Content 

01. News Bites
  • Qantas cyberattack exposes customer data amid warnings of aviation targeting
  • Spanish police arrest duo behind cyberattacks on government and media
  • Critical WordPress Plugin flaw could lead to site takeover
  • Ransomware demands surge in South Africa as recovery costs climb
  • International Criminal Court Hit by Targeted Cyberattack During NATO Summit

02. Conclusion

Quick News Bites

Qantas cyberattack exposes customer data amid warnings of aviation targeting

Australian airline Qantas has confirmed a cyberattack that compromised a third-party customer service platform, exposing data for potentially six million customers. The breach, detected on Monday, involved unusual activity linked to a call centre platform, prompting swift containment measures. While Qantas systems remain secure, the airline admits a “significant” amount of data was stolen, including names, emails, phone numbers, birth dates, and frequent flyer numbers. No financial data or login credentials were exposed.

Authorities including the Australian Cyber Security Centre and Federal Police have been notified. The attack shares similarities with campaigns by threat group Scattered Spider, known for phishing, MFA fatigue, and help desk social engineering. Although not confirmed, the incident follows Scattered Spider’s shift toward targeting the aviation sector, with recent hits on Hawaiian Airlines and WestJet.

Organisations are urged to harden identity services and help desk security, as this group continues its sector-by-sector approach to high-impact attacks.

Spanish police arrest duo behind cyberattacks on government and media

Spanish police have arrested two individuals in Las Palmas accused of cyberattacks targeting senior government officials and journalists. The suspects, considered a “serious threat to national security,” allegedly stole and leaked sensitive data to increase its black-market value and build notoriety.

According to authorities, the investigation began when agents discovered the exposure of personal data from high-level political figures and media professionals on social platforms. One suspect is said to have specialised in data exfiltration, while the other managed cryptocurrency transactions and database access sales.

Both were arrested at their homes, where police seized numerous electronic devices that could reveal further evidence or associates. This case is part of Spain’s ongoing crackdown on cybercrime. Recent arrests include a hacker linked to breaches at NATO and the U.S. Army, and a British national tied to the Scattered Spider group. The country’s efforts highlight growing concerns around politically motivated cyber threats.

Critical WordPress Plugin flaw could lead to site takeover

A critical vulnerability in the popular Forminator WordPress plugin could allow unauthenticated attackers to delete key files and take over websites. Tracked as CVE-2025-6463 with a CVSS score of 8.8, the flaw impacts all versions up to 1.44.2 and affects over 600,000 active installations.

The flaw stems from poor input validation and unsafe file deletion logic. Attackers can exploit form fields to mimic a file upload and reference sensitive files like wp-config.php. If the referenced file is deleted, either manually or via auto-cleanup, the site enters setup mode, enabling a full compromise. A patch was issued on June 30 in version 1.44.3.

WordPress users are strongly urged to update immediately. No active attacks have been reported yet, but public disclosure increases risk. Site owners unable to update should deactivate the plugin temporarily.
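The unsafe deletion pattern described above, next to one way to guard against it, as an added PHP example (not Forminator's code and not part of the original bulletin). The function names, the sandbox directory layout and the sample field values are constructed for illustration; the hardened check only deletes files that resolve inside the upload directory.

```php
<?php
// Added illustration; not Forminator's code. All names here are hypothetical.

// Unsafe pattern: deletes whatever path a submission's field value names.
function delete_submission_file_unsafe(string $path): bool
{
    return is_file($path) && unlink($path);
}

// Hardened pattern: delete only regular files that resolve inside $uploadDir.
function delete_submission_file_safe(string $path, string $uploadDir): bool
{
    $base = realpath($uploadDir);
    $real = realpath($path); // resolves ../ and symlinks; false if the file is missing
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // The trailing separator stops a sibling such as "uploads-old" from matching.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($real);
}

// Constructed sandbox standing in for a site root; no WordPress install is touched.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'site_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
$config = $root . DIRECTORY_SEPARATOR . 'wp-config.php';
$upload = $uploads . DIRECTORY_SEPARATOR . 'cv.pdf';
file_put_contents($config, "<?php // constructed placeholder\n");
file_put_contents($upload, 'constructed upload');

// Constructed field values, as a submission record might store them.
$candidates = [
    'legitimate upload'    => $upload,
    'traversal to config'  => $uploads . '/../wp-config.php',
    'absolute config path' => $config,
];
foreach ($candidates as $label => $path) {
    $deleted = delete_submission_file_safe($path, $uploads);
    printf("%-22s %s\n", $label, $deleted ? 'deleted' : 'refused');
}
printf("wp-config.php present: %s\n", file_exists($config) ? 'yes' : 'no');

// Remove the sandbox.
unlink($config);
rmdir($uploads);
rmdir($root);
```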

Ransomware demands surge in South Africa as recovery costs climb

Cybercriminals targeting South African companies have dramatically increased ransom demands, with the median demand skyrocketing from R2.9 million in 2024 to R17 million in 2025, according to Sophos’ State of Ransomware in South Africa Report 2025.

Based on a global survey of 3,400 IT professionals—including over 150 in South Africa—Sophos found that 60% of attacks on South African firms led to data encryption, higher than the 50% global average. On average, 64% of victims paid the ransom demands.

Compromised credentials were the most common attack vector (34%), followed by exploited vulnerabilities (28%) and malicious emails (22%). A lack of in-house expertise and unknown defensive gaps were also key contributors to breaches.

The financial impact is severe: the average recovery cost (excluding ransom payments) hit R23 million. Only 50% of affected companies recovered within a week; 20% took up to six months.

Despite rising costs, 90% of organisations that had data encrypted were able to recover it—often after paying.

International Criminal Court Hit by Targeted Cyberattack During NATO Summit

The International Criminal Court (ICC) confirmed it was the target of a “sophisticated and targeted” cyberattack last week, coinciding with the NATO summit held in The Hague. The court, also based in The Hague, said the threat was detected late in the week and has since been contained. A full impact analysis is underway.

Dutch authorities reported a wave of DDoS attacks against local governments and institutions in the lead-up to the NATO gathering, with pro-Russian hacktivist groups claiming responsibility. While those incidents were limited in impact, they form part of a broader threat landscape surrounding high-profile events.

A separate train network outage that caused widespread disruption is also under investigation, with Dutch officials not ruling out sabotage.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.