This month's cybersecurity news digest highlights the importance of cyber resilience, the need to diversify the technology stack, and the necessity of timely compliance with the NIS2 Directive requirements.
1. The third major Cloudflare outage in 4 months is a wake-up call for tech diversification
On February 20, 2026, Cloudflare experienced a six-hour global service outage, primarily affecting its Bring Your Own IP (BYOIP) services. This was the third major disruption of its services, following the major outages in November and December.
The incident was caused by an internal configuration update that led to the unintended withdrawal of customer BGP routes from the Internet, resulting in HTTP 403 errors on the 1.1.1.1 DNS resolver. Approximately 25% of all BYOIP prefixes were impacted, causing disruptions across multiple core products. The recovery process was complicated due to varying effects on customer prefixes.
Cloudflare issued an official apology, acknowledging that the outage compromised its commitment to a resilient network. On the other hand, the recurrence of such incidents related to the tech giant is bound to prompt more companies to reconsider their choice of web security vendor.
2. PayPal data breach exposes sensitive personal information
PayPal reported a data breach caused by a coding error in its PayPal Working Capital loan application, which exposed personally identifiable information (PII) of customers from July 1 to December 13, 2025. The breach was detected on December 12, and affected customers were notified on February 10, 2026.
Sensitive information potentially exposed includes names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth, increasing the risk of identity theft and fraud. Some customers experienced unauthorised transactions, for which PayPal issued refunds. The company has rolled back the faulty code, terminated unauthorised access, and enforced password resets.
To assist affected customers, PayPal is offering two years of complimentary credit monitoring and identity restoration services. Customers are advised to monitor their accounts and consider placing fraud alerts or credit freezes. PayPal reminded users not to share account credentials via calls, texts, or emails, as the company would never request that.
3. 815,000 records of Adidas customer data potentially leaked
Adidas is investigating a potential data breach involving an independent third-party partner after a threat actor claimed to have accessed its extranet portal on February 16, 2026. The actor claims to have exfiltrated around 815,000 rows of sensitive data, including personal and company information, and suggests that additional disclosures are forthcoming.
The recurrence of such incidents highlights ongoing concerns regarding third-party security and supply chain vulnerabilities. Adidas has not confirmed details about the breach while the investigation is ongoing. Security experts recommend implementing strict access controls, multi-factor authentication, and regular audits to enhance security.
4. Booking.com partners and customers targeted by a financial fraud scheme
A new phishing campaign targeting Booking.com is exploiting trust in travel brands to defraud hotels and guests. The campaign begins with seemingly legitimate service messages urging hotel staff to click on links about “complaints” or room queries, leading to fake web pages that capture login credentials. The attack employs look-alike domains and URL tricks to appear authentic. After gaining access to hotel partner accounts, attackers send convincing messages to guests, redirecting them to fraudulent payment pages.
To safeguard against this, hotels should implement MFA, restrict booking portal access, treat unexpected links with caution, and monitor for unusual account activity. Guests are advised not to pay through links in chat apps and to verify issues through official channels. If credentials are compromised, they should change passwords, contact their bank, and check with the hotel regarding account access.
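As an added illustration of the "look-alike domains and URL tricks" mentioned above (this is example code written for this digest, not taken from Booking.com or any vendor), the following sketch shows how a mail or chat filter could triage a link before staff click it. The allow-list, the sample links and the two-label "registrable domain" shortcut are assumptions; a production filter would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: the domains this hotel treats as genuine for the booking portal.
OFFICIAL = {"booking.com"}

# Constructed sample links for illustration only, not observed indicators.
SAMPLES = [
    "https://www.booking.com/",
    "https://booking.com@pay-confirm.example/complaint",
    "https://booking.com.guest-review.example/login",
    "https://bo0king.com/complaint",
    "https://example.org/",
]

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return (verdict, reasons) for a link found in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph)")
    on_official = any(host == d or host.endswith("." + d) for d in OFFICIAL)
    if not on_official:
        registrable = ".".join(host.split(".")[-2:])  # simplification, no PSL
        for d in OFFICIAL:
            if 0 < _edit_distance(registrable, d) <= 2:
                reasons.append(f"domain {registrable!r} resembles {d!r}")
            elif d.split(".")[0] in host:
                reasons.append(f"brand name used on foreign host {host!r}")
    if on_official and not reasons:
        return "official", reasons
    return ("suspicious" if reasons else "unrelated"), reasons

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_link(link))
```

Anything classified as "suspicious" is best quarantined or rewritten to a warning page rather than delivered to front-desk inboxes as-is.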
5. AI features blocked on corporate devices in the EU Parliament due to cybersecurity concerns
The European Parliament has disabled built-in AI features on tablets and phones used by lawmakers and staff due to unresolved cybersecurity and data protection risks. Essential applications like email and document editors remain operational. The IT department expressed concerns over the security of AI features that transmit data to cloud services. MEPs were advised to be cautious with third-party AI applications and restrict data-access permissions. This action aligns with a broader EU trend of tightening technology and data security measures (NIS2 Directive), including previous restrictions on TikTok and efforts to reduce reliance on foreign software vendors.
6. Critical MS Office Word zero-day vulnerability actively exploited
A serious zero-day vulnerability in Microsoft Word, identified as CVE-2026-21514, was disclosed on February 10, 2026. The flaw, actively exploited in the wild, allows attackers to bypass OLE mitigations, enabling exploitation through specially crafted Office documents. Criminals use phishing emails to convince users to open these malicious documents, which execute the exploit without warning.
The vulnerability affects multiple versions of Office, including Microsoft 365 apps for Enterprise and Office LTSC 2021 and 2024 editions for Windows and Mac.
Microsoft has released fixes, and organisations are advised to deploy updates, implement email filtering, and educate users on security. It may be beneficial to restrict OLE object execution through Group Policy settings until patches are applied.
7. Microsoft February 2026 Patch Tuesday
Microsoft's February 2026 Patch Tuesday addresses 54 vulnerabilities, including six zero-day vulnerabilities across Windows, Office, Azure, and developer tools.
The security update covers a wide range of products like Windows Remote Desktop Services, Microsoft Defender, Azure services, GitHub Copilot, Visual Studio Code, Microsoft Exchange, and Office apps. Two of the flaws are rated critical; the types include remote code execution (RCE), elevation of privilege (EoP), information disclosure, spoofing, denial-of-service (DoS), and security feature bypass. Users are urged to update their software immediately.
8. Apple Pay users under attack. Be cautious!
A sophisticated vishing (voice phishing) campaign is targeting Apple Pay users through deceptive emails and phone calls to steal sensitive financial information. The attack begins with emails that use the official Apple logo and create panic with urgent subject lines about high-value charges. Victims are prompted to call a support number, where scammers pose as Apple fraud agents and request sensitive information, such as two-factor authentication codes, to gain access to Apple accounts.
Users should be cautious, as Apple does not initiate fraud appointments via email and never asks for sensitive information over the phone. It’s important to verify the sender's address, never share authentication codes or passwords, and monitor accounts for irregular activity. If you think there might be a problem, promptly update your Apple ID password, log out of all current sessions, and keep a close eye on your bank statements for any unusual activity over the next few weeks.
Bonus: Important changes in Bulgaria’s Cybersecurity Law in compliance with the NIS2 Directive! Read more on this page!
Hope your systems will stay safe and compliant with the NIS2 Directive throughout 2026! If you need help, contact us for expert advice!