Summary
- Total number of incidents disclosed: 33
- Total number of known breached records: 16,023,217,882
- Total number of known breached records excluding the mass credential leak: 23,217,882
Welcome to another monthly round-up of monthly cyber attack and data breach news. In June 2025, IT Governance found 33 publicly disclosed cyber security incidents, including the leak of 16 billion user credentials compiled from years of infostealer malware and previous breaches. Although this was, strictly speaking, not a new data breach, we include it in this month’s round-up as it featured in the news in June and still requires individuals and organisations to take action to secure their accounts.
Excluding this mass credential dump, more than 23 million records were compromised in newly revealed attacks, reflecting the persistent threat of ransomware, phishing and third-party compromise across all sectors.
Although no single new breach matched the scale of previous mega-incidents, June was notable for a surge in ransomware disruption across the healthcare and government sectors, a dramatic hacktivist-led assault on Iran’s financial infrastructure, and a spike in supply-chain and credential-based attacks.
Top three sources of breached data
- Aggregated credential dumps – over 16 billion username/password combinations
- Healthcare service providers and suppliers – over 7.8 million records
- Retail and consumer services – over 2.2 million records
Top 5 incidents by number of records affected
The following are the largest incidents publicly disclosed in June 2025, ranked by known/claimed impact:
1. Mass credential leak – 16 billion records
- Records affected: 16 billion.
- Data: Usernames and password combinations.
- Cause: Aggregation of credentials stolen over many years.
- Status: Discovered in June 2025 across approximately 30 datasets. Not a new data breach, but many major platforms have advised users to reset their credentials and adopt MFA (multifactor authentication).
2. Episource LLC – 5.4 million records
- Records affected: 5,418,866.
- Data: Names, dates of birth, contact information, Medicaid IDs, insurance data, diagnoses, test results and treatment details.
- Cause: Ransomware attack and unauthorised network access between January and February 2025.
- Status: Breach investigation concluded in spring. Public disclosure and victim notification began in June. Credit monitoring is being provided.
3. McLaren Health Care – 743,000 records
- Records affected: 743,000.
- Data: Patient contact information, and insurance and health records, potentially including Social Security numbers.
- Cause: July 2024 ransomware attack by INC Ransom, undisclosed until forensic analysis was completed.
- Status: Victims notified in June 2025, 11 months after the breach. Free identity protection is now offered.
4. Kettering Health – approximately 730,000 records
- Records affected: Approximately 730,000.
- Data: Patient health records and internal financial or operational documents.
- Cause: Ransomware attack by the Interlock gang in May 2025.
- Status: Breach disclosed in June. Internal systems have been recovered and affected individuals are being notified. Class-action lawsuits have begun.
5. Ahold Delhaize (USA operations) – 2.24 million records
- Records affected: 2,242,521.
- Data: Names, contact information, dates of birth, government ID numbers, bank account details and workers’ compensation data.
- Cause: Ransomware attack by INC Ransom in November 2024. Data breach confirmed in 2025.
- Status: Data breach notifications issued in June 2025. Internal and customer payment systems were not affected.
Trends in June 2025
- Hacktivist activity intensified
Iran saw coordinated attacks from the pro-Israel hacktivist group Predatory Sparrow, which disrupted banking services and destroyed $90 million in cryptocurrency by targeting Nobitex and Bank Sepah. - Healthcare remained the most targeted sector
High-impact ransomware incidents affected healthcare providers and suppliers in Ohio, Michigan and across the USA, compromising millions of patient records. - Credential stuffing and supply-chain abuse persisted
Attacks on The North Face and Gluestack demonstrated how credential reuse and malicious code injection remain active and dangerous vectors. - Public sector services were disrupted globally
City and state-level governments in the USA and UK experienced ransomware attacks and outages, and often lacked the resilience or backups needed for rapid recovery. - Ransomware groups continued to use double extortion
Double-extortion tactics remained standard, with threat actors stealing and leaking data whether or not a ransom was paid.
Key vulnerabilities exploited
Several high-profile incidents in June 2025 highlight the continued exploitation of well-known vulnerabilities and attack surfaces:
- Supply-chain compromise
Gluestack’s popular JavaScript packages were injected with malware and downloaded nearly a million times before discovery. - Credential harvesting malware
The 16 billion-record credential dump was built from infostealer logs collected via trojans on compromised devices. - Phishing and social engineering
Targeted impersonation and spear-phishing led to breaches at organisations including Aflac and Illinois HFS. - Third-party access risks
Scania’s data breach occurred after attackers used credentials stolen from a service provider, emphasising the risk of poorly secured partner systems.
List of data breaches and cyber attacks disclosed in June 2025
| Disclosure date | Organisation | Country | Sector | Incident type | Records affected |
| 01 June | City of Durant (Oklahoma) | USA | Government (city) | Ransomware (unspecified gang) | Unknown (city services disrupted) |
| 01 June | Lorain County (Ohio) | USA | Government (county) | Likely ransomware (network intrusion) | Unknown (court operations halted) |
| 02 June | The North Face (VF Corp) | USA | Retail (apparel) | Data breach (credential stuffing) | 2,990 customer accounts |
| 02 June | Cartier | Global | Retail (luxury) | Data breach (unauthorised access) | Unknown (limited client data) |
| 03 June | Puerto Rico Dept. of Justice | Puerto Rico | Government (justice) | Cyber attack (unspecified) | Unknown (services suspended) |
| 04 June | Lee Enterprises | USA | Media (news publishing) | Ransomware – Qilin gang (data theft) | 39,779 individuals |
| 05 June | Kettering Health | USA | Healthcare (14-hospital network) | Ransomware – Interlock gang | ~730,000 patients (estimated) |
| 05 June | United Natural Foods, Inc. (UNFI) | USA | Food distribution | Cyber attack (unspecified, likely ransomware) | Unknown (operational impact) |
| 06 June | Optima Tax Relief | USA | Financial services | Ransomware – Chaos gang (double-extortion) | 69 GB of data (clients & corporate) |
| 07 June | NPM (Gluestack packages) | India / Global | Software (open-source supply chain) | Supply chain attack | Unknown |
| 09 June | Sensata Technologies | USA / Global | Manufacturing (industrial tech) | Ransomware (gang unnamed) | 15,630 individuals |
| 09 June | Texas Department of Transportation (TxDOT) | USA | Government | Data breach – account compromise | 291,000 records |
| 09 June | Illinois Dept. of Healthcare and Family Services | USA | Government | Data breach – phishing | 933 individuals |
| 09 June | SentinelOne | USA | Cyber security tech | Cyber attack – supply chain and APT espionage | None (attempt foiled) |
| 10 June | Yes24 | South Korea | E-Commerce (ticketing & retail) | Ransomware (actor TBD) | Unknown (service outage; investigation ongoing) |
| 12 June | Aflac | USA | Insurance | Cyber attack – social engineering and data theft | Unknown (under investigation) |
| 13 June | Thomasville, NC & Ogeechee Judicial Circuit, GA | USA | Government (city & district attorney) | Cyber attacks –likely ransomware | Unknown (services disrupted) |
| 14 June | WestJet | Canada | Transportation (airline) | Cyber attack (investigation ongoing) | Unknown |
| 15 June | The Washington Post | USA | Media (newspaper) | Data breach – email accounts hacked (APT) | Limited (specific journalists) |
| 17 June | Episource LLC | USA | Healthcare tech (SaaS) | Data breach – Ransomware | 5,418,866 individuals |
| 17 June | Scania AB | Sweden | Manufacturing (automotive) | Data breach | Unknown (thousands of claim files) |
| 17 June | Bank Sepah (Iran) | Iran | Financial (banking) | Cyber attack – Hacktivist (service disruption) | Unknown (service downtime) |
| 18 June | Nobitex (Crypto Exchange) | Iran | Financial (crypto-currency) | Cyber attack – Hacktivist (theft / destruction of assets) | ~$90 million USD in crypto |
| 19 June | Glasgow City Council | UK | Government (city) | Cyber “Incident” – (under investigation) | Unknown (possible data accessed) |
| 19 June | Hawaiian Airlines | USA | Transportation (airline) | Cyber attack – (unspecified; possible ransomware) | Unknown (internal incident) |
| 19 June | Mass Credential Leak – 16 Billion Records | Multiple | N/A (All sectors) | Data leak – Credential compilation (infostealers) | 16 billion credentials (usernames & passwords) |
| 20 June | Viasat Inc. | USA | Telecoms | Cyber espionage – state sponsored (Salt Typhoon) | Unknown (no customer data lost) |
| 21 June | Oxford City Council | UK | Government (city) | Data breach – unauthorised access | Unknown (data from 2001–2022) |
| 22 June | McLaren Health Care | USA | Healthcare (hospital network) | Ransomware (INC Ransom) | 743,000 patients |
| 22 June | Nucor Corporation | USA | Manufacturing (steel) | Cyber attack – (ransomware suspected) | Unknown (“limited” data exfiltrated) |
| 26 June | Ahold Delhaize (USA operations) | Netherlands / USA | Retail (supermarkets) | Ransomware (INC Ransom) | 2,242,521 individuals |
| 30 June | Radix (Swiss health NGO) | Switzerland | Non-profit (public health) | Ransomware – Sarcoma group | Unknown (~2 TB of data claimed) |
Discover your vulnerabilities before attackers do
To avoid falling victim to cyber attacks, it’s critical to understand where you are most vulnerable to attack. Then you can close any security gaps before it’s too late.
Don’t leave your vulnerabilities to chance. Collaborate with a team that understands your risks and delivers actionable solutions.
Contact our penetration testing experts today to discuss your security needs.
