Written by Team Nucleus
Written on 15th May, 2025
Analyst Insight
This week in cyber, the M&S cyber attack developed further, with the retailer disclosing to the public that customer data was stolen. There was major news on end-user privacy, with Google paying $1.375 billion to Texas over privacy violations. Multiple critical vulnerabilities were patched in Microsoft's Patch Tuesday and in Fortinet's advisories. Additionally, a man was arrested by Moldovan authorities for conducting a series of ransomware attacks.
In the aftermath of a data breach, many organizations initially reassure customers that their data is safe while the investigation is still ongoing, in order to limit financial and reputational impact. This backfires when the investigation concludes and customer data is found to have been affected. This raises the question: should companies take a more cautious and transparent approach to disclosing data breaches, avoiding assumptions until investigations are complete? Or is early reassurance, even with limited information, a necessary part of disclosing a breach?
M&S Confirms Customer Data Was Stolen in Cyber Attack
This week, M&S confirmed that customer data was stolen in the recent cyber incident, after initially stating that there was no need for customers to take any action. According to the BBC, the stolen data includes customers' names, telephone numbers, home addresses, household information, email addresses and online order history. On Tuesday, an email was sent to all customers reassuring them that “there is no evidence that it (the data) has been shared” and that “the data does not include usable card or payment details, and does not include account passwords”. M&S has not revealed how many customers have been affected.
May Patch Tuesday: Microsoft Releases Fixes for 72 Vulnerabilities
Microsoft's May 2025 Patch Tuesday addressed 72 security vulnerabilities across its products, including five actively exploited zero-day vulnerabilities. Two of the zero-days, CVE-2025-32701 and CVE-2025-32706, each with a severity score of 7.8 (HIGH), are elevation of privilege issues in the Windows Common Log File System Driver, a recurrence of the CLFS zero-day patched last month. These vulnerabilities allow attackers to escalate their permissions on already compromised systems, posing significant risk to users. Another zero-day disclosed is CVE-2025-30400, an actively exploited use-after-free vulnerability in the DWM Core Library that allows local attackers to gain SYSTEM privileges. More information about this month's Patch Tuesday can be found on Microsoft MSRC.
Fortinet Patches Critical FortiVoice Vulnerability Exploited in Attacks
Fortinet has patched a critical zero-day vulnerability (CVE-2025-32756) in its FortiVoice Enterprise systems, which was actively exploited in targeted attacks. The flaw, a stack-based buffer overflow in the API, allows unauthenticated remote code execution via crafted HTTP requests. It carries a CVSS score of 9.6 and affects FortiCamera, FortiMail, FortiNDR, FortiRecorder and FortiVoice. Fortinet urges immediate updates to mitigate the risk, as attackers were already exploiting the vulnerability in the wild. More details can be found on Fortinet PSIRT.
Moldovan Authorities Arrest Suspect in Ransomware Attack
Moldovan authorities have arrested a 45-year-old man suspected of executing a series of ransomware attacks against Dutch organizations in 2021. The suspect, whose identity remains undisclosed, was apprehended on May 6th following a coordinated operation between Moldovan and Dutch law enforcement agencies. During the search of his residence and vehicle, officials seized €84,800 in cash, an electronic wallet, multiple devices, and various data storage media. The individual is accused of being involved in a significant cyberattack on the Netherlands Organization for Scientific Research (NWO), which resulted in approximately €4.5 million in damages. The attack, attributed to DoppelPaymer ransomware, disrupted the NWO's operations, leading to the shutdown of its grant application system and the leak of internal documents after the organization refused to pay the ransom.
DoppelPaymer, a ransomware strain that emerged in 2019, is believed to have evolved from the BitPaymer ransomware and has been linked to cybercrime group Evil Corp. The group is known for its double extortion tactics, encrypting victims' data and threatening to publish it unless a ransom is paid. In 2023, international law enforcement agencies, including those from Germany, Ukraine, and the United States, targeted core members of a group using DoppelPaymer, issuing arrest warrants for several individuals believed to be key operatives. The recent arrest in Moldova marks a significant step in ongoing efforts to dismantle the group's operations.
Texas Secures Record $1.375 Billion Settlement from Google Over Privacy Violations
The state of Texas has reached a historic $1.375 billion settlement with Google, resolving allegations that the tech giant unlawfully harvested and exploited users’ private data. The lawsuit, originally filed in 2022, accused Google of covertly tracking users’ locations, recording incognito browsing activity, and collecting biometric identifiers such as voiceprints and facial geometry without proper consent. “To date, no state has attained a settlement against Google for similar data-privacy violations greater than $93 million,” said Texas Attorney General Ken Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies what they will pay for abusing our trust.”