Friday, January 30 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-01-28 12:00 to 2026-01-30 12:00 (UTC)

Snapshot Summary

Sector / Section         | Headline Highlights                                                      | Count
DFIR & Incident Response | Europe IR metrics report; NTLMv1 cracking push                           | 2
Cyber Investigations     | ShinyHunters targeting mapped; Bulletproof TDS domains                   | 2
Major Cyber Incidents    | Nike extortion leak claim; Rotterdam DDoS disruption; Panera records exposed | 3
Exploits & Threat Intel  | Ivanti EPMM zero-days; FortiOS SSO bypass; Office OLE bypass             | 3
Law Enforcement          | RAMP forum seizure; ATM jackpotting indictments                          | 2
Policy                   | Germany "strike back" stance; UK 2026 cyber obligations focus            | 2
Standards & Compliance   | NIST Cyber AI Profile comments; ENISA 2026–2028 programme                | 2
Consumer App Data Leaks  | Dating app dataset extortion; 149M credential cache exposed              | 2

Digital Forensics & Incident Response

The State of Incident Response 2026: Insights from 630 Investigations — Eye Security published a Europe-focused incident response analysis drawn from 630 anonymised investigations, detailing common entry vectors, dwell time, containment outcomes, and the operational impact of MDR coverage [EMEA]. For DFIR teams, the dataset is a practical benchmark for triage playbooks, helping prioritise identity controls and logging depth where real-world cases repeatedly show failures and delayed detection. (Source: Eye Security, 28-01-2026).

Mandiant pushes organisations to drop NTLMv1 by publishing a way to crack it — Google’s Mandiant published a lookup approach intended to demonstrate how trivially NTLMv1 challenge-response material can be cracked, explicitly framing it as “tough love” to accelerate retirement of the legacy protocol [AMER]. This matters because DFIR investigations still routinely encounter NTLMv1 residue in authentication flows, and the new tooling shifts the risk calculus by making credential recovery faster for both defenders validating exposure and attackers weaponising weak paths. (Source: CSO Online, 29-01-2026).
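
The first step for a DFIR team is to find out whether NTLMv1 is still being accepted at all. On Windows, a successful logon (Security event 4624) records the negotiated package in the "Detailed Authentication Information" block, and the "Package Name (NTLM only)" field reads "NTLM V1" or "LM" when a legacy response was accepted. The script below is an added example for this roundup, not Mandiant's tooling: it assumes events were exported as text (for instance with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text`) and ranks the source addresses that are still sending legacy responses. The events embedded in it are constructed for illustration, not real logs.

```python
"""Hunt for NTLMv1 and LM logons in exported Windows Security 4624 events.

Added example for this roundup (not Mandiant's tool). Assumes the text layout
wevtutil produces for 4624, including the "Detailed Authentication
Information" block. SAMPLE_EVENTS is constructed, not a real export.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "Package Name (NTLM only)" values that mean a legacy response was accepted.
LEGACY_PACKAGES = {"NTLM V1", "LM"}

# Constructed sample: four 4624 events in wevtutil text form (hypothetical hosts/accounts).
SAMPLE_EVENTS = """\
Event[0]:
  Log Name: Security
  Event ID: 4624
  Description:
An account was successfully logged on.

Subject:
\tAccount Name:\t\t-

Logon Information:
\tLogon Type:\t\t3

New Logon:
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tCORP

Network Information:
\tSource Network Address:\t10.20.30.40

Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tTransited Services:\t-
\tPackage Name (NTLM only):\tNTLM V1
\tKey Length:\t\t128

Event[1]:
  Event ID: 4624
New Logon:
\tAccount Name:\t\talice
\tAccount Domain:\t\tCORP
Network Information:
\tSource Network Address:\t10.20.30.50
Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
\tPackage Name (NTLM only):\t-

Event[2]:
  Event ID: 4624
New Logon:
\tAccount Name:\t\tbob
\tAccount Domain:\t\tCORP
Network Information:
\tSource Network Address:\t10.20.30.41
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V2

Event[3]:
  Event ID: 4624
New Logon:
\tAccount Name:\t\tscanner
\tAccount Domain:\t\tCORP
Network Information:
\tSource Network Address:\t10.20.30.40
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
"""

# The "New Logon:" prefix skips the Subject section, which has its own Account Name.
FIELD = {
    "event_id": re.compile(r"Event ID:\s*(\d+)"),
    "account": re.compile(r"New Logon:.*?Account Name:\s*(\S+)", re.S),
    "domain": re.compile(r"New Logon:.*?Account Domain:\s*(\S+)", re.S),
    "source": re.compile(r"Source Network Address:\s*(\S+)"),
    "auth_pkg": re.compile(r"Authentication Package:\s*(\S+)"),
    "ntlm_pkg": re.compile(r"Package Name \(NTLM only\):\s*([^\r\n]+)"),
}


@dataclass(frozen=True)
class LegacyLogon:
    account: str
    domain: str
    source: str
    package: str


def parse_events(text):
    """Split wevtutil text output into one dict of extracted fields per event."""
    events = []
    for chunk in re.split(r"(?m)^Event\[\d+\]:", text):
        if "Event ID:" not in chunk:
            continue
        fields = {}
        for name, rx in FIELD.items():
            m = rx.search(chunk)
            fields[name] = m.group(1).strip() if m else None
        events.append(fields)
    return events


def find_legacy_logons(text):
    """Return 4624 logons where NTLM was used and the response was NTLMv1 or LM."""
    found = []
    for ev in parse_events(text):
        if ev["event_id"] != "4624" or ev["auth_pkg"] != "NTLM":
            continue
        if ev["ntlm_pkg"] in LEGACY_PACKAGES:
            found.append(LegacyLogon(ev["account"], ev["domain"], ev["source"], ev["ntlm_pkg"]))
    return found


def sources_by_count(logons):
    """Rank source addresses so the noisiest legacy client is fixed first."""
    return Counter(logon.source for logon in logons).most_common()


if __name__ == "__main__":
    hits = find_legacy_logons(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.package:8} {h.domain}\\{h.account} from {h.source}")
    print(sources_by_count(hits))
```

Once the sources are known, the policy side is the LmCompatibilityLevel setting (Network security: LAN Manager authentication level); raising it to refuse NTLMv1 on domain controllers is what removes the exposure, and this script is the evidence that nothing still depends on it.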

Cyber Investigations

Over 100 organisations targeted in ShinyHunters phishing campaign — Researchers attributed a broad targeting set to ShinyHunters-linked activity using infrastructure and domains suggesting pursuit of high-value enterprise brands across SaaS, gaming, and biotech [AMER]. The investigative value is in the victimology and domain indicators, which enable proactive hunting for pre-compromise signals (lookalike domains, helpdesk impersonation patterns) before stolen credentials become extortion leverage or access-broker inventory. (Source: SecurityWeek, 27-01-2026).
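
Lookalike-domain hunting of the kind described above is mostly string work: normalise the confusable characters a registrant uses to imitate a brand, then measure how close each new domain is to the brand and whether it carries a helpdesk or SSO pretext. The script below is an added example for this roundup, not the researchers' tooling. The brand name, allowlist and candidate domains are hypothetical; in practice the candidates come from new-registration or passive-DNS feeds. It assumes each candidate is a registrable name whose first label is the one to inspect (co.uk-style suffixes would need a public-suffix split first).

```python
"""Score newly observed domains against brand names to surface lookalikes.

Added example for this roundup, not the researchers' code. Brand, allowlist and
candidate domains are hypothetical. Assumes the first DNS label of each
candidate is the registrable label.
"""
from dataclasses import dataclass

# Multi-character confusables run before single characters so "rn" becomes "m"
# before any later rule could touch the "n".
MULTI_HOMOGLYPHS = [("rn", "m"), ("vv", "w")]
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Tokens that mimic the SSO-portal and helpdesk pretexts named in the report.
LURE_TOKENS = {"sso", "login", "okta", "helpdesk", "support", "mfa", "vpn", "hr", "it"}


@dataclass(frozen=True)
class Lookalike:
    domain: str
    brand: str
    reason: str


def normalise(label):
    """Lower-case and collapse common homoglyph substitutions."""
    label = label.lower()
    for bad, good in MULTI_HOMOGLYPHS:
        label = label.replace(bad, good)
    return label.translate(SINGLE_HOMOGLYPHS)


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): edits plus adjacent swaps."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def score_domains(domains, brands, allowlist=frozenset()):
    """Return one Lookalike per domain that is within one edit of a brand,
    either as a whole label or as a hyphen-separated token (with lure tokens noted)."""
    hits = []
    for domain in domains:
        if domain.lower() in allowlist:
            continue  # the brand's own registered names are never "lookalikes"
        norm = normalise(domain.split(".")[0])
        tokens = norm.split("-")
        for brand in (b.lower() for b in brands):
            if osa_distance(norm, brand) <= 1:
                hits.append(Lookalike(domain, brand, f"near-match of {brand!r} after homoglyph normalisation"))
                break
            hit_token = next((t for t in tokens if osa_distance(t, brand) <= 1), None)
            if hit_token is not None:
                lures = sorted(LURE_TOKENS.intersection(tokens))
                suffix = f" with lure token(s) {lures}" if lures else ""
                hits.append(Lookalike(domain, brand, f"token {hit_token!r} matches {brand!r}{suffix}"))
                break
    return hits


# Constructed candidates around a hypothetical brand "examplecorp".
BRANDS = ["examplecorp"]
ALLOWLIST = frozenset({"examplecorp.com"})
CANDIDATES = [
    "examplecorp.com",           # legitimate, allowlisted
    "examp1ecorp-sso.com",       # digit-for-letter plus SSO pretext
    "exarnplecorp.com",          # rn -> m
    "examplecorp-helpdesk.net",  # brand plus helpdesk pretext
    "exampiecorp.com",           # one substitution
    "unrelated.org",
]

if __name__ == "__main__":
    for hit in score_domains(CANDIDATES, BRANDS, ALLOWLIST):
        print(f"{hit.domain:28} {hit.reason}")
```

The threshold of one edit is deliberately tight so the list stays reviewable; loosening it to two catches more registrations at the cost of more false positives on short brand names, which is where the allowlist and the lure-token signal earn their keep.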

Education-themed malicious domains linked to bulletproof hosting — An investigation highlighted education-themed lures and a traffic distribution system (TDS) connected to bulletproof hosting, designed to funnel victims toward phishing pages and malware payload delivery [EMEA]. For investigators, the key is how TDS-layered redirection obscures true landing infrastructure, so collecting full redirect chains, DNS history, and hosting artefacts becomes essential for attribution and takedown prioritisation. (Source: CyberPress, 30-01-2026).

Major Cyber Incidents

Nike says it is investigating possible data breach — Nike said it is investigating an alleged breach after an extortion group claimed to have leaked a large volume of company data, with public verification of the dataset still unclear [AMER]. The incident is material because “leak-only” extortion continues to pressure disclosure and crisis comms timelines, and organisations must validate what was taken (design/IP vs PII) to scope regulatory exposure, partner impact, and downstream fraud risk. (Source: Reuters, 26-01-2026).

Maritime bulletin reports DDoS disruption impacting the Port of Rotterdam — Reporting indicated the Port of Rotterdam faced DDoS-driven disruption attributed to pro-Russian hacktivist activity, continuing a pattern of pressure against Dutch maritime infrastructure [EMEA]. Even short-lived outages matter because ports are time-sensitive logistics hubs, and DDoS events increasingly pair with influence messaging—forcing operators to align cyber response, business continuity, and public narrative management under geopolitical scrutiny. (Source: CyDome, 29-01-2026).

Panera Bread reportedly hit by breach exposing ~14 million records — Reports tied a Panera Bread incident to ShinyHunters, alleging exposure of millions of customer records and signalling possible access via identity/SSO pathways rather than classic perimeter intrusion [AMER]. This is significant because it reinforces that consumer-facing data loss can originate from enterprise identity compromise, so incident scoping must include IdP telemetry, MFA resilience, and helpdesk/social-engineering controls—not only endpoint and network indicators. (Source: TechRadar, 29-01-2026).

Exploits & Threat Intelligence

CISA adds Ivanti EPMM CVE-2026-1281 to Known Exploited Vulnerabilities — CISA added CVE-2026-1281 (Ivanti Endpoint Manager Mobile) to the KEV catalogue, citing active exploitation and directing federal civilian agencies to remediate by the catalogue due date under BOD 22-01 [AMER]. The operational impact is immediate because mobile device management sits at the control plane for endpoints, so exploitation can translate into fleet-wide compromise and forced credential resets unless organisations apply vendor fixes and then check the appliance for post-exploitation persistence rather than assuming the patch alone closed the incident. (Source: CISA, 29-01-2026).
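
KEV entries carry an explicit due date, so the catalogue can be turned directly into a worklist rather than read as news. The script below is an added example for this roundup, not a CISA tool. The JSON it parses is constructed with the field names the public feed uses (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the CVE identifiers, products and dates are placeholders, not real catalogue entries. In use, replace the snapshot with the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the inventory with your own asset register.

```python
"""Turn a KEV catalogue snapshot into a due-date-ordered worklist.

Added example for this roundup, not CISA code. KEV_SNAPSHOT mirrors the feed's
field names but its CVE IDs, products and dates are placeholders. INVENTORY is
a hypothetical asset register keyed by the KEV product string.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed snapshot (placeholder CVE IDs, not real entries).
KEV_SNAPSHOT = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "0000.00.00",
  "dateReleased": "2026-01-29T12:00:00.0000Z",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Mobile Device Manager",
     "vulnerabilityName": "placeholder", "dateAdded": "2026-01-29", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-02-19",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Edge Firewall",
     "vulnerabilityName": "placeholder", "dateAdded": "2026-01-28", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-02-18",
     "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Legacy CMS",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-12-30", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-01-20",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "Consumer Router",
     "vulnerabilityName": "placeholder", "dateAdded": "2026-01-27", "shortDescription": "placeholder",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-02-17",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Hypothetical asset register: KEV product string -> owning team. Exact-string
# matching on "product" is brittle in practice; map your CMDB names to it explicitly.
INVENTORY = {
    "Mobile Device Manager": "endpoint-engineering",
    "Edge Firewall": "network-security",
    "Legacy CMS": "web-platform",
}


@dataclass(frozen=True)
class TriageItem:
    cve: str
    product: str
    owner: str
    due: date
    days_left: int      # negative means the BOD 22-01 due date has passed
    ransomware_use: bool


def load_kev(text):
    """Return the catalogue's vulnerability list from the feed JSON."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, inventory, as_of):
    """Keep entries for products in the inventory, ordered by days to due date;
    among equal deadlines, entries with known ransomware use come first."""
    items = []
    for e in entries:
        owner = inventory.get(e["product"])
        if owner is None:
            continue
        due = date.fromisoformat(e["dueDate"])
        items.append(TriageItem(e["cveID"], e["product"], owner, due, (due - as_of).days,
                                e["knownRansomwareCampaignUse"] == "Known"))
    return sorted(items, key=lambda i: (i.days_left, not i.ransomware_use))


def due_within(items, days):
    """Items already overdue or due within `days` of the as-of date."""
    return [i for i in items if i.days_left <= days]


if __name__ == "__main__":
    worklist = triage(load_kev(KEV_SNAPSHOT), INVENTORY, date(2026, 1, 30))
    for item in worklist:
        flag = " [ransomware]" if item.ransomware_use else ""
        print(f"{item.cve} {item.product:22} {item.owner:20} due {item.due} ({item.days_left:+d} d){flag}")
    print("overdue:", [i.cve for i in due_within(worklist, 0)])
```

Running this daily against the live feed gives change control a list that already reflects CISA's deadlines, which is the point the editorial makes about exploitation tempo being set by KEV rather than by internal windows.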

Fortinet PSIRT: Administrative FortiCloud SSO authentication bypass (CVE-2026-24858) — Fortinet disclosed CVE-2026-24858 as an in-the-wild exploited FortiCloud SSO authentication bypass affecting FortiOS, with malicious FortiCloud accounts implicated and mitigation/upgrade guidance provided [APAC]. This matters because firewall admin-path exposure is high-blast-radius, enabling policy tampering and configuration exfiltration that can degrade segmentation and VPN trust, so defenders should patch fast and audit for unexpected admin accounts and SSO-linked access changes. (Source: Fortinet, 28-01-2026).

Microsoft Office CVE-2026-21509 active exploitation analysis — Sophos documented active exploitation of CVE-2026-21509, a Microsoft Office bypass of OLE mitigations that can be triggered when users open specially crafted documents [EMEA]. The practical risk is that email-borne document workflows remain common, so rapid patching plus attachment hardening reduces a reliable initial access vector that can escalate into credential theft and lateral movement in environments where Office is deeply integrated with identity and file shares. (Source: Sophos, 27-01-2026).

Law Enforcement

RAMP ransomware/cybercrime forum apparently seized — Reporting indicated the FBI seized infrastructure associated with the Russian-language RAMP cybercrime forum, replacing pages with a seizure notice and disrupting a venue used by ransomware actors and access brokers [AMER]. This matters because forum disruption can displace criminal trade into smaller channels, so defenders should anticipate short-term fragmentation (more outreach, scams, re-branding) while investigators can exploit the churn for attribution, intelligence collection, and victim notification. (Source: The Record, 30-01-2026).

US indicts additional defendants in ATM “jackpotting” scheme — The US Department of Justice announced additional indictments in a large ATM “jackpotting” case, alleging coordinated cash-out operations that abused ATM ecosystems and cash logistics [AMER]. The case matters operationally because jackpotting increasingly blends cyber intrusion, money-mule coordination, and rapid monetisation, so banks and responders should tighten endpoint/remote access monitoring around ATMs, review vendor access controls, and integrate fraud telemetry with cyber IR workflows. (Source: U.S. DoJ, 26-01-2026).

Policy

Germany will “strike back” against Russian cyber attacks, minister vows — Germany’s interior minister signalled a lower threshold for retaliatory cyber countermeasures and a more assertive posture against hostile activity linked to state-backed actors [EMEA]. This matters because policy shifts toward offensive or disruptive responses can change attacker incentives, raise escalation risk, and drive new compliance expectations for critical sectors—especially around incident reporting, cross-agency coordination, and evidence preservation standards needed to support attribution. (Source: Financial Times, 26-01-2026).

Top UK data protection & cyber security developments for 2026 — UK-focused analysis highlighted 2026 changes affecting incident reporting, security expectations, and supply-chain accountability, with emphasis on contractual flow-down of cyber obligations [EMEA]. The relevance is that policy and regulator posture increasingly treats “reasonable security” as demonstrable governance, so CISOs should align controls, vendor oversight, and breach readiness to meet rising scrutiny—particularly where AI vendors and processors widen the accountability surface. (Source: Gowling WLG, 28-01-2026).

Standards & Compliance

NIST Preliminary Draft of Cyber AI Profile open for comment through 30 Jan — NIST’s CSRC reiterated that the Preliminary Draft Cyber AI Profile is open for public comment through 30 January, framing it as a community profile aligned to the Cybersecurity Framework for AI deployments [AMER]. This matters for compliance programmes because it foreshadows audit-ready mappings between AI system risks and control outcomes, enabling organisations to start gap assessments now and avoid “bolt-on” governance once the profile becomes a de facto benchmark in procurement and assurance. (Source: NIST CSRC, 29-01-2026).

ENISA Single Programming Document 2026–2028 — ENISA published its 2026–2028 programming document, outlining priorities and planned workstreams that influence EU-wide cybersecurity capability building and guidance outputs [EMEA]. For compliance and risk leaders, the roadmap is a forward indicator of where European expectations will land next (e.g., operational guidance, sectoral support), so aligning internal roadmaps to these themes can reduce future retrofit costs as NIS2-era assurance and reporting norms mature. (Source: ENISA, 27-01-2026).

Consumer App Data Leaks

ShinyHunters claims stolen user data tied to major dating apps — ShinyHunters claimed to have obtained and listed data allegedly tied to dating platforms including Hinge, Match.com and OkCupid, pointing to marketing analytics exposure as the suspected upstream source [AMER]. This matters because third-party tracking/attribution tooling can centralise high-value identity and behavioural data, so consumers face elevated phishing and account-takeover risk while organisations must treat marketing supply chains as security-critical and enforce least-privilege data sharing. (Source: The Register, 29-01-2026).

149 million usernames and passwords exposed by unsecured database — Wired reported a massive exposed database containing 149 million credential pairs, spanning major consumer services (email, social, crypto) and likely reflecting aggregation from infostealer activity [AMER]. The significance is that credential reuse turns “old” stolen pairs into current account compromise, so organisations should expect higher credential-stuffing pressure and consumers should rotate passwords, enable phishing-resistant MFA, and monitor for unusual login patterns across their most sensitive accounts. (Source: WIRED, 24-01-2026).

Editorial Perspective

This cycle reinforces a blunt reality: identity and control-plane compromise (SSO, MDM, admin portals) is now the shortest path from “one mistake” to enterprise-scale impact, and the exploitation tempo is being set by KEV-driven deadlines rather than internal change windows.

At the same time, extortion without encryption keeps pushing organisations into public uncertainty—responders must validate data authenticity fast, preserve evidence, and communicate precisely while threat actors weaponise partial leaks and supply-chain weak points.

Finally, emerging standards (notably NIST’s Cyber AI Profile) should be treated as early assurance scaffolding: start mapping AI and vendor risk now, because regulators and buyers will increasingly demand demonstrable governance, not aspirational policy statements.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Identity Security, Vulnerability Management, CISA KEV, NIS2, Incident Response, Data Breach
