This week in cyber security, attacks are increasingly driven by identity abuse, exposed services, and delayed patching, rather than complex exploits. From GDPR fines for third-party breaches to active zero-day vulnerabilities in mobile management platforms, threat actors are exploiting gaps in authentication, visibility, and operational controls. Security teams must prioritise patch management, access governance, and continuous monitoring to reduce risk and protect critical systems.
For defenders, the priority is clear: strengthen control over who has access, what they can reach, and how quickly abnormal behaviour can be detected and contained.
France Travail Hit with €5 Million GDPR Fine After Partner Account Breach
France’s data protection authority (CNIL) has fined public employment agency France Travail €5 million after a breach impacting 43 million individuals over a period spanning nearly two decades.
Attackers used social engineering to compromise partner Cap Emploi adviser accounts and pivot into France Travail systems, accessing names, dates of birth, national insurance numbers, email and postal addresses, and phone numbers. While financial data and passwords were not exposed, CNIL determined that authentication, logging, and access controls were insufficient.
The regulator has ordered corrective measures and warned that failure to comply could result in additional daily penalties.

Threat Intelligence Takeaway:
Third-party access is now one of the most consistent breach paths. Continuous monitoring of partner authentication, least-privilege enforcement, and rapid anomaly detection are essential to prevent a single compromised identity from scaling into national exposure.
SoundCloud Breach Affects 29.8 Million Accounts
SoundCloud has confirmed that a breach discovered late last year has affected nearly 29.8 million users, following inclusion of the dataset in the Have I Been Pwned database.
Attackers accessed an internal service dashboard and linked email addresses to publicly visible profile information including usernames, avatars, follower metrics, and in some cases location data. The incident has been associated with the ShinyHunters group and followed reported extortion attempts.
Although passwords and financial details were not accessed, the aggregation of identity data significantly increases phishing and impersonation risks.

Threat Intelligence Takeaway:
So-called “non-sensitive” data is highly operational for attackers. SOC teams should treat large-scale identity correlation as a precursor to targeted phishing, credential stuffing, and brand impersonation campaigns.
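Two detections that follow from the France Travail and SoundCloud takeaways above, written as an added example (this is not code from the article or from any organisation it mentions): one flags a partner account logging in from outside its usual countries, the other flags a credential-stuffing burst in which one source hammers many different accounts. The log line format, account names, IP addresses, baseline countries and thresholds are all constructed assumptions.

```python
"""Added example, not from the article: two SOC detections over auth events.
Log format, accounts, IPs, baselines and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: "<iso-timestamp> <account> <source-ip> <country> <outcome>".
# Accounts prefixed "partner-" stand in for third-party adviser logins.
SAMPLE_EVENTS = [
    "2026-01-05T08:02:11Z partner-a01 203.0.113.5 FR success",
    "2026-01-05T08:05:40Z partner-a01 203.0.113.5 FR success",
    "2026-01-05T22:14:03Z partner-a01 198.51.100.77 RU success",  # outside baseline
    "2026-01-05T09:00:00Z partner-a02 203.0.113.9 BE success",    # within baseline
    "2026-01-05T09:10:00Z staff-b22 192.0.2.10 FR failure",        # ordinary typo
    "2026-01-05T09:10:07Z staff-b22 192.0.2.10 FR success",
] + [
    # Ten failures in ten seconds from one IP against six different accounts.
    f"2026-01-05T10:00:{i:02d}Z staff-{i % 6:02d} 198.51.100.9 US failure"
    for i in range(10)
]

# Assumed baseline: countries each partner account is expected to log in from.
PARTNER_BASELINE = {"partner-a01": {"FR"}, "partner-a02": {"FR", "BE"}}


def parse_event(line):
    ts, account, ip, country, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account, "ip": ip, "country": country, "outcome": outcome,
    }


def partner_geo_anomalies(events, baseline=PARTNER_BASELINE):
    """Successful partner logins from a country outside the account's baseline.
    Accounts absent from the baseline are not partner accounts and are skipped."""
    alerts = []
    for e in events:
        allowed = baseline.get(e["account"])
        if allowed is None or e["outcome"] != "success":
            continue
        if e["country"] not in allowed:
            alerts.append((e["account"], e["ip"], e["country"]))
    return alerts


def credential_stuffing_sources(events, window=timedelta(minutes=5),
                                min_failures=10, min_accounts=5):
    """Source IPs with >= min_failures failed logins spread over >= min_accounts
    distinct accounts inside a sliding window. One user mistyping a password
    repeatedly does not trip this, because the distinct-account bar is not met."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] == "failure":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {f["account"] for f in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                flagged[ip] = (len(span), len(accounts))
                break
    return flagged


def run_detections(lines=SAMPLE_EVENTS):
    events = [parse_event(line) for line in lines]
    return {
        "partner_geo": partner_geo_anomalies(events),
        "stuffing": credential_stuffing_sources(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The geo check is deliberately the cheapest form of partner-identity monitoring: it needs only a per-account baseline and fires on the first success from elsewhere. The stuffing check keys on the source rather than the account, which is what separates a bulk attack across many identities from a single locked-out user.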
Ivanti Warns of Active Exploitation of Critical EPMM Zero-Days
Ivanti has disclosed two critical vulnerabilities in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — both rated CVSS 9.8 and already observed in limited active attacks.
The flaws allow unauthenticated remote code execution through code-injection weaknesses in application distribution and Android file transfer components. Temporary RPM mitigations are available but must be reapplied after upgrades until a permanent fix is delivered in version 12.8.
Organisations are advised to patch immediately, review logs, and consider restoration from known-good backups if compromise is suspected.

Threat Intelligence Takeaway:
Edge and mobile management infrastructure now sits in attackers’ initial access playbooks. Rapid patch validation, integrity monitoring, and behavioural detection around administrative systems are critical to limiting blast radius.
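A patch-status triage for the EPMM situation above, added here as an example and not Ivanti's code or tooling. It encodes the two facts the article states: the permanent fix ships in version 12.8, and the temporary RPM mitigation must be reapplied after any upgrade that still lands below 12.8, so an upgrade dated after the mitigation means the mitigation is gone. Host names, version strings, dates and the inventory layout are assumptions.

```python
"""Added example, not Ivanti's tooling: rank EPMM appliances by patch state.
Inventory contents are constructed; only the 12.8 fix version and the
'reapply after upgrade' rule come from the article."""
from datetime import date

FIXED_VERSION = (12, 8)  # from the article; compared on major.minor only

# Constructed inventory: host, running version, date the RPM mitigation was
# applied (or None), date of the most recent upgrade (or None).
INVENTORY = [
    {"host": "mdm-01", "version": "12.8.0.0", "mitigated_on": None,         "upgraded_on": "2026-01-20"},
    {"host": "mdm-02", "version": "12.7.0.1", "mitigated_on": "2026-01-16", "upgraded_on": "2026-01-10"},
    {"host": "mdm-03", "version": "12.7.0.2", "mitigated_on": "2026-01-16", "upgraded_on": "2026-01-18"},
    {"host": "mdm-04", "version": "12.6.0.0", "mitigated_on": None,         "upgraded_on": None},
]


def parse_version(text):
    """'12.7.0.1' -> (12, 7, 0, 1); tuples compare component-wise, so
    12.10 correctly sorts above 12.8 (string comparison would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def has_permanent_fix(version):
    return parse_version(version)[:2] >= FIXED_VERSION


def triage(entry):
    """Return (priority, status, action); lower priority number means act first."""
    if has_permanent_fix(entry["version"]):
        return (3, "patched", "none; confirm the version on the appliance itself")
    mitigated = entry["mitigated_on"] and date.fromisoformat(entry["mitigated_on"])
    upgraded = entry["upgraded_on"] and date.fromisoformat(entry["upgraded_on"])
    if not mitigated:
        return (0, "exposed", "apply RPM mitigation now, then schedule upgrade to 12.8")
    if upgraded and upgraded > mitigated:
        # The upgrade postdates the mitigation, so the mitigation was wiped.
        return (0, "mitigation-lost", "reapply RPM mitigation; it does not survive upgrades")
    return (1, "mitigated", "upgrade to 12.8; reapply mitigation after any interim upgrade")


def triage_inventory(inventory=INVENTORY):
    rows = [(e["host"], *triage(e)) for e in inventory]
    return sorted(rows, key=lambda r: (r[1], r[0]))  # most urgent first


if __name__ == "__main__":
    for host, priority, status, action in triage_inventory():
        print(f"P{priority} {host:8} {status:16} {action}")
```

The useful output is the `mitigation-lost` state: an asset register that only records "mitigation applied: yes" will report such a host as safe, which is exactly the gap the reapply-after-upgrade caveat creates.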
800,000 Telnet Servers Exposed to the Internet
Researchers estimate that nearly 800,000 Telnet services remain publicly accessible online. Because Telnet transmits credentials in plain text and is highly susceptible to brute force, it remains a preferred target for botnets and automated compromise.
Many of these systems belong to legacy infrastructure or embedded devices never intended for public exposure. Yet they continue to expand the global attack surface and fuel routine exploitation.
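The attack-surface triage that the Telnet figures above call for, as an added example that is not from the article or any scanner vendor: it reads an export of internet-reachable listeners and ranks legacy clear-text services, putting unowned embedded devices first because nobody will patch or monitor them. The CSV layout, hosts, owners and asset classes are constructed, and the protocol list generalises the article's Telnet point to FTP, rlogin and rsh as an assumption of mine, not something the article lists.

```python
"""Added example, not from the article: triage an external exposure export.
The export and the non-Telnet protocol entries are constructed assumptions."""
import csv
import io

# Scanner-reported service names mapped to the reason they are flagged.
LEGACY_SERVICES = {
    "telnet": "clear-text credentials, brute-force magnet",
    "ftp": "clear-text credentials",
    "rlogin": "trust-based legacy remote shell",
    "rsh": "trust-based legacy remote shell",
}
# Ports that usually carry those services even when banner detection fails.
LEGACY_PORTS = {23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}

# Constructed export of internet-reachable listeners.
SCAN_EXPORT = """host,ip,port,service,owner,asset_class
router-edge-3,198.51.100.3,23,telnet,,embedded
legacy-app-1,198.51.100.12,21,ftp,finance-it,server
camera-7,198.51.100.41,2323,telnet,,embedded
bastion-1,198.51.100.50,22,ssh,platform,server
ics-gw-2,198.51.100.77,513,unknown,ops,embedded
"""


def exposures(export_text=SCAN_EXPORT):
    """One finding per legacy listener, ranked: unowned embedded devices first,
    then the rest by port number. Telnet on a non-standard port is still caught
    because the service column, not the port, is checked first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        port = int(row["port"])
        service = row["service"].lower()
        if service in LEGACY_SERVICES:
            reason = LEGACY_SERVICES[service]
        elif port in LEGACY_PORTS:
            service = LEGACY_PORTS[port]
            reason = f"{service} port with unidentified service; verify banner"
        else:
            continue
        unowned_embedded = row["asset_class"] == "embedded" and not row["owner"]
        findings.append({
            "host": row["host"], "ip": row["ip"], "port": port, "service": service,
            "reason": reason, "owner": row["owner"] or "UNOWNED",
            "action": ("retire or isolate: no owner to patch or monitor it" if unowned_embedded
                       else "retire, or move behind VPN/jump host and disable the listener"),
            "priority": 0 if unowned_embedded else 1,
        })
    return sorted(findings, key=lambda f: (f["priority"], f["port"]))


if __name__ == "__main__":
    for f in exposures():
        print(f"P{f['priority']} {f['host']:14} {f['ip']:14} {f['port']:5} "
              f"{f['service']:7} owner={f['owner']:10} {f['action']}")
```

Run this against a real export only after the asset-class and owner columns are populated; the ranking is only as good as the ownership data behind it, which is usually the weakest part of a legacy-exposure programme.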
Threat Intelligence Takeaway:
Legacy services are not background risk — they are active entry points. Continuous external attack surface monitoring and aggressive retirement or isolation of outdated protocols are fundamental security requirements.
Analyst Insight: Identity, Exposure, and Accountability
This week’s incidents highlight a shift in how impact is measured. Regulators, customers, and threat actors alike understand that compromised credentials and exposed services can be just as damaging as ransomware.
Whether it’s a partner login enabling access to tens of millions of records, a dashboard leak feeding phishing operations, or an unpatched appliance opening the door to remote execution, fragmentation in visibility and control remains the core weakness.
Defenders must unify telemetry across identity, cloud, endpoint, and infrastructure layers while ensuring they can validate risk quickly and act decisively.