The CyberWire Daily Podcast 7.28.25
Ep 2358 | 7.28.25

Ground control to Kremlin.

Transcript

Russia’s flagship airline suffers a major cyberattack. U.S. insurance giant Allianz Life confirms the compromise of personal data belonging to most of its 1.4 million customers. A women’s dating safety app spills the tea. NASCAR confirms a data breach. Researchers believe the newly emerged Chaos ransomware group may be a rebrand of BlackSuit. Over 200,000 WordPress sites remain vulnerable to account takeover attacks. Lawmakers introduce legislation to Stop AI Price Gouging and Wage Fixing. States band together to regulate data brokers. My Caveat cohost Ben Yelin explains the impending expiration of the Cybersecurity and Information Sharing Act. Expel missed the mark, but nails the apology.

Today is Monday, July 28th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Russia’s flagship airline suffers a major cyberattack. 

Russia’s flagship airline Aeroflot suffered a major cyberattack Monday, causing over 50 flight cancellations and widespread delays, especially on key domestic routes. The airline blamed a “technical failure” but pro-Ukrainian hackers Silent Crow and the Belarusian Cyber-Partisans claimed responsibility. They say they destroyed Aeroflot’s IT infrastructure, stole flight data, and maintained network access for over a year. Disruptions also hit subsidiaries Rossiya and Pobeda, and Aeroflot’s stock dropped nearly 4%. At Moscow’s Sheremetyevo Airport, stranded passengers were given food and asked to leave terminals to reduce crowding. The Kremlin confirmed the breach and prosecutors have opened a case. This is among the most publicly acknowledged cyberattacks in Russia, adding to recent cyber and drone strikes linked to Ukraine’s war effort.

U.S. insurance giant Allianz Life confirms the compromise of personal data belonging to most of its 1.4 million customers. 

U.S. insurance giant Allianz Life has confirmed a mid-July cyberattack that compromised personal data belonging to most of its 1.4 million customers, financial professionals, and some employees. Hackers accessed a third-party cloud-based CRM system using social engineering, the company said in a filing with Maine’s attorney general. While Allianz Life didn’t share how many individuals were affected, it acknowledged the breach impacted the majority of its U.S. stakeholders. The company notified the FBI and said there’s no evidence other systems were compromised. It declined to name the attackers or confirm if a ransom demand was received. This breach is part of a broader wave of cyberattacks hitting the insurance sector. Google researchers recently linked several incidents to Scattered Spider, a hacker group known for exploiting helpdesk vulnerabilities.

A women’s dating safety app spills the tea. 

The women’s dating safety app Tea, which recently topped the App Store, confirmed a data breach that exposed personal data and selfies of thousands of users. The breach stemmed from an unsecured Firebase database, allowing 4chan users to access and post photos, including driver’s licenses and ID selfies. Tea says the exposed data, dating back two years, included 72,000 images—13,000 of which were user-submitted for verification. The company acknowledged some direct messages were also compromised. The data was originally retained to comply with anti-cyberbullying laws. Tea claims the issue is now contained, with no evidence current user data is affected. Security experts have been brought in to investigate. The breach highlights ongoing concerns over data privacy and platform security in apps targeting vulnerable user groups.

NASCAR confirms a data breach. 

NASCAR is notifying individuals that their personal data, including names and Social Security numbers, was stolen in a cyberattack discovered on April 3, 2025. Hackers had access to its network from March 31 to April 3. NASCAR launched an investigation, informed law enforcement, and is offering up to two years of free credit monitoring. While the number of affected individuals remains undisclosed, the Medusa ransomware group claims it stole 1TB of data and demanded $4 million. NASCAR hasn’t confirmed this claim.

Researchers believe the newly emerged Chaos ransomware group may be a rebrand of BlackSuit. 

Cisco Talos believes the newly emerged Chaos ransomware group may be a rebrand of BlackSuit, itself a successor to Royal ransomware. Talos cites similar encryption techniques, ransom note structure, and use of built-in system tools in both Chaos and BlackSuit attacks. Just as Talos released its analysis, law enforcement seized BlackSuit’s Tor-based leak site as part of Operation Checkmate, a global effort involving the U.S., U.K., Germany, and others. BlackSuit had listed around 200 victims by July 2025 and had extorted over $500 million since 2023. The gang targeted sectors like healthcare, education, IT, and government, encrypting Windows and Linux systems and leveraging stolen data for extortion. Royal ransomware, which BlackSuit succeeded, had hit more than 350 organizations by late 2023.

Over 200,000 WordPress sites remain vulnerable to account takeover attacks. 

Over 200,000 WordPress websites remain vulnerable due to an unpatched version of the Post SMTP plugin, exposing them to account takeover attacks. The flaw, CVE-2025-24000, affects versions up to 3.2.0 and stems from weak access controls in the plugin’s REST API, allowing low-level users to access email logs. Hackers could exploit this to reset and hijack administrator accounts. A fix was issued in version 3.3.0 on June 11, but less than half of users have updated, leaving many sites at risk.
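The Post SMTP flaw is described above only in general terms: a REST route whose access check lets low-privilege users read the email log. The following is an added illustration written for this transcript, not Post SMTP's own code, showing that pattern as a generic WordPress plugin route beside a hardened version. The namespace `example-mailer/v1`, the route paths, the callback name and the `example_mailer_log` table are all assumed for the illustration.

```php
<?php
// Added illustration, not Post SMTP's code. Two registrations of a
// WordPress REST route that lists a plugin's email log. The first uses
// an access check that only asks "is someone logged in?", the second
// requires an administrator capability. All names below are assumed.

add_action( 'rest_api_init', function () {

    // WEAK: is_user_logged_in() passes for every authenticated role,
    // subscribers included. A plugin that logs outgoing mail (password
    // resets among it) therefore hands that mail to its lowest-privilege
    // users. This is the class of check the news item describes.
    register_rest_route( 'example-mailer/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // HARDENED: tie the route to a capability that only administrators
    // hold. Cookie-authenticated REST calls in WordPress already require a
    // valid X-WP-Nonce header, so this check is evaluated for the real
    // logged-in user rather than a forged cross-site request.
    register_rest_route( 'example-mailer/v1', '/logs-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_logs',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges to read the mail log.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
    ) );
} );

// Hypothetical handler: returns metadata only. Message bodies (where a
// reset link would live) stay out of the listing even for administrators.
function example_mailer_get_logs( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_mailer_log'; // assumed table name
    $rows  = $wpdb->get_results(
        "SELECT id, to_email, subject, sent_at FROM {$table} ORDER BY sent_at DESC LIMIT 50",
        ARRAY_A
    );
    return rest_ensure_response( $rows );
}
```

For site owners the practical check is the same in either case: update the plugin to the fixed release (3.3.0 or later, per the item above), and review REST access logs for requests to the plugin's log endpoints from non-administrator accounts.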

Lawmakers introduce legislation to Stop AI Price Gouging and Wage Fixing. 

Reps. Greg Casar [kuh-SAR] (D-TX) and Rashida Tlaib [tuh-LEEB] (D-MI) have introduced the Stop AI Price Gouging and Wage Fixing Act, aiming to ban corporations from using AI surveillance to set prices or wages based on personal data. The bill follows Delta Airlines’ rollout of AI-driven dynamic pricing, affecting 3% of fares, with plans to scale up. Critics argue such practices exploit private consumer data to charge more or lower pay, often without transparency. The FTC has reported that “surveillance pricing” is already happening, with companies using data like device type, location, and shopping history to adjust prices. The bill would empower the FTC, EEOC, states, and private citizens to act against these tactics. However, with Republicans controlling Congress, the legislation faces slim odds of passing despite growing public concern over AI-driven price manipulation.

States band together to regulate data brokers. 

Vermont State Rep. Monique Priestley is leading a multistate initiative to regulate data brokers following the fatal June shooting of a Minnesota lawmaker and her husband. The suspected gunman reportedly had a list of data broker sites. Priestley, a longtime advocate for data privacy, convened a virtual meeting with lawmakers from over 25 states, where 15 expressed immediate interest in legislation. The group discussed three main approaches: creating data broker registries, enabling mass deletion of personal data (like California’s Delete Act), and offering protections for public officials, modeled after New Jersey’s Daniel’s Law. Lawmakers shared personal safety concerns and were alarmed by how easily personal information can be bought online. Despite industry lobbying and skepticism about whether it’s too late, Priestley says the momentum is real. Her working group will continue sharing resources and drafting coordinated state-level legislation to improve data transparency and protect individuals from unchecked data brokerage practices.


Expel missed the mark, but nails the apology. 

And finally, researchers at Expel recently issued a heartfelt correction to a blog post about a phishing incident, showing real integrity and commitment to transparency. Initially, the company believed an attacker had bypassed a FIDO passkey-protected login using cross-device authentication. However, after engaging with the security community and reanalyzing the evidence, Expel confirmed that while credentials were phished, the attacker never bypassed MFA or accessed protected resources.

We commend Expel for owning the mistake, openly explaining the error, and updating their review processes. Their appreciation for feedback—especially from the FIDO Alliance and other security pros—shows humility and a genuine dedication to learning. By committing to clearer evidence and deeper scrutiny in future posts, Expel reinforces trust in their work. Mistakes happen, but the way Expel handled this one speaks volumes. Kudos for setting an example of accountability in cybersecurity and for valuing the defender community every step of the way.


And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.