Cybercrime

Qantas cyber attack sparks customer alert

Qantas is investigating a major data breach that may have exposed the personal details of up to six million customers.

The breach affected a third-party platform used by the airline’s contact centre to store sensitive data, including names, phone numbers, email addresses, dates of birth and frequent flyer numbers.

The airline discovered unusual activity on 30 June and responded by immediately isolating the affected system. While the full scope of the breach is still being assessed, Qantas expects the volume of stolen data to be significant.

However, it confirmed that no passwords, PINs, credit card details or passport numbers were stored on the compromised platform.

Qantas has informed the Australian Federal Police, the Cyber Security Centre and the Office of the Information Commissioner. CEO Vanessa Hudson apologised to customers and urged anyone concerned to call a dedicated support line. She added that airline operations and safety remain unaffected.

The incident follows recent cyber attacks on Hawaiian Airlines, WestJet and major UK retailers, reportedly linked to a group known as Scattered Spider. The breach adds to a growing list of Australian organisations targeted in 2025, in what privacy authorities describe as a worsening trend.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Researchers track financial cyberattacks in Africa and spot new ransomware group

Cybersecurity researchers have identified a series of cyberattacks targeting African financial institutions since at least July 2023. The campaign, attributed to a threat cluster named CL-CRI-1014 by Palo Alto Networks Unit 42, involves using open-source and publicly available tools to maintain unauthorised access to compromised systems.

According to Unit 42, ‘CL’ stands for ‘cluster’ and ‘CRI’ refers to ‘criminal motivation.’ The threat actor is believed to be operating as an initial access broker (IAB), seeking to obtain entry into networks and sell access to other cybercriminals on underground forums.

Researchers noted that the group employs methods to evade detection by spoofing legitimate software, including copying digital signatures and using application icons from Microsoft Teams, Palo Alto Networks Cortex, and VMware Tools to disguise malicious payloads. Tools deployed include PoshC2 for command-and-control, Chisel for network tunnelling, and Classroom Spy for remote access.

While the initial intrusion vector remains unclear, once access is achieved, the attackers reportedly use MeshCentral Agent and Classroom Spy to control machines, with Chisel deployed to bypass firewalls. PoshC2 is propagated across Windows hosts and persisted through various techniques, including services, scheduled tasks, and startup shortcuts. In some cases, stolen user credentials were used to set up proxies via PoshC2.

Trustwave SpiderLabs has reported the emergence of a new ransomware group named Dire Wolf, which has claimed 16 victims across multiple countries, including the United States, India, and Italy, with primary targets in the technology, manufacturing, and financial sectors.

Dire Wolf ransomware was developed in Golang. It includes disabling system logging, terminating a predefined list of services and applications, and deleting shadow copies to hinder recovery. Although details about the group’s initial access or lateral movement techniques are unknown, Trustwave advises organisations to maintain standard cybersecurity practices and monitor for the techniques observed during the analysis.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Nobitex restores wallet access after major hack

Iran’s biggest crypto exchange, Nobitex, has begun restoring wallet access after a cyberattack that stole over $90 million this month. Wallet reactivation is being carried out in phases, starting with verified users and spot wallets, while other wallets will reopen once identity checks are completed.

Users were urged to update their details promptly, as deposits sent to old wallet addresses now risk permanent loss due to a complete system migration.

Nobitex warned that withdrawal, deposit, and trading services for verified users would resume as soon as security checks allow. Timelines may change depending on technical conditions.

Following the breach, Iran’s central bank mandated domestic exchanges to restrict operating hours from 10 am to 8 pm to improve security.

The pro-Israel hacking group Predatory Sparrow claimed responsibility, highlighting rising regional cyber tensions. Nobitex remains central to Iran’s growing crypto market, but the attack has shaken user trust and raised concerns over the country’s financial cybersecurity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Europol backs Spain in dismantling crypto crime ring

Spanish law enforcement, supported by Europol and agencies from Estonia, France, and the United States, arrested five individuals on 25 June 2025 linked to a global cryptocurrency investment scam. The operation uncovered a vast fraud network responsible for laundering around €460 million taken from over 5,000 victims worldwide.

The suspects were detained following coordinated raids in Madrid and the Canary Islands. Authorities conducted five property searches in total.

Europol has been assisting with the case since 2023, providing technical expertise, financial crime analysis, and on-site support during the final phase of the investigation.

The group allegedly operated through a vast web of international sales agents facilitating fund collection via cash, wire transfers, and cryptocurrencies.

The criminal operation reportedly maintained a corporate and banking structure based in Hong Kong, using shell companies and various digital accounts under false identities to move illicit funds.

Online fraud remains a critical threat to EU security, and Europol warns that it is rapidly growing in scale and complexity. According to Europol’s latest threat report, the rise of AI-powered deception tools is expected to fuel the spread of cyber-enabled fraud further.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ahold Delhaize breach hits 2 million with data theft

A ransomware attack on Dutch retailer Ahold Delhaize resulted in a significant data breach affecting more than 2.2 million individuals across US businesses.

The breach occurred in November 2024 following network disruptions at supermarket chains, including Giant Food, Food Lion, and Stop & Shop.

The Inc Ransom group claimed responsibility in April 2025, stating it exfiltrated around 6 TB of data. The company confirmed that stolen files included employment records containing sensitive personal and financial information, with some data already posted on the dark web.

Affected individuals are now notified and offered two years of free identity protection services. The compromised data includes names, Social Security numbers, contact details, and medical and employment information.

Supermarkets have become a growing target in recent cyber campaigns. In April, UK retailers such as M&S and Harrods were also attacked, while distributor UNFI faced major disruptions earlier this month.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware victims still paying, Sophos finds

Nearly half of ransomware victims paid the attackers last year, according to Sophos. In its 2025 survey of 3,400 IT pros, 49% admitted to making payments—just below last year’s record.

Ransom amounts dropped significantly, with median payments falling 50% and demand amounts down a third. Yet backup usage also hit a six-year low, used by just 54% of firms for recovery.

Attackers often exploited known vulnerabilities (32%) or unknown security gaps (40%), highlighting persistent weaknesses. Sophos noted many companies now accept ransomware as a business risk.

CISA warned that CVE-2024-54085 in AMI MegaRAC firmware is under active exploitation elsewhere. The bug allows attackers to bypass authenticating remotely.

Varonis flagged abuse of Microsoft’s Direct Send email feature in a phishing campaign affecting over 70 organisations. Disabling it is advised if not essential.

Rapid7 also found critical vulnerabilities in Brother printers. One flaw rated CVSS 9.8, allows password theft and cannot be patched—users must change defaults.

Finally, Google will roll out new Gemini AI features to Android users starting on July 7, even for those with app activity disabled.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cybercrime surge hits airlines across North America

According to the FBI and cybersecurity experts, a well-known cybercrime group has launched fresh attacks on the airline industry, successfully breaching the networks of several airlines in the US and Canada.

The hackers, identified as ‘Scattered Spider’, are known for aggressive extortion tactics and are now shifting their focus to aviation instead of insurance or retail, their previous targets.

Airline security teams remain on high alert despite no flights or operations being disrupted. Hawaiian Airlines and Canada’s WestJet have acknowledged recent cyber incidents, while sources suggest more affected companies may step forward soon.

Both airlines reported no impact on day-to-day services, likely due to solid internal defences and continuity planning.

The attackers often exploit help desks by impersonating employees or customers to access corporate systems. Experts warn that airline call centres are especially vulnerable, given their importance to customer support.

Cybersecurity firms, including Mandiant, are now supporting the response and advising firms to reinforce these high-risk entry points.

Scattered Spider has previously breached major casinos, insurance, and retail companies. The FBI confirmed it is working with aviation partners to contain the threat and assist victims.

Industry leaders remain alert, noting that airlines, IT contractors, and vendors across the aviation sector are at risk from the escalating threat.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Hawaiian Airlines confirms flights are safe despite cyberattack

Hawaiian Airlines has reported a cyberattack that affected parts of its IT infrastructure, though the carrier confirmed all flights remain unaffected and are operating as scheduled.

Now part of the Alaska Air Group, the airline stated it is actively working with authorities and cybersecurity experts to investigate and resolve the incident.

In a statement, the airline stressed that the safety and security of passengers and staff remain its highest priority. It has taken steps to protect its systems, restoring affected services while continuing full operations. No disruption to passenger travel has been reported.

The exact nature of the attack has not been disclosed, and no group has claimed responsibility so far. The Federal Aviation Administration (FAA) confirmed it monitors the situation closely and remains in contact with the airline. It added that there has been no impact on flight safety.

Cyberattacks in aviation are becoming increasingly common due to the sector’s heavy reliance on complex digital systems. Earlier incidents this year included cyberattacks on WestJet and Japan Airlines, which caused operational disruptions but did not compromise passenger data.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

BT report shows rise in cyber attacks on UK small firms

A BT report has found that 42% of small businesses in the UK suffered a cyberattack in the past year. The study also revealed that 67% of medium-sized firms were targeted, while many lacked basic security measures or staff training.

Phishing was named the most common threat, hitting 85% of businesses in the UK, and ransomware incidents have more than doubled. BT’s new training programme aims to help SMEs take practical steps to reduce risks, covering topics like AI threats, account takeovers and QR code scams.

Tris Morgan from BT highlighted that SMEs face serious risks from cyber attacks, which could threaten their survival. He stressed that security is a necessary foundation and can be achieved without vast resources.

The report follows wider warnings on AI-enabled cyber threats, with other studies showing that few firms feel prepared for these risks. BT’s training is part of its mission to help businesses grow confidently despite digital dangers.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

NHS patient death linked to cyber attack delays

A patient has died after delays caused by a major cyberattack on NHS services, King’s College Hospital NHS Foundation Trust has confirmed. The attack, targeting pathology services, resulted in a long wait for blood test results that contributed to the patient’s death.

The June 2024 ransomware attack on Synnovis, a provider of blood test services, also delayed 1,100 cancer treatments and postponed more than 1,000 operations. The Russian group Qilin is believed to have been behind the attack that impacted multiple hospital trusts across London.

Healthcare providers struggled to deliver essential services, resorting to using universal O-type blood, which triggered a national shortage. Sensitive data stolen during the attack was later published online, adding to the crisis.

Cybersecurity experts warned that the NHS remains vulnerable because of its dependence on a vast network of suppliers. The incident highlights the human cost of cyber attacks, with calls for stronger protections across critical healthcare systems in the UK.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.