
October 2025 brought significant cybersecurity developments affecting businesses across multiple sectors. From supply chain breaches at major technology vendors to regulatory enforcement actions and new compliance deadlines, the month highlighted persistent threats and evolving requirements for data protection. The following stories demonstrate the scope of current cyber risks and the regulatory response shaping business obligations in the months ahead:
F5 Says BIG IP Breached by Nation-state Hackers
Cybersecurity vendor F5, Inc. published an alert on October 15, 2025 regarding an incident where a suspected nation-state actor breached their network and gained “persistent access” to multiple systems. This included a development environment for F5’s BIG-IP product line, which are widely integrated with networking and security ecosystems around the world – though F5 has claimed that there is no evidence that customer data was stolen, files pertaining to BIG-IP’s source code were accessed during the period where the infiltration was confirmed to have happened. The issue is serious enough that the U.S. Department of Justice requested the vendor to avoiding disclosing the breach when they discovered it in August, and the Cybersecurity and Infrastructure Security Agency (CISA) released an alert directing all federal agencies to patch any BIG-IP or F5 systems and devices in their technology stacks.
NY AG Collects Over $14M from Car Insurance for Data Breaches
The Office of New York Attorney General Letitia James and the New York State Department of Financial Services (DFS) announced the collection of $14.2 million from eight car insurance companies as part of a settlement where the OAG NY found each company failed to protect the data of New Yorkers. This decision came as a result of data breaches experienced by each of the eight companies which exposed the personal information of over 825,000 New Yorkers, including driver’s license numbers and dates of birth, and which were also used to commit several cases of fraud. The OAG found that the hackers had exploited “pre-fill” functionality from the companies quote form tools, and with the DFS concluded that they had not taken adequate steps to protect the data collected by these forms.
NJ Lenders Corp. Being Sued for August 2025 Breach
Attorneys working with ClassAction.org announced on October 15, 2025 that they are investigating a potential class action lawsuit against NJ Lenders Corp., a New Jersey-based mortgage company licensed in 22 states. The suit is being brought against the company on behalf of customers affected by a data breach that occurred around August 2025, when NJ Lenders Corp. discovered there had been unauthorized access within their network. Further investigation found that Social Security numbers and other sensitive details of NJ Lender Corp.’s customers had been compromised by the attackers, though this information was not uncovered until almost a month after the initial breach.
NYCRR Part 500 MFA Requirement Goes into Effect November 2025
Continuing with enforcement actions applied since the latest phase in 2023, 23 NYCRR Part 500 of the New York Insurance Regulations will be entering its final implementation phase on November 1, 2025. Part 500, first established in March 2017 by the New York Department of Financial Services (NY DFS), will now require the deployment of enhanced multifactor authentication (MFA) for entities covered by the DFS in the finance sector. The November 2025 phase mandates that small businesses use MFA for remote access and privileged accounts, while all other covered entities must implement MFA for any individual accessing any information system. Failure to comply with these new amended requirements in the event of a data breach could see severe penalties, as seen with previous enforcement actions by the DFS regarding NYCRR nonconformance.
Fort Wayne Medical Education Program Alerts Patients of 2024 Breach
On October 3, 2024, the Fort Wayne Medical Education Program notified the public of a confirmed breach in their network that was discovered on December 17, 2024. After taking initial actions to secure their systems and engaging “cybersecurity professionals” to conduct an investigation, FWMEP was able to conclude by September 9, 2025 that the data of nearly 30,000 people had been compromised and began taking steps to help remediate the damage. This compromise affected both patients and employees as well as dependents, and the information accessed included Social Security numbers, driver’s licenses, medical history, health insurance information, and banking details.
Protect Your Business from Evolving Cyber Threats
The October cybersecurity landscape reflects ongoing challenges facing businesses of all sizes, but SWK Technologies provides comprehensive cybersecurity solutions designed to address these evolving risks. From multifactor authentication deployment to breach response planning, our team helps your business implement the controls you need to meet regulatory requirements and defend against sophisticated threats.
Contact SWK here to assess your cybersecurity posture and ensure your business is prepared for current and emerging threats.