Safeguard
Topic

Incident Analysis

In-depth guides and analysis on incident analysis from the Safeguard engineering team.

137 articles

Incident Analysis

Coinbase TaskUs Insider Breach: When the BPO Becomes the Attack Surface

In May 2025 Coinbase disclosed that contractor support agents at TaskUs had been bribed to leak customer data for months. We unpack the insider-threat supply-chain anatomy and what crypto and fintech defenders must change.

Jun 25, 20257 min read
Incident Analysis

Co-op UK DragonForce Breach: When the Helpdesk Becomes the Backdoor

In late April 2025 the Co-operative Group joined Marks & Spencer and Harrods as victims of a DragonForce-affiliated cluster that targeted UK retail through helpdesk social engineering. We unpack the playbook and what retailers must change.

Jun 12, 20257 min read
Incident Analysis

Hitachi Vantara Akira Ransomware: When the Recovery Vendor Goes Down

Akira ransomware forced Hitachi Vantara to take its own servers offline on April 26, 2025. We trace the attack pattern and the implications when an enterprise data-recovery provider becomes the incident.

May 8, 20257 min read
Incident Analysis

Oracle Cloud Classic SSO Incident: rose87168 and the Legacy Endpoint Problem

In March 2025 an actor calling themselves rose87168 advertised six million Oracle Cloud SSO and LDAP records, and Oracle quietly acknowledged a breach of legacy infrastructure. We unpack what happened and what tenants should do.

Apr 22, 20257 min read
Incident Analysis

PowerSchool Breach: 62M Students, $2.85M Ransom, Cascading Extortion

PowerSchool's December 2024 breach exposed data on roughly 62M students and 9.5M teachers through a compromised support-portal credential and triggered downstream extortion of school districts months later.

Mar 12, 20256 min read
Incident Analysis

Patelco Credit Union RansomHub Attack: 1M Records, $7.25M Settlement

RansomHub maintained access to Patelco Credit Union's network from May 23 to June 29, 2024, ultimately exposing data on over one million members and triggering a $7.25M class settlement.

Mar 5, 20256 min read
Incident Analysis

American Water Cyberattack: Largest U.S. Utility Forced Offline

American Water Works discovered unauthorised network access on October 3, 2024, shutting down its MyWater customer portal and billing systems serving 14 million people across 24 states.

Feb 26, 20256 min read
Incident Analysis

Halliburton RansomHub Attack: $35M Loss in Oilfield Services

RansomHub encrypted Halliburton systems on August 21, 2024, exfiltrated proprietary oilfield data, and contributed to a $35M direct response cost disclosed in the company's Q3 10-Q.

Feb 19, 20256 min read
Incident Analysis

SolarWinds Web Help Desk CVE-2024-28987: Hardcoded Credential in Federal Networks

SolarWinds shipped a hardcoded helpdeskIntegrationUser credential in Web Help Desk that CISA added to KEV on October 15, 2024 after federal agency intrusions.

Feb 12, 20255 min read
Incident Analysis

DeepSeek ClickHouse Exposure: When the AI Vendor Forgets the Database

In January 2025 Wiz Research found a wide-open ClickHouse instance belonging to AI startup DeepSeek, leaking chat history, API keys, and internal log streams. We unpack the AI-supply-chain implications.

Feb 10, 20257 min read
Incident Analysis

CDK Global BlackSuit Ransomware: 15,000 Dealerships Offline for 2 Weeks

BlackSuit ransomware encrypted CDK Global's dealer-management cloud on June 18-19, 2024, crippling roughly 15,000 North American auto dealerships and triggering a reported $25M ransom payment.

Feb 4, 20256 min read
Incident Analysis

UnitedHealth Change Healthcare: 190 Million Update and the Long Tail

In January 2025 UnitedHealth revised the Change Healthcare breach count to 190 million people, the largest HIPAA breach in US history. We unpack what changed and the supply-chain lessons that still apply.

Feb 4, 20257 min read
Incident Analysis (Page 6) — Supply Chain Security Blog | Safeguard