Also, Disney Pays $10M to Settle Child Privacy Case, Spain Scraps Huawei Deal

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, teenage hackers claimed responsibility for the Jaguar Land Rover hack, Disney will pay $10 million to settle a U.S. child privacy case, PowerSchool was sued in Texas and federal prosecutors sued a toy robotics maker. Spain scrapped a Huawei contract, and the Pennsylvania attorney general confirmed a ransomware attack. U.S. immigration enforcement resumed a contract with a commercial spyware maker, and the city of Baltimore lost $1.5 million to business email compromise.
Adolescent Hackers Behind M&S Attacks Claim Jaguar Land Rover Hack
The band of adolescent hackers behind a string of cyberattacks on major British retailers appears to be responsible for a breach against Jaguar Land Rover.
Known as Scattered Lapsus$ Hunters – an amalgamation of their various handles – the group posted data putatively tied to the luxury carmaker on Telegram before deleting it. The incident followed Jaguar Land Rover’s confirmation earlier this week that an attack had “severely disrupted” its operations (see: Cyberattack Disrupts Jaguar Land Rover Assembly Line).
The company was forced to shut down affected networks, disrupting bookings and vehicle registrations. The Telegraph reported the attack left the automaker unable to sell Range Rover models. ITV reported that Jaguar Land Rover suspended production in assembly lines across the globe, including in the United Kingdom, Slovakia, China, India and Brazil.
The BBC reported contacting a self-described Scattered Lapsus$ Hunters spokesperson who explained how the gang allegedly broke into the car maker’s network.
Scattered Spider has previously been linked to attacks on Marks & Spencer, Co-op, and Harrods in the U.K. (see: Retail Sector in Scattered Spider Crosshairs).
Western law enforcement agencies have attempted to crack down on the group. Hacker Noah Urban, a leading Scattered Spider member, was sentenced last month to 10 years in a U.S. federal prison for stealing cryptocurrency from 59 victims. In Great Britain, the National Crime Agency arrested multiple suspects in June, including a 19-year-old Latvian man, two teenage boys and a 20-year-old woman (see: British Police Bust Four Scattered Spider Suspects in England).
Disney to Pay $10M for Violating Children’s Privacy Rules
The Walt Disney Company agreed to pay a $10 million fine to settle allegations by the Federal Trade Commission that it improperly collected personal data from children viewing its YouTube content.
Federal investigators say Disney failed to correctly designate certain YouTube videos containing child-directed content, using default channel-level settings labeled as “Not Made for Kids.” This misclassification allowed features like autoplay, comments and personalized advertising to remain active, enabling unauthorized data collection from viewers under the age of 13.
Disney had been warned as early as mid-2020 when YouTube corrected over 300 of its videos to “Made for Kids.” Despite the notification, Disney continued to rely on blanket channel labels, neglecting to individually tag videos appropriately, the FTC said.
Under the proposed settlement, Disney will pay the civil penalty and must implement a comprehensive video-review program to ensure proper labeling of future uploads as “Made for Kids.” The compliance mandate lasts for 10 years, though it may be lifted if YouTube introduces an effective age-assurance system that automatically determines viewers’ ages or video target categories. The settlement is subject to another round of approval following a 30-day public comment period, a step that’s almost always a formality.
PowerSchool Sued Over Data Breach
Texas Attorney General Ken Paxton filed a lawsuit against education technology provider PowerSchool after a data breach compromised the personal information of more than 880,000 students and teachers across the state.
PowerSchool is a California-based company that provides cloud-based software to K-12 schools and collects and manages sensitive enrollment and employee data. According to Paxton, the breach occurred in December 2024, when a hacker exploited a subcontractor’s account to gain administrative access and exfiltrated large volumes of unencrypted data to a foreign server.
The stolen data reportedly includes names, addresses, Social Security numbers, medical and disability records, special education information, and student bus stop details. Paxton alleged that PowerSchool misled customers about its data security practices and failed to take adequate measures to protect the information entrusted by Texas families and school districts.
US DOJ Sues Toy Robotics Maker Apitor for Letting Chinese Firm Track Kids’ Locations
The U.S. Department of Justice sued toy maker Apitor Technology, alleging it violated the federal children’s privacy statute by enabling a Chinese third party to collect children’s precise geolocation data without parental notice or consent.
According to prosecutors’ complaint, Apitor’s Android app – required to control its robot toys for kids aged 6 to 14 – collects location data once users enable permissions. The app also embeds JPush, a software development kit from the Chinese company Jiguang, which allegedly gathered the location data of thousands of children since at least 2022, potentially for targeted advertising.
“After Android users enable location permissions for the Apitor app, it begins collecting precise geolocation data in the background and transmitting it to JPush servers,” the complaint said. “At no point does Apitor disclose this collection or obtain verifiable parental consent.”
Under a proposed settlement, Apitor must delete all previously collected personal data, obtain parental consent before collecting future information and ensure third-party partners comply with U.S. child privacy law.
Spain Scraps Huawei Deal
Spain’s government abruptly cancelled a 10 million euro contract awarded to Telefónica for an upgrade of RedIRIS, the national academic and research network serving universities, research institutes and parts of the Ministry of Defense. Telefónica proposed using equipment manufactured by Chinese firm Huawei to expand the fiber optic network across 16,000 kilometers for use in digital services, supercomputing projects and by the military.
A spokesperson for the Ministry of Digital Transformation told El País the cancelation was due to “reasons of digital strategy and technological autonomy.”
The multi-stage upgrade had been tied to Telefónica’s existing 5.5 million euro contract from 2020. Authorities justified the new work by citing a need to enhance resilience against cyberattacks.
The decision reflects mounting pressure from Spain’s NATO and European allies, who have warned about the potential infiltration of Chinese cyber spies into critical infrastructure (see: Breach Roundup: Spain Defies Pressure to Eject Huawei).
Pennsylvania AG Confirms Ransomware Caused Outage
The Office of the Pennsylvania Attorney General said a ransomware attack was behind a mid-August outage that left its website offline and disrupted email and phone services.
Attorney General David Sunday said the attack involved an outsider encrypting files to extort payment. The office refused to pay the ransom.
The incident, first disclosed on August 11, forced staff to rely on alternative communication channels. Email and phone lines are partially restored and the public website is now accessible. Courts across Pennsylvania issued orders granting extensions for criminal and civil cases until normal operations resume, though the AG’s office does not expect the disruption to affect prosecutions or investigations.
Officials have not confirmed whether attackers stole sensitive data, but promised to notify affected individuals if exfiltration is discovered. No ransomware group has claimed responsibility.
US Immigration Enforcement Resumes Contract With Spyware Vendor Paragon Solutions
U.S. Immigration and Customs Enforcement reinstated a $2 million contract with spyware vendor Paragon Solutions, lifting a stop-work order imposed last year under a Biden-era executive order restricting dealings with companies linked to spyware abuse (see: US Limits Government Use of Advanced Smartphone Spyware).
An Aug. 29 notice on a federal contracting site indicates that ICE will continue using Paragon’s services. Paragon has positioned itself as a more ethical alternative to NSO Group but faced scrutiny earlier this year after its Graphite spyware was found on the phones of Italian journalists, migrant advocates and associates of Pope Francis.
Charm City Loses $1.5M in Vendor Payment Scam
The city government of Baltimore lost more than $1.5 million in a business email compromise scam that tricked officials into sending payments to a fraudster’s bank account. The city’s Department of Accounts Payable processed two EFT payments in February and March – totaling $1,524,621.04 – after a scammer gained access to a vendor’s Workday account and altered its banking details, the city inspector general disclosed.
While $721,236.60 was recovered, the city has been unable to retrieve the remaining $803,384.44 and filed an insurance claim. The legitimate vendor was repaid in full.
Investigators found the scam began in December 2024, when a fraudster posed as a vendor employee and submitted fraudulent supplier forms and a fake voided check. AP staff approved the changes without verifying the details, despite inconsistencies.
With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and Akshaya Asokan in Kochi, India.