TRACE Cyber Intelligence Pulse - 28 November 2025
Cyber threats do not wait for you to catch up. Stay ahead with CyXcel’s weekly threat intelligence foresight, grounded in real-world incident response and powered by our fusion of legal, technical and strategic expertise.
Edited by: Samuel Kudláč, Senior Analyst, and Danny Howett, Technical Director – Digital Forensics and Incident Response.
In Focus
Emergency Alert Systems Disrupted Across the US Following OnSolve CodeRED Breach
This week, Crisis24 confirmed that an organized cybercriminal group compromised its legacy OnSolve CodeRED emergency notification platform, exfiltrated personally identifiable information (PII) and damaged the environment. This prompted the decommissioning of the platform and the migration of all customers to the new CodeRED system.
The incident has been claimed by the INC Ransom group, which posted screenshots of customer data, including names, addresses, phone numbers and passwords, as proof of compromise on its dark web data leak site. US municipal authorities and law enforcement agencies in several states, including Colorado, Minnesota and Pennsylvania, are warning residents to change any passwords reused elsewhere and to monitor for identity theft.
Key Takeaways
The incident affected a mass-notification platform widely used by states, counties, cities and other alerting authorities to issue emergency and public safety messages. The platform typically holds only basic contact data, but at a significant scale across the United States.
Crisis24 claims to have contained the breach to the legacy environment and is operating the replacement platform in a separate environment. However, some services, including IPAWS integration, automated weather alerts and certain contact datasets, have been degraded, with the most recent available backups dating to 31 March 2025.
The breach and degradation of a nationwide emergency alert platform during the peak Thanksgiving travel window heightens risks to public safety, as it occurs at the moment when the need for emergency communications is highest. With a record number of people travelling this Thanksgiving, authorities need the ability to push rapid warnings for severe weather, transport disruption or other active threats. Any loss of automated alerts, degraded contact data or delayed messaging increases the probability of crisis mismanagement at scale.
At the same time, the theft of contact details and passwords from an official messaging platform gives threat actors the means to spoof alerts or phish citizens during one of the most congested travel periods of the year.
Individuals should independently verify any emergency alert email or message by cross-checking the incident through trusted official channels and confirming the sender’s contact details. We recommend that individuals exercise heightened caution with embedded links, preferably accessing government or emergency websites and phone numbers directly rather than via the message itself. It is important to note that legitimate government alerts will not request personal or financial information or direct recipients to click a link to resolve an issue.
Around the Globe
EU: Sweden Increases Cyber Protections Ahead of Elections
Sweden’s government has directed its National Cyber Security Center to strengthen defenses, conduct threat assessments and run crisis simulations ahead of its general elections, which will be held in September 2026. Sweden cited the worsening cyber threat landscape and growing disinformation and sabotage activity against election infrastructure in Europe as the reasons behind this move, aligning with CyXcel’s past reporting.
UK: London Councils Disrupted by Cyber Incidents
The Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC) and the London Borough of Hammersmith and Fulham (LBHF) are experiencing service and phone outages following an alleged cyber incident at a third-party service provider. No data has been leaked online at this time.
Local governments are increasingly targeted by cybercriminals because of their limited funding and frequent reliance on outdated systems. Their low cybersecurity maturity, combined with access to highly sensitive data, makes them attractive targets for data theft and extortion, often exposing affected residents to fraud or identity theft.
US: Bank Customer Data Breached in Third-Party Incident
A breach of financial services vendor SitusAMC, which provides mortgage origination technology for real estate lenders, compromised sensitive residential mortgage and loan data belonging to multiple US banks, including JPMorgan Chase, Citi and Morgan Stanley. The incident exposed personally identifiable information (PII) of the banks’ customers and likely also included internal banking data. Stringent regulatory requirements and persistent targeting of the financial services sector make third-party cyber risk management essential for businesses to maintain compliance and mitigate their supply chain exposure.
US: Harvard Investigates Second Breach in Two Months
Harvard University reported a data breach affecting data belonging to its alumni, donors, students and faculty, including personal contact details and donation information. The attackers gained access via phone-based phishing, which enabled unauthorized access to fundraising and alumni engagement databases.
Phone-based phishing is highly likely to remain a popular initial access vector for cybercriminals targeting the education sector. The risk is further heightened during the pre-holiday and exam periods as stress, time pressure and decision fatigue make students and staff more likely to trust urgent-sounding lures without properly verifying them.
We Can Help
Expand your threat intelligence monitoring capabilities beyond the dark web with support from CyXcel’s TRACE team. Contact our experts today to find out more.