We’re sharing a roundup of notable cybersecurity incidents reported last month. Throughout February, industry communities discussed penalties for data breaches, a large-scale crypto theft, poorly secured cloud environments, benefits fraud, and what could be described as a new golden age of phishing.


What happened: A management oversight at South Korean marketplace Coupang led to the exposure of data belonging to 33.7 million customers.
How it happened: In December 2025, it became known that Coupang had suffered a cybersecurity incident affecting data belonging to nearly two-thirds of the country’s population. The attacker exploited vulnerabilities in user authentication mechanisms to gain access to accounts. As a result of the breach, the intruder obtained customers’ names, email addresses, home addresses, and phone numbers. According to the marketplace’s representatives, bank card numbers, payment account details, and user credentials used for order payments were not affected.
It later emerged that the incident had been unfolding since June, while South Korean authorities only received a report from Coupang in November.
Due to the massive scale of the breach, the issue attracted attention at the highest government level. South Korea’s President expressed outrage that Coupang specialists had failed to detect the breach for five months. The country’s Prime Minister stated that the government would conduct an investigation and take strict action against the company if violations of the law were identified.
Following these developments, CEO Park Dae-Jung took personal responsibility for the large-scale data breach and resigned.
The investigation revealed that the breach resulted from managerial mistakes by Coupang employees. A former company engineer had been aware of weaknesses in the authentication process and ultimately exploited them to compromise the system. This employee had originally developed and implemented parts of the authentication system, but after his dismissal Coupang failed to revoke his signing key. As a result, for nearly a year after leaving the company, the former engineer continued generating forged tokens to access Coupang’s systems.
Police also suspect the company of deleting certain data and attempting to “limit” the investigation. Coupang did not adjust its automatic access log retention policy, which resulted in the deletion of website access records covering approximately five months.
The investigation is still ongoing. However, Coupang has already faced a tax audit and a lawsuit filed by the country’s parliament against its founder and former executives for failing to appear at parliamentary hearings in 2025.
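
The gap described above, a verifier that keeps trusting a departed engineer's signing key, is closed by checking key status every time a token is verified. The sketch below is an added example and not Coupang's code; the token format, key ids and the `offboard` hook are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed key registry: key id -> secret and status. In this sketch the
# offboarding process flips a departed engineer's key to revoked.
KEYS = {
    "svc-2025": {"secret": b"constructed-service-secret", "revoked": False},
    "eng-alice": {"secret": b"constructed-engineer-secret", "revoked": False},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(kid: str, payload: str) -> bytes:
    msg = f"{kid}.{payload}".encode()
    return hmac.new(KEYS[kid]["secret"], msg, hashlib.sha256).digest()

def sign(claims: dict, kid: str) -> str:
    """Issue a toy token 'kid.payload.mac' using HMAC-SHA256."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{kid}.{payload}.{_b64(_mac(kid, payload))}"

def verify(token: str, now: int) -> dict:
    """Return the claims, or raise ValueError naming the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    kid, payload, mac = parts
    if kid not in KEYS:
        raise ValueError("unknown key")
    if not hmac.compare_digest(_mac(kid, payload), _unb64(mac)):
        raise ValueError("bad signature")
    # From here on the signature is cryptographically valid. Only the key
    # status check stops a token minted with a former employee's key.
    if KEYS[kid]["revoked"]:
        raise ValueError("revoked key")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def offboard(kid: str) -> None:
    """Hypothetical offboarding hook: the key stops verifying immediately."""
    KEYS[kid]["revoked"] = True
```

Without the status check, expiry alone does not help: whoever still holds the secret can mint fresh tokens with any `exp` value they like.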

What happened: Hackers stole $40 million from the DeFi platform Step Finance after compromising an executive’s device.
How it happened: In January, Step Finance specialists detected suspicious transactions and confirmed a data breach within hours. The incident affected both the platform’s finances and user funds, forcing Step Finance to suspend some operations.
Platform representatives stated that one of its senior executives became the victim of a sophisticated social engineering attack. As a result, attackers gained access to the executive’s personal device and stole crypto assets.
Within six hours of detecting the incident, Step Finance contacted law enforcement and engaged external cybersecurity experts to assist with the investigation. Additional details emerged in February.
The investigation showed that before launching the attack, the perpetrators carefully studied publicly available information about the platform’s employees. They then launched targeted phishing campaigns disguised as legitimate work correspondence. One of the executives failed to recognize the phishing attempt, and the attackers subsequently compromised the device.
The device contained critical authentication data that enabled the attackers to bypass multiple layers of the platform’s security and obtain the crypto assets.
Part of the stolen funds – approximately $4.7 million – has since been recovered.

What happened: Fintech company Betterment experienced a breach affecting 1.4 million accounts.
How it happened: Betterment manages $65 billion in assets belonging to one million clients. On January 9, attackers compromised a platform that Betterment uses for marketing purposes.
Social engineering was used at every stage of the attack: first to gain access to the platform, and later to target the company’s customers. The attackers distributed phishing emails disguised as Betterment promotional campaigns promising to triple investment returns. The emails were sent from a legitimate company subdomain.
On January 10, Betterment confirmed the incident and warned clients about the fraud. In its statement, the company said the attackers’ access to the internal platform had been blocked and that the technical infrastructure remained unaffected. Moreover, the fintech company stated that, together with experts from CrowdStrike, it had already conducted an investigation and confirmed that no client accounts had been compromised.
However, in February it became clear that the attacker had indeed gained access to customer information stored in the compromised system. Specialists from Have I Been Pwned – a data breach notification service – analyzed the stolen dataset and stated that the incident could have exposed 1,435,174 accounts. The exposed data included email addresses, names, location information, dates of birth, physical addresses, phone numbers, device information, employer locations, and job titles.
Betterment has launched a follow-up investigation and promises to publish a detailed report.

What happened: Organizers of a December financial forum in Abu Dhabi accidentally exposed participants’ personal data – including passports belonging to billionaires, heads of crypto exchanges, and a former UK prime minister.
How it happened: The exposure was discovered by researcher Roni Sukhowski. It turned out that an unsecured cloud storage instance associated with the Abu Dhabi Finance Week (ADFW) investment conference contained scans of more than 700 passports and government identification documents.
The documents accessible to any user also included those of an American investor and a former White House communications director.
ADFW confirmed the existence of vulnerabilities in the data storage system managed by a third-party contractor. Conference representatives claim that the only person who accessed the data was the researcher who discovered the issue.
However, according to Roni Sukhowski, the data could be accessed by any user with a web browser. ADFW secured the server only on February 16 after the researcher reported the incident.

What happened: Louis Vuitton, Dior, and Tiffany will pay $25 million for data breaches.
How it happened: In 2025, all three brands belonging to the Louis Vuitton Moët Hennessy (LVMH) group suffered data breaches affecting more than 5.5 million customers. Hackers gained access to a cloud-based customer management service, exposing customers’ names, phone numbers, email addresses, mailing addresses, and purchase histories.
The South Korean Personal Information Protection Commission (PIPC) published a report on the incident.
In the case of Louis Vuitton, the breach occurred after an employee’s device was infected with malware, leading to the compromise of one of the company’s services and the exposure of data belonging to 3.6 million customers.
PIPC representatives concluded that Louis Vuitton had failed to properly protect personal data and therefore became a victim of hackers. The regulator imposed a $16.4 million fine and required the company to publicly disclose the penalty on its website.
At Dior, the breach resulted from a phishing attack targeting a customer support employee who was persuaded to grant attackers access to a SaaS system. As a result, data belonging to 1.95 million customers was exposed. Although the company had been using the SaaS platform since 2020, it had not implemented allowlists, did not impose restrictions on bulk data downloads, and failed to review access logs – delaying the breach investigation by more than three months.
The compromise of Tiffany’s system occurred in a similar manner: attackers used voice phishing to convince a support employee to grant access to the SaaS system. Data belonging to 4,600 customers was placed at risk.
This incident clearly demonstrates how social engineering works and how the human factor helps attackers succeed. That is why it is essential to continuously improve employees’ cybersecurity awareness.
The regulator concluded that the companies’ failure to implement adequate security measures resulted in unauthorized access and the exposure of data belonging to more than 5.5 million customers. As a result, Louis Vuitton, Christian Dior Couture, and Tiffany must collectively pay a $25 million fine.
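
The three controls the regulator found missing at Dior (allowlists, limits on bulk downloads, and access log review) can be combined in one routine log check. The script below is an added example, not code from any of the companies; the log format, the allowlisted network and the daily cap are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values for this sketch, not figures from the PIPC report.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate egress
MAX_RECORDS_PER_USER_PER_DAY = 5000

# Constructed audit lines: timestamp, user, source IP, action, record count.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z support01 203.0.113.10 export 120
2025-01-14T09:40:03Z support02 203.0.113.27 export 300
2025-01-14T13:15:42Z support01 198.51.100.7 login 0
2025-01-14T13:17:05Z support01 198.51.100.7 export 4000
2025-01-14T13:19:51Z support01 198.51.100.7 export 4000
2025-01-15T10:00:00Z support02 203.0.113.27 export 450
"""

def ip_allowed(ip: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def review(log_text: str) -> list:
    """Return (timestamp, user, finding) for each policy violation."""
    findings = []
    exported = defaultdict(int)  # (user, day) -> records exported so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, count = line.split()
        if not ip_allowed(ip):
            findings.append((ts, user, f"{action} from non-allowlisted IP {ip}"))
        if action == "export":
            key = (user, ts[:10])
            before = exported[key]
            exported[key] += int(count)
            # Flag once, on the event that crosses the daily cap.
            if before <= MAX_RECORDS_PER_USER_PER_DAY < exported[key]:
                findings.append(
                    (ts, user, f"bulk export: {exported[key]} records in one day"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```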

What happened: Hackers compromised Odido, the largest mobile operator in the Netherlands, through a phishing attack.
How it happened: Employees in Odido’s support department received fraudulent emails. The phishing attempt went unrecognized, allowing attackers to obtain employees’ account passwords.
The attackers then called the victims, posing as Odido IT specialists, and convinced them to approve a fraudulent login attempt. Using the employees’ credentials, the hackers gained access to the Salesforce system where customer data was stored.
Cybersecurity specialists believe the attackers likely did not manage to download the entire database. Odido is currently conducting an internal investigation.
So far, the operator has not disclosed how much data may have been affected by the incident. However, it has already notified approximately 6.2 million former and current customers that their data may have been exposed.
The company has also reported the incident to the Dutch Data Protection Authority.

What happened: A former Bolton City Council employee diverted nearly £900,000 in municipal benefits payments.
How it happened: Richard Shaw worked in accounting within the financial safeguarding department of Bolton City Council. In 2023, he was first suspended following several violations and later dismissed on suspicion of fraud.
A lengthy investigation revealed that between 2015 and 2023 Shaw transferred £893,296 from benefits recipients’ accounts to himself. He also moved funds between citizens’ accounts in an attempt to conceal the fraudulent activity.
Investigators found that the former employee spent £100,000 on a holiday home and nearly £18,000 on garden landscaping. During a search of Shaw’s residence, authorities seized two BMW vehicles and other valuable assets.
Initially Shaw denied involvement in fraud committed through abuse of his official position. However, in December 2025 he ultimately admitted guilt. In February of this year, the former employee was sentenced to four years and eight months in prison.
Security Tip of the Month: The Bolton council fraud case shows how insiders can misuse legitimate access to manipulate financial records and hide suspicious transactions. SearchInform Risk Monitor helps detect abnormal employee behavior and policy violations, while FileAuditor (DCAP) provides visibility into who accesses and modifies critical files, enabling organizations to spot insider fraud before losses escalate.