It is time for our monthly roundup of both “classic” and unexpected cybersecurity incidents. November brought a vengeful ex-employee sabotaging his former employer’s IT infrastructure, yet another insider data theft at Intel, and a new case of phishing slipping past staff at a major Japanese media group.


What happened: A U.S. school district fell victim to a business email compromise and lost USD 254,000.
How it happened: Excelsior Springs School District was overseeing the construction of Cornerstone Elementary and ordered new AV systems from its long-time contractor, KCAV. After receiving a USD 254,000 invoice, the district processed the payment – but KCAV never received the money.
Police found that the funds had been redirected to an account belonging to Anne Strong and her company, DK Global Services. The attack started when a KCAV employee fell for phishing, giving the attacker access to internal correspondence. Strong then impersonated KCAV’s CFO and emailed the school district fake payment instructions, claiming that KCAV now accepted ACH transfers. The email even ended with a signature from Oprah Winfrey, but the accountant missed the red flags and transferred the funds.
Police spent three years tracking Strong down. The money was never recovered: most of it had been converted into cryptocurrency. KCAV and the district had to split the loss. A warrant has been issued for Strong’s arrest, but court hearings have already been postponed four times.

What happened: An engineer secretly connected cryptocurrency miners to his employer’s infrastructure – while the company was dealing with the aftermath of a cyberattack.
How it happened: A Nordex wind farm operator discovered that an engineer had installed mining equipment at two power stations and connected it directly to Nordex network routers. The miners ran undetected from August to November 2022.
The company had just suffered a cyberattack, and the court ruled that the engineer likely exploited weakened infrastructure on purpose, worsening the impact on Nordex.
He was convicted of electricity theft, system intrusion, and abuse of access privileges. He was sentenced to 120 hours of community service.

What happened: NetApp accuses its former CTO of stealing trade secrets for a competing firm.
How it happened: Jón Thorgrimur Stefánsson spent more than eight years at NetApp, serving simultaneously as CTO and Senior VP. He worked on cloud-data algorithms and cloud product integrations and had deep access to confidential information.
He resigned on June 27. One week later, he founded a startup called Red Stapler. A few months afterward, competitor VAST Data acquired Red Stapler and appointed Stefánsson General Manager of Cloud Solutions.
In November 2025, NetApp filed a lawsuit alleging that prior to leaving, Stefánsson solicited employees, stole trade secrets, and developed competing technology.
NetApp claims he violated agreements prohibiting competing activities, employee poaching for one year post-employment, and misuse of confidential information. Evidence allegedly includes early recruitment conversations, internal messages about soliciting staff, and a GitHub account (“redstapler-is”) active while he was still employed, suggesting development began long before the startup was founded.
After receiving cease-and-desist letters, Stefánsson relocated to Iceland. NetApp must now wait for legal proceedings to continue.

What happened: A fired Intel engineer stole confidential data before leaving the company.
How it happened: After nearly 10 years at Intel, engineer Jingfeng Luo was laid off in July 2024. A week before termination, he tried to copy files to an external device, but Intel’s protection tools blocked the attempt. Three days later he tried again and succeeded, transferring the data to his NAS.
Intel says he stole tens of thousands of files, including documents marked Intel Top Secret.
For three months, the company attempted to contact him – phone calls, emails, even letters – with no response. Intel filed a lawsuit seeking USD 250,000 in damages.
Intel has seen similar incidents before – in 2025, a former engineer received a suspended sentence and a USD 34,000 fine for stealing data later used to secure a job at Microsoft.

What happened: A disgruntled contractor retaliated after being dismissed – by wiping access for thousands of employees.
How it happened: Waste Management fired IT contractor Maxwell Schultz. Angry about his dismissal, he impersonated another contractor to obtain credentials and executed a PowerShell script resetting roughly 2,500 passwords nationwide. Thousands of employees were locked out of their workstations.
To cover his tracks, he deleted PowerShell event logs.
The attack cost the company USD 862,000 in downtime, service disruption, and recovery expenses. Schultz admitted guilt. He now faces up to 10 years in prison and a USD 250,000 fine.

What happened: Confidential data from the Japanese media group Nikkei leaked through a compromised Slack account.
How it happened: In September, malware infected an employee’s computer, allowing attackers to use his credentials to access corporate Slack. Hackers obtained names, emails, and chat history – affecting more than 17,000 employees and partners.
Nikkei reset passwords and terminated suspicious sessions. Editorial content was not affected, but business communications may have been exposed.
This is not Nikkei’s first incident:

What happened: A Princeton University employee's mistake led to unauthorized access to sensitive records.
How it happened: An employee fell for a phishing attack, giving cybercriminals access to a database containing personal information on alumni, donors, faculty, staff, students and even parents.
The database did not contain financial data or credentials, but the volume of personal information accessed was significant. Princeton blocked the attackers immediately after detecting suspicious activity.
Other Ivy League schools were also targeted recently: the University of Pennsylvania disclosed a data breach earlier in November where 1.71 GB of internal documents were stolen via compromised employee credentials.

What happened: A kindergarten employee spent more than USD 10,000 of organizational funds on personal shopping.
How it happened: Fuzzy Bear Ministry (Indiana) announced it was shutting down, sparking a financial audit that uncovered widespread misuse of funds.
Aurora Dawson, who managed finances for six years, used the budget to buy a computer desk, washing machine, mattress, patio loungers, cat food, incense sticks, and eclipse glasses, and even to pay her utility bills and car repairs.
Law enforcement confirmed the purchases and the investigation continues.
Security Tip of the Month: Insider incidents often start with subtle actions — unnoticed file copies or unusual access attempts. Risk Monitor flags these behaviors in real time, while FileAuditor classifies sensitive data and prevents improper access. Together, they give you the visibility needed to catch risks early and stop insider threats before real damage occurs.