting the Italian rail group FS Italiane.
Source: Bleeping Computer

Date: November 21, 2025
Victim: Gainsight
Summary: Salesforce instances hacked via Gainsight integrations
Threat Actor: ShinyHunters
Business Impact: The breach allowed unauthorised access via Gainsight-published apps connected to Salesforce, potentially exposing CRM data of more than 200 customer organisations, in a supply-chain attack claimed by ShinyHunters.
Source: Security Week

Date: November 22, 2025
Victim: Cox Enterprises
Summary: Cox Enterprises discloses Oracle E-Business Suite data breach
Threat Actor: Clop Ransomware
Business Impact: Cox Enterprises confirmed that a zero-day flaw in Oracle E-Business Suite (CVE-2025-61882) was exploited, exposing personal data of about 9,479 individuals; the attack was claimed by the Clop ransomware gang.
Source: Bleeping Computer

Date: November 24, 2025
Victim: Harvard University
Summary: Harvard University discloses data breach affecting alumni, donors
Threat Actor: Unknown
Business Impact: Harvard University confirmed that a voice-phishing attack exposed contact details, addresses, event-attendance data and donor information of alumni, donors, students, staff and faculty, with no specific threat actor identified.
Source: Bleeping Computer

Date: November 24, 2025
Victim: SitusAMC
Summary: Real-estate finance services giant SitusAMC breach exposes client data
Threat Actor: Unknown
Business Impact: The data breach at SitusAMC compromised corporate records and possibly customer data for some of its clients, including accounting documents and legal agreements tied to major banks such as JPMorgan Chase, Citi and Morgan Stanley, causing broad exposure of sensitive loan- and real-estate-related information.
Source: Bleeping Computer

Date: November 24, 2025
Victim: Dartmouth College
Summary: Dartmouth College confirms data breach after Clop extortion attack
Threat Actor: Clop Ransomware
Business Impact: Dartmouth College said a zero-day attack on Oracle E-Business Suite exposed names, Social Security numbers and financial account data of at least 1,494 people; the breach was claimed by the Clop ransomware gang.
Source: Bleeping Computer

Date: November 30, 2025
Victim: Coupang
Summary: South Korea’s largest e-commerce firm discloses breach of 33.7 million customer accounts
Threat Actor: Suspected former insider
Business Impact: Names, emails, phone numbers, addresses and some order histories were accessed by an unauthorised party starting in June. No payment details were leaked, but authorities launched an emergency probe and warned affected users to guard against phishing.
Source: Reuters


 

Cyber Attacks and Ransomware Attacks in November 2025

Date: November 04, 2025
Victim: Balancer DeFi protocol
Summary: More than $100 million stolen in exploit of Balancer DeFi protocol
Threat Actor: Unknown
Business Impact: Hackers stole more than US $120 million from the Balancer DeFi protocol (mainly from its V2 pools), draining tens of millions in ETH-based assets across several blockchains.
Source: The Record

Date: November 06, 2025
Victim: State of Nevada
Summary: Nevada government declined to pay ransom, says cyber attack traced to breach in May
Threat Actor: Unknown
Business Impact: The May 2025 cyber attack on the State of Nevada disrupted services across more than sixty state agencies, exposed thousands of files and caused over $1.3 million in recovery costs; the state refused to pay the ransom, and no threat actor has been confirmed.
Source: The Record

Date: November 26, 2025
Victim: Royal Borough of Kensington and Chelsea, Westminster City Council and Hammersmith and Fulham Council
Summary: London councils enact emergency plans after three hit by cyber attack
Threat Actor: Unknown
Business Impact: The cyber attack on Royal Borough of Kensington and Chelsea, Westminster City Council and Hammersmith and Fulham Council disrupted shared IT systems and phone lines across the councils, forcing the shutdown of key services for more than half a million London residents, causing delays and making essential services (such as council tax, parking-fine payments and social-care support) unreliable.
Source: The BBC

Date: November 26, 2025
Victim: CodeRED Emergency Alert System
Summary: Ransomware attack on OnSolve’s CodeRED emergency notification platform caused major disruptions in the U.S.
Threat Actor: Inc Ransomware Gang
Business Impact: The CodeRED emergency notification platform is widely used by U.S. local governments. Due to the attack, many city and county authorities across more than a dozen states could not send alerts about floods, fires or missing persons. The Inc Ransom gang allegedly stole a database of resident contact information (names, addresses, emails, phone numbers). The attackers breached the vendor’s network on November 1 and deployed ransomware on November 10, then attempted to extort the company (which refused to pay). Officials scrambled to switch to backup systems as the legacy CodeRED service was shut down and a new platform rolled out.
Source: CodeRED Emergency Alert System Ransomware Attack

Date: November 28, 2025
Victim: Upbit
Summary: South Korean authorities reported that $30.4 million in cryptocurrency was stolen from Upbit
Threat Actor: North Korea’s Lazarus Group (suspected)
Business Impact: Investigators noted the intrusion’s similarities to past Lazarus heists, and Upbit’s operator halted transactions while inspecting systems. The attack occurred hours before a major corporate acquisition was announced, raising suspicions of strategic timing.
Source: Reuters

Date: November 28, 2025
Victim: Asahi
Summary: Japanese beer giant revealed that a late-September ransomware attack may have exposed personal data of about 1.5 million customers
Threat Actor: Qilin Ransomware
Business Impact: Compromised information included names, addresses, phone numbers and other contact details of customers, some employees and their families. The ransomware gang alleged that it stole financial records, employee files and forecasts. Asahi had to halt production and distribution for weeks after the attack, causing nationwide beer shortages. The company contained the breach, refused to pay the ransom, and is restoring operations while working with authorities.
Source: The Record



New Ransomware/Malware Discovered in November 2025

New Ransomware/Malware: DanaBot malware (Windows-compatible variant v669)
Summary: DanaBot malware resurfaced in 2025 with a new Windows-compatible variant (v669) backed by restored command-and-control infrastructure (including Tor domains and “backconnect” nodes), enabling renewed credential and crypto-wallet theft and delivery of other payloads despite a prior takedown.
Source: The Record


Vulnerabilities Discovered & Patches Released in November 2025

Date: November 01, 2025
New Flaws/Fixes: CVE-2025-61932
Summary: The vulnerability CVE-2025-61932 in Lanscope Endpoint Manager (versions 9.4.7.2 and earlier) was exploited by the China-linked cyber-espionage group Bronze Butler as a zero-day to deploy the Gokcpdoor backdoor with SYSTEM privileges.

Date: November 03, 2025
New Flaws/Fixes: CVE-2025-59287
Summary: Microsoft’s Oct 23, 2025 patch for Windows Server Update Services (WSUS) fixed CVE-2025-59287 but inadvertently disabled hotpatching for some Windows Server 2025 systems.

Date: November 04, 2025
New Flaws/Fixes: CVE-2025-5397
Summary: Hackers exploited a critical authentication-bypass flaw in the JobMonster WordPress theme (CVE-2025-5397), letting attackers bypass login and hijack administrator accounts on sites using social login with versions up to 4.8.1.

Date: November 06, 2025
New Flaws/Fixes: CVE-2025-20354
Summary: Hackers could exploit a critical flaw in Cisco Unified Contact Center Express (UCCX), tracked as CVE-2025-20354, to remotely upload a malicious file and execute arbitrary commands as root on affected systems, giving them full control.

Date: November 09, 2025
New Flaws/Fixes: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881
Summary: Hackers could exploit three critical flaws in runC to break out of Docker/Kubernetes containers, gain root-level write access to the host, and potentially take full control of the underlying system.

Date: November 10, 2025
New Flaws/Fixes: CVE-2025-21042
Summary: Attackers used a zero-day in Samsung’s image-processing library (CVE-2025-21042) to deploy the spyware LANDFALL, giving them remote code execution on Samsung Galaxy devices and enabling full device takeover, with access to calls, messages, photos, files, location and more.

Date: November 12, 2025
New Flaws/Fixes: CVE-2025-5777, CVE-2025-20337
Summary: Hackers exploited critical zero-day flaws in Citrix NetScaler ADC/Gateway (CVE-2025-5777) and Cisco Identity Services Engine (ISE) (CVE-2025-20337) to deploy custom malware, gain pre-auth root access and persist stealthily on impacted networks.

Date: November 13, 2025
New Flaws/Fixes: CVE-2025-9242
Summary: Hackers exploited a critical out-of-bounds write flaw in WatchGuard Firebox firewalls, tracked as CVE-2025-9242, to achieve unauthenticated remote code execution on vulnerable devices, putting tens of thousands of exposed firewalls at risk of full compromise.

Date: November 13, 2025
New Flaws/Fixes: CVE-2025-20333 and CVE-2025-20362
Summary: Hackers exploited two critical flaws in Cisco ASA and Cisco Firepower firewalls, tracked as CVE-2025-20333 and CVE-2025-20362, allowing remote attackers to bypass authentication or execute code and fully compromise unpatched devices.

Source for the above table: Bleeping Computer, Recorded Future 


Warnings/Advisories/Reports/Analysis

Report: Threat actors deployed legitimate remote monitoring and management (RMM) tools to compromise freight brokers and trucking carriers and hijack physical cargo shipments.

Report: Three U.S. cybersecurity professionals allegedly turned into rogue affiliate attackers for BlackCat/ALPHV, breaching five companies between May and November 2023, encrypting systems and demanding millions in crypto extortion.

Report: Three former U.S. cybersecurity professionals have been indicted for acting as affiliates of BlackCat (ALPHV), allegedly breaching the networks of five companies between May and November 2023 to steal data, deploy ransomware and extort as much as $10 million; one victim paid approximately $1.27 million.

Analysis: Sandworm deployed multiple destructive data-wiping malware families against Ukrainian entities, including government, logistics, energy and agriculture, in June and September 2025, crippling systems and targeting the grain sector (a key revenue source) to disrupt Ukraine’s economy.

Report: Malicious packages on NuGet were found to contain “time-bomb” sabotage payloads: nine packages published under the alias “shanhai666” embed hidden code that randomly crashes database-backed .NET apps or corrupts industrial PLC systems (notably via the “Sharp7Extend” package).

Report: Synnovis, following its June 2024 ransomware attack, has completed a year-long forensic review, restored all pathology services by December 2024 and, as of November 2025, is notifying impacted NHS hospitals, GP practices and clinics whose data was stolen, with the notification process expected to finish by 21 November 2025.

Report: The new Cyber Security and Resilience Bill passed in the UK mandates tougher cybersecurity standards for hospitals, energy, water, transport and related service providers, forcing IT/managed-service vendors to report incidents within 24 hours, meet baseline security requirements and face turnover-based penalties for non-compliance.

Report: The 2025 cyberattack forced Jaguar Land Rover (JLR) to halt production across its main plants for weeks, caused about £196 million (about US $220 million) in direct quarterly losses and triggered broad disruption across its supply chain.

Sources: Bleeping Computer, Recorded Future News, Databreaches.net
