DOT Account Breach, Kettering Ransomware Attack, Recruiter Systems Compromised – Cybersecurity News [June 09, 2025]

This week’s cybersecurity round-up covers serious threats hitting various sectors, including transportation, healthcare, and retail. Key cybersecurity incidents include a massive data breach in a governmental department, a ransomware attack crippling life-threatening healthcare operations, and a sneaky job scam targeting recruiters. Major giants from the business world have also confirmed cyberattacks that impacted employees and disrupted critical business workloads. Read on for full details, known risks, and what’s being done in response, strengthening the defence mechanisms.

DOT Account Compromise Breach Exposes 300,000 Crash Records

The Department of Transportation (TxDOT) confirmed a data breach this week involving nearly 300,000 crash records, warning affected individuals about potential misuse of their personal information.

According to them, it happened on May 12, 2025 when a threat actor gained unauthorized access to its Crash Records Information System (CRIS). Suspicious activity was detected that same day, and a follow-up investigation was carried out, which revealed that the threat actors had used a compromised account to download a significant number of crash reports.

They acted quickly by disabling the account and cutting off access but the threat actors had already downloaded crash reports including full names, home addresses, driver’s license, plate numbers, insurance policy details, and in some cases, sensitive descriptions of the crashes or injuries involved. This kind of data can be exploited in targeted phishing campaigns, scams, or social engineering attempts.

The department has set up a support line and advised people to keep an eye and closely monitor their credit activity and consider placing a freeze if needed. TxDOT says the breach has been contained and that it’s working on strengthening its internal systems. No group has formally claimed their responsibility of the incident so far.

Kettering Health Confirms Interlock Ransomware in Recent Cyberattack

Kettering Health has confirmed that a May cyberattack on its network was carried out by the Interlock ransomware group. The Ohio-based healthcare provider manages 14 medical centers, over 120 outpatient sites, and employs more than 15,000 staff, including 1,800 physicians.

The attack forced teams to switch to manual processes after access to electronic systems, including computerized charting and call centers, was cut off. Elective procedures were canceled, but emergency services and clinics continued functioning. In a recent update, Kettering Health stated that its electronic health record system is back online, and efforts are underway to restore patient services like the MyChart app and call support. The organization emphasized that affected systems have been secured, intruder tools removed, and additional safeguards such as stricter access controls and network segmentation are now in place.

Interlock publicly claimed the breach and posted samples of what it says is 941 GB of stolen data (over 700,000 documents) ranging from patient records and payroll files to pharmacy logs and passport scans. Interlock, active since September, has a history of targeting healthcare providers using tactics like fake IT tools and custom malware.

Patients should monitor their personal information closely and watch for suspicious activity.

FIN6 Hackers Use Fake Job Applications to Compromise Recruiter Systems

Recruiters are now the ones being targeted by hackers posing as job seekers. FIN6, a group previously known for financial fraud and ransomware activity, is using fake resumes and phishing sites to trick HR professionals into downloading malware.

Instead of pretending to be recruiters, they now reach out to hiring managers on platforms like LinkedIn and Indeed, using fake job seeker profiles to build rapport. Once a connection is made, they follow up with emails that include a supposed portfolio or resume site. These emails are designed to bypass detection–there are no clickable links, just URLs the recipient must type manually.

The domains are hosted on AWS, which helps them appear legitimate and avoids raising red flags. Only specific users can access the real site. If someone connects through a VPN or non-Windows device, they’re shown harmless content. For others, the site displays a fake CAPTCHA and then offers a ZIP file claiming to contain a resume. Inside is a disguised LNK file that runs a script to install the More Eggs backdoor, a tool used for stealing credentials and dropping ransomware.

As of now, the campaign is ongoing. HR teams should avoid typing in suspicious URLs and confirm identities before downloading resume files.

Sensata Technologies Reports Data Theft in Ransomware Incident

Sensata Technologies also confirmed a ransomware attack that led to a data breach affecting both current and former employees.

They initially revealed there had been data theft, but the exact nature of the stolen information was unclear. However, they have now confirmed that ransomware actors had unauthorized access to its network from March 28 to April 6, 2025. During that window, attackers viewed and extracted internal files, which may have contained sensitive personal information. The compromised data varies by individual but includes full names, contact details, Social Security numbers, driver’s license and passport numbers, financial and payment card information, medical records, and even health insurance details.

Both employees and their dependents have been affected. In response, Sensata is offering one year of free credit monitoring and identity protection to those impacted. It hasn’t shared how many people are involved and has not responded to further queries. No group has claimed responsibility yet. Those affected are urged to stay alert for suspicious activity and fraud attempts.

United Natural Foods Targeted in Major Cyberattack

United Natural Foods (UNFI) was also hit by a cyberattack that disrupted operations and forced parts of its systems offline this week. The organization delivers to over 30,000 locations across the U.S. and Canada, including Whole Foods, and employs more than 28,000 people.

UNFI discovered unauthorized activity on its network and activated its incident response plan, taking many systems offline. This caused immediate order fulfillment issues, and disruptions are expected to continue for some time. UNFI confirmed the incident in an SEC 8-K filing and through a public press release, stating that the attack temporarily impacted business operations, but they’ve since implemented workarounds to keep deliveries going where possible.

Law enforcement was also notified, and external cybersecurity experts were involved in investigating the breach. So far, they have not revealed what kind of attack occurred or if any data was stolen, and no group has claimed responsibility either. The situation surfaced after employees began reporting shift cancellations and outages on social media.

For now, UNFI is focused on restoring systems safely. Customers and partners are advised to remain alert and follow any official communication from the distributor.