Nike Confirms Investigation Into 1.4TB Internal Data Breach
Nike disclosed that it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The incident involves a large volume of files taken from internal systems, which signals sustained access rather than a short-lived intrusion.
What Data Was Exposed:
Nike has not published a complete data inventory. Based on breach size and enterprise breach patterns, the exposed data is likely to include:
- Internal business documents and reports
- Employee-related records and internal communications
- Technical documentation, system files, or configuration data
- Archived backups or shared repositories
A data volume of 1.4TB strongly suggests that the exposure went beyond surface-level records. Even if customer information is limited, internal context and operational data can carry long-term risk due to how it can be reused.
Company Response:
Nike confirmed that it has launched a formal investigation to assess the scope and impact of the breach. This includes forensic analysis to understand how access occurred and what data was accessed or removed.
The company has stated that it is taking steps to secure systems and review internal access controls. Further disclosures may follow once the investigation reaches a clearer conclusion. At the time of reporting, no customer notifications or regulatory filings had been publicly detailed.
Key Lesson:
Large-scale data exposure rarely starts with one major failure. It usually grows due to limited visibility into active access paths and data reachability.
Knowing where data exists is not enough. Organizations must also know:
- Who can access it
- How access is used over time
- Whether exposure remains active or inactive
Without this clarity, data can be accessed quietly and extracted in bulk before alarms are raised.
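The three questions above can be answered by joining a grant inventory with an access log. The sketch below is an added example, not part of the original article and not based on any Nike system: it labels each grant as in-use, dormant or never-used, and flags a day on which a principal reads far more than its own prior median. All principals, stores, thresholds and log rows are constructed for illustration.

```python
from datetime import date
from statistics import median

GB = 10**9
# Constructed sample data for illustration; all names are hypothetical.
GRANTS = [  # who CAN reach each store: (principal, store)
    ("svc-backup", "archive-share"),
    ("alice", "archive-share"),
    ("vendor-support", "archive-share"),
    ("bob", "hr-records"),
]
ACCESS_LOG = [  # how access IS used: (principal, store, day, bytes read that day)
    ("svc-backup", "archive-share", date(2025, 11, 1), 40 * GB),
    ("svc-backup", "archive-share", date(2025, 11, 2), 42 * GB),
    ("svc-backup", "archive-share", date(2025, 11, 3), 41 * GB),
    ("alice", "archive-share", date(2025, 11, 1), 1 * GB),
    ("alice", "archive-share", date(2025, 11, 2), 2 * GB),
    ("alice", "archive-share", date(2025, 11, 3), 1 * GB),
    ("alice", "archive-share", date(2025, 11, 4), 300 * GB),
    ("bob", "hr-records", date(2025, 6, 15), 1 * GB),
]

def review_grants(grants, log, today, dormant_days=90):
    """Label each grant 'in-use', 'dormant' (unused for dormant_days) or 'never-used'."""
    last_used = {}
    for principal, store, day, _ in log:
        key = (principal, store)
        last_used[key] = max(day, last_used.get(key, day))
    report = {}
    for key in grants:
        if key not in last_used:
            report[key] = "never-used"   # reachable, but no recorded use at all
        elif (today - last_used[key]).days > dormant_days:
            report[key] = "dormant"      # exposure still active, use has stopped
        else:
            report[key] = "in-use"
    return report

def bulk_read_alerts(log, factor=5, min_history=3):
    """Flag days where a principal read more than factor x its own prior median."""
    history, alerts = {}, []
    for principal, store, day, nbytes in sorted(log, key=lambda r: r[2]):
        past = history.setdefault((principal, store), [])
        if len(past) >= min_history and nbytes > factor * median(past):
            alerts.append((principal, store, day, nbytes))
        past.append(nbytes)
    return alerts

if __name__ == "__main__":
    print(review_grants(GRANTS, ACCESS_LOG, today=date(2025, 11, 5)))
    print(bulk_read_alerts(ACCESS_LOG))
```

Dormant and never-used grants are candidates for revocation; the per-principal baseline keeps a high-volume service account from masking an unusual read by a low-volume user.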
OnSolve CodeRED cybersecurity incident
OnSolve CodeRED recently informed us that they have been impacted by a cybersecurity incident that affects its customers nationwide where user data was potentially compromised. The affected data is limited to contact information: name, address, email address, phone numbers, and associated passwords used to create user profiles for receiving alerts. If users have the same password for any other personal or business accounts, those passwords should be changed immediately.
OnSolve CodeRED informed us that it promptly took steps to secure its systems, launched an investigation, and engaged external cybersecurity experts to assist. They decommissioned the OnSolve CodeRED platform and are in the process of moving all customers to a new CodeRED platform.
The new CodeRED platform, we are informed, was not part of this cybersecurity incident. Additionally, the new system resides in a completely separate environment and has undergone extensive security auditing and testing. The City of Salem will be utilizing this new CodeRED system going forward.
Marquis confirms data breach
Marquis, a US fintech company building software for banks and credit unions, has confirmed suffering a ransomware attack and losing sensitive customer data, but shifted the blame onto its firewall provider, SonicWall.
In mid-September 2025, SonicWall warned its firewall customers to reset their passwords after unnamed threat actors brute-forced their way into the company’s MySonicWall cloud service. This tool allows SonicWall firewall users (typically businesses and IT teams) to back up their firewall configuration files, including network rules and access policies, VPN configurations, service credentials (LDAP, RADIUS, SNMP), or admin usernames and passwords (if stored in config).
At first, SonicWall claimed fewer than 5% of its customer base was affected but later concluded that everyone lost their backups to hackers.
Melwood Discloses Data Breach Following Ransomware Attack
Melwood disclosed a data breach after a ransomware attack led to unauthorized access within its internal network. The incident involved threat actors gaining entry to systems, extracting data, and then deploying ransomware to disrupt operations.
The organization identified suspicious activity and launched an internal investigation with external forensic experts. Findings confirmed that certain files were accessed and copied without authorization before containment steps were completed. This pattern aligns with modern ransomware operations, where data extraction occurs prior to encryption to increase pressure on victims.
What Data Was Exposed:
Based on Melwood’s disclosure, the compromised data of thousands may include:
- Full names
- Social Security numbers
- Dates of birth
- Driver’s license or state ID numbers
- Financial account details in limited cases
- Employment and benefits-related information
The exact data types varied by individual, depending on their relationship with Melwood, such as employees, program participants, or contractors.
Company Response:
Following confirmation of the incident, Melwood took several actions:
- Isolated affected systems to stop further unauthorized access
- Engaged third-party cybersecurity and forensic specialists
- Notified law enforcement agencies
- Issued breach notifications to impacted individuals
- Offered credit monitoring and identity protection services
The organization also stated that it reviewed internal security practices and implemented additional safeguards to reduce future risk.
Key Lesson:
This incident highlights that ransomware groups actively target organizations of all sizes, including nonprofits.
Key takeaways include:
- Data access often occurs before service disruption becomes visible
- Personal and employment records remain highly valuable to attackers
- Early detection directly limits the scale of exposure
- Clear asset awareness and access governance reduce impact
SNP Transformations Data Breach Exposes Social Security Numbers
Incident Overview:
SNP Transformations, Inc., a U.S.-based subsidiary of SNP Group, disclosed a security incident involving unauthorized access to internal systems. The issue was identified after unusual activity was detected within parts of its network environment. A subsequent investigation confirmed that an external party gained access to files containing personal information.
The organization formally notified regulators and impacted individuals after completing an initial review. Public disclosure filings indicate that the access was not authorized and that sensitive records were viewed or acquired during the incident window. While technical specifics have not been publicly detailed, the breach reflects weaknesses in internal access controls and monitoring across enterprise systems.
What Data Was Exposed:
The compromised information included highly sensitive personal identifiers, specifically:
- Full names of individuals
- Social Security numbers (SSNs)
- Driver’s license numbers
Company Response:
Following detection, SNP Transformations engaged external cybersecurity specialists to investigate the incident. The company reported that affected systems were secured, access points were reviewed, and additional safeguards were implemented.
Impacted individuals received written notifications outlining the exposed data types. The company also offered guidance on monitoring financial and identity records, along with credit protection services where applicable.
The response focused on containment, regulatory reporting, and customer communication rather than public technical disclosure.
Key Lesson:
This incident reinforces a critical point: sensitive identity data remains a prime target, even within organizations that are not consumer-facing brands.
Enterprises handling SSNs must enforce strict access governance, continuous monitoring of internal systems, and rapid response workflows. Visibility gaps around who can access regulated data and how that access is tracked continue to create real-world risk.
Preventing exposure requires sustained control over identity data flows, not one-time audits.
Grubhub Data Breach Linked to Ransom Demand in Salesforce-Related Attack Chain
Incident Overview:
Grubhub confirmed a data breach after unauthorized access was detected within a third-party customer support environment connected to its internal operations. The incident surfaced as part of a wider campaign where attackers targeted companies using customer relationship platforms, including environments integrated with Salesforce.
What Data Was Exposed:
Grubhub stated that the exposed information depended on the type of user record involved. Based on official disclosures, the compromised data included:
- Full names
- Email addresses
- Phone numbers
- Partial payment card information, limited to card type and last four digits
- Order-related and customer support interaction details
Grubhub confirmed that full payment card numbers, CVV data, bank account details, and account passwords were not accessed. However, the exposed contact and transaction metadata still carries risk when combined with impersonation attempts or targeted fraud.
Company Response:
Grubhub reported taking immediate action once the intrusion was identified. Key response measures included:
- Revoking access to the affected third-party support systems
- Rotating credentials and access tokens associated with support workflows
- Engaging external cybersecurity specialists for investigation
- Notifying affected users and relevant authorities
- Reviewing and tightening third-party access permissions
The company emphasized that additional controls were applied to limit external system access and reduce similar exposure going forward.
Key Lesson:
This incident highlights a recurring issue across large organizations. Even when core platforms remain secure, connected systems such as customer support tools, vendor access, and long-lived credentials often become the weakest entry points.
Security programs that focus only on applications or infrastructure often miss exposure created by:
- Third-party integrations
- Support tooling access
- Excessive permissions
- Weak identity controls
