Welcome back to The CyberSignal Weekly Briefing — your weekly digest of what’s shifting in the global cybersecurity landscape with a focus on the US.

As always, we’re pulling together the most significant developments from last Thursday through today — and this week, it’s all about breaches with ripple effects across marketing, telecom, retail, and industrial sectors.

From marketing and telecom vendors to retail chains, hospitals, and home-care providers, attackers hit the services that keep business and critical infrastructure running.
Meanwhile, Oracle E-Business Suite exploitation by Cl0p and Canadian ICS manipulation alerts signal that enterprise and operational layers alike remain at risk.

Whether you’re a CISO, IT leader, or practitioner on the front lines, this edition delivers the key events, analysis, and next steps to protect your environment.

Let’s dive in.

🔎 Overview: What Shifted in Cyber Since Last Thursday

  • Merkle (U.S.) breach disclosed — employee and client data stolen from Dentsu’s global marketing subsidiary. (Security Affairs)

  • Ribbon Communications (U.S.) breach — nation-state actors accessed systems of major telecom-infrastructure vendor, raising supply-chain concerns. (Reuters)

  • Canadian ICS/OT alert issued — hacktivists manipulating Internet-exposed control devices in water, energy, and agriculture sectors. (Canadian Centre for Cyber Security)

  • Toys “R” Us Canada data breach confirmed — personal data stolen; retail identity risk rising. (Cyber Press)

  • Healthcare trio breaches (ModMed, LifeBridge Health, Right at Home) — millions impacted across EHR, hospital, and home-care systems. (HIPAA Journal)

🔥 Key Incidents & Analysis

U.S.-based Merkle, a subsidiary of Dentsu, confirmed a cyberattack exposing staff and client data. Investigators report credential theft and potential access to sensitive campaign analytics.

  • Why it matters: Marketing and ad-tech vendors often hold customer datasets, analytics, and PII but are rarely prioritized in security budgets.

  • Action: Review all marketing, CRM, and analytics vendors. Enforce encryption and data-retention limits; rotate all API keys and OAuth tokens shared across campaigns.

Telecom-infrastructure vendor Ribbon Communications disclosed a breach traced to suspected nation-state actors. The intrusion exposed internal network systems that connect major U.S. and Canadian carriers.

  • Why it matters: A compromise of a telecom core-component vendor can cascade to thousands of downstream enterprise and consumer connections.

  • Action: Audit all telecom, carrier, or unified-communications dependencies. Enforce zero-trust controls for vendor access, deploy firmware-integrity checks, and enable out-of-band monitoring for signaling systems.

The Canadian Centre for Cyber Security issued an alert warning that hacktivists have tampered with Internet-exposed industrial control systems in water, energy, and agricultural facilities.

  • Why it matters: This is a rare, confirmed example of activists moving from IT defacement to physical-process manipulation — underscoring how exposed OT networks remain.

  • Action: Inventory Internet-facing PLCs, HMIs, and gateways. Disable unnecessary remote access, isolate OT networks, and deploy anomaly-detection analytics between IT and OT layers.

Toys “R” Us Canada confirmed unauthorized access to customer records including names, emails, and addresses — though payment data was not compromised.

  • Why it matters: Even “non-financial” data can enable credential-stuffing and targeted phishing during the holiday shopping surge.

  • Action: Reinforce MFA on all customer accounts; monitor for brand-impersonation phishing campaigns and leaked customer data on Telegram/marketplaces.

A string of U.S. healthcare providers disclosed breaches this week:

  1. ModMed (EHR vendor) — a network intrusion exposed patient data and system credentials.

  2. LifeBridge Health (Maryland) — phishing attack compromised employee email accounts containing PHI.

  3. Right at Home (home-care provider) — ransomware attack affected operational systems and client records.

  • Why it matters: Healthcare continues to face compound risks — shared EHR vendors, email-based intrusions, and aging infrastructure amplify impact and recovery costs.

  • Action: Strengthen endpoint protection on clinical workstations, apply data-loss prevention to email systems, and ensure backup segmentation for EHR servers.

📈 Data & Research Corner

  • Supply-chain exposure rising: Nearly 28 % of 2025 breaches so far stem from indirect vendor compromise. (Source: IBM X-Force)

  • OT/ICS risk intensifying: The Canadian alert marks a 42 % quarter-over-quarter rise in North American OT security advisories.

  • Retail identity leaks: 64 % of exposed retail data is non-financial but still leads to credential attacks within 30 days. (Source: IBM X-Force)

  • Ransomware groups diversify: Cl0p and BlackCat now exploit business applications rather than relying on simple file encryption.

  • Healthcare breaches up 36 % YoY — now averaging $10.5 M per incident. (Source: IBM X-Force)

⚠️ Threat & Vulnerability Highlights

| Threat / CVE | Summary | Risk |
|---|---|---|
| Merkle breach | Marketing vendor compromise exposes client & staff data | High — marketing/CRM supply-chain exposure |
| Ribbon Communications breach | Nation-state intrusion into telecom-core vendor | Critical — telecom & downstream infra risk |
| Toys “R” Us Canada breach | Customer identity data stolen | Medium — phishing & brand-trust impact |
| Canadian ICS alert | Hacktivists tampering with control systems | Critical — OT/physical safety implications |
| Healthcare (ModMed/LifeBridge/Right at Home) | Electronic Health Records (EHR) and email compromise | Critical — HIPAA and patient trust impact |

🛡️ Actionable Playbook for CISOs & IT Leaders

  1. Patch Oracle EBS immediately if you haven’t already — disconnect Internet-facing instances until validated.

  2. Harden marketing & analytics vendors — rotate credentials + audit data exposure.

  3. Re-evaluate telecom dependencies — require vendor attestations of intrusion detection coverage.

  4. Segment OT networks — apply firewalls and monitoring between ICS and enterprise IT.

  5. Prepare holiday retail controls — enable MFA and brand-spoofing monitoring before seasonal phishing peaks.

🏛️ Regulatory, Legislative & Structural Shifts

  • FTC expected to expand its third-party-oversight rulemaking following major vendor breaches.

  • Canadian CSE/Cyber Centre coordinating incident-response guidance for OT operators.

  • U.S. CISA updating KEV list with Oracle EBS CVE-2025-61882 and related endpoints.

  • State AGs tightening breach-notification timelines for retail and vendor incidents.

🔭 Looking Ahead

  • Expect copycat campaigns exploiting Oracle EBS and SAP instances.

  • Healthcare breaches may trigger broader HIPAA guidance on third-party vendors.

  • OT security investment in Canada likely to increase post-alert.

  • Holiday-season phishing expected to spike as retail identity data circulates.

💡 Pro Tip of the Week

Create a cross-vendor response map linking marketing, telecom, EHR, and cloud partners to the specific data they touch.

When an incident hits, you’ll instantly know who to contact and what to quarantine.

🔒 Conclusion

This week underscored a pattern of interconnected risk — where marketing, telecom, healthcare, and industrial systems all feed the same attack surface.

For security leaders: patch fast, enforce vendor discipline, and treat non-financial identity data as critical infrastructure.

Thanks for reading this edition of The CyberSignal Weekly Briefing.

Till next week,

The CyberSignal Team
