October 2025 was another turbulent month in the world of cybersecurity, with major organisations across industries falling victim to sophisticated breaches and disruptions. From the compromise of Motility Software Solutions and Envoy Air to the Discord data leak and the theft of F5 BIG-IP source code and undisclosed vulnerability data, the month was marked by a mix of ransomware, supply chain and data exposure incidents that shook both public and private sectors.
Even renowned institutions like Harvard University and global brands like Volkswagen France and WestJet found themselves grappling with the aftermath of cyber intrusions.
The widespread impact of these incidents underscores the evolving tactics of cyber criminals, who continue to breach even well-defended organisations. Attacks on Oracle E-Business Suite customers and on Australian Fluid Power further highlighted how third-party applications and industrial suppliers remain prime targets. The October surge is a stark reminder that cyber resilience is no longer a choice; it is an operational necessity.
At Cyber Management Alliance, we help organisations strengthen their defences and prepare for such attacks through our NCSC Assured Cyber Incident Planning and Response training, Cyber Tabletop Exercises, and Incident Response Playbook creation and review workshops. You can also download our free, expert-created Cybersecurity Toolkit and Ransomware Response Toolkit to kickstart your journey towards building a proactive strategy against the relentless onslaught of cybercrime.
| Date | Victim | Summary | Threat Actor | Business Impact | Source |
|---|---|---|---|---|---|
| October 01, 2025 | Motility Software Solutions | Data breach at dealership software provider impacts 766k clients | Unknown at the time of notification (the Pear ransomware group later claimed the attack; see the combined Allianz Life and Motility entry below) | Approximately 766,000 customers of Motility Software Solutions had sensitive personal data (full names, postal addresses, email addresses, phone numbers, dates of birth, Social Security numbers and driver's license numbers) exposed after a ransomware attack detected on August 19, 2025; at the time of notification no ransomware group had claimed responsibility. | |
| October 14, 2025 | SimonMed Imaging | SimonMed says 1.2 million patients impacted in January data breach | Medusa Ransomware | The January 21 to February 5, 2025 intrusion at SimonMed Imaging exposed sensitive data of approximately 1.2 million patients, including ID scans, payment information and medical reports; the Medusa ransomware group claimed responsibility. | Bleeping Computer |
| October 14, 2025 | Volkswagen Group France | Volkswagen reportedly hit by ransomware attack | Qilin Ransomware | Volkswagen Group France experienced a ransomware attack attributed to the Qilin group, which claimed to have stolen approximately 150 GB of sensitive data, including personal information of vehicle owners, detailed vehicle data and internal documents, and published six documents online as proof of the breach. | |
| October 15, 2025 | Mango Fashion | Mango fashion chain suffers third-party breach, customer data impacted | Unknown | One of Mango's external marketing service providers was compromised, exposing customer contact information such as names, email addresses, phone numbers, postal codes and countries. No financial data or login credentials were accessed. | |
| October 15, 2025 | Michigan City, Indiana | Indiana city confirms ransomware hackers behind September incident | Obscura Ransomware | The Obscura ransomware gang claimed responsibility for the September 23 attack on Michigan City, Indiana, which forced many systems offline, disrupted employee access and resulted in the theft and public release of 450 GB of data after the ransom deadline expired. | |
| October 16, 2025 | Australian Fluid Power | Aussie Fluid Power confirms security incident following ransomware claims | Anubis Ransomware Group | Australian Fluid Power confirmed "unauthorised access by a third party to a limited number of its IT systems", resulting in the compromise of "certain employee, customer and supplier information". | |
| October 17, 2025 | Dairy Farmers of America | Dairy Farmers of America confirms June cyber attack leaked personal data | Play Ransomware | Dairy Farmers of America confirmed a ransomware attack in June 2025 and stated there was no evidence of misuse of the exposed employee data; the Play ransomware gang claimed responsibility, asserting it had stolen sensitive company and employee information before leaking it online. | The Record |
| October 20, 2025 | UK Ministry of Defence | Russian Lynx group leaks sensitive UK MoD files, including info on eight military bases | Lynx Group | The attack by the Russian Lynx group led to the leak of hundreds of sensitive UK Ministry of Defence contractor files containing staff names, emails, ID documents, visitor logs and operational details of eight military bases, posing a serious national-security and personnel-privacy risk. | |
| Date | Victim | Summary | Threat Actor | Business Impact | Source |
|---|---|---|---|---|---|
| October 01, 2025 | Allianz Life | 1.5 Million Impacted by Allianz Life Data Breach | Scattered Spider | Approximately 1.5 million individuals were affected in the Allianz Life data breach, in which the Scattered Spider threat actor accessed sensitive personal information (names, addresses, dates of birth and Social Security numbers) through a compromise of the company's cloud-based customer relationship management (CRM) system. | Security Week |
| October 01, 2025 | WestJet | Data breach at Canadian airline WestJet affects 1.2M passengers | Scattered Spider | Roughly 1.2 million passengers had their names, dates of birth, postal addresses, passport and other identity-document details, loyalty account information and travel-related preferences compromised in the WestJet breach carried out by the Scattered Spider threat actor. | |
| October 01, 2025 | Oracle E-Business Suite | Clop extortion emails claim theft of Oracle E-Business Suite data | Clop Ransomware | Extortion emails sent in late September 2025 claimed that the senders had stolen sensitive documents and private files from Oracle E-Business Suite instances and threatened to publish or sell the data; the activity was linked to the Clop ransomware gang (with at least one related account tied to FIN11), although investigators said the theft claims were still under review. | Bleeping Computer |
| October 01, 2025 | Red Hat Consulting | Red Hat confirms security incident after hackers breach GitLab instance | Crimson Collective, ShinyHunters | Approximately 570 GB of compressed data was exfiltrated from 28,000 internal GitLab repositories used by Red Hat Consulting, including around 800 Customer Engagement Reports (CERs) containing sensitive client infrastructure details, authentication tokens and network configurations; the breach was claimed by the Crimson Collective, with subsequent extortion attempts escalating through the ShinyHunters group. | Bleeping Computer |
| October 01, 2025 | Allianz Life Insurance Company and Motility Software Solutions | Millions impacted by data breaches at insurance giant, auto dealership software firm | Pear Ransomware (Motility); Allianz Life is attributed to Scattered Spider above | Two major data breaches in the insurance and automotive dealership sectors compromised sensitive information of over 2.25 million individuals. Allianz Life Insurance Company confirmed that on July 16, 2025, cybercriminals accessed a third-party CRM system, exposing personal data (names, addresses, dates of birth and Social Security numbers) of 1.49 million customers and employees. Motility Software Solutions, a provider of dealership management software, suffered a ransomware attack on August 11, 2025, detected on August 19, 2025, which led to the theft of personal information (names, addresses, Social Security numbers and driver's license numbers) of 766,670 individuals. The Pear ransomware group claimed responsibility for the Motility breach, stating it stole 4.3 terabytes of data from Motility's parent company, Reynolds & Reynolds. | The Record |
| October 07, 2025 | Discord | Discord says sensitive information stolen during cyber attack on customer service provider | Unknown | A cyber attack compromised Discord's third-party customer service provider, exposing sensitive information of an undisclosed number of users who had interacted with Discord's Customer Support or Trust & Safety teams. Approximately 70,000 users' government-ID photos were exposed, along with names, Discord usernames, email addresses, IP addresses, messages exchanged with customer-service agents, the last four digits of credit cards, purchase history, training materials and internal presentations; the threat actor(s) claimed to have stolen 1.5 TB of age-verification photos (more than 2 million images). | The Record |
| October 08, 2025 | Williams & Connolly law firm | Major US law firm says hackers broke into attorneys' email accounts | Unknown (believed to be a China-nexus state-linked group) | The incident resulted in unauthorised access to the email accounts of a handful of attorneys at Williams & Connolly; although the actor is believed to be a China-nexus state-linked threat group, the firm found "no evidence that confidential client data was taken from central databases". | The Record |
| October 13, 2025 | Nintendo Co., Ltd. | Crimson Collective claims to have hacked Nintendo | Crimson Collective | The hacker group Crimson Collective claimed to have accessed sensitive production assets, developer files and backups from Nintendo's internal systems. | computing.co.uk |
| October 13, 2025 | Harvard University | Harvard says 'limited number of parties' impacted by breach linked to Oracle zero-day | Cl0p Ransomware | The Harvard University breach affected a limited number of parties tied to a small administrative unit, via a vulnerability in Oracle E-Business Suite; the Cl0p gang claimed responsibility. | The Record |
| October 15, 2025 | Jewett-Cameron Trading | Ransomware gang steals meeting videos, financial secrets from fence wholesaler | Unknown | The attack on Jewett-Cameron Trading resulted in the theft of meeting videos and non-public financial data, and in the encryption of internal systems. | The Record |
| October 16, 2025 | Verisure | Verisure Unit Hit by Data Breach the Week After Stock Market Debut | Unknown | The cyber attack on Verisure's newly acquired Swedish business led to unauthorised third-party access to sensitive data, including customer and employee information, just one week after the company's stock market debut. | The Wall Street Journal |
| October 16, 2025 | Sotheby's | Auction giant Sotheby's says data breach exposed financial information | Unknown | Sotheby's suffered a data breach in which unauthorised actors exfiltrated employee full names, Social Security numbers and financial account details; no threat group has claimed responsibility. | Bleeping Computer |
| October 17, 2025 | Envoy Air | Envoy Air targeted in Oracle-linked hacking campaign | CL0P Ransomware | Envoy Air, American Airlines' largest regional carrier, disclosed shortly before October 17, 2025 that it had been hit as part of the widespread extortion campaign exploiting vulnerabilities in Oracle E-Business Suite. The attack was attributed to CL0P, which listed American Airlines as a victim on its leak site. No sensitive or customer data was reportedly compromised, but a limited amount of business information and commercial contact details may have been accessed. | Reuters |
| October 20, 2025 | Prosper Marketplace | Prosper Confirms Data Breach Impacting 17 Million Users | Unknown | The cyber attack on Prosper Marketplace exposed personal data, including names, Social Security numbers and income details, of approximately 17.6 million users after unauthorised access via compromised administrative credentials, posing significant identity-theft risk. | Tech Republic |
| October 21, 2025 | Radiologic Medical Services (RMS) | Levi & Korsinsky, LLP Investigates Radiologic Medical Services Data Breach | Unknown | The cyber attack on Radiologic Medical Services (RMS) compromised the personal and health information of 56,902 individuals. | ktsm.com |
| October 21, 2025 | Dodo and iPrimus | Dodo, iPrimus data breach sees email and SIM cards hacked | Unknown | The cyber attack on Dodo and iPrimus, Australian telecommunications providers owned by Vocus, led to unauthorised access to approximately 1,600 Dodo email accounts and 34 unauthorised SIM swaps. The SIM swaps allowed criminals to intercept calls and text messages, including two-factor authentication codes, potentially compromising other services used by the victims. | |
| October 21, 2025 | Dukaan (Indian e-commerce platform) | Shopify rival suffered a million-dollar leak | Unknown | A significant data breach at Dukaan exposed sensitive merchant and customer information, including payment gateway tokens for Stripe, PayPal and RazorPay, via an unsecured Apache Kafka instance, potentially allowing attackers to access millions of dollars in funds; the lapse went undetected for over two years and affected over 3.5 million merchants and 16 million customers. | cybernews.com |
| October 23, 2025 | Toys "R" Us Canada | Toys "R" Us Canada warns customers' info leaked in data breach | Unknown | The breach at Toys "R" Us Canada exposed customer names, addresses, email addresses and phone numbers after data stolen from its systems was posted online on July 30, 2025; the threat actor remains unidentified. | Bleeping Computer |
| Date | Victim | Summary | Threat Actor | Business Impact | Source |
|---|---|---|---|---|---|
| October 11, 2025 | Sugar Land, Texas | Houston suburb says some online services taken down by cyber attack | Unknown | The incident disrupted several online services in Sugar Land, including the 311 contact centre, utility billing, permit and inspection scheduling, payments and building applications; no threat actor was publicly named. | The Record |
| October 15, 2025 | Positive Technologies (Russian IT company) | Researchers report rare intrusion by suspected Chinese hackers into Russian tech firm | Jewelbug (aka Earth Alux) | Chinese state-linked threat actor Jewelbug (also known as Earth Alux) breached the systems of Russian IT service provider Positive Technologies between January and May 2025, compromising its software build and code-repository environments and potentially exposing dozens of Russian companies to further infiltration. | The Record |
| October 15, 2025 | F5 (BIG-IP development environment) | F5 says hackers stole undisclosed BIG-IP flaws, source code | UNC5221 | The attack on F5's BIG-IP development environment resulted in the theft of portions of the source code and internal vulnerability data (including CVE-2025-53868, CVE-2025-57780 and CVE-2025-61955) by the China-linked threat actor cluster UNC5221, which is also tied to the BRICKSTORM backdoor. | Bleeping Computer |
| October 20, 2025 | Heywood Hospital (Gardner, MA) and Athol Hospital (Athol, MA) | Cyber attack disrupts services at 2 Massachusetts hospitals | Unknown | The cyber attack forced the two Massachusetts hospitals to take their IT network offline, divert ambulance patients and limit radiology and lab services, severely disrupting patient care. | |
| October 20, 2025 | Askul (Japanese office supplier) | Malware attack on Japan office supplier Askul halts services of other firms | Unknown | A malware attack on Japanese office supplier Askul led to a complete shutdown of its services, disrupting operations across its e-commerce platform and logistics systems. The specific threat actor be | japantoday.com |
| October 21, 2025 | WatchGuard Firebox appliances | Over 70K vulnerable WatchGuard Firebox instances exposed on the internet | Unknown | CVE-2025-9242, a critical vulnerability in WatchGuard's Fireware OS that allows unauthenticated remote code execution, left over 75,000 internet-exposed Firebox devices (primarily in the U.S., Germany and Italy) open to compromise because they remained unpatched. | scworld.com |
| October 21, 2025 | Organisations across four continents, including the U.S. agencies NNSA, HHS and DHS | SharePoint ToolShell attacks targeted orgs across four continents | China-linked groups Linen Typhoon, Violet Typhoon and Storm-2603 | Exploitation of the zero-day "ToolShell" flaws in Microsoft SharePoint led to compromises of organisations across four continents, including the U.S. agencies NNSA, HHS and DHS. | Bleeping Computer |
| October 23, 2025 | Kaufman County, Texas; La Vergne, Tennessee; DeKalb County, Indiana | Cyber incidents in Texas, Tennessee and Indiana impacting critical government services | Unknown | Critical government services in Kaufman County, Texas, La Vergne, Tennessee and DeKalb County, Indiana were disrupted by separate cyber incidents in the same week, including courthouse and payment-system outages. | The Record |
| October 24, 2025 | Three European companies | North Korean hacking group targeting European drone maker with ScoringMathTea malware | Lazarus Group | At least three European companies (a metal engineering firm in Southeastern Europe, an aircraft components manufacturer in Central Europe and a defence company in Central Europe) were hit by the North Korea-linked Lazarus Group via fake job-offer emails, resulting in the theft of proprietary unmanned aerial vehicle (UAV) manufacturing know-how with the help of the ScoringMathTea RAT. | The Record |
| New Malware / Techniques | Summary |
|---|---|
| Android banking RAT "Klopatra" | New Android banking RAT "Klopatra" infected 3,000+ devices via a fake IPTV/VPN app, abusing the Accessibility service and a hidden VNC mode for hands-on control to steal banking and crypto data; a Turkish-speaking group is suspected. |
| Phishing technique "CoPhish" | A new phishing technique dubbed "CoPhish" weaponises Microsoft Copilot Studio agents to steal OAuth tokens by delivering fraudulent consent requests via legitimate Microsoft domains. |

Sources for the above table: Bleeping Computer and Recorded Future News
| Date | New Flaws/Fixes | Summary |
|---|---|---|
| October 07, 2025 | CVE-2025-61882 | The FBI and the UK National Cyber Security Centre issued urgent advisories urging organisations to patch CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite that the Clop ransomware group has actively exploited since August 2025 for data theft and extortion. |
| October 07, 2025 | CVE-2025-10035 | The cybercriminal group Storm-1175 exploited CVE-2025-10035, a critical deserialisation vulnerability in Fortra's GoAnywhere MFT License Servlet, to gain initial access, deploy Medusa ransomware and maintain persistence via remote monitoring tools such as SimpleHelp and MeshAgent, affecting multiple organisations since September 11, 2025. |
| October 08, 2025 | CVE-2023-43770 | Russian hackers are increasingly leveraging artificial intelligence to automate cyber attacks against Ukraine, using AI-generated phishing messages and malicious code, including PowerShell scripts in malware such as Wrecksteel, attributed to the UAC-0219 group. They are also exploiting zero-click vulnerabilities such as CVE-2023-43770 in Roundcube, adopting a "Steal & Go" model of transient data theft, and coordinating cyber operations with missile and drone strikes to amplify disruptive effects. |
| October 17, 2025 | CVE-2025-11492 and CVE-2025-11493 | The vulnerabilities tracked as CVE-2025-11492 and CVE-2025-11493 in ConnectWise Automate allowed adversary-in-the-middle attacks to intercept sensitive RMM traffic and push malicious updates, enabling full compromise of managed systems. |
| October 20, 2025 | CVE-2025-9242 | The flaw tracked as CVE-2025-9242 left over 75,000 WatchGuard Firebox security appliances exposed to unauthenticated remote code execution via specially crafted IKEv2 packets. |
| October 21, 2025 | CVE-2025-6542 | The flaw tracked as CVE-2025-6542 allowed remote unauthenticated attackers to execute arbitrary OS commands on TP-Link Omada gateways, enabling full device compromise. |
| October 22, 2025 | CVE-2025-62518 | The vulnerability tracked as CVE-2025-62518 in the abandoned Rust library "async-tar" allowed unauthenticated remote code execution by injecting extra archive entries during TAR extraction, enabling attackers to overwrite files and hijack builds. |

Sources for the above table: Bleeping Computer, Recorded Future
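The async-tar item above ends in file overwrites: whatever entries an archive really contains, the damage is done at extraction time, when an entry is allowed to land outside the destination directory. The following is an added example (not code from this page, from the async-tar project or from any vendor) showing the confinement check a build pipeline should apply to any untrusted archive. It does not reproduce the async-tar parser bug; it constructs a small in-memory tar containing one benign entry and three hostile ones (a `../` path, an absolute path and a symlink pointing out of the tree), and extracts only the entries that resolve inside the destination. The archive, entry names and file contents are constructed for the example.

```python
"""Confine extraction of an untrusted TAR archive to its destination.

Added example; not code from the page, async-tar or any vendor.  The
archive and its entries are constructed here.
"""
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_constructed_archive() -> bytes:
    """Return an in-memory tar with one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)  # TarInfo keeps '..' and '/' as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("project/README.txt", b"hello\n")    # benign
        add_file("../escape.txt", b"overwrite me\n")  # traversal out of dest
        add_file("/etc/evil.conf", b"absolute\n")     # absolute path
        link = tarfile.TarInfo("project/link")        # symlink leaving dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate resolves to root or to something beneath it."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def classify_member(member: tarfile.TarInfo, dest: Path) -> str:
    """Return 'ok' or the reason an entry must not be extracted."""
    if os.path.isabs(member.name) or member.name.startswith(("/", "\\")):
        return "absolute path"
    target = dest / member.name
    if not is_within(dest, target):
        return "path escapes destination"
    if member.issym() or member.islnk():
        # A symlink target is relative to the entry's directory; a hard link
        # target is relative to the archive root (the destination).
        base = target.parent if member.issym() else dest
        if os.path.isabs(member.linkname) or not is_within(dest, base / member.linkname):
            return "link target escapes destination"
        return "ok"
    if member.isfile() or member.isdir():
        return "ok"
    return "special or unsupported entry type"  # devices, FIFOs, etc.


def extract_untrusted(archive: bytes, dest: Path) -> dict:
    """Extract only entries that pass classify_member; report the rest."""
    report = {"extracted": [], "rejected": {}}
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar:
            verdict = classify_member(member, dest)
            if verdict != "ok":
                report["rejected"][member.name] = verdict
                continue
            target = dest / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            if member.isdir():
                target.mkdir(exist_ok=True)
            elif member.isfile():
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            elif member.issym():
                os.symlink(member.linkname, target)
            else:  # hard link whose target was verified to be in-tree
                os.link(dest / member.linkname, target)
            report["extracted"].append(member.name)
    return report


def run_demo() -> dict:
    """Extract the constructed archive into a temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        report = extract_untrusted(build_constructed_archive(), dest)
        report["files_on_disk"] = sorted(
            p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()
        )
        report["escaped_file_exists"] = (Path(tmp) / "escape.txt").exists()
    return report


if __name__ == "__main__":
    print(run_demo())
```

Only `project/README.txt` is written; the other three entries are reported with their rejection reason and nothing is created outside `out/`. Because each path is resolved against the real destination before writing, a symlink planted by an earlier entry cannot redirect a later one either. On Python 3.12 and later the standard library offers the same class of checks through `tarfile.extractall(..., filter="data")`; the explicit version above is useful where the archive library in use (as in the async-tar case) cannot be trusted to hand back a faithful entry list.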
| News Type | Summary |
|---|---|
| Report | Jaguar Land Rover (JLR) initiated a phased restart of its manufacturing operations on October 7, 2025, following the massive cyber attack that had halted global production since early September; the company also introduced a financing scheme to provide upfront payments to suppliers to mitigate financial difficulties caused by the shutdown. |
| Report | Two 17-year-old boys were arrested in Bishop's Stortford, Hertfordshire, on October 7, 2025, over the cyber attack on the Kido nursery chain, in which hackers stole and published profiles of 10 children online and threatened to release more unless a ransom was paid. |
| Report | China-linked hackers exploited a vulnerable public-facing web application to deploy the open-source Nezha monitoring tool on over 100 systems across Taiwan, Japan, South Korea and Hong Kong, enabling remote command execution and potential follow-on malware deployment; the use of simplified Chinese and tools such as Ghost RAT and AntSword suggests a politically motivated actor, possibly linked to Chinese APT groups. |
| Report | A report said the hackers, identified as threat actor Storm-2657, used phishing campaigns to compromise HR/payment systems at U.S. universities and divert employee salaries into attacker-controlled accounts. |
| Report | The National Cyber Security Centre reported that the UK faced 429 cyber attacks between September 2024 and August 2025, of which 204 were "nationally significant" (more than double the previous year), with 18 ranked "highly significant" for their impact on government, essential services or the economy. |
| Report | Qantas Airways confirmed that customer data stolen in its July breach had been published online by the hacker collective Scattered Lapsus$ Hunters, including 2.8 million records with names, email addresses and Frequent Flyer numbers, and 1.7 million with additional details (such as home addresses, dates of birth, phone numbers, gender or meal preferences). |
| Report | The UK ICO fined Capita £14 million for failing to protect data in the March 22, 2023 Black Basta ransomware attack, in which nearly 1 TB of data affecting about 6.6 million people was stolen. |
| Report | Eight car-insurance firms in New York were ordered to pay US $14.2 million after hackers exploited "pre-fill" quoting tools to steal the personal information of over 825,000 New Yorkers, including driver's-license numbers and dates of birth, which were later used in fraudulent unemployment claims. |
| Warning | The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive after a nation-state-linked threat actor gained persistent access to F5's systems and exfiltrated portions of the BIG-IP source code and undocumented vulnerability information, posing an "imminent threat" to U.S. federal networks. |
| Report | Experian Netherlands was fined €2.7 million (approx. US $3.2 million) for mass-collecting personal data without consent across public and private sources, in violation of GDPR. |
| Warning | Microsoft warned that identity-based attacks surged 32% in the first half of 2025, with stolen passwords driving over 97% of these breaches. |
| Report | MSG, a firm providing emergency medical services in Guernsey, was fined £100,000 after a data breach exposed thousands of emails containing sensitive patient health information. |
| Report | A third-party data breach involving the archiving system for city-issued messages triggered a preventive review that uncovered a "potentially inappropriate" picture on Lt. Jesus Garcia's department phone, which led to an internal affairs probe and his termination from the Kissimmee Police Department. |
| Report | Between May and August 2025, the hacker group Cavalry Werewolf (aka YoroTrooper/Silent Lynx) used phishing emails masquerading as Kyrgyz government ministries to breach Russian government and industrial-sector networks, deploying custom malware to exfiltrate data. |
| Report | Meta launched new anti-scam tools for WhatsApp and Messenger on October 22, 2025, including AI-powered scam detection in chats and screen-sharing warnings, to better protect users from fraud. |
| Report | A mid-October 2025 phishing campaign impersonating LastPass's inheritance process, attributed to CryptoChameleon (UNC5356), used fake "legacy request" emails and spoofed sites to steal master passwords and passkeys, putting users' password vaults and crypto wallets at risk. |

Sources: Bleeping Computer, Recorded Future News, BloombergLaw, Databreaches.net