The CyberWire Daily Podcast 5.19.25
Ep 2311 | 5.19.25

Redacted realities: Inside the MoJ hack.

Transcript

The UK’s Ministry of Justice suffers a major breach. Mozilla patches two critical JavaScript engine flaws in Firefox. Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed. Researchers track increased malicious targeting of iOS devices. A popular printer brand serves up malware. PupkinStealer targets Windows systems. An Alabama man gets 14 months in prison for a SIM-swap attack on the SEC. Our guest is Ian Tien, CEO at Mattermost, sharing insights on enhancing cybersecurity through effective collaboration. Ethical hackers win the day at Pwn2Own Berlin.

Today is Monday, May 19th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The UK’s Ministry of Justice suffers a major breach. 

In the UK, hackers breached the Ministry of Justice’s systems in April, stealing a significant amount of personal data from the Legal Aid Agency (LAA). The stolen data may include names, addresses, birth dates, national insurance numbers, criminal records, and financial details of legal aid applicants since 2010. While the attackers claim to have accessed 2.1 million records, this figure is unconfirmed. The breach was discovered on April 23, but its scale became clear on May 16. The LAA’s digital services were taken offline. Officials blame longstanding vulnerabilities and mismanagement. The MoJ, working with national cybersecurity bodies, urges past applicants to stay vigilant for fraud. The breach follows a wave of recent cyberattacks on UK firms like M&S, Co-op, and Dior, raising concerns about systemic digital security failures.

Meanwhile, BBC Cybersecurity journalist Joe Tidy received a tip on Telegram from hackers claiming responsibility for cyberattacks on M&S and Co-op. Over a five-hour exchange, they provided data samples, confirming their involvement. The hackers, likely linked to the ransomware group DragonForce, were frustrated Co-op refused to pay a ransom. After Tidy alerted Co-op, the company acknowledged the breach publicly. DragonForce operates a ransomware-as-a-service model, offering tools and support to cybercriminals in exchange for a cut of ransoms. Recently rebranded as a cartel, the group has been active since 2023. Though linked to numerous attacks, it remains silent on the retail hacks—possibly due to ransom payments. Some experts suggest the broader Scattered Spider collective may be behind the campaign, but their exact role remains unclear.

Mozilla patches two critical JavaScript engine flaws in Firefox. 

Mozilla has issued an emergency security update for Firefox to patch two critical JavaScript engine flaws (CVE-2025-4918 and CVE-2025-4919) that allow remote code execution. Discovered by security researchers from Palo Alto Networks and Trend Micro’s Zero Day Initiative, the vulnerabilities involve out-of-bounds read/write issues in JavaScript objects. Attackers can exploit them by luring users to malicious websites, requiring minimal interaction. Mozilla urges users to update Firefox immediately to protect against potential system compromise.

Over 200,000 patients of a Georgia-based health clinic see their sensitive data exposed. 

Over 210,000 patients of Georgia-based Harbin Clinic had sensitive data exposed in a breach linked to third-party vendor Nationwide Recovery Services (NRS). The breach, which occurred in July 2024, targeted NRS, a debt collection service provider for Harbin. However, Harbin only began notifying affected individuals in May 2025—nearly 10 months later. Exposed data includes names, addresses, Social Security numbers, birth dates, and financial account details. The delay and the severity of the stolen information raise concerns about identity theft and financial fraud risks. Harbin recommends affected individuals monitor their financial accounts but has not confirmed offering credit monitoring services. The clinic, headquartered in Rome, Georgia, runs multiple locations statewide and employs over 1,400 staff.

Elsewhere, Serviceaide, a California-based enterprise solutions provider, reported a data leak affecting over 483,000 Catholic Health patients to the Department of Health and Human Services. The breach involved an Elasticsearch database that was accidentally exposed online from September 19 to November 5, 2024. While there’s no evidence the data was stolen, Serviceaide can’t rule it out. Exposed information includes names, Social Security numbers, medical and insurance details, and login credentials. Affected individuals are being offered 12 months of free identity protection services.

Researchers track increased malicious targeting of iOS devices. 

A new report from Zimperium warns that iOS devices, often seen as secure, are increasingly targeted through sideloaded and unvetted apps. Attackers exploit flaws in iOS using tools like TrollStore, SeaShell, and vulnerabilities such as MacDirtyCow and KFD to bypass Apple’s protections. These apps may appear benign but can exfiltrate data or compromise devices without detection. Zimperium found over 40,000 apps using private entitlements and 800+ using private APIs, posing serious risks. Organizations—especially in regulated sectors—must adopt stricter app vetting, monitor permissions, and detect sideloaded apps. Zimperium urges proactive defenses to counter these threats. The takeaway: just because an app runs on iOS doesn’t mean it’s safe—its behavior and origin matter more than its appearance.

A popular printer brand serves up malware. 

If you’ve bought a UV inkjet printer from the brand Procolored recently, you might want to scan your system for malware. YouTuber Cameron Coward, known for his DIY tech reviews, first raised the alarm while reviewing a $6,000 printer. His antivirus flagged threats on the included USB—specifically a worm and Floxif, a file infector. When Procolored dismissed this as a false positive, Coward turned to Reddit, catching the attention of cybersecurity firm G Data. Their investigation found malware, including a backdoor and a crypto-stealing Trojan called SnipVex, in official Procolored software downloads. G Data traced around $100,000 in stolen Bitcoin linked to SnipVex. Procolored later admitted malware might have been introduced via USB and has since cleaned up its downloads. Experts now urge users to scan their systems and consider full reinstallation if infected.

PupkinStealer targets Windows systems. 

PupkinStealer is a newly discovered information-stealing malware written in C# and first observed in April 2025. Lightweight and lacking advanced evasion tactics, it targets Windows systems to steal browser credentials, messaging app sessions (like Telegram and Discord), desktop files, and screenshots. The malware exfiltrates data using Telegram’s Bot API, allowing it to hide within legitimate traffic. Despite its simplicity, PupkinStealer is effective, compressing stolen data into a ZIP archive enriched with system metadata. It operates without persistence mechanisms, suggesting a quick “hit-and-run” strategy. Researchers believe it may be distributed via malware-as-a-service (MaaS) and linked to a developer using the alias “Ardent,” possibly of Russian origin. The malware highlights a growing trend of cybercriminals exploiting legitimate services like Telegram for stealthy attacks, posing risks to e-commerce and individual users alike.

An Alabama man gets 14 months in prison for a SIM-swap attack on the SEC.

Eric Council Jr., a 25-year-old from Alabama, has been sentenced to 14 months in prison for a SIM-swap attack that compromised the SEC’s X (formerly Twitter) account in January 2024. Council used a fake ID to obtain a replacement SIM card tied to a government phone linked to the SEC account. He then activated the card, retrieved a password reset code, and passed it to a co-conspirator. The hacker posted a false statement claiming SEC approval of Bitcoin ETFs, briefly spiking BTC prices by over $1,000 before a $2,000 drop when the post was debunked. Council, who was paid $50,000 for his role, pleaded guilty to identity theft and fraud. He must also forfeit the payment and will be on supervised release for three years post-prison, with internet restrictions.

Coming up on our Industry Voices segment, I caught up at RSAC 2025 with Mattermost’s CEO Ian Tien. Ian shares insights on enhancing cybersecurity through effective collaboration.

Ethical hackers win the day at Pwn2Own Berlin.

At Pwn2Own Berlin 2025, cybersecurity talent took center stage, with over $1 million awarded to ethical hackers who uncovered 28 zero-day vulnerabilities across a broad spectrum of technologies. Hosted by Trend Micro’s Zero Day Initiative, the event celebrated the skills of white hat researchers, who earned $1,078,750 for exploits targeting systems from AI platforms to virtualization software. Making history, STAR Labs SG scored the competition’s largest single payout—$150,000—for the first-ever VMware ESXi hack at Pwn2Own. They ultimately walked away with $320,000 and the win. AI was featured for the first time, with $140,000 awarded for hacks on tools like NVIDIA’s Triton Inference Server. Mozilla responded swiftly to $50,000 worth of Firefox vulnerabilities, issuing patches the same day. This event was a powerful reminder of the value—and necessity—of ethical hacking in today’s digital world.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.