
Cybersecurity Insights series: April 2026 – this month in cybersecurity

Welcome to our Cybersecurity Insights blog, where we examine the incidents shaping today’s evolving threat landscape. April 2026 demonstrated how cyber incidents increasingly blur the lines between criminal monetisation, reputational damage, and geopolitical signalling — impacting public institutions, global brands, and consumer trust alike.
This month, Craig Lusher examines three high-profile incidents that dominated headlines and underscore the growing convergence of cybercrime, influence operations, and data exploitation.
UK Member of Parliament: Website compromised to funnel users to Asian gambling platforms
A UK Member of Parliament’s website was taken offline after a cyber attack inserted malicious code that redirected visitors to Southeast Asian gambling platforms, raising concerns about the misuse of trusted political domains for illicit promotion.
Sir David Davis, Conservative MP for Goole and Pocklington, told Parliament that his website was compromised when attackers embedded malicious redirects into legitimate links. The site was taken offline upon discovery, but following restoration it was hit by a sustained distributed denial-of-service (DDoS) attack, registering approximately 142 million requests and nearly 800GB of traffic in 24 hours.
Davis described the incident as a “direct interference” with a Member of Parliament carrying out his duties, adding that much of the malicious traffic appeared traceable to China, although activity was also observed from other jurisdictions. Parliamentary authorities advised MPs to engage official digital and security services rather than disclosing protective details publicly.
Beyond the political context, the attack highlights a familiar tactic within the gambling and cybercrime ecosystem: compromising reputable websites to covertly route users toward unregulated betting operators, bypassing advertising controls and cross-border enforcement mechanisms.
C8 Secure perspective
This attack illustrates two distinct techniques delivered in sequence, each warranting different defensive controls. The initial compromise (malicious redirects injected into the website’s content) is the type of attack that a Web Application Firewall (WAF) is built to stop. C8 Secure’s SecureEdge WAF applies signature-based detection, AI-driven anomaly detection and bot mitigation against the OWASP and API Top 10, blocking injection attempts and unauthorized content changes before they reach the application. The follow-on DDoS attack, which registered approximately 142 million requests and nearly 800GB of traffic in 24 hours, sits within the scope of always-on volumetric protection.
C8 Secure operates a multi-layered DDoS mitigation platform with over 5Tbps of on-net scrubbing capacity, typically mitigating attacks within 30 to 60 seconds. Regular Vulnerability Assessment and Penetration Testing (VAPT) closes the loop by identifying the injection vectors attackers look for in the first place. The wider gambling industry angle is also worth flagging: compromising trusted domains to drive users toward unregulated operators undermines licensed markets and the consumer protections they enforce.
Hallmark: Customer and employee data leaked and sold on hacker forums
In April, data allegedly stolen from Hallmark Cards, Inc. surfaced across cybercrime forums after a ransomware-style extortion attempt by the ShinyHunters group escalated into public disclosure and resale.
According to reporting, attackers threatened to release nearly 8 million records tied to Hallmark and its associated digital services, setting an April 2 deadline for negotiations. When no public resolution emerged, the dataset was published on ShinyHunters’ leak site and simultaneously offered for sale by another threat actor operating under a different alias – indicating data proliferation beyond a single criminal group.
Independent analysis confirmed that samples posted on underground forums matched the leaked dataset. The exposed information reportedly includes customer email addresses, physical mailing addresses, phone numbers, internal corporate email accounts, employee names, departmental data, and customer support tickets. Investigators believe the breach may have originated from a Salesforce environment, though this remains unconfirmed by Hallmark.
The combination of customer and internal operational data significantly amplifies the risk of targeted phishing, fraud, and identity-based attacks, especially when enriched with previously leaked datasets.
C8 Secure perspective
Two features of this incident stand out. First, the dataset proliferated to multiple actors almost immediately after disclosure, which is now the default outcome rather than the exception; once data leaves the perimeter, the half-life of containment is measured in days. Second, the suspected origin in a Salesforce environment points to SaaS and third-party platforms as targets in their own right, meaning the monitoring perimeter extends well beyond on-premise infrastructure. The combination of customer records, internal corporate email accounts, employee names and support ticket history is particularly damaging because it provides everything an attacker needs to construct convincing spear-phishing campaigns against both customers and staff.
C8 Secure’s MSOC ingests logs from SaaS platforms, identity providers and endpoints to spot abnormal data access and exfiltration patterns, with our 24/7 SOC team triaging alerts and escalating only what matters. SafeBait delivers ongoing phishing, smishing, vishing and quishing simulations alongside awareness training, which matters more, not less, for organisations whose data has already been exposed. Our Cyber Threat Exchange (CTE) supports operational awareness of leak sites and threat actor activity, allowing security teams to act on exposure before victims do.
Booking.com: Surge in scams driven by compromised hotel accounts
Consumers across the UK and Europe were warned in April about a rise in Booking.com scams, after attackers gained access to legitimate hotel accounts and used the platform’s own messaging system to target customers, according to a BBC investigation.
The scam involves cybercriminals breaching hotel partner accounts on Booking.com and sending messages to guests who already have active reservations. Posing as the property, attackers claim there is an issue with payment and ask customers to re-enter card details or confirm credentials via external links. Because the messages originate from within Booking.com’s own system, they are often perceived as legitimate.
Victims told the BBC they lost hundreds or thousands of pounds after following the instructions, with some accounts drained within minutes. Booking.com confirmed it had seen an increase in this type of fraud, stating that attackers frequently obtain access to hotel accounts through phishing or malware infections, rather than directly compromising Booking.com’s core systems.
The incident highlights a growing fraud model: platform-mediated social engineering, where criminals exploit both brand trust and existing customer relationships to increase success rates.
C8 Secure perspective
The mechanics here matter for any business that operates through partner ecosystems or marketplace platforms. Attackers did not breach Booking.com itself; they compromised individual hotel accounts through conventional phishing and malware, then weaponized the platform’s legitimate messaging features against guests. Because the messages originated from the genuine domain and arrived inside an active booking conversation, the usual visual cues customers rely on to spot scams were absent. This pattern is now standard across hospitality, travel, gaming affiliates and any sector that depends on partner accounts to reach end users.
Three controls move the dial. First, endpoint protection on partner workstations: C8 Secure’s EDR/MDR uses machine learning, behavioral analysis and external threat intelligence to block credential-stealing malware, with 24/7 response from a managed SOC. Second, mandatory multi-factor authentication on platform accounts paired with monitoring for abnormal login locations and session anomalies through our MSOC. Third, phishing simulation and awareness training for the staff most likely to be targeted: SafeBait covers email, SMS, voice and QR code attack vectors with AI-driven scenarios in over 160 languages, tailored to local language and culture. Mobile Protect extends comparable defenses to the mobile devices that increasingly handle these account credentials.
Final thoughts
April’s incidents reinforce a clear shift in the threat landscape: attackers are no longer just breaching systems — they are exploiting trust at scale.
Whether by hijacking a UK lawmaker’s website to distribute gambling traffic, weaponizing legitimate brand platforms like Booking.com to defraud customers, or leaking and reselling consumer data from global brands such as Hallmark, today’s attackers consistently leverage credibility, familiarity, and existing relationships to maximize impact.
These events also highlight a widening attack surface:
- Websites are being repurposed as criminal infrastructure
- Customer data is rapidly monetised beyond the initial breach
- Third-party accounts and partner ecosystems create systemic risk
- Reputational damage often outpaces technical recovery






