TL;DR

This week saw three major cyber incidents with direct lessons for every business: a ransomware group leaked 630 GB of Apple and Tesla supplier data from Tata Electronics, a supply chain attack through competitive intelligence platform Klue compromised customer data at hundreds of companies including LastPass and Huntress, and two Scattered Spider members were convicted for a $38 million attack on Transport for London. The common thread: attackers are targeting suppliers, integrations, and identity — not your perimeter.

1. Tata Electronics: Ransomware Leaks Apple and Tesla Trade Secrets

On June 22, Indian electronics manufacturer Tata Electronics confirmed a cybersecurity incident after ransomware group World Leaks published over 200,000 files totalling more than 630 GB on the dark web. The stolen data includes proprietary and confidential documents belonging to both Apple and Tesla — two of Tata's largest manufacturing clients.

The leaked files contain employee passport copies (including foreign nationals), multi-year event logs, manufacturing and component design specifications, and engineering drawings. A 52-page Apple document detailing quality inspection standards for iPhone circuit board components was among the files, carrying the footer "This document contains proprietary and confidential information of Apple Inc." Tesla files included a folder labelled "NV36 Chargeport Controller – North America" referencing components for an upgraded Model Y, plus engineering drawings for Project Highland — Tesla's codename for the revamped Model 3 — marked "TRADE SECRET" and dated 2023.

How bad is it: Tata Electronics manufactures approximately one-third of Apple's iPhone production in India. A single compromise exposed the intellectual property of multiple Fortune 500 clients simultaneously. This is the second major Tata Group incident — its subsidiary Jaguar Land Rover suffered ransomware in 2025 that halted production for six weeks.

How it could have been prevented: Supplier-side data isolation is critical. Tata should have segmented client data so that a single intrusion could not traverse across Apple, Tesla, and other customer environments. Encryption of trade-secret documents at rest, strict access controls on engineering repositories, and continuous monitoring for mass data exfiltration would have limited the blast radius. The fact that 630 GB left the network undetected suggests insufficient data loss prevention controls.
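As an added example (not part of the original article and not any vendor's tooling), the kind of mass-exfiltration monitoring described above can be sketched as a per-host baseline check over daily egress summaries. The log format, host names, byte counts and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed daily egress summaries: date, source host, bytes sent off-network.
SAMPLE_LOG = """\
2026-06-01 eng-fileserver 2100000000
2026-06-02 eng-fileserver 1900000000
2026-06-03 eng-fileserver 2300000000
2026-06-04 eng-fileserver 2000000000
2026-06-05 eng-fileserver 2200000000
2026-06-06 eng-fileserver 96000000000
2026-06-01 hr-share 400000000
2026-06-02 hr-share 420000000
2026-06-03 hr-share 390000000
2026-06-04 hr-share 410000000
2026-06-05 hr-share 405000000
2026-06-06 hr-share 415000000
"""

MIN_HISTORY = 4     # days of history required before a host is judged
K = 6               # spreads above baseline that count as anomalous (assumed tuning)
MIN_SPREAD = 0.05   # floor on spread, as a fraction of the baseline (assumed tuning)


def flag_bulk_egress(log_text):
    """Return [(date, host, bytes, threshold)] for days far above a host's own baseline."""
    history = defaultdict(list)
    alerts = []
    # ISO dates sort lexically, so sorting the lines orders each host's days.
    for line in sorted(log_text.splitlines()):
        if not line.strip():
            continue
        day, host, raw = line.split()
        sent = int(raw)
        past = history[host]
        if len(past) >= MIN_HISTORY:
            base = median(past)
            # Median absolute deviation: a spread measure that one spike cannot skew.
            mad = median(abs(x - base) for x in past)
            threshold = base + K * max(mad, MIN_SPREAD * base)
            if sent > threshold:
                alerts.append((day, host, sent, threshold))
                continue  # keep the spike out of the host's baseline
        past.append(sent)
    return alerts


if __name__ == "__main__":
    for day, host, sent, threshold in flag_bulk_egress(SAMPLE_LOG):
        print(f"{day} {host}: {sent / 1e9:.1f} GB out, threshold {threshold / 1e9:.2f} GB")
```

Comparing each host against its own history matters here: a file server that normally sends 2 GB a day and a share that sends 400 MB need different alert levels.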

What your business should do: Map every third-party supplier that holds your intellectual property or customer data. Ask them: What segmentation exists between your data and other clients? What DLP controls monitor for exfiltration? If they cannot answer, you have a supply chain risk you do not control.

2. Klue Supply Chain Attack: When Your CRM Integration Becomes the Attack Vector

On June 23, competitive intelligence platform Klue disclosed a supply chain attack that compromised Salesforce customer data belonging to hundreds of organisations. The threat actor exploited a compromised Klue Battlecards app to access OAuth tokens used for third-party integrations, including Salesforce connections. From there, they exfiltrated CRM data — customer names, email addresses, phone numbers, physical addresses, support case data, and sales information — from every company that had Klue connected to their Salesforce instance.

The victims list reads like a cybersecurity industry directory: LastPass, Huntress, Recorded Future, Tanium, and others all confirmed customer data exposure. The threat group "Icarus" claimed responsibility and has begun directly contacting affected companies, threatening to publish their data unless ransoms are paid.

How bad is it: LastPass alone was fined £1.2 million by the UK Information Commissioner's Office in 2025 over its 2022 breach, which ultimately cost Ripple co-founder Chris Larsen $150 million in stolen cryptocurrency when attackers exploited vault data. This new Klue-related exposure adds another layer of customer data leakage for a company already under regulatory scrutiny.

How it could have been prevented: OAuth token scope was the root cause. The Klue app had OAuth tokens with broad read access to Salesforce objects — access far wider than what the app needed to function. Principle of least privilege on API tokens, regular token rotation, and monitoring of integration data access patterns would have either prevented the exfiltration or detected it far earlier. Salesforce has since disabled the Klue Battlecards app connection entirely.

What your business should do: Audit every OAuth-connected third-party app in your SaaS stack this week. In Salesforce, Microsoft 365, Google Workspace, and your CRM — review which apps have access, what data scopes they hold, and revoke any that are unnecessary or over-privileged. Set a calendar reminder to repeat this audit quarterly.
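As an added example (not part of the original article and not any platform's own tooling), the audit described above can be run as a script over an exported inventory of connected apps. The CSV columns, app names, the list of scopes treated as broad, and the age thresholds are all assumptions constructed for illustration; map them to whatever your platform's export actually contains.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """app,scopes,last_used,token_issued,owner
Sales Intel Sync,full refresh_token,2026-06-20,2024-01-15,sales-ops
Calendar Helper,openid email,2026-06-22,2026-05-01,it
Old Survey Tool,api refresh_token,2025-09-02,2023-11-30,
Invoice Export,read_invoices,2026-06-18,2026-04-10,finance
"""

AUDIT_DATE = date(2026, 6, 26)  # constructed "today" so the sample is reproducible

# Scopes treated as broad for this audit (assumed policy; adjust per platform).
BROAD_SCOPES = {"full", "api", "admin", "read_all", "write_all"}
MAX_IDLE_DAYS = 90        # unused longer than this: candidate for removal
MAX_TOKEN_AGE_DAYS = 180  # older than this: rotation overdue


def audit_apps(export_text, today):
    """Return {app: [findings]} for every app with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        scopes = set(row["scopes"].split())
        broad = sorted(scopes & BROAD_SCOPES)
        if broad:
            issues.append("broad scope: " + ",".join(broad))
            # A refresh token keeps broad access alive without a fresh user login.
            if "refresh_token" in scopes:
                issues.append("long-lived access to broad scope")
        idle = (today - date.fromisoformat(row["last_used"])).days
        if idle > MAX_IDLE_DAYS:
            issues.append(f"unused for {idle} days")
        age = (today - date.fromisoformat(row["token_issued"])).days
        if age > MAX_TOKEN_AGE_DAYS:
            issues.append(f"token age {age} days")
        if not row["owner"].strip():
            issues.append("no owner")
        if issues:
            findings[row["app"]] = issues
    return findings


if __name__ == "__main__":
    for app, issues in audit_apps(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(f"{app}: " + "; ".join(issues))
```

Apps with no findings are omitted from the result, so the output is the revoke-or-justify list for the quarterly review.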

3. Scattered Spider Conviction: $38 Million TfL Attack Yields Guilty Verdict

On June 24, two members of the Scattered Spider hacking group were convicted for their roles in the Transport for London (TfL) attack, which caused approximately $38 million in damages. Scattered Spider, known for sophisticated social engineering and SIM-swapping attacks, has targeted major organisations including MGM Resorts, Caesars Entertainment, and Okta in recent years.

How bad is it: The TfL attack disrupted one of the world's largest public transport networks, compromised staff data, and required months of remediation. The $38 million figure covers direct response costs, system rebuilds, and operational disruption — a number that would bankrupt most small to medium businesses many times over.

How it could have been prevented: Scattered Spider's primary attack vector is social engineering — tricking help desk staff into resetting credentials or MFA tokens. The single most effective control against this attack pattern is mandatory callback verification for any password or MFA reset, combined with rigorous help desk training on social engineering indicators. Organisations that verify identity through a secondary channel before processing credential changes stop this attack cold.

What your business should do: Review your password reset and MFA enrolment procedures. If your IT help desk can process a credential reset based on a phone call or email alone — without callback verification — you are vulnerable to the same technique that cost TfL $38 million.

Weekend Action Items

Before Monday morning, take these three steps:

  1. Audit OAuth integrations — Pull the connected apps list from your critical SaaS platforms. Remove anything you do not recognise or no longer use. This takes 15 minutes and addresses the Klue attack pattern directly.
  2. Map your top five suppliers' security posture — Send a brief security questionnaire to your highest-risk vendors. Ask about segmentation, encryption, breach history, and incident response timelines.
  3. Tighten help desk verification — Add a mandatory callback step to your password and MFA reset procedures. Document it. Train staff on why it matters.

FAQ

Q: My business is too small to be targeted by ransomware groups. Should I still worry?
A: Yes. Attackers like World Leaks and Scattered Spider target suppliers precisely because smaller organisations often have weaker controls but hold data belonging to larger clients. If you are in any enterprise's supply chain, you are a target.

Q: We use Salesforce. Was our data affected by the Klue breach?
A: Only if your organisation had the Klue Battlecards app connected to your Salesforce instance. Check your Salesforce Setup under Connected Apps OAuth Usage. If Klue appears and you have not already been contacted, review your login history and data export logs for the period since June 11, 2026.

Q: What is the single most cost-effective security control for a small business?
A: Multi-factor authentication on all external-facing accounts, combined with mandatory callback verification for credential resets. These two controls would have prevented or mitigated all three incidents covered this week.

Q: Should we be concerned about AI-enabled attacks?
A: A Five Eyes joint statement this week warned that AI models capable of devastating automated attacks on governments and businesses are "months away." The immediate threat is AI-enhanced social engineering — phishing emails, deepfake voice calls, and synthetic identity attacks are already increasing. Staff awareness training is your first line of defence.

Conclusion

The pattern this week is unmistakable: attackers are not breaking down your front door. They are walking through your suppliers (Tata Electronics), your software integrations (Klue), and your help desk (Scattered Spider). The organisations that survive these attacks are the ones that assume breach and focus on limiting blast radius — segmenting data, minimising OAuth scopes, and verifying identity at every trust boundary.

Start with the three weekend action items above. They cost nothing but time and address the exact vulnerabilities exploited this week. If you need help assessing where your business stands, we can help.

Visit consult.lil.business for a free cybersecurity assessment.



TL;DR

  • A software company called TriZetto was hacked — and the hackers stayed hidden inside their systems for 10 months [1]
  • 3.4 million people's Social Security numbers and health insurance records were stolen without anyone knowing [2]
  • Your business uses vendors that hold your customers' data too — and when those vendors get hacked, it becomes your problem
  • Three things you can check this week to know whether your vendors are protecting the data you've trusted them with

Imagine Someone Copying Your Spare Key

You gave a spare key to a software contractor years ago. They help run your systems, they do a good job, and you never really think about them.

Then one day you find out: someone broke into the contractor's office, found your spare key, and has been quietly letting themselves into your business every night for 10 months. They weren't stealing cash — they were photographing files. Customer records. Employee details. Insurance information.

You had no idea. The contractor had no idea. And every night, a little more of your data walked out the door.

That is essentially what happened to TriZetto Provider Solutions — a company that processes health insurance paperwork for thousands of doctors and clinics across the United States. Hackers broke in during November 2024. Nobody noticed until October 2025. By then, 3.4 million people's records had been exposed [1].

What Makes This Different From a Typical Hack?

Most people picture a cyberattack like a smash-and-grab robbery. Someone breaks in, grabs what they can, and runs before the alarm sounds.

This was more like a quiet, long-term spy operation. The hackers found a side door, made absolutely sure nobody could see them, and spent almost a year reading everything they could access.

The stolen information included names, home addresses, Social Security numbers, Medicare ID numbers, and health insurance details [2]. This is not the kind of data you can just replace, like cancelling a credit card. Social Security numbers, health records, and Medicare IDs can be used for identity theft for years — sometimes decades — after they are stolen.

The Part That Directly Affects Your Business

TriZetto is not a small startup. It is owned by Cognizant, one of the largest IT companies in the world [1]. And even they took 10 months to notice someone was inside their systems. According to IBM's 2024 Cost of a Data Breach Report, the average time to detect a breach in the healthcare sector is even longer than the global average — and the average healthcare breach costs $9.77 million [5].

Here is what this means for your business: you almost certainly have vendors who hold your customers' data too.

Think about your payroll software. Your customer database. Your email marketing tool. Your cloud file storage. Your accounting platform. Every single one of these holds personal information about real people — your customers, your employees, your business partners. According to Verizon's 2025 Data Breach Investigations Report, 15% of all confirmed data breaches now involve a third-party vendor [6].

If any of those vendors get hacked, your customers' information is at risk. And under Australian privacy law, you have legal responsibilities even when the breach happens at a vendor's end, not your own [3].

Three Things You Can Check This Week

You do not need to become a cybersecurity expert to protect your business here. These three checks are practical, free, and take less than an afternoon.

1. List every vendor that holds your data. Start with payroll, customer databases, accounting software, and email tools. Write them down. Most business owners are surprised — once you count carefully, the average is 20 to 50 vendors.

2. Ask each vendor: "Do you have a SOC 2 or ISO 27001 certification?" These are independent security audits conducted by external experts. A vendor with this certification has had their security independently verified. A vendor without it has not. If they handle sensitive data for your business, the answer to this question matters [4].

3. Check your contracts for breach notification clauses. How quickly does your vendor have to tell you if they get hacked? TriZetto waited 14 months to notify some customers [1]. Make sure your contracts do not allow that kind of delay.


FAQ

TriZetto is a US healthcare IT company that processes insurance eligibility data for doctors and clinics. The reason it matters is the pattern it represents: a software vendor was trusted with millions of sensitive records, failed to detect a breach for nearly a year, and notified affected parties more than 14 months after the intrusion began. The same risk exists with any vendor that processes data for your business [1].

If your data was affected, TriZetto and their notification partner Kroll will send a physical letter explaining what happened and offering 12 months of free credit monitoring and identity protection services. Accept the offer — it is genuinely useful [2].

SOC 2 stands for System and Organisation Controls 2. It is an independent audit that verifies a company's security actually works in practice — not just on paper. A SOC 2 Type II certification means the audit covered a full year of real operations, not a one-day snapshot. When a vendor tells you they are SOC 2 Type II certified, it means a qualified external auditor has confirmed their security controls operate consistently [4].


References

[1] B. Toulas, "Cognizant TriZetto breach exposes health data of 3.4 million patients," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/

[2] Maine Attorney General, "TriZetto Provider Solutions Data Breach Notification Filing," Maine AG Office, Feb. 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e2c4cc45-dc81-498d-89f0-28c887808b41.html

[3] Office of the Australian Information Commissioner, "Australian Privacy Principle 11 — Security of Personal Information," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information

[4] AICPA, "SOC 2 — SOC for Service Organizations: Trust Services Criteria," AICPA, 2024. [Online]. Available: https://www.aicpa-cima.com/resources/download/soc-2-trust-services-criteria-including-the-2022-points-of-focus

[5] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[7] COE Security, "Healthcare Supply Chain Under Cyber Siege," COE Security, Mar. 2026. [Online]. Available: https://coesecurity.com/healthcare-supply-chain-under-cyber-siege/

[8] CISA, "Guidance for Addressing Cybersecurity Risk in Third-Party Relationships," CISA, Nov. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-addressing-cybersecurity-risks-third-party-relationships


Not sure which of your vendors are handling your data responsibly? Most SMBs have 3 to 5 high-risk vendors they have never audited. lil.business can help you identify them and fix the gaps — without needing a full-time security team. Book a free call to find out what your vendor risk actually looks like.
