November 2025 Cybersecurity Round-Up

November often marks the point where businesses shift their focus to year-end operations, holiday demand, and code-freeze periods, which also means security teams are stretched thin. Attackers pushed hard this month though, exploiting human lapses, vulnerabilities, legacy infrastructure, and high-value supply-chain touchpoints. This article rounds up November 2025’s most notable cyber-attacks and CVEs.

Notable Cyber Attacks and Incidents November 2025

London City Councils

Multiple London borough councils (Kensington & Chelsea, Westminster, and Hammersmith & Fulham) reported a coordinated cyber-attack in November. Their shared IT infrastructure and back-office systems went down, including phone lines and public services. At least one borough acknowledged that the intruders managed to copy “historical data”.

Attackers target local councils because they know these environments are often running aging infrastructure, fragmented oversight, and chronic underinvestment in cybersecurity. The public tends to assume that government systems are hardened by default, but at the local level, the opposite is often true. Councils and municipalities are an attractive target precisely because they depend on legacy back-office platforms, rarely have modern identity and segmentation controls, and operate shared networks where compromise in one borough can spill into another.

DoorDash

DoorDash, one of the largest food-delivery platforms in the US, confirmed in November that attackers accessed internal systems after successfully social-engineering an employee. The breach exposed personal data including names, emails, phone numbers, and physical addresses of customers, delivery drivers (“Dashers”), and merchants across multiple regions. No financial information was taken, but the exposed data is enough to power targeted scams and account takeover attempts.

For large customer-facing platforms, this is the low-cost, high-reward path attackers increasingly rely on. DoorDash’s breach illustrates that human vectors remain the easiest way in. One employee, one convincing social-engineering message, and millions of user records were suddenly in play. That asymmetry is what makes human-targeted attacks so attractive to threat actors: the return on effort is huge, and the defensive overhead is always higher.

The Washington Post

The Washington Post disclosed in November 2025 that nearly 10,000 employees and contractors had sensitive payroll and financial information stolen. This information included bank account details, routing numbers, and taxpayer identifiers. Crucially, the breach stemmed from a vulnerability in Oracle’s E-Business Suite, placing it among a growing list of organizations hit through the same flaw.

ERP suites like Oracle EBS are sprawling, decades-old platforms glued together through layers of modules, customizations, and often poor visibility. When attackers weaponize a flaw in such a system, they can breach many of the companies that depend on it. The ShinyHunters threat group, which has been prolific this year, was responsible. The flaw they exploited was remotely exploitable without authentication, but a patch has since been released.

SitusAMC

Banks rely on SitusAMC to process loan data, manage commercial real-estate portfolios, and handle documentation workflows worth billions. It might not be an easily recognizable household name, but it’s still an important backbone provider to financial services. When the company confirmed in November that attackers accessed sensitive files, including mortgage records, legal agreements, and corporate documents, the shockwaves hit major US banks.

Banks appear diverse from the outside, but behind the scenes they run on many of the same operational arteries. When one of those arteries is breached, the exposure can become systemic. Financial services have spent decades de-risking portfolios in the wake of the Global Financial Crisis, but haven’t applied the same discipline to operational resilience, especially cyber-related.

High-Profile CVEs November 2025

There were several interesting and severe CVEs in November 2025. Here’s a round-up of the main notable ones.

Wrap-Up

November’s attacks cut across councils, delivery platforms, media organizations, and financial vendors. But there was an unmistakable commonality: complex systems being breached at certain weak links. Security can’t stop at patching or policy. The real differentiator is pressure-testing the weak links and improving knowledge or defenses before someone else does. At DIESEC, our social engineering and pen testing services are built around exactly that idea: identifying the human, architectural, and vendor pathways an attacker would likely exploit at your business.

Contact us today.