⏱️ Read Time: 7 minutes
The first widely recognized ransomware attack, the AIDS Trojan, was distributed on floppy disks in 1989. Malware has upgraded its delivery methods a bit since then.
📜 Table of Contents
🚨 Major Breaches & Incidents - Navia breach hits 2.7 million, P3 police-tip breach claim raises public-safety concerns, Kaplan discloses exposure of sensitive identity data
🛠️ Emerging Threats & Vulnerabilities - Cisco zero-day tied to ransomware, SharePoint RCE under active exploitation, Ivanti auth bypass joins the exploit pile
🔐 Privacy Watch - LexisNexis confirms legacy-data breach, Aura discloses vishing-linked data exposure
🕵️ APTs and State Sponsored Attacks - Russian-linked actors target messaging apps, China-linked espionage campaign hits Southeast Asian militaries
🤖 AI in Cyber - AI-powered phishing compromises hundreds of organizations, Akamai warns AI and API attacks are converging
🔁 Story Follow-Ups - Stryker response drives Intune hardening guidance, infostealer credentials may explain the intrusion path
💥 Major Breaches & Incidents
🏥 Navia data breach impacts 2.7 million
Navia said attackers accessed its environment between late December 2025 and mid-January 2026 and stole personal and health-plan data affecting nearly 2.7 million people. That puts this well beyond routine breach territory, because benefits-administration data can be rich with identity, financial, and healthcare-adjacent details.
👉 Key takeaway: Big breach volume is bad, but big breach volume plus benefits data is where cleanup gets especially ugly.
🚔 Hacker claims theft of 8+ million confidential police tips from P3 Global Intel
Reuters reported that a hacker claimed access to more than 8 million confidential law-enforcement tips from P3 Global Intel, a platform used to search hotline messages. Even with attribution and total impact still developing, the sensitivity here is the story. This is not just personal data exposure - it potentially touches investigations, informants, and broader public-safety concerns.
👉 Key takeaway: When breach fallout can move from the database to the street, the risk profile changes fast.
🎓 Kaplan reports breach affecting more than 230,000
Kaplan disclosed filings showing at least 230,941 people were affected, with exposed data including Social Security numbers and driver’s license numbers. The incident itself dates back to late 2025, but the scale and sensitivity still make it worth surfacing now. Well-known brands leaking identity-grade data remains one of the more reliable ways to ruin a lot of people’s week at once.
👉 Key takeaway: Education-sector breaches keep proving that student and consumer data is every bit as valuable to criminals as enterprise records.
🛠️ Emerging Threats & Vulnerabilities
🔥 Interlock ransomware exploited Cisco Secure FMC flaw as a zero-day
Amazon threat intelligence said the Interlock ransomware gang exploited CVE-2026-20131 in Cisco Secure Firewall Management Center for more than a month before Cisco patched it on March 4. The flaw is an unauthenticated remote code execution bug in software that lives in a very sensitive enterprise control point. Confirmed ransomware use turns this from a technical advisory into a boardroom-relevant patching failure story.
👉 Key takeaway: If your firewall management platform was exposed and unpatched, this was not a harmless delay.
📂 CISA warns of active exploitation of SharePoint RCE CVE-2026-20963
CISA added the critical SharePoint deserialization flaw to KEV and required federal agencies to remediate quickly. The bug affects SharePoint Server 2016, 2019, and Subscription Edition and allows unauthenticated remote code execution. Public detail on the attacks may still be limited, but the combination of “active exploitation” and “widely deployed enterprise platform” is enough to keep defenders very busy.
👉 Key takeaway: SharePoint keeps finding new ways to stay on patch-priority lists everywhere.
🧱 Ivanti Endpoint Manager auth-bypass flaw now confirmed exploited
CISA added CVE-2026-1603 to KEV, confirming real-world exploitation of a high-severity authentication bypass flaw in Ivanti Endpoint Manager. Ivanti products have spent enough time in enterprise incident write-ups that even familiar headlines still deserve attention. For defenders, this is less a surprise and more another item on the recurring “please patch this now” calendar.
👉 Key takeaway: When a vendor keeps reappearing in exploit news, “known issue” stops being comforting.
🕵️ Privacy Watch
🗃️ LexisNexis confirms breach of legacy data after hacker leak
LexisNexis said attackers accessed a limited number of servers containing mostly legacy data from before 2020, including customer names, user IDs, business contact information, product-use details, support tickets, and survey IP addresses. The company framed the breach as contained, but “legacy data” is not the same thing as “risk-free data.” Old records still have a nasty habit of remaining useful to attackers long after companies stop thinking about them.
👉 Key takeaway: Data does not become harmless just because it is old enough to have opinions.
📞 Aura discloses data breach affecting 900,000 records after vishing-linked compromise
Aura said a targeted phone-phishing attack against an employee led to data theft from a marketing platform, with roughly 900,000 records implicated overall and 35,000 customers’ personal information stolen. The story stands out because it combines privacy exposure with one of the more stubbornly effective attack methods: talking a human into helping. SaaS-heavy organizations keep learning that voice phishing is still very much in use.
👉 Key takeaway: Attackers do not need a zero-day when an employee picks up the phone.
🌍 APTs and State Sponsored Attacks
📱 FBI and CISA warn Russian intelligence-linked actors are targeting Signal and other messaging apps
U.S. agencies said hackers tied to Russian intelligence services have successfully compromised thousands of messaging-app accounts and are focusing on current and former government officials, military personnel, political figures, and journalists. The significance here is strategic as much as tactical. The emphasis is shifting toward account compromise and collection from trusted communications channels rather than just dropping traditional malware and hoping for the best.
👉 Key takeaway: Encrypted apps are helpful, but they are not magical once the account itself is compromised.
🛰️ China-linked espionage campaign hit Southeast Asian military organizations
Palo Alto Networks said a China-linked group tracked as CL-STA-1087 targeted Southeast Asian military organizations and maintained long dwell times in victim environments. That patient operational tempo is part of what makes the campaign notable. Quiet, persistent access to defense-sector networks tends to matter long after the first headlines move on.
👉 Key takeaway: The most damaging espionage campaigns are often the ones that stay boring and quiet the longest.
🤖 AI in Cyber
🎣 AI-powered phishing campaign compromises hundreds of organizations
Huntress told CyberScoop that a phishing campaign tied to Railway infrastructure compromised hundreds of organizations and may ultimately have affected thousands. Researchers suspect AI-generated lures because the emails and domains lacked the repeated patterns defenders often rely on to spot campaigns quickly.
👉 Key takeaway: AI is making phishing less repetitive, less obvious, and more expensive to ignore.
🤖 Akamai report: AI, APIs and DDoS are converging in coordinated attacks
SecurityWeek’s coverage of Akamai’s 2026 report says API attacks are rising alongside agentic AI adoption and that criminals are using AI as a force multiplier to make attacks cheaper, stealthier, and harder to attribute. This is more trendline than single incident, but it earns its place because it reflects where operational reality is heading. The messy overlap of AI tooling, API dependence, and DDoS pressure is not exactly calming news for defenders.
👉 Key takeaway: AI is not replacing old attack methods; it’s helping attackers stack them more efficiently.
🔁 Story Follow-Ups
🏭 Stryker says attack contained; U.S. agencies push Intune hardening after incident
This is the strongest follow-up angle on the Stryker incident because it moves beyond disruption headlines and into practical defensive guidance. CISA urged organizations to harden Microsoft Intune configurations after the March 11 attack affected order processing, manufacturing, and shipments.
👉 Key takeaway: The best incident follow-ups are the ones that turn someone else’s mess into your control checklist.
🧪 SecurityWeek reports infostealer credentials may have enabled the Stryker breach
SecurityWeek reported evidence suggesting Stryker administrator credentials harvested by infostealer malware may have been used to access Microsoft Intune and wipe devices. That adds likely intrusion mechanics to the broader story and sharpens the lesson around stale privileged credentials. It is a useful reminder that some “advanced” intrusions still begin with depressingly familiar credential theft.
👉 Key takeaway: Fancy incident response write-ups still too often boil down to “someone stole the creds and nobody noticed.”
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!