Weekly Cyber Briefing 16.12.2025

Weekly Cyber Update: 16 December 2025

Collins Aerospace double whammy attack analysis; 5.6 million exposed as 700Credit breach highlights third-party risk; Barts Health discloses data breach

Collins Aerospace double whammy attack analysis

In September, Collins Aerospace suffered two separate cyber incidents in the same week, driven by very different root causes that need to be clearly distinguished. In mid-September, Collins disclosed a ransomware attack that shut down its MUSE passenger processing system, causing significant disruption at European airports and stranding thousands of passengers. That incident was real, operationally impactful, and consistent with a traditional ransomware attack affecting live systems.

Meanwhile, a different threat actor group, Everest, was quietly exfiltrating data from a Collins Aerospace FTP server. Everest accessed the server using valid credentials, “aiscustomer” and “muse-insecure”, previously identified as being stolen in a 2022 infostealer infection on a Collins Aerospace employee device. Those credentials were never rotated. Three years later, they were reused to access an exposed server and extract a large volume of sensitive data, including 1.5 million passenger records, employee details, SQL databases, and audit logs.

Crucially, Everest’s activity shows no evidence of ransomware deployment or encryption. This was a classic data-exfiltration attack using old, valid credentials. The ransomware outage and the Everest breach were two distinct incidents, overlapping in time but unrelated in execution.

Assured reacts:

Legacy credential exposure remains a dangerous and overlooked risk. A single infostealer infection in 2022 created a vulnerability that was exploited years later, entirely independently of the ransomware event. This pattern of old credentials, never rotated, reused against exposed infrastructure, is increasingly common and repeatedly catastrophic.

Ransomware grabs headlines, but credential hygiene, MFA enforcement, and exposure monitoring are what prevent silent breaches like this one.

  • Treat old credential theft as an active threat.
    Credentials stolen years ago are still being used today. If they haven’t been rotated, assume they’re compromised.
  • Credential hygiene matters.
    This breach didn’t require malware or exploits; valid credentials were sufficient. Rotate passwords, kill shared accounts, and enforce MFA everywhere possible.
  • Stop equating ransomware with “the breach.”
    The most damaging activity may involve no encryption and no alerts. Monitor credential abuse and data access, not just malware.
  • Assume incidents can overlap.
    Multiple attackers can hit at once. Separate access paths early, or you’ll misdiagnose what’s happening.
  • Infostealers are a Tier-1 risk.
    Endpoint infections today become infrastructure breaches tomorrow. Track exposed credentials continuously.
  • Legacy systems are high-risk by default.
    Old, exposed services with static credentials will be found and reused. Lock them down or isolate them.
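The "track exposed credentials continuously" and "monitor credential abuse" points above can be turned into a simple check against a credential inventory and authentication logs. The block below is an added example, not code from the briefing or from Collins Aerospace: it flags successful logins that use a secret past its rotation deadline, and logins on accounts that resurface after a long dormant period. Account names, dates, thresholds and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory (hypothetical accounts): account -> date its secret was last rotated.
CREDENTIAL_INVENTORY = {
    "ftp-svc-legacy": datetime(2022, 3, 1),   # set in 2022, never rotated
    "ftp-ops": datetime(2025, 9, 1),
}
# Constructed prior state: account -> last successful login before this log window.
PRIOR_LAST_SEEN = {
    "ftp-svc-legacy": datetime(2022, 6, 1),   # dormant for years
    "ftp-ops": datetime(2025, 9, 13),
}
# Constructed FTP auth log lines: <timestamp> <host> <action> <result> key=value ...
SAMPLE_LOG = """\
2025-09-14T02:11:05Z ftp01 LOGIN OK user=ftp-svc-legacy src=203.0.113.7
2025-09-14T02:11:30Z ftp01 RETR OK user=ftp-svc-legacy file=/export/passengers.sql
2025-09-14T09:02:10Z ftp01 LOGIN OK user=ftp-ops src=198.51.100.23
"""
MAX_CREDENTIAL_AGE = timedelta(days=90)    # rotation policy
DORMANCY_THRESHOLD = timedelta(days=180)   # account unused this long, then reused

def parse_events(log_text):
    # Turn each log line into a dict with a parsed timestamp and its key=value fields.
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        events.append({"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                       "action": parts[2], "result": parts[3], **fields})
    return events

def find_stale_credential_use(events, inventory, prior_last_seen,
                              max_age=MAX_CREDENTIAL_AGE, dormancy=DORMANCY_THRESHOLD):
    # Returns (account, finding, days) for each successful login that used an
    # overdue secret or reactivated an account after a long dormant period.
    last_seen = dict(prior_last_seen)
    findings = []
    for ev in events:
        if ev["action"] != "LOGIN" or ev["result"] != "OK":
            continue
        user = ev["user"]
        rotated = inventory.get(user, datetime.min)   # unknown account: treat as never rotated
        if ev["ts"] - rotated > max_age:
            findings.append((user, "credential_overdue", (ev["ts"] - rotated).days))
        prev = last_seen.get(user)
        if prev is not None and ev["ts"] - prev > dormancy:
            findings.append((user, "dormant_reactivation", (ev["ts"] - prev).days))
        last_seen[user] = ev["ts"]
    return findings
```

Run on the sample, the legacy account is flagged twice (overdue secret and reactivation after years of silence) while the routinely rotated, routinely used account produces nothing; the same logic applies to any service that logs successful authentications.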

5.6 million exposed as 700Credit breach highlights third-party risk

700Credit, a major U.S. credit and identity verification provider widely used by automotive dealerships, has suffered a significant data breach that exposed the personal information of millions of consumers. The incident affected data processed through its 700Dealer platform between May and October 2025, potentially impacting an estimated 5.6 million people. Exposed data includes names, addresses, dates of birth and social security numbers. The organisations that ultimately bore the brunt of the impact weren’t the ones breached. 700Credit sits upstream in the automotive ecosystem, processing highly sensitive identity and credit data on behalf of thousands of dealerships. When 700Credit was compromised, millions of consumers and countless dealerships were exposed simultaneously, even though those dealerships had no direct control over the vulnerable system.

The breach did not involve ransomware or malware. Instead, attackers exploited a weakness in an application interface, enabling unauthorised access and large-scale data extraction without triggering obvious alerts. The exposure was first identified through dark web monitoring before formal disclosure.

700Credit has since engaged external cybersecurity firms, notified regulators and law enforcement, and begun coordinated notifications to dealerships and affected consumers, offering credit monitoring services.

Assured reacts:

The incident highlights that a single vendor failure can cascade across an entire industry. For businesses relying on such providers, this underscores the need for stronger vendor oversight and recognition that sensitive data exposure, particularly social security numbers (SSNs), has enduring consequences beyond the initial incident.

We encourage you to assume third parties are your largest attack surface. Demand evidence of real security controls, continuously monitor vendor risk, and minimise the data they’re allowed to store. If a provider is aggregating high-value data such as SSNs, treat them as Tier-1 critical infrastructure because, when they fail, so do you.
Barts Health discloses data breach

In December 2025, the leading NHS Trust Barts Health confirmed that sensitive data was stolen after attackers exploited a vulnerability in its Oracle E-Business Suite system. The criminal group Cl0p exploited a flaw in Oracle's enterprise software to exfiltrate files from a business database containing invoicing and financial records. The stolen information, later posted on the dark web, includes names, addresses, and other details tied to patients, former staff, suppliers, and associated services dating back several years.

Barts Health says its core clinical systems, including electronic patient records, were not affected, and it believes its wider IT infrastructure remains secure. Nonetheless, the organisation is pursuing a High Court injunction to block the publication, sharing or use of the stolen files, even though such legal measures have limited impact on determined cyber criminals overseas.

The breach was detected only when stolen files surfaced online months after the August incident, highlighting how data theft can go unnoticed until publication.

Assured reacts:

Silent data theft via trusted enterprise software is a primary threat, so we advise patching enterprise software aggressively.

  • Treat vulnerabilities in ERP, finance, and billing systems as high risk. Apply patches fast or isolate the system until you can.
  • Assume data theft before encryption. Don’t rely on ransomware signals. Monitor for unauthorised data access and exfiltration, especially from legacy and third-party platforms.
  • Harden non-clinical systems. Attacks often start outside core production systems. Finance, HR and supplier platforms must meet the same security bar as frontline systems.
  • Limit data exposure by design. Reduce the amount of sensitive data stored, the time it’s retained, and the number of people who can access it.
  • Prepare for disclosure, not prevention alone. Legal action can’t claw back leaked data. Have breach response, comms, and regulatory playbooks ready.
  • Treat vendors and software suppliers as an attack surface. Actively track vulnerabilities in widely used platforms (like Oracle), not just your own code.
