Content
01. News Bites
- European Space Agency confirms breach of external servers
- Former incident response staff plead guilty to BlackCat ransomware attacks
- Ransomware attack disrupts Romania’s largest coal energy producer
- Aflac data breach exposes personal data of 22.6 million people
02. Conclusion
European Space Agency confirms breach of external servers
The European Space Agency (ESA) has confirmed a cyber security incident involving servers located outside its corporate network, following claims by a threat actor on the BreachForums hacking forum. The attacker alleged access to ESA systems for around a week and shared screenshots suggesting visibility into JIRA and Bitbucket environments.
In a statement, ESA said the affected servers supported unclassified collaborative engineering activities within the scientific community and that only a very small number of external systems were impacted. A forensic security analysis is currently underway, and measures have been implemented to secure any potentially affected devices. ESA added that all relevant stakeholders have been notified and further updates will be provided as the investigation progresses.
While ESA has not confirmed data theft, the threat actor claims to have exfiltrated more than 200GB of data, including private Bitbucket repositories. The incident follows a previous breach in late 2024, when ESA’s official web shop was compromised using malicious code to steal customer and payment information.
Former incident response staff plead guilty to BlackCat ransomware attacks
Two former employees of cyber security incident response firms Sygnia and DigitalMint have pleaded guilty to involvement in BlackCat (ALPHV) ransomware attacks against US organisations in 2023. Ryan Clifford Goldberg, a former Sygnia incident response manager, and Kevin Tyler Martin, previously a ransomware negotiator at DigitalMint, admitted to conspiracy to obstruct commerce by extortion. Both now face sentencing in March 2026 and could receive up to 20 years in prison.
Court documents show the pair worked with a third accomplice as BlackCat affiliates, breaching multiple US companies between May and November 2023. Victims included organisations in the pharmaceutical, engineering, healthcare, and drone manufacturing sectors. Ransom demands ranged from $300,000 to $10 million, with at least $1.27 million confirmed as paid.
US authorities said the case highlights the growing insider risk, particularly where trusted cyber security expertise is abused for criminal gain.
Ransomware attack disrupts Romania’s largest coal energy producer
Romania’s largest coal-based electricity producer, Oltenia Energy Complex, has been hit by a ransomware attack that disrupted its IT infrastructure on the second day of Christmas. The company confirmed that multiple systems were impacted, including ERP platforms, document management applications, email services, and its public website, after files and documents were encrypted.
While the incident partially affected business operations, Oltenia Energy Complex said electricity production and the stability of the national energy system were not put at risk. IT teams immediately began rebuilding affected systems on a new infrastructure using existing backups, and an investigation is ongoing to determine whether data was exfiltrated before encryption.
The attack has been reported to Romania’s National Cyber Security Directorate, the Ministry of Energy, and DIICOT. The Gentlemen ransomware group is believed to be responsible. The incident follows other recent ransomware attacks on Romanian critical infrastructure, underlining the continued exposure of the energy and public sectors to cyber threats.
Aflac data breach exposes personal data of 22.6 million people
Insurance giant Aflac has confirmed a major data breach that resulted in the theft of personal information belonging to approximately 22.65 million individuals. The company detected suspicious activity on its US network on 12 June 2025 and publicly disclosed the incident on 20 June, attributing it to a sophisticated cybercrime group targeting the insurance sector.
Aflac said the attack was quickly contained and that third-party cyber security specialists were engaged to support the incident response. The company confirmed that ransomware was not deployed and business operations were not disrupted. Following a detailed investigation, completed shortly before Christmas, Aflac began notifying affected individuals.
The compromised data includes names, addresses, Social Security numbers, dates of birth, government-issued identification details, and medical and health insurance information. Aflac said it is not currently aware of the stolen data being misused and is offering 24 months of free credit monitoring, identity theft, and medical fraud protection. The breach is believed to be part of a wider campaign against insurance firms.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.