The Week in Breach News: 04/16/25 – 04/22/25    

Exploit: Hacking

Industry: Manufacturing

JPW Industries, Inc. has confirmed a data breach that may have exposed highly sensitive personal information, including names, Social Security numbers, government-issued IDs and financial account details. The company became aware of the incident on February 3, 2025, and their investigation has revealed that a computer virus had locked parts of JPW’s systems as well as allowing bad actors to steal confidential data. JPW has not disclosed the number of people impacted but is taking steps to notify those affected.

Exploit: Misconfiguration

Industry: Business Services

Blue Shield of California announced a privacy breach on April 9, revealing that user data was unintentionally shared with Google Ads due to a misconfigured Google Analytics setup. The breach, which occurred between April 2021 and January 2024, may have exposed members’ sensitive information, including names, insurance details, medical service data and doctor search activity to Google’s advertising platform. The company stated the connection between Google Analytics and Google Ads was severed in January 2024, and no further data sharing has occurred since.

Exploit: Ransomware

Industry: Entertainment

The Medusa ransomware gang has claimed National Association for Stock Car Auto Racing (NASCAR) as its latest high-profile victim, demanding a $4 million ransom in exchange for not leaking sensitive internal data. The group released 37 images as proof of compromise. Initial analysis of the samples reveals a variety of internal materials, including corporate branding assets, raceway facility maps, employee contact spreadsheets, internal notes and photographs. The exposed data allegedly contains names, email addresses, job titles and potentially credential-related information, as well as detailed maps of race grounds. Medusa warned that the full trove of information would be published if NASCAR fails to meet the ransom demand.

Exploit: Hacking

Industry: Non-Profit

United Domestic Workers (UDW) of America, American Federation of State, County and Municipal Employees (AFSCME) Local 3930 has disclosed that it has experienced a data breach. The union said that on or around January 17, 2025, UDW 3930 discovered an unauthorized third party on its IT network. They confirmed the third party accessed and possibly acquired private and confidential personal information from the UDW system.  The data breach affected up to 200,000 individuals. The personal information in the compromised files may have included names, addresses and Social Security numbers.

Exploit: Hacking

Industry: Manufacturing

Nevro, a California-based medical device company known for its HFX spinal cord stimulation (SCS) platform, reported a data breach that potentially exposed sensitive personal information. The company determined that between November 21, 2024, and December 1, 2024, an unauthorized third party may have gained access to personal data. The compromised files could include names, Social Security numbers, driver’s license numbers, financial information (account or credit/debit card numbers), medical information and health insurance details. Nevro is currently working to assess the full scope of the breach and notify affected individuals.

Exploit: Hacking

Industry: Travel & Leisure

Rental car giant Hertz is the latest company to fall victim to the Cleo file transfer software exploit. The breach exposed the data of customers of Hertz and its subsidiaries Dollar and Thrifty car rental outlets in the U.S., Canada, the U.K., the E.U., and Australia. Affected information includes names, contact details, dates of birth, driver’s license and payment card details. For U.S. customers and employees, credit card data, workers’ compensation claims info, and for a small number, Social Security/government ID numbers, passport info and vehicle accident claim details were also snatched. U.K., Australian and E.U. customers may have had passport information compromised. In addition, Canadian employees may have had government ID numbers and injury or workers’ compensation claim data exposed.

Exploit: Hacking (Nation-State)

Industry: Government

Morocco’s Caisse Nationale de Sécurité Sociale (CNSS) confirmed a major cyberattack that exposed sensitive personal data on Telegram. Hackers bypassed security to steal internal documents, and early investigations suggest the breach was politically motivated, linked to tensions between Morocco and Algeria. Hackers claimed the attack was retaliation for alleged Moroccan “harassment” of Algeria on social media and warned of further strikes if Algerian platforms are targeted.