03 Feb Security Report – 30 Jan 2026
Cybercriminals never stand still, constantly reinventing their tactics to exploit trust, familiarity and human instinct. INKY continues to observe threat actors weaponising cloud email platforms and voice‐based social engineering to bypass security controls. A recent example is a phishing campaign that sent hundreds of emails from a compromised SendGrid account linked to OpenAI to issue fraudulent invoices. The OpenAI invoice scam demonstrates how attackers leverage legitimate cloud email services and voice‑based social engineering to bypass security controls. By sending an invoice‑themed email through SendGrid, criminals ensured the message passed SPF/DKIM/DMARC checks and appeared trustworthy. The absence of malicious links allowed the email to evade URL filters, while the urgent call‑to‑action prompted the recipient to contact a scammer who then sought remote access.
Callback phishing is part of a broader trend in which attackers weaponise trusted platforms and remote‑support tools. Advanced email security, vigilance, user education and rigorous verification through official channels remain the most effective defenses against this evolving threat.
Recent Breaches
Australia – Victorian Department of Education – Education
Exploit: Hacking
Risk to Business: Moderate: The Department of Education in Victoria, Australia, has confirmed a data breach that affected current students and inactive past student accounts across more than 1,700 government schools. On January 14, the department said an unauthorised third party breached a school’s network. A follow-up update on January 21 confirmed that the attacker accessed a Department of Education database containing student information. The exposed data includes student and school names, year levels and department-issued email addresses with encrypted passwords. The department stated that no other student data, such as dates of birth, home addresses, phone numbers or family details, was accessed. At this stage, there is no evidence that the data has been publicly released or shared with third parties. The Office of the Victorian Information Commissioner (OVIC) has launched an investigation into the incident.
United States – The Illinois Department of Human Services – Healthcare
Exploit: Hacking
Risk to Business: Moderate: The Illinois Department of Human Services (IDHS) confirmed a data breach that exposed sensitive records of roughly 700,000 individuals, marking one of the largest public-sector breaches in 2026. According to the agency, the breach exposed two separate sets of records. The first involves personal and program-related data tied to more than 672,000 Medicaid and Medicare Savings Program recipients, including addresses, case numbers, demographic details and medical assistance plan names. A second set of records affected around 32,000 customers of the Division of Rehabilitation Services, exposing names, addresses, case details and referral information spanning multiple years. IDHS said the investigation into the incident is ongoing, and officials are still working to determine how the intrusion occurred and whether additional data may have been accessed.
Talk to a TCT team member today about implementing IT strategy plan for your business.
Robert Brown
30/1/2026
Related Articles:
How AI Is Changing Cybercrime
Stable Connection Is Essential for Your Business