6 major cyber attacks & data breaches in March 2025

The standout cyber attacks and data breaches in March 2025


Michael Hill
03/28/2025


Cyber attacks and data breaches are wreaking havoc on organizations and users around the globe.

From ransomware and distributed denial-of-service (DDoS) attacks to accidental and third-party data exposures, businesses face ongoing, complex cyber security risks.

Here’s a breakdown of some of the standout cyber attacks and data breaches that made the headlines this month.


6 million records exfiltrated from Oracle Cloud

Security vendor CloudSEK uncovered a major breach targeting Oracle Cloud, with 6 million records exfiltrated via a suspected undisclosed vulnerability. More than 140,000 tenants were impacted with the attacker demanding a ransom and marketing sensitive data online. The data includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys.

“While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity,” CloudSEK said.


Fake banking app targets Android users via Telegram

A sophisticated malware dropper was spotted mimicking the IndusInd Bank app and targeting Android users in a phishing scheme to steal sensitive financial information. Displaying a fake banking interface, the malicious app tricks users into entering information such as PAN and Aadhaar numbers as well as banking credentials.

After the victims submit the data, it is sent to both a phishing server and a Telegram-controlled command and control (C2) channel.


Cyber attack hits Ukrainian railway

A “large-scale” cyber attack on Ukraine’s railway forced online services offline. Ukrzaliznytsia, the country’s national railway company, described the attack as “very systematic, complex, and multi-level.” It took down its online portal, rendering the online sale of tickets impossible for a period of time, although trains were still able to operate.

“The key objective of the enemy failed: train traffic remains stable, running on schedule without delays, and all operational processes have been switched to backup mode,” read the latest update from Ukrzaliznytsia. “The railway continues to operate despite physical attacks on infrastructure, and even the most devious cyber attacks cannot stop it. As Ukrzaliznytsia has previously been a target of enemy cyber attacks, backup protocols have been implemented within the company.”


Trusted websites exploited for malicious redirects

Another campaign exposed by ANY.RUN saw attackers abusing redirect functions on long-standing, trusted domains to reroute users to phishing pages. By exploiting weak redirect validation, threat actors turned safe-looking URLs into a launchpad for malicious sites. Since users believed they were still on legitimate pages, or moving between them, they were far more likely to fall for the scam.
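To show what "weak redirect validation" means in practice, here is an added example (not code from the article or from ANY.RUN) that puts a naive prefix check next to a validator that only accepts same-site paths or an allow-listed https host. The host names and allow-list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts a redirect may legitimately land on.
ALLOWED_HOSTS = {"app.example.test", "login.example.test"}
DEFAULT_TARGET = "/"


def weak_is_safe(target):
    """The kind of prefix check that campaigns like this abuse: anything that merely
    starts with the trusted origin string passes, so look-alike hosts slip through."""
    return target.startswith("/") or target.startswith("https://app.example.test")


def safe_redirect_target(target):
    """Return `target` if it is a same-site path or an allow-listed https host,
    otherwise fall back to DEFAULT_TARGET.
    Rejects empty values, backslashes, CR/LF, scheme-relative URLs (//host),
    userinfo tricks (trusted@evil) and non-https schemes."""
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: a single leading "/" keeps the user on this site;
        # "//host" is parsed as a netloc and never reaches this branch.
        return target if target.startswith("/") else DEFAULT_TARGET
    # Absolute URL: hostname (userinfo and port stripped) must be allow-listed.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return target
```

The weak check returns True for a look-alike host such as `https://app.example.test.evil.test/`, while the hardened validator sends that user to the default page instead.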


Supply chain attack compromises GitHub Action

A supply chain attack compromised the popular tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and March 15, 2025, and has since been mitigated.

The attack involved modifying the tj-actions/changed-files GitHub Action to execute a malicious Python script. This script extracted secrets from the Runner Worker process memory and printed them in GitHub Actions logs, making them publicly accessible in repositories with public workflow logs.

“This CVE impacts public GitHub repositories with GitHub Actions enabled. All versions were impacted,” said Dimitri Stiliadis, CTO and co-founder of Endor Labs. “For organizations that build software, they will likely need to reconfigure their pipelines if they are using the compromised Action.”


Thousands of New South Wales court files leaked

Some 9,000 court files – including sensitive documents such as apprehended violence orders and affidavits – were leaked in a data breach of the New South Wales (NSW) court system’s online registry. Police were alerted to the breach of the NSW Online Registry website, and cyber crime detectives from the NSW State Crime Command launched an investigation involving the state’s Department of Communities and Justice (DCJ).

Names and addresses of victims and offenders, as well as accounts of alleged offending, could be included in the exposed documents, it was reported.

NSW Attorney-General Michael Daley said the department and police were taking the incident seriously and working to ensure the integrity of the system following the significant leak. “They are also working to urgently identify and contact affected users and the public will be kept updated as more information becomes available,” he added.

