August 2025 delivered another sobering month in cyber defense. Publicly disclosed breaches and attacks climbed, ransomware crews stayed aggressive, and several high-profile enterprises confirmed intrusions tied to third-party SaaS (notably Salesforce). Below is a clear, no-nonsense wrap-up of the month: the numbers, the headline cases, and the practical actions that security leaders should take now.
The Numbers at a Glance
- 30 publicly recorded data breaches/attacks in August, impacting ~17.3 million records worldwide. IT Governance
- Ransomware incidents rose 7% month-over-month (July → August): 506 attacks vs. 473 in July. Comparitech
- Healthcare remained a prime target, with 55 reported breaches and >3.5 million patients affected in the U.S. alone. Compliancy Group
Notable Breaches & Incidents
1) Google: Salesforce-Hosted Database Exposure
Google confirmed a breach of a Salesforce-hosted corporate database, with exposed business contact data later weaponized for social-engineering campaigns. While consumer accounts weren’t directly impacted, the incident underscored third-party SaaS risk and downstream phishing fallout. PKWARE®
2) Workday: Fallout from the Salesforce Attack Wave
Workday disclosed a breach on August 18, linked to the same Salesforce-targeting campaign trend. Exposed data included business contact information; customer tenants/data were not impacted. Bright Defense
3) U.S. State & Local Government: Nevada and Others
Nevada reported a major August ransomware attack that spiked follow-on hostile traffic 300% and required a steady restoration effort across public-facing services. The pattern matches wider pressure on state/local entities through August. StateScoop
4) Municipal & Regional Targets
Round-ups captured multiple city/county disruptions (e.g., Spartanburg County, St. Paul claims) illustrating attackers’ continued focus on governments with complex legacy estates and limited EDR/SOC coverage. CM Alliance
5) Healthcare: Another Difficult Month
Regulatory tallies show 55 breaches and millions of affected patients, sustaining 2025’s trend of high-value PHI theft and ransomware extortion against providers and their business associates. Compliancy Group
Threat Landscape: Who’s Hitting Whom—and How
- Ransomware momentum: August’s uptick continues a post-June rebound. Campaigns remain diversified across U.S. public sector, manufacturing, and healthcare. Comparitech
- Groups on the leaderboard: Intelligence tracking shows Qilin leading since April (≈18.4% share), Akira also prominent, and a rapid rise of “Sinobi” into third place after only two months—indicative of low barriers to entry and fast-evolving playbooks. Cyble
- Third-party/SaaS exposure: The Salesforce-focused intrusion pattern (Google, Workday) highlights risks in identity, API scopes, and vendor auth flows—especially when CRM data is repurposed for tailored phishing. PKWARE®
- AI-enabled tradecraft: August reporting emphasized how readily available AI tooling is lowering the barrier for sophisticated operations (malware authoring, automated recon), accelerating attacker iteration cycles. Anthropic
Why August Looked the Way It Did
- Identity & SaaS sprawl: The concentration of breaches tied to third-party platforms reflects identity over-privilege, uneven conditional access, and limited continuous monitoring for vendor apps. PKWARE®
- Operational debt in public sector: State/local agencies continue to be targeted for ransomware due to hybrid legacy estates, asymmetric staffing, and complex procurement lifecycles. StateScoop
- Healthcare’s enduring exposure: High-value PHI, sprawling third-party ecosystems, and time-sensitive clinical operations keep providers vulnerable to both initial intrusion and extortion leverage. Compliancy Group
What Security Leaders Should Do Now (Immediate Actions)
1) Clamp down on SaaS/IdP blast radius
- Enforce least-privilege OAuth scopes for third-party apps; review token inventories and stale integrations.
- Require phishing-resistant MFA (FIDO2/WebAuthn) for admin and CRM users; enforce device posture checks.
- Add anomalous OAuth consent detections and impossible-travel/behavioral policies in your IdP and CASB.
(Triggered by the Salesforce-linked breaches.) PKWARE®
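As an added illustration (not code from the original article or any vendor), the three checks above expressed as a small detection pass over constructed IdP/CRM audit records: over-broad OAuth consent grants, stale integration tokens, and impossible-travel logins. The scope names, event schema, and thresholds (90 idle days, 900 km/h) are assumptions; real IdPs and CRMs use their own field and scope names.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Scope names, thresholds and records are constructed for illustration only.
BROAD_SCOPES = {"full", "refresh_token", "api"}
EVENTS = [  # constructed IdP audit records: OAuth consents and logins
    {"kind": "consent", "user": "admin@example.com", "app": "ReportSync",
     "scopes": {"api", "refresh_token"}, "ts": "2025-08-18T09:00:00"},
    {"kind": "consent", "user": "jo@example.com", "app": "CalendarLite",
     "scopes": {"calendar.read"}, "ts": "2025-08-18T09:05:00"},
    {"kind": "login", "user": "jo@example.com", "ts": "2025-08-18T10:00:00", "lat": 37.77, "lon": -122.42},
    {"kind": "login", "user": "jo@example.com", "ts": "2025-08-18T11:30:00", "lat": 51.51, "lon": -0.13},
    {"kind": "login", "user": "admin@example.com", "ts": "2025-08-18T10:00:00", "lat": 37.77, "lon": -122.42},
    {"kind": "login", "user": "admin@example.com", "ts": "2025-08-18T20:00:00", "lat": 40.71, "lon": -74.01},
]
TOKENS = [  # constructed integration-token inventory exported from the CRM
    {"app": "ReportSync", "last_used": "2025-08-17T08:00:00"},
    {"app": "OldETL", "last_used": "2025-03-01T08:00:00"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def broad_consents(events):
    """Consent grants that include any broad scope: review or revoke these apps."""
    return [(e["user"], e["app"], sorted(e["scopes"] & BROAD_SCOPES))
            for e in events if e["kind"] == "consent" and e["scopes"] & BROAD_SCOPES]

def stale_tokens(tokens, now, max_idle_days=90):
    """Integration tokens idle longer than max_idle_days: candidates for revocation."""
    cutoff = parse(now) - timedelta(days=max_idle_days)
    return [t["app"] for t in tokens if parse(t["last_used"]) < cutoff]

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    """Consecutive logins per user whose implied speed exceeds max_kmh (airliner pace)."""
    logins = sorted((e for e in events if e["kind"] == "login"), key=lambda e: (e["user"], e["ts"]))
    hits = []
    for prev, cur in zip(logins, logins[1:]):
        if prev["user"] != cur["user"]:
            continue
        hours = (parse(cur["ts"]) - parse(prev["ts"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours <= 0 or km / hours > max_kmh:
            hits.append((cur["user"], round(km), round(hours, 2)))
    return hits
```

In the constructed data only ReportSync (broad scopes), OldETL (idle since March) and jo's San Francisco-to-London login pair 90 minutes apart are flagged; the admin's San Francisco-to-New York pair ten hours apart is not.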
2) Ransomware-ready hardening (the August profile)
- Egress filtering + DNS security to break C2; macro/script controls and EDR everywhere.
- Tiered backups (immutable/object-lock) with regular restore drills.
- Tabletop exercises with business owners: comms, legal, and payments operations.
(Aligned with August’s rising ransomware stats.) Comparitech
3) Healthcare & public-sector specifics
- Map BAA/BPO vendor chains; require breach-notification SLAs and control attestations.
- Deploy micro-segmentation for clinical and citizen-service networks; prioritize identity for privileged staff.
(Informed by August U.S. disclosures.) Compliancy Group
4) AI-age controls
- Implement use-policy and guardrails for internal AI tools; monitor code/signature outputs from AI-assisted development.
- Add detections for automated recon & scripted credential-stuffing signals. Anthropic
Quick Executive Brief
- Scope: ~30 public breaches/attacks; ~17.3 M records exposed in August. Ransomware +7% MoM to 506 incidents.
- Drivers: Third-party SaaS (Salesforce) exposures; identity weaknesses; continued pressure on healthcare and government.
- Action: Lock down IdP/OAuth scopes; enforce phishing-resistant MFA; drill ransomware playbooks and restore tests; tighten vendor security; add AI-era detections. IT Governance, Comparitech
Sources
- IT Governance breach/attack tally for August (≈17.3 M records). IT Governance
- Comparitech ransomware roundup (506 attacks in August, +7%). Comparitech
- Compliancy Group healthcare breaches (55 incidents; >3.5 M patients). Compliancy Group
- Google & Workday disclosures tied to Salesforce-hosted data. PKWARE®
- Nevada ransomware aftermath (traffic +300%). StateScoop
- Group activity trends (Qilin, Akira, Sinobi). Cyble
- Additional curated incident roundups for context. CM Alliance
