Published January 6, 2026
December 2025 closed the year with a stark reminder that cyber risk is systemic, relentless, and indiscriminate. From global retailers and telecom providers to universities and healthcare supply chains, attackers continued to exploit identity weaknesses and third-party dependencies at scale.
Coupang (Dec 1): South Korea's e-commerce giant disclosed that a former employee with retained system access exposed personal information of nearly 34 million customers, including names, emails, phone numbers, and addresses. The incident highlights the persistent risk of insider threats and inadequate offboarding procedures.
University of Pennsylvania (Dec 1): Clop ransomware operators exploited the university's Oracle E-Business Suite systems, compromising student and staff data. This breach was part of Clop's broader campaign targeting Oracle environments across the education sector.
Freedom Mobile (Dec 5): The Canadian telecom provider confirmed unauthorized access to customer account data, affecting an undisclosed number of subscribers. Attackers leveraged credential-stuffing techniques against customer portal logins.
SoundCloud (Dec 12): The music platform disclosed that a vulnerability in a third-party integration exposed user email addresses and profile data. The breach affected approximately 2.5 million accounts.
DXC Technology / NHS Supply Chain: A ransomware attack on DXC Technology, a critical IT services provider to the UK's National Health Service, disrupted supply chain operations for weeks. The incident highlighted the cascading risk of attacks on shared-service providers in healthcare.
French Interior Ministry: Attackers deployed ransomware against systems used by France's Interior Ministry, temporarily disrupting administrative services. French authorities attributed the attack to a financially motivated group operating from Eastern Europe.
CVE-2025-53770 and CVE-2025-53771 (SharePoint): Researchers discovered that attackers were chaining two critical vulnerabilities in internet-facing SharePoint servers. Dubbed "ToolShell," this exploitation technique allowed remote code execution and was used in targeted attacks against government contractors.
Microsoft Patch Tuesday (Dec 10): Microsoft addressed 72 vulnerabilities, including one actively exploited zero-day in the Windows Common Log File System driver (CVE-2025-50158). Organizations were urged to prioritize patching, particularly those running Windows Server environments.
December's incidents reinforce the urgency of CMMC compliance for defense contractors. The SharePoint "ToolShell" exploit chain specifically targeted organizations handling sensitive government data. Contractors who have not completed a gap assessment against NIST SP 800-171 controls remain exposed to these exact attack vectors.
The CGA CMMC Gap Assessment Grant can help your organization identify vulnerabilities before attackers do. Apply today to receive a $5,000 in-kind assessment.