Four healthcare breaches expose over 560,000 records
Healthcare data breaches continue to pile up. Four newly disclosed attacks hit more than 560,000 people, with Sunflower Medical Group reporting the biggest incident. The Rhysida ransomware gang took credit for attacks on both Sunflower and Community Care Alliance, while BianLian claimed the breach at Gastroenterology Associates of Central Florida. Stolen data includes Social Security numbers, medical records, and insurance details—some of which hackers tried to sell.
Cyber attack allegedly behind X outages
Elon Musk blamed multiple X outages on Monday on a “massive cyberattack,” while hacking group Dark Storm Team claimed responsibility. According to Downdetector, reports of outages spiked throughout the morning, with peaks at 6 a.m., 10 a.m., and 11:30 a.m. ET, impacting tens of thousands of users. Newsweek and other outlets report that Dark Storm Team, a pro-Palestinian hacking group known for targeting NATO countries and Israel, took credit for the attack via Telegram. While Musk suggested a large, coordinated group or nation-state may be involved, X is still dealing with intermittent issues as of this recording.
FTC case against MGM over ransomware attack dropped
The Federal Trade Commission (FTC) has dropped its case against MGM Resorts International over the company’s handling of personal data stolen in a 2023 ransomware attack, citing a shift in the administration. The agency had sued MGM in 2024 to enforce a Civil Investigative Demand (CID), but after President Trump took office, the FTC withdrew the case. MGM has already paid $45 million to settle lawsuits from the 2019 and 2023 breaches, which exposed 37 million customers’ data and cost the company $100 million in losses.
FTC pays out $25.5 million to victims
Starting later this week, the FTC will begin distributing over $25.5 million in refunds to consumers who fell victim to scams run by Restoro and Reimage. The companies were fined $26 million in 2024 for using deceptive ads and pop-ups that falsely claimed users’ computers had security or performance issues, pressuring them into unnecessary repairs. FTC investigators found that the software always reported problems, even on clean devices, and telemarketers upsold repair plans costing up to $499. If you think you might have been a victim, check your email between now and March 13th for instructions on how to redeem the payment within 30 days through PayPal.
Switzerland mandates 24-hour cyber attack reporting
Starting next month, Switzerland’s National Cybersecurity Centre (NCSC) will require critical infrastructure organizations to report cyberattacks within 24 hours of discovery. The mandate, part of an amendment to the Information Security Act (ISA), applies to utilities, local governments, and transportation providers, covering incidents like data breaches, extortion attempts, and malware infections.
(Bleeping Computer), (Swiss National Cybersecurity Center)
TRUMP coins lure victims into ConnectWise attack
A phishing campaign is spoofing the cryptocurrency exchange Binance, luring victims with the promise of up to 2,000 free TRUMP Coins to trick them into downloading the ConnectWise RAT. The attack uses realistic branding and a fake Binance website to distribute malware, giving attackers remote control over victims’ computers within minutes. TRUMP Coins, a meme cryptocurrency launched by President Trump in January 2025, remain volatile but still make for effective bait. The phishing links contain “binance-web3” to appear credible, but the “.ru” domain should raise red flags. Cofense researchers say they are still working to find out who is behind the campaign.
FTC reports record fraud loss
The U.S. Federal Trade Commission (FTC) reported a record $12.5 billion in fraud losses in 2024, a 25% increase from the previous year. Investment scams were the largest contributor, accounting for $5.7 billion in losses, while imposter scams followed with $2.95 billion in reported losses. In a turn of events, younger consumers, particularly those aged 20-29, were the most frequent victims.
Google pays big to bug squashers
Google says it awarded nearly $12 million in bug bounties to 660 researchers through its various vulnerability reward programs last year, bringing its total payouts since 2010 to over $65 million. The company revamped its reward structure, offering up to $300,000 for critical vulnerabilities in mobile apps and up to $250,000 for Chrome bugs. In addition to standard VRP payouts, Google also launched new initiatives like the Cloud VRP and AI bug bounty program, with a significant increase in critical-severity bug reports contributing to higher reward amounts.






