
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| Digital Investigations | Staff data and centre loss | 2 |
| Cyber Investigations | Supplier attacks and delayed detection | 2 |
| Major Cyber Incidents | Healthcare suits and data leaks | 2 |
| Exploits & Threat Intelligence | KEV and Cisco exploitation | 2 |
| Law Enforcement | Endgame and laundering action | 2 |
| Policy & Standards | Critical advisories and guidance | 2 |
Digital Investigations
[EMEA] France’s national statistics department, Insee, reported a cyberattack that exposed identity and professional contact data for around 12,800 current and former staff and related civil service personnel. Investigators should preserve staff-directory exports, authentication records, access logs, internal notification evidence and the data-classification assessments that support the statement that passwords, bank details, social security numbers and health records were not affected (Source: Reuters, 26-06-2026).
[APAC] A fire at STT Global Data Centres India’s Delhi facility disrupted recovery for clients, including Google Cloud users and Indian firms that feared major loss of historical data. Although not a cyberattack, the case matters for digital investigators because backup contracts, recovery evidence, service dependencies, incident timelines, system-availability records and law-enforcement data-use claims must be preserved before force-majeure arguments obscure responsibility (Source: Reuters, 24-06-2026).
Cyber Investigations
[AMER] Dark Reading reported that attackers are shifting from direct school compromise toward education software suppliers, increasing risk to many schools through a smaller number of third-party platforms. Investigators should map supplier tenancy, school data flows, administrator access, integration tokens, notification duties and shared logging evidence so one vendor compromise can be correlated across multiple affected education environments (Source: Dark Reading, 25-06-2026).
[APAC] Australian reporting on ransomware detection found many organisations only identify attacks after data theft, with adversaries reportedly maintaining enterprise access for more than two weeks on average. For investigators, the findings reinforce the importance of early network telemetry, identity events, egress records, ransom-contact timing and post-exfiltration artefacts that show when access began, what moved and why detection was delayed (Source: Cyber Risk Leaders, 25-06-2026).
Major Cyber Incidents
[AMER] San Antonio healthcare providers South Texas Spinal Clinic and Soniva Dental faced proposed class-action lawsuits after the Gentlemen ransomware group claimed attacks involving sensitive patient data. Investigators should preserve patient-record access evidence, ransomware notes, dark-web postings, notification decisions, HHS reporting status, class-action allegations and internal timelines that may show whether encryption, exfiltration and delayed communication occurred (Source: San Antonio Express-News, 26-06-2026).
[AMER] Dark Reading reported continuing Salesforce data thefts linked to the Klue application compromise, expanding concern over SaaS integrations and customer data exposure. Investigation teams should retain OAuth authorisation logs, connected-app permissions, Salesforce audit trails, export records, tenant boundaries, supplier breach communications and any leak claims attributed to Icarus or other actors, since these are needed to distinguish platform compromise from customer-environment intrusion (Source: Dark Reading, 23-06-2026).
Exploits & Threat Intelligence
[AMER] CISA added two newly exploited vulnerabilities to its Known Exploited Vulnerabilities catalogue. Each entry carries a remediation due date that binds federal civilian agencies under BOD 22-01, and the catalogue signals to all defenders that evidence of active exploitation, not severity score alone, should drive prioritisation. Investigators should preserve exposed asset inventories, vulnerability-management tickets, exploitation indicators, compensating controls, patch-approval records and post-remediation validation so later reviews can determine whether compromise preceded containment (Source: CISA, 25-06-2026).
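The triage step the KEV item implies, turning new catalogue entries plus an asset inventory into dated, prioritised remediation tickets, is shown below as an added example. It is not CISA's code and not from the page. The record field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed; the catalogue rows, the CVE-0000-000x placeholder identifiers and the inventory are all constructed for illustration.

```python
"""Cross-reference a KEV catalogue snapshot against an asset inventory.

Added illustration only; not CISA's code. Field names follow the public KEV
JSON feed. The catalogue rows below are constructed placeholders (CVE-0000-000x
is not a real identifier) and the inventory is invented.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2026-06-25", "dueDate": "2026-07-16", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "AdminPortal",
         "dateAdded": "2026-06-25", "dueDate": "2026-07-16", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "LabelPrinter",
         "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory; vendor/product spelling deliberately varies in case.
INVENTORY = [
    {"asset": "gw-dmz-01", "vendor": "examplevendor", "product": "edgegateway", "internet_exposed": True},
    {"asset": "portal-int-02", "vendor": "ExampleVendor", "product": "AdminPortal", "internet_exposed": False},
    {"asset": "print-05", "vendor": "OtherVendor", "product": "LabelPrinter", "internet_exposed": False},
    {"asset": "web-03", "vendor": "SomebodyElse", "product": "Thing", "internet_exposed": True},
]


def load_kev(feed_text):
    return json.loads(feed_text)["vulnerabilities"]


def added_since(entries, since_iso):
    """Entries whose dateAdded is on or after `since_iso` (the 'newly added' subset)."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def match_inventory(entries, inventory):
    """Join KEV rows to assets on case-insensitive (vendorProject, product)."""
    index = {}
    for e in entries:
        index.setdefault((e["vendorProject"].lower(), e["product"].lower()), []).append(e)
    hits = []
    for asset in inventory:
        for e in index.get((asset["vendor"].lower(), asset["product"].lower()), []):
            hits.append({
                "asset": asset["asset"],
                "cve": e["cveID"],
                "exposed": asset["internet_exposed"],
                "ransomware_use": e["knownRansomwareCampaignUse"] == "Known",
                "date_added": date.fromisoformat(e["dateAdded"]),
                "due": date.fromisoformat(e["dueDate"]),
            })
    return hits


def prioritise(hits, today):
    """Order: internet-exposed first, then known ransomware use, then nearest due date.
    Records days to the KEV due date so overdue items (negative) sort to the front."""
    for h in hits:
        h["days_to_due"] = (h["due"] - today).days
        h["overdue"] = h["days_to_due"] < 0
    return sorted(hits, key=lambda h: (not h["exposed"], not h["ransomware_use"], h["days_to_due"]))


def ticket_lines(ordered):
    """One remediation-ticket line per match, suitable for a tracker or case file."""
    return [
        f"{h['asset']}: {h['cve']} added {h['date_added']} due {h['due']} "
        f"({'OVERDUE' if h['overdue'] else str(h['days_to_due']) + 'd left'}; "
        f"exposed={h['exposed']}; ransomware={h['ransomware_use']})"
        for h in ordered
    ]


def run_report(today_iso="2026-06-26"):
    """Full pipeline on the constructed data; `today_iso` stands in for the clock."""
    return prioritise(match_inventory(load_kev(KEV_SAMPLE), INVENTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(f"{len(added_since(load_kev(KEV_SAMPLE), '2026-06-25'))} entries added since 2026-06-25")
    for line in ticket_lines(run_report()):
        print(line)
```

The join key is deliberately loose (vendor and product only), so a real deployment would still have to confirm affected versions against the entry's notes; the point is that the match output, with its dateAdded and dueDate, becomes part of the preserved record showing when the organisation knew and when it was obliged to act.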
[AMER] Dark Reading reported that attackers exploited a Cisco SD-WAN vulnerability roughly two months before disclosure, showing how pre-disclosure activity can reshape timelines for enterprise network investigations. Evidence collection should include controller logs, edge-device access records, configuration changes, unusual management-plane activity, network segmentation records and telemetry needed to test whether exploitation occurred before vendor fixes were available (Source: Dark Reading, 24-06-2026).
Law Enforcement
[EMEA] Europol reported that Operation Endgame disrupted SocGholish, Amadey and StealC malware networks in a global cyber strike on criminal malware infrastructure. Investigators should preserve seized server images, botnet panel records, malware configuration files, loader-to-victim mappings, credential-theft indicators and cross-border legal process records linking infrastructure operators to downstream ransomware or fraud activity (Source: Europol, 25-06-2026).
[AMER] The U.S. Justice Department announced seizure of a cloud-computing account allegedly used by Huione Group subsidiaries to support cryptocurrency investment fraud, cyber scams and laundering. The evidential value lies in cloud metadata, hosted infrastructure, customer records, domain mappings, payment flows and wallet identifiers that may connect Southeast Asian scam operations to banking conversion and victim-payment trails (Source: U.S. Department of Justice, 23-06-2026).
Policy & Standards
[APAC] CERT-In updated its vulnerability notes and cyber security guidance pages, including material covering smart city infrastructure and space systems, as India expands security expectations for connected public-sector environments. The policy relevance for investigators is stronger documentation around asset ownership, platform dependency, telemetry retention, incident reporting and sector-specific control evidence when infrastructure systems become part of a cyber investigation (Source: CERT-In, 25-06-2026).
[EMEA] The UK NCSC continued promoting software supply-chain dependency checks after warning that attackers are compromising open-source packages to distribute malware into downstream environments. For investigative readiness, organisations should retain dependency inventories, package-lock files, build logs, signing evidence, developer account records, repository events and change-approval trails so suspected supplier compromise can be scoped quickly (Source: NCSC, 04-06-2026).
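Scoping a suspected open-source package compromise from retained lock files, as the NCSC item recommends, comes down to diffing two snapshots and ranking what changed. The block below is an added example, not NCSC code and not from the page. It follows npm's lockfileVersion 2/3 "packages" layout (path to version, resolved URL and integrity hash); the two lock files, every package name, version, URL and integrity string are constructed, and the single trusted registry host is an assumption for the example.

```python
"""Scope a suspected package compromise by diffing two package-lock.json snapshots.

Added example, not NCSC code. Layout follows npm lockfileVersion 2/3 ("packages"
map: path -> version/resolved/integrity). All package data below is constructed.
"""
import json
from urllib.parse import urlparse

# Assumption for the example: dependencies should only resolve from this host.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed 'before' snapshot (e.g. from the last reviewed commit).
OLD_LOCK = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-util": {"version": "2.4.1",
            "resolved": "https://registry.npmjs.org/example-util/-/example-util-2.4.1.tgz",
            "integrity": "sha512-AAAAconstructedAAAA=="},
        "node_modules/example-colors": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-colors/-/example-colors-1.0.0.tgz",
            "integrity": "sha512-BBBBconstructedBBBB=="},
        "node_modules/old-only": {"version": "0.1.0",
            "resolved": "https://registry.npmjs.org/old-only/-/old-only-0.1.0.tgz",
            "integrity": "sha512-CCCCconstructedCCCC=="},
    },
})

# Constructed 'after' snapshot (e.g. from the build under suspicion).
NEW_LOCK = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        # same version, different tarball hash: the quiet substitution case
        "node_modules/example-util": {"version": "2.4.1",
            "resolved": "https://registry.npmjs.org/example-util/-/example-util-2.4.1.tgz",
            "integrity": "sha512-ZZZZconstructedZZZZ=="},
        # version bump now served from outside the registry
        "node_modules/example-colors": {"version": "1.0.1",
            "resolved": "https://cdn.example.net/example-colors-1.0.1.tgz",
            "integrity": "sha512-DDDDconstructedDDDD=="},
        "node_modules/new-dep": {"version": "3.0.0",
            "resolved": "https://registry.npmjs.org/new-dep/-/new-dep-3.0.0.tgz",
            "integrity": "sha512-EEEEconstructedEEEE=="},
    },
})

# Lower number = look at it first.
SEVERITY = {"integrity_changed_same_version": 0, "untrusted_source": 1,
            "added": 2, "version_changed": 3, "removed": 4}


def parse_lock(text):
    """Return {package_path: {version, resolved, integrity}} from a v2/v3 lockfile.
    Paths are kept whole so nested node_modules copies stay distinct."""
    data = json.loads(text)
    if data.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2/3 'packages' layout is handled")
    return {path: {"version": m.get("version"), "resolved": m.get("resolved"),
                   "integrity": m.get("integrity")}
            for path, m in data["packages"].items() if path != ""}


def from_trusted_source(meta):
    """A missing or unparsable resolved URL counts as untrusted (conservative)."""
    return urlparse(meta["resolved"] or "").hostname in TRUSTED_REGISTRY_HOSTS


def diff_locks(old, new):
    findings = []

    def note(path, kind, o, n):
        findings.append({"package": path, "finding": kind,
                         "old": o and f"{o['version']} {o['integrity']}",
                         "new": n and f"{n['version']} {n['integrity']}"})

    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        if o is None:
            note(path, "added", None, n)
        elif n is None:
            note(path, "removed", o, None)
        elif o["version"] == n["version"] and o["integrity"] != n["integrity"]:
            note(path, "integrity_changed_same_version", o, n)
        elif o["version"] != n["version"]:
            note(path, "version_changed", o, n)
        if n is not None and not from_trusted_source(n):
            note(path, "untrusted_source", o, n)
    return sorted(findings, key=lambda f: (SEVERITY[f["finding"]], f["package"]))


def scope_report(old_text=OLD_LOCK, new_text=NEW_LOCK):
    return diff_locks(parse_lock(old_text), parse_lock(new_text))


if __name__ == "__main__":
    for f in scope_report():
        print(f"{f['finding']:32} {f['package']}: {f['old']} -> {f['new']}")
```

A same-version integrity change ranks above everything else because a legitimate publish changes the version; a tarball whose hash changed without one is exactly what a registry or mirror compromise looks like in the retained evidence. The untrusted-source check relies on the "resolved" field, which is why the item's advice to keep the lock file itself, not just a package list, matters.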
Editorial Perspective
This cycle shows that evidential integrity is increasingly tied to systems that sit outside the nominal victim organisation. Staff directories, cloud accounts, SaaS integrations, education suppliers, health providers and data-centre operators all create records that may determine whether an incident is a breach, service failure, supply-chain compromise or criminal infrastructure case. Investigators need clear collection routes before ownership, contractual or remediation disputes narrow what can be recovered.
The operational pattern is also one of compressed timelines. KEV additions, pre-disclosure exploitation, malware takedowns and supplier-driven breaches require defenders to act quickly while preserving enough data to reconstruct access, movement, exfiltration and attribution. Mature investigative readiness now depends on preserving raw state, audit logs, third-party communications and dependency records before cleanup or legal positioning reshapes the evidence trail.
Reference Reading
- Reuters: France’s statistics department reports staff-data cyberattack
- Reuters: STT and Tata Delhi data centre disruption
- CISA: Two vulnerabilities added to KEV catalogue
- Europol: Operation Endgame disrupts malware networks
- CERT-In: Vulnerability notes and security guidance
- NCSC: Software supply-chain dependency checks
Tags
Digital Investigations, Insee, STT Data Centre, SaaS Evidence, CISA KEV, Cisco SD-WAN, SocGholish, Amadey, StealC, Huione Group, CERT-In, Supply Chain Security