Thursday, December 4 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 01-12-2025 to 03-12-2025 (UTC)

Snapshot Summary

Sector / Section | Headline Highlights | Count
DFIR & Incident Response | Ransomware-hit U.S. fintech vendor, Cypriot oncology centre breach probe, and London councils racing to contain shared IT data theft. | 3
Cyber Investigations | South Korea camera-hacking ring busted and India orders CBI probe into expanding “digital arrest” scam syndicates. | 2
Major Cyber Incidents | Coupang’s 34M-customer data leak, Sorbonne staff records on the dark web, and CodeRED emergency alert outages after ransomware. | 3
Exploits & Threat Intelligence | Android zero-day exploits, Akira’s multi-sector victim list, and December ransomware leak-site surge across global enterprises. | 3
Law Enforcement | Cryptomixer takedown, U.S. seizure of the Tai Chang scam domain, and India touting tens of thousands of cybercrime arrests via new initiatives. | 3
Policy | UK rethinks ransom-payment ban for critical infrastructure, Ireland launches a new National Cyber Risk Assessment, and boards face mounting cyber governance pressure. | 3
Standards & Compliance | EU Cyber Resilience Act implementation milestones, updated UK Cyber Assessment Framework 4.0, and DUAA-focused data protection playbooks. | 3
Consumer App Data Leaks | Indian phone-number search site and stalkerware app leaks spotlight unchecked SDKs and high-risk consumer data exposure patterns. | 2

Digital Forensics & Incident Response

Fintech vendor Marquis discloses SonicWall-exploited ransomware breach — Texas-based marketing vendor Marquis notified U.S. financial institutions that an attacker exploited a SonicWall firewall on 14-08-2025 and later triggered a ransomware incident discovered in November, potentially exposing client data (03-12-2025) [US]. The case highlights the need for DFIR teams to treat edge appliances as high-value assets, maintain long-term network telemetry, and scrutinise third-party connectivity when reconstructing intrusion timelines (Source: Reuters, 03-12-2025).

Bank of Cyprus Oncology Centre detects possible data breach — The Bank of Cyprus Oncology Centre reported indications on 01-12-2025 that its systems may have been compromised and has launched a formal investigation into potential data exposure affecting cancer patients (02-12-2025) [EMEA]. Incident responders are working with national authorities to contain the breach, verify what data was accessed, and notify affected individuals, underscoring the sensitivity of healthcare datasets and the value of rehearsed breach playbooks (Source: In-Cyprus, 02-12-2025).

London councils confirm data theft after shared IT cyberattack — A cyber incident against shared IT systems used by Kensington and Chelsea, Westminster and Hammersmith & Fulham councils led to copying of historical data, with authorities warning that some resident information may surface publicly (02-12-2025) [UK]. DFIR teams are working alongside the NCSC and Metropolitan Police to triage affected datasets, restore disrupted services and prepare for downstream phishing and fraud attempts leveraging stolen records (Source: The Register, 02-12-2025).

Cyber Investigations

South Korea busts gang behind 120,000 hacked home and business cameras — South Korea’s National Police Agency charged four suspects for hacking more than 120,000 IP cameras and selling sexually exploitative footage, including material involving minors, via an online platform (01-12-2025) [APAC]. The investigation showcases how weakly secured consumer cameras remain high-value targets and reinforces the importance for investigators of correlating crypto flows, hosting records and illicit content markets to dismantle such networks (Source: SecurityWorld, 01-12-2025).

India’s Supreme Court orders CBI probe into “digital arrest” scam syndicates — India’s Supreme Court directed the Central Bureau of Investigation to lead a nationwide probe into “digital arrest” scams where victims are coerced over video calls, often using spoofed law-enforcement identities and compromised telecom infrastructure (01-12-2025) [APAC]. The order will concentrate investigative resources on linking SIM farms, mule accounts and call-centre infrastructure, offering DFIR teams richer intelligence on social engineering and cross-border fraud TTPs (Source: Indian Masterminds, 01-12-2025).

Major Cyber Incidents

Coupang confirms data leak impacting tens of millions of South Korean customers — South Korean e-commerce giant Coupang disclosed that a data leak exposed information on roughly 34 million customers, prompting a high-profile police investigation and regulatory scrutiny (01-12-2025) [APAC]. For DFIR and risk teams, the breach illustrates the scale of exposure when cloud access controls misfire and highlights the need for rigorous third-party code reviews and continuous monitoring across sprawling retail platforms (Source: Reuters, 01-12-2025).

Sorbonne Université staff data appears on dark web after claimed breach — Hackers claim to have leaked detailed employee records from Paris-based Sorbonne Université, including banking details, salary data and identity documents, with samples circulating on dark-web forums (01-12-2025) [EU]. The incident underscores the growing targeting of universities for both research and financial data, pushing security teams to harden identity stores, enforce MFA on administrative systems and monitor for data leakage beyond classic perimeter defences (Source: Cybernews, 01-12-2025).

Ransomware takes U.S. CodeRED emergency alert system offline — A ransomware attack against Crisis24’s legacy environment for the OnSolve CodeRED emergency notification platform forced the service offline, disrupting alerts for multiple U.S. cities and counties and triggering data breach notifications (25-11-2025, highlighted 02-12-2025) [US]. Emergency-management operators are rebuilding on a new platform and validating backups, offering a stark reminder that critical public-notification systems need segmented architectures, rigorous patching and tested recovery plans (Source: SecurityWeek / SANS NewsBites, 02-12-2025).

Exploits & Threat Intelligence

Google patches two Android zero-days already exploited in targeted attacks — Google’s December 2025 Android security bulletin fixed 107 flaws, including CVE-2025-48633 and CVE-2025-48572, which are being actively exploited for information disclosure and privilege escalation on Android 13–16 devices (02-12-2025) [Global]. CISA has added the issues to its KEV list, making timely patching and mobile EDR coverage a priority for defenders who rely on Android fleets in BYOD and frontline operational environments (Source: BleepingComputer / CISA advisories, 02-12-2025).

Akira ransomware claims new batch of U.S. industrial and financial victims — The Akira ransomware group listed fresh victims including Wisconsin Knife Works, Smith Companies, Envirotech Services, Next Generation Logistics and Security First Bank, threatening to leak stolen data if ransoms are not paid (01-12-2025) [US]. The campaign highlights Akira’s appetite for mid-market industrial and logistics firms, reinforcing the need for robust segmentation, offline backups and dark-web monitoring tuned to ransomware leak sites (Source: Dexpose / dark-web reporting, 01-12-2025).

December opens with wave of multi-sector ransomware data leaks — Threat-intel trackers report dozens of new December 2025 postings on ransomware leak portals, spanning engineering, tourism, energy, legal and public-sector organisations across the Americas, Europe and Asia (01-12-2025) [Global]. For SOC and DFIR teams, the clustering of discoveries is a cue to review exposure to listed threat groups, validate backup integrity and ensure that credential hygiene and VPN hardening keep pace with increasingly industrialised extortion operations (Source: BreachSense / DarkwebInformer, 01-12-2025).

Law Enforcement

Cryptomixer.io seized in Swiss–German crackdown on ransomware laundering — Swiss and German authorities, working with Europol and U.S. partners, shut down the Cryptomixer.io Bitcoin-mixing service, seizing servers, 12TB of data and more than €25 million in cryptocurrency allegedly linked to ransomware and other crimes (01-12-2025) [EU/US]. The takedown gives investigators a rich trove of transaction metadata that could de-anonymise wallets tied to extortion campaigns, reminding defenders that payment flows increasingly carry long-term law-enforcement risk for both criminals and unwary intermediaries (Source: Reuters / Europol briefings, 01-12-2025).

U.S. Justice Department seizes domain tied to Tai Chang crypto scam compound — The U.S. Justice Department announced seizure of a domain used by fraudsters at the Tai Chang compound in Myanmar, where “pig-butchering” cryptocurrency scams defrauded large numbers of American investors (02-12-2025) [US/APAC]. DFIR and fraud teams should expect fresh infrastructure from displaced operators and use the indicators released by authorities to tune anti-phishing, transaction monitoring and user-education campaigns about high-yield “investment platforms” (Source: U.S. DOJ / Times of India, 02-12-2025).

India reports over 16,000 arrests under national cybercrime control initiative — India’s Home Ministry highlighted that its cybercrime reporting and coordination scheme has supported 16,840 arrests and more than 105,000 cyber-investigation assistance requests, targeting scams ranging from investment fraud to online harassment (late-11-2025, reported 01-12-2025) [APAC]. The figures show how centralised cybercrime platforms and techno-legal support units can amplify local investigations, offering a model for other jurisdictions seeking to scale digital forensics and victim support (Source: Press Information Bureau, 01-12-2025).

Policy

UK considers national security exemptions to proposed ransomware payment ban — At the FT Cyber Resilience Summit, UK Security Minister Dan Jarvis said ministers are exploring exemptions to a proposed ban on ransom payments for critical national infrastructure, citing scenarios such as hospital shutdowns (03-12-2025) [UK]. CISOs in regulated sectors should watch the evolving legislation closely, as it will shape acceptable incident-response options, board accountability and cyber insurance strategies when life and safety are at stake (Source: Financial Times, 03-12-2025).

Ireland launches 2025 National Cyber Risk Assessment — Ireland’s National Cyber Security Centre released its 2025 National Cyber Risk Assessment, mapping systemic vulnerabilities, sectoral threat trends and priority actions to inform the next National Cyber Security Strategy (02-12-2025) [EU]. The assessment provides a useful template for national and sector-level risk owners, aligning cyber investment, public–private cooperation and crisis-management planning with a clearly articulated threat picture (Source: Government of Ireland, 02-12-2025).

Bank of England flags mounting cyber risk in latest financial stability review — The Bank of England’s latest Financial Stability Report, highlighted in UK business press, warns that cyberattacks and operational disruptions are rising amid geopolitical tension, yet only a minority of companies have board-level cyber accountability (02-12-2025) [UK]. The narrative strengthens the case for dedicated board cyber committees, sharper regulatory expectations and more frequent crisis simulations, especially where cyber resilience is now a core prudential concern (Source: The Times / BoE reporting, 02-12-2025).

Standards & Compliance

EU publishes first Cyber Resilience Act implementation milestones — The European Commission outlined initial implementation steps for the Cyber Resilience Act, including a 01-12-2025 implementing act on technical descriptions for important and critical products and an upcoming delegated act on CSIRTs withholding notifications (01-12-2025) [EU]. Vendors of connected hardware and software should map product portfolios to CRA categories now, building evidence for secure development, vulnerability handling and update processes ahead of future compliance deadlines (Source: European Commission, 01-12-2025).

CAF 4.0 guidance aims to boost UK public-sector cyber resilience — New guidance on the UK National Cyber Security Centre’s Cyber Assessment Framework (CAF) 4.0, published with input from national experts, encourages public bodies to adopt a more proactive and intelligence-led approach to cyber resilience (02-12-2025) [UK]. Security leaders in government and critical infrastructure can use CAF 4.0 as a benchmark for control maturity, supplier assurance and continuous improvement, aligning operational practice with evolving national expectations (Source: Microsoft Security Blog / NCSC, 02-12-2025).

UK firms urged to prepare for Data (Use and Access) Act 2025 enforcement — A new practitioner guide urges organisations to ready themselves for the UK Data (Use and Access) Act 2025, mapping out complaint-handling, transparency and governance steps ahead of key ICO consultation milestones (03-12-2025) [UK]. For compliance and security teams, the DUAA adds another regulatory lens on data-sharing and digital verification services, making integrated privacy, security and records-management controls more critical than ever (Source: Bridewell / ICO guidance, 03-12-2025).

Consumer App Data Leaks

ProxyEarth site exposes Indian citizens’ personal data via phone-number search — An investigation by Indian media found that the ProxyEarth.org website allows anyone to look up personal information on Indian mobile users by entering a phone number, raising alarms over an apparent massive data leak (01-12-2025) [APAC]. The case illustrates how leaked or scraped datasets can be repackaged into “people search” tools, forcing security teams to update fraud models, review KYC procedures and warn users about heightened phishing and SIM-swap risks (Source: India Today, 01-12-2025).

Spyzie stalkerware leak exposes how third-party SDKs amplify surveillance risks — New analysis of the Spyzie spyware app data leak shows that highly sensitive information such as location histories, messages and device identifiers was exposed, with much of the app’s codebase built from opaque third-party SDKs (03-12-2025) [Global]. For mobile security teams and privacy engineers, the incident reinforces the need for strict SDK governance, SBOMs and runtime monitoring to prevent hidden tracking and data exfiltration across consumer and enterprise apps (Source: PureWL research, 03-12-2025).

Editorial Perspective

This 48-hour window reinforces how blurred the lines have become between “headline” incidents and the steady background hum of cyber extortion, data leaks and regulatory change. Ransomware still grabs most attention, but the stories here show an ecosystem where criminal infrastructure, crypto flows and consumer data markets are all tightly coupled.

For DFIR and cyber leaders, the tactical lesson is clear: edge devices, shared service platforms and third-party SDKs remain some of the weakest links, yet are often the least instrumented and least tested. At the same time, governments are leaning into new levers — from ransomware payment bans to CRA-style product rules — which will reshape what “good” looks like for boards and suppliers long before many control frameworks are updated.

The strategic opportunity is to treat this convergence as a forcing function for simplification: fewer critical platforms, higher-fidelity telemetry, tighter supplier governance and a more honest dialogue with business leaders about risk trade-offs. Teams that use these incidents as rehearsal material for playbooks, wargames and board briefings will be far better placed when the next Coupang-scale breach or CodeRED-style outage hits closer to home.

Tags

DFIR, ransomware, data breach, threat intelligence, law enforcement, cyber policy, Cyber Resilience Act, Android security, consumer data leaks, global cyber incidents
