Envoy Air Reports Data Compromise Linked to Clop Ransomware Campaign

Each week, Information Security Media Group compiles a summary of significant cybersecurity incidents globally. Recent reports reveal that the Qilin group did not successfully breach a Spanish tax agency, the ongoing situation between chipmaker Nexperia and the Dutch government could affect car manufacturing, Envoy Air has acknowledged an Oracle data breach, and Experian Netherlands faced a €2.7 million fine due to privacy violations.
Spanish Authorities Deny Qilin’s Claims of Tax Agency Breach
Spain’s tax agency, Agencia Tributaria, has denied allegations of a breach by the Qilin group, a ransomware-as-a-service operation, despite the group’s claims of data theft. The announcement was made through the Spanish state newswire on Wednesday.
The extortion outfit listed the tax agency on its dark web site on October 15, claiming to have acquired 60 GB of sensitive data. However, Agencia Tributaria clarified that the leak samples posted by Qilin originated from an unrelated entity and said its own systems were not compromised.
A thorough examination of the leaked data did show documents such as personal tax forms linked to a third-party business based in Valladolid. This incident underscores a recurring pattern of Russian-speaking cybercriminals misidentifying targets, as previously observed with the LockBit group’s erroneous claims of breaching the U.S. Federal Reserve.
Concerns Over Chip Supply Amidst Nexperia Controversy
Global automobile manufacturers are expressing anxiety as the Dutch government has imposed restrictions on the Chinese ownership of Nexperia, a crucial semiconductor supplier. The Japan Automobile Manufacturers Association reported that potential disruptions in chip deliveries could halt production lines.
Earlier this month, the Dutch authorities invoked an economic security statute, resulting in the Chinese stakeholders being barred from operations. While General Motors is actively collaborating with their supply partners to mitigate interruptions, emerging reports indicate that major players like Volkswagen might face significant uncertainties in the near future.
Data Compromise Confirmed at Envoy Air Following Clop Attack
Envoy Air, a subsidiary of American Airlines, has confirmed a security incident involving its Oracle E-Business Suite following claims from the Clop ransomware group. As the attackers began leaking what they allege is stolen data, Envoy insisted that no sensitive customer information was compromised, attributing the breach to exploitation of a zero-day vulnerability in Oracle’s system.
This incident is part of a larger campaign targeting Oracle clients that surfaced in August, highlighting the vulnerabilities that can be exploited by threat actors. The implications of such breaches can be severe, not only for the affected companies but also regarding customer trust and potential regulatory repercussions.
Experian Netherlands Fined €2.7 Million for GDPR Breaches
Experian Netherlands has been fined €2.7 million by the Dutch Data Protection Authority for multiple breaches of the General Data Protection Regulation (GDPR). Investigations revealed unauthorized collection of personal data from various sources without individual consent, resulting in the firm’s use of this data to influence critical financial outcomes.
In light of these violations, Experian has opted not to contest the ruling and has announced its intention to exit the Dutch market. The firm is set to delete its database of personal records by the end of 2025, as part of its response to the regulatory actions taken against it.
Chinese Threat Actors Exploit ToolShell Vulnerability
Threat actors associated with China have reportedly leveraged the ToolShell vulnerability within Microsoft SharePoint, identified as CVE-2025-53770, to breach several notable targets across the globe. Victims included various telecommunications and government entities in multiple regions, with cyber researchers outlining the potential espionage objectives behind these attacks.
Microsoft had previously alerted users to the risks posed by such vulnerabilities. Reports indicate that the exploited vulnerabilities could enable unauthorized access and the deployment of sophisticated malware, emphasizing the need for organizations to heighten their cybersecurity measures in response to ongoing threats.
Critical Vulnerabilities Found in TP-Link Routers
Researchers have identified multiple vulnerabilities in TP-Link’s Omada and Festa VPN routers that could allow attackers to execute arbitrary commands and gain unauthorized root access. These flaws stem from patches that inadequately addressed previous vulnerabilities, emphasizing the necessity for continuous cybersecurity diligence in hardware.
Forescout reported that the identified issues create substantial risks, including potential exploitation via the router’s management interface, leading to unauthorized control over network functionalities. Both vulnerabilities have been communicated to TP-Link, which has initiated the release of relevant firmware updates.
NY Accounting Firm Settles After Data Breach Exposes Client Information
Wojeski & Company, a New York-based accounting firm, has settled for $60,000 after experiencing two data breaches that exposed the private information of over 4,700 clients. The investigation, conducted by the New York Attorney General’s office, revealed failures in safeguarding client data and delayed notifications to affected individuals.
As part of the settlement, the firm is mandated to enhance its cybersecurity framework, including encryption of sensitive data and offering credit monitoring services to affected clients. This incident highlights the critical importance of maintaining robust cybersecurity practices to protect against data breaches affecting personal information.
Reporting contributions from Information Security Media Group’s Gregory Sirico and David Perera.