
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Licence data and SaaS evidence | 2 |
| Cyber Investigations | Malware backdoors and credential exposure | 2 |
| Major Cyber Incidents | Healthcare and utility breaches | 2 |
| Exploits & Threat Intelligence | Splunk and WordPress exploitation | 2 |
| Law Enforcement | Botnet cleanup and domain tracing | 2 |
| Policy & Standards | ISM updates and breach reporting | 2 |
Digital Investigations
[AMER] Texas officials said more than three million hunting and fishing licence holders had personal data exposed after a breach affecting a third-party licence-sales vendor. Investigators should separate state systems from vendor infrastructure, preserving licence-platform logs, identity-field exports, vendor access records, notification timelines, Kroll enrolment evidence and any indicators showing whether passport or driver-licence data was copied (Source: Houston Chronicle, 22-06-2026).
[GLOBAL] Cybersecurity firms were affected by a Klue supply-chain attack after attackers exfiltrated data from Salesforce instances used by customers including Huntress and Recorded Future. The investigative focus is SaaS provenance, requiring OAuth records, Salesforce audit logs, integration permissions, customer-tenant boundaries, data-export evidence and supplier communications to prove whether compromise stayed inside the application layer (Source: SecurityWeek, 20-06-2026).
Cyber Investigations
[GLOBAL] CryptoBandits malware was reported to operate as both an information stealer and backdoor while abusing Tor and local proxying to hide command-and-control traffic. Investigators should collect SOCKS5 proxy artefacts, Tor process evidence, wallet and browser-theft indicators, persistence keys, outbound connection records and payload staging data to distinguish simple credential theft from continuing remote access (Source: SecurityWeek, 20-06-2026).
[GLOBAL] FortiBleed reporting said tens of thousands of Fortinet firewall and VPN credentials were exposed after earlier brute-force and credential-stuffing activity against internet-facing devices. Investigators need to correlate leaked credential lists with VPN authentication logs, administrative session history, password-reset actions, device configuration exports and post-authentication movement to determine whether credential exposure became network compromise (Source: SecurityWeek, 20-06-2026).
Major Cyber Incidents
[APAC] Australian Clinical Labs said limited data was taken during the SunDoctors cyberattack, extending scrutiny of healthcare-sector exposure after unauthorised access to dermatology service information. Investigators should preserve clinic-system logs, patient-record access evidence, imaging and billing workflows, supplier links, notification decisions and any segmentation evidence showing how far attackers moved beyond the affected service (Source: Reuters, 18-06-2026).
[AMER] London Hydro confirmed a customer-information leak in Canada after a reported data breach affecting the utility, raising concerns about exposure of account and contact details. The investigation should retain customer-service system logs, meter-account exports, portal access evidence, breach-notification records, vendor involvement and any proof distinguishing unauthorised viewing from bulk exfiltration (Source: CTV News London, 21-06-2026).
Exploits & Threat Intelligence
[AMER] CISA added the Splunk Enterprise flaw CVE-2026-20253 to its Known Exploited Vulnerabilities catalogue and required federal remediation on an accelerated timeline. Investigators should collect exposed management-interface records, Splunk version evidence, file-write events, scripted input changes, unauthenticated request traces and SIEM self-monitoring logs before patching alters the evidence base (Source: Security Affairs, 19-06-2026).
[GLOBAL] Security reporting warned that attackers were exploiting a Gravity SMTP WordPress plugin flaw to expose API keys and other sensitive mail-configuration material. The evidential priority is to retain plugin versions, WordPress administrator activity, exposed configuration values, SMTP logs, outbound mail anomalies and any API-key rotation records that prove whether disclosure led to abuse (Source: Sodium Cyber, 21-06-2026).
Law Enforcement
[EMEA] Police reportedly raided malware infrastructure tied to Russia’s Evil Corp and supported cleanup of thousands of SocGholish-infected WordPress websites in a coordinated operation. Investigators should preserve seized infrastructure images, domain records, webshell evidence, infected-site timelines, victim-notification material and links between loader activity, initial-access brokerage and downstream ransomware or fraud cases (Source: The Record, 19-06-2026).
[GLOBAL] SecurityWeek reported that roughly 15,000 WordPress websites were cleaned up in a SocGholish botnet takedown linked to coordinated action against malware delivery infrastructure. The enforcement value lies in correlating compromised websites, injected JavaScript, visitor-redirection chains, hosting records, operator infrastructure and victim machines that may have progressed from loader exposure to credential theft or ransomware deployment (Source: SecurityWeek, 20-06-2026).
Policy & Standards
[APAC] Australia’s ASD published its June 2026 Information Security Manual, updating cyber security principles and practical controls for government, infrastructure and large organisations. The document supports investigative readiness by emphasising governance, asset identification, protection, detection, response and recovery, while reinforcing the need for approved documentation, risk ownership and evidence-aware system management (Source: ASD ACSC, 20-06-2026).
[EMEA] Data-protection commentary in Europe stressed that small businesses are not automatically punished for reporting breaches when they can show proportionate preparation and response. The policy lesson for investigators is that breach records, remedial decisions, controller communications, risk assessments and evidence of reasonable security controls can become central to regulatory judgement after an incident (Source: Bitdefender, 21-06-2026).
Editorial Perspective
This cycle again shows that digital investigations are increasingly dependent on evidence held by suppliers, cloud platforms, security appliances and public-facing service providers. Licence data, SaaS integrations, VPN credentials, WordPress compromise and healthcare records all create fragmented evidence trails that can be misread if investigators treat the headline organisation as the only source of truth. Provenance, tenant boundaries, credential history and third-party audit records are now central to deciding what happened.
The operational challenge is preserving records before remediation narrows the available picture. Rapid KEV deadlines, botnet cleanup, plugin patching and credential resets are necessary, but each can erase context needed to prove exposure, access and movement. Readiness therefore depends on collection playbooks that capture raw logs, configuration state, supplier records and notification evidence before systems are restored or legal narratives harden.
Reference Reading
- Houston Chronicle: Texas wildlife licence data breach
- SecurityWeek: Cybersecurity firms impacted by Klue supply-chain attack
- SecurityWeek: FortiBleed credential exposure
- Security Affairs: CISA adds Splunk Enterprise flaw to KEV
- The Record: Police raid malware network tied to Evil Corp
- ASD ACSC: Information Security Manual June 2026
Tags
Digital Investigations, Texas Data Breach, Klue, Salesforce, Fortinet, FortiBleed, Splunk, CVE-2026-20253, SocGholish, WordPress, ASD ISM, Evidence Preservation