Data Breach Attack Hits 50 Global Companies Through Cloud Portals

A new wave of data breach attacks is exposing widespread weaknesses in cloud security. A threat actor using the names Zestix and Sentap is selling access to file-sharing portals belonging to over 50 global companies.

This campaign does not rely on complex malware. Instead, attackers use valid usernames and passwords stolen through infostealers. The stolen credentials were gathered from infected employee devices and exploited to access unsecured portals that lacked multi-factor authentication.

The scale of the breach is extensive. Companies in aviation, defense, finance and healthcare have all been affected. Sensitive files have already been exfiltrated and, in some cases, auctioned to the highest bidder.

What the Attackers Took

According to a report from Hudson Rock, the stolen data includes:

  • Aircraft safety manuals and maintenance plans
  • Military drone designs and fighter jet blueprints
  • Medical records linked to military police units
  • Critical infrastructure maps and utility blueprints
  • Legal case strategies and confidential client information

Among the most significant breaches:

  • Pickett & Associates lost 139 GB of infrastructure maps
  • Iberia Airlines lost 77 GB of safety documentation
  • Maida Health saw 2.3 TB of police-linked patient records taken
  • CRRC MA had transit signalling data exposed

This incident follows a previous attack on Iberia Airlines in November 2025, when the Everest ransomware group leaked 596 GB of internal and customer data.

A Preventable Data Breach Attack

The root cause of this data breach attack lies in two failures. First, infostealers like RedLine, Lumma and Vidar infected user devices and harvested saved browser credentials. Second, companies failed to enforce multi-factor authentication on their cloud systems.

In many cases, the compromised credentials had been circulating in malware logs for years. This shows how unmonitored endpoints can leave organisations vulnerable long after an infection has occurred.
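The two failures described above can be audited from data most organisations already hold: the portal's authentication log, the directory's MFA enrolment state, and a feed of credentials seen in infostealer logs. The script below is an added example, not code from this post, from SentryBay or from Hudson Rock. It flags successful single-factor logins, checks whether a leaked password for that account is still the current one, records how long the leak has been circulating, and notes when one source address authenticates as several accounts. The log line format, the account directory and the leak feed are all constructed for illustration, and unsalted SHA-256 stands in for whatever verifier the real directory uses.

```python
"""Audit portal logins for the pattern described in the post: valid password,
no second factor, credentials that leaked long ago and were never rotated.
All data in this file is constructed sample data, not real accounts or IPs."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed portal authentication events (assumed key=value format).
AUTH_LOG = """\
2026-03-02T08:14:10Z user=j.doe@example.com result=success mfa=false src=203.0.113.7
2026-03-02T08:15:42Z user=a.lee@example.com result=success mfa=true src=198.51.100.23
2026-03-02T09:01:05Z user=m.ito@example.com result=failure mfa=false src=203.0.113.7
2026-03-02T09:02:11Z user=m.ito@example.com result=success mfa=false src=203.0.113.7
"""


def _h(password: str) -> str:
    # Unsalted SHA-256 is a stand-in for the directory's real password verifier.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account directory: current password verifier and MFA enrolment.
DIRECTORY = {
    "j.doe@example.com": {"pw_hash": _h("Summer2021!"), "mfa_enrolled": False},
    "a.lee@example.com": {"pw_hash": _h("correct-horse-battery"), "mfa_enrolled": True},
    "m.ito@example.com": {"pw_hash": _h("RotatedIn2025"), "mfa_enrolled": False},
}

# Constructed infostealer-log feed: credential pairs and the date first observed.
LEAKED_CREDS = [
    {"user": "j.doe@example.com", "password": "Summer2021!", "first_seen": "2021-11-03"},
    {"user": "m.ito@example.com", "password": "Welcome1", "first_seen": "2024-06-19"},
]

# Reference time for the audit (constructed).
AUDIT_NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>true|false) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn the key=value log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["mfa"] = d["mfa"] == "true"
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(d)
    return events


def audit_logins(events: list[dict], directory: dict, leaked: list[dict], now: datetime) -> list[dict]:
    """Return one finding per successful login that used no second factor."""
    # Source addresses that tried to authenticate as more than one account.
    users_by_src: dict[str, set[str]] = {}
    for e in events:
        users_by_src.setdefault(e["src"], set()).add(e["user"])
    shared_srcs = {src for src, users in users_by_src.items() if len(users) > 1}

    findings = []
    for e in events:
        if e["result"] != "success" or e["mfa"]:
            continue
        acct = directory.get(e["user"], {})
        reasons = ["single_factor_login"]
        if not acct.get("mfa_enrolled", False):
            reasons.append("mfa_not_enrolled")  # policy gap, not a bypass

        # Does any leaked password for this user still match the current verifier?
        leak_age = None
        for cred in leaked:
            if cred["user"] == e["user"] and _h(cred["password"]) == acct.get("pw_hash"):
                first_seen = datetime.strptime(cred["first_seen"], "%Y-%m-%d").date()
                age = (now.date() - first_seen).days
                leak_age = age if leak_age is None else max(leak_age, age)
        if leak_age is not None:
            reasons.append("leaked_password_still_valid")
        if e["src"] in shared_srcs:
            reasons.append("source_shared_across_accounts")

        findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                         "reasons": reasons, "leak_age_days": leak_age})
    return findings


def run_audit() -> list[dict]:
    """Run the audit over the constructed sample data."""
    return audit_logins(parse_auth_log(AUTH_LOG), DIRECTORY, LEAKED_CREDS, AUDIT_NOW)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['ts'].isoformat()} {f['user']} from {f['src']}: "
              f"{', '.join(f['reasons'])}"
              + (f" (leak age {f['leak_age_days']} days)" if f['leak_age_days'] else ""))
```

On the sample data the audit reports two logins: one account whose password has been in a stealer log for over four years and still works, and one whose leaked password was rotated but which still signed in without a second factor from the same source address as the first. The second finding is the useful one for prioritisation: the credential rotation removed the leaked password, but the missing MFA enrolment means the next leak has the same effect.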

The Need for Endpoint-Level Protection

The breach shows how basic gaps in user behaviour and device security can lead to serious exposures. Attackers did not need to break through firewalls. They simply logged in.

While it is unknown whether AI-powered malware played a role in this breach, we know that threat actors increasingly use advanced tools to steal data. These include malware that can take screenshots, apply optical character recognition (OCR), and extract content into structured formats like JSON for rapid exfiltration.

SentryBay’s Armored Client solution prevents this kind of activity at the source

By blocking screen capture and OCR activity on the endpoint, SentryBay’s Armored Client solution ensures sensitive data never leaves the display in a readable format, protecting content before it is vulnerable to theft.

“We are seeing a sharp increase in threats that use stolen visual data,” commented Tim Royston-Webb, CEO of SentryBay. “Attackers know where the gaps are. Without defending the screen, your data is exposed every time it’s viewed.”

As the investigation into this data breach attack continues, organisations must act quickly. Credential hygiene, endpoint protection and MFA are no longer optional. They are the baseline.