Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Coinbase TaskUs Insider Breach: When the BPO Becomes the Attack Surface
In May 2025 Coinbase disclosed that contractor support agents at TaskUs had been bribed to leak customer data for months. We unpack the insider-threat supply-chain anatomy and what crypto and fintech defenders must change.
Co-op UK DragonForce Breach: When the Helpdesk Becomes the Backdoor
In late April 2025 the Co-operative Group joined Marks & Spencer and Harrods as victims of a DragonForce-affiliated cluster that targeted UK retail through helpdesk social engineering. We unpack the playbook and what retailers must change.
Hitachi Vantara Akira Ransomware: When the Recovery Vendor Goes Down
Akira ransomware forced Hitachi Vantara to take its own servers offline on April 26, 2025. We trace the attack pattern and the implications when an enterprise data-recovery provider becomes the incident.
Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem
In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.
PowerSchool Breach: 62M Students, $2.85M Ransom, Cascading Extortion
PowerSchool's December 2024 breach exposed data on roughly 62M students and 9.5M teachers through a compromised support-portal credential and triggered downstream extortion of school districts months later.
Patelco Credit Union RansomHub Attack: 1M Records, $7.25M Settlement
RansomHub maintained access to Patelco Credit Union's network from May 23 to June 29, 2024, ultimately exposing data on over one million members and triggering a $7.25M class settlement.
American Water Cyberattack: Largest U.S. Utility Forced Offline
American Water Works discovered unauthorised network access on October 3, 2024, shutting down its MyWater customer portal and billing systems serving 14 million people across 24 states.
Halliburton RansomHub Attack: $35M Loss in Oilfield Services
RansomHub encrypted Halliburton systems on August 21, 2024, exfiltrated proprietary oilfield data, and contributed to a $35M direct response cost disclosed in the company's Q3 10-Q.
SolarWinds Web Help Desk CVE-2024-28987: Hardcoded Credential in Federal Networks
SolarWinds shipped a hardcoded helpdeskIntegrationUser credential in Web Help Desk that CISA added to KEV on October 15, 2024 after federal agency intrusions.
DeepSeek ClickHouse Exposure: When the AI Vendor Forgets the Database
In January 2025 Wiz Research found a wide-open ClickHouse instance belonging to AI startup DeepSeek, leaking chat history, API keys, and internal log streams. We unpack the AI-supply-chain implications.
CDK Global BlackSuit Ransomware: 15,000 Dealerships Offline for 2 Weeks
BlackSuit ransomware encrypted CDK Global's dealer-management cloud on June 18-19, 2024, crippling roughly 15,000 North American auto dealerships and triggering a reported $25M ransom payment.
UnitedHealth Change Healthcare: 190 Million Update and the Long Tail
In January 2025 UnitedHealth revised the Change Healthcare breach count to 190 million people, the largest HIPAA breach in US history. We unpack what changed and the supply-chain lessons that still apply.