Content
01. News Bites
- Vast majority of companies hit by ransomware pay up, new report reveals
- WestJet breach exposes data of 1.2 million passengers
- Phantom Taurus: New China-linked espionage group targets governments
- Harrods discloses supplier breach impacting 430,000 customers
- OneLogin flaw exposed OIDC secrets, now patched
02. Conclusion
Vast majority of companies hit by ransomware pay up, new report reveals
A new report from insurer Hiscox has revealed that 80% of SMEs targeted by ransomware in the past year paid their attackers, though outcomes were often mixed. Of the 5,750 businesses surveyed, 27% suffered ransomware incidents. While most paid a ransom, only 60% successfully recovered all or part of their data, and nearly a third were met with further demands.
The findings come amid a wave of high-profile cyber attacks on firms including Marks & Spencer, the Co-op and Jaguar Land Rover (JLR). The latter has faced a month-long shutdown, with a £1.5bn government loan guarantee issued to protect its supply chain. Hiscox warned that many smaller firms, without such safety nets, face existential threats.
WestJet breach exposes data of 1.2 million passengers
Canadian airline WestJet has confirmed that a cyberattack first disclosed in June led to the theft of personal data belonging to 1.2 million customers. The exposed information includes names, dates of birth, mailing addresses, travel documents such as passports and government IDs, complaints filed with the airline, and loyalty programme details. No credit card numbers, passwords or CVV codes were taken; affected customers are nonetheless being offered two years of free identity theft protection.
The attack reportedly began with social engineering: the attackers used a compromised employee password to reach WestJet's Citrix environment, then pivoted from there into both the Windows network and the Microsoft cloud environment.
Although the incident has not been officially attributed, it coincided with a surge in aviation-focused attacks by groups linked to Scattered Spider. WestJet says investigations are ongoing with support from the FBI, as the full scope of the compromise continues to be assessed.
Phantom Taurus: New China-linked espionage group targets governments
A newly identified China-aligned hacking group dubbed Phantom Taurus has been linked to espionage campaigns targeting government and telecommunications organisations across Africa, the Middle East, and Asia. Active for more than two years, the group’s focus includes ministries of foreign affairs, embassies, and military operations, with operations often aligning with key geopolitical events.
First tracked in 2023 as CL-STA-0043 and later reclassified as TGR-STA-0043, Phantom Taurus has now been elevated to a full-fledged threat actor by researchers who say the group’s primary aim is long-term intelligence gathering, with recent operations shifting from email theft to direct database targeting.
Notably, Phantom Taurus employs a bespoke .NET malware suite called NET-STAR, built to run inside IIS web servers. Its backdoors are designed to evade detection and include timestomping, which alters file timestamps so that forensic timeline analysis does not single out the implant's files as recent. The group has exploited known vulnerabilities in IIS and Microsoft Exchange, underscoring its adaptability and persistence in cyber espionage.
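Timestomping defeats "sort the webroot by modification date" triage, but it usually leaves traces of its own. The scanner below is an added example for this bulletin, not code from the researchers who analysed NET-STAR, and it encodes general heuristics rather than anything specific to that suite: timestamps set through second-precision APIs have an exactly zero fractional part, a modification time in the future is impossible for a genuine write, and on POSIX systems utime() cannot touch ctime, so an mtime far older than ctime means the inode changed long after the claimed write. The sample files, names and backdating are constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path

NS = 1_000_000_000  # nanoseconds per second


def subsecond_supported(directory) -> bool:
    """Probe whether this filesystem keeps sub-second mtimes. FAT, some NAS
    shares and older mounts round to whole seconds, which would make every
    file look stomped; only apply that heuristic where the probe passes."""
    probe = Path(directory) / ".ts_probe"
    probe.write_bytes(b"")
    stamp = 1_600_000_000 * NS + 123_456_789  # arbitrary epoch ns with a non-zero fraction
    os.utime(probe, ns=(stamp, stamp))
    kept = os.stat(probe).st_mtime_ns % NS != 0
    probe.unlink()
    return kept


def timestomp_indicators(path, now_ns=None, check_subsecond=True) -> list:
    """Return the heuristics a file trips. An empty list means nothing suspicious."""
    st = os.stat(path)
    now_ns = time.time_ns() if now_ns is None else now_ns
    reasons = []
    # Tools that set times via second-precision APIs leave the fractional part at
    # exactly zero on every field they touched; genuinely written files do not.
    if check_subsecond and st.st_mtime_ns % NS == 0 and st.st_atime_ns % NS == 0:
        reasons.append("whole-second mtime and atime")
    if st.st_mtime_ns > now_ns + 60 * NS:
        reasons.append("mtime is in the future")
    # utime() cannot set ctime (inode change time) on POSIX: a modification time
    # far older than ctime means the inode changed long after the claimed write.
    # Archive restores and cp -p also produce this, so treat it as a prompt to
    # look, not as proof.
    if st.st_ctime_ns - st.st_mtime_ns > 365 * 86400 * NS:
        reasons.append("mtime more than a year older than ctime")
    return reasons


def scan_tree(root, now_ns=None) -> dict:
    """Walk a directory (for example an IIS webroot) and map each flagged file,
    relative to root, to the reasons it was flagged."""
    check_subsecond = subsecond_supported(root)
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = timestomp_indicators(full, now_ns, check_subsecond)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


def demo() -> dict:
    """Constructed sample: one freshly written file and one whose timestamps
    were backdated three years to whole seconds, as a timestomping tool would."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "web.config").write_text("<configuration/>")
        stomped = Path(root, "bin", "module.dll")
        stomped.parent.mkdir()
        stomped.write_bytes(b"MZ")
        backdated = (time.time_ns() // NS - 3 * 365 * 86400) * NS
        os.utime(stomped, ns=(backdated, backdated))
        return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

On NTFS the stronger check is to compare the $STANDARD_INFORMATION timestamps (which user-mode timestomping tools rewrite) against the $FILE_NAME timestamps in the MFT record (which they normally cannot); that needs a raw MFT parser and is outside this portable script, but the same triage logic applies.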
Harrods discloses supplier breach impacting 430,000 customers
UK luxury retailer Harrods has confirmed a new data breach after hackers compromised a third-party supplier, exposing 430,000 e-commerce customer records. The company stressed the incident is unrelated to May’s failed cyberattack by Scattered Spider, which used DragonForce ransomware against multiple UK retailers.
In its disclosure, Harrods said affected customers’ names and contact details were accessed, with some records also containing internal marketing labels, such as loyalty card tiers. However, no payment details, passwords, or order histories were compromised. The attackers have reportedly attempted to contact Harrods directly, but the company has refused to engage.
The breach may be linked to the wider Salesloft supply-chain attack, which has affected organisations globally since late summer. Harrods has notified impacted customers and relevant authorities, urging vigilance against phishing attempts. The retailer continues to work with investigators while offering reassurances that sensitive financial information remains secure.
OneLogin flaw exposed OIDC secrets, now patched
A high-severity vulnerability in One Identity's OneLogin IAM platform has been disclosed, raising concerns over potential exposure of sensitive OpenID Connect (OIDC) client secrets. Tracked as CVE-2025-59363 and carrying a CVSS score of 7.7, the flaw stemmed from an application-listing API endpoint that returned each app's client_secret value alongside its metadata.
Clutch Security, which discovered the issue, warned that attackers with valid OneLogin API credentials could have enumerated all OIDC applications within a tenant, retrieving their client secrets to impersonate apps and gain access to integrated services. This would have enabled lateral movement across enterprise environments. The risk was amplified by OneLogin’s broad role-based API permissions and lack of IP allowlisting.
The bug was responsibly disclosed on July 18 and patched in OneLogin 2025.3.0, released last month. One Identity says there is no evidence of exploitation. Security researchers stress that vulnerabilities in identity providers can have cascading effects across entire enterprise stacks.
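The defect class here is a serialiser that returns the stored record wholesale, so a secret that should only ever be shown once at creation time is emitted on every list or read call. The code below is an added illustration, not OneLogin's code or the endpoint Clutch Security examined: a constructed tenant with two invented OIDC apps, the leaky listing beside an allow-list version, the one-request harvest an API-credential holder could perform against the leaky form, and a response audit that can run as a contract test against any list/read endpoint.

```python
import json
import re

# Constructed sample of what an IAM backend might store for two OIDC apps in one
# tenant (names, IDs and secrets are invented for this example)
TENANT_APPS = [
    {"id": 101, "name": "payroll-portal", "auth_method": "client_secret_post",
     "redirect_uri": "https://payroll.example.com/oidc/callback",
     "client_id": "4c1e2b7f-payroll", "client_secret": "pr-EXAMPLE-9f81c2"},
    {"id": 102, "name": "wiki-sso", "auth_method": "client_secret_basic",
     "redirect_uri": "https://wiki.example.com/oidc/callback",
     "client_id": "a91d30c5-wiki", "client_secret": "wk-EXAMPLE-7a03de"},
]

# Keys whose populated values must never appear in a listing or read response
SECRET_KEY_RE = re.compile(r"(secret|password|private_key|api_key|token)$", re.IGNORECASE)

# Allow-list of fields that are safe to return from an apps listing endpoint
PUBLIC_FIELDS = ("id", "name", "auth_method", "redirect_uri", "client_id")


def list_apps_vulnerable(apps=TENANT_APPS) -> str:
    """Same class of defect as described above: the handler serialises the stored
    record as-is, so client_secret rides along with the metadata."""
    return json.dumps(apps)


def list_apps_fixed(apps=TENANT_APPS) -> str:
    """Serialise through an allow-list. A deny-list ("pop client_secret") breaks
    the day someone adds a signing-key field; an allow-list fails closed."""
    return json.dumps([{k: app[k] for k in PUBLIC_FIELDS if k in app} for app in apps])


def harvest_secrets(listing_json: str) -> dict:
    """What a caller holding only a read-capable API credential gets from the
    vulnerable listing: every app's secret in one request, enough to obtain
    tokens as those apps from the services integrated with the IdP."""
    return {a["client_id"]: a["client_secret"]
            for a in json.loads(listing_json) if a.get("client_secret")}


def leaked_secret_paths(node, path="") -> list:
    """Recursively collect JSON paths whose key looks like a secret and whose
    value is populated. Blank or masked values ('***') are not leaks."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and value not in (None, "", "***"):
                found.append(here)
            found.extend(leaked_secret_paths(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(leaked_secret_paths(value, f"{path}[{i}]"))
    return found


def audit_listing(listing_json: str) -> list:
    """Contract test for an API response: returns the paths of any leaked
    secrets. Run it in CI against every list/read endpoint so a serialiser
    change cannot quietly reintroduce the bug."""
    return leaked_secret_paths(json.loads(listing_json))


if __name__ == "__main__":
    print("vulnerable:", audit_listing(list_apps_vulnerable()))
    print("fixed:     ", audit_listing(list_apps_fixed()))
```

For a tenant that ran an affected version, "no evidence of exploitation" is a statement about what was observed, not a guarantee; the only way to be certain a listed secret cannot be replayed is to rotate it, and the audit above will not find secrets that have already been copied elsewhere.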
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.