This Week in Privacy: Mar 16-22, 2026
This week brought an avalanche of data breaches affecting millions of people, from healthcare patients to banking customers to online service users. Meanwhile, law enforcement's data collection practices faced scrutiny, and Instagram announced a major reversal on message encryption that could affect billions of users worldwide.
Top Stories
Instagram to Remove End-to-End Encryption from Private Messages
Meta quietly announced that Instagram will stop encrypting private messages between users starting May 8, 2026. The company disclosed this significant privacy rollback through updates to its help page rather than a major announcement, marking a reversal after years of expanding encryption features. This decision follows sustained criticism from law enforcement and child safety groups who argued that encryption hindered investigations into illegal activity. The change will affect Instagram's massive user base, potentially exposing private conversations that were previously protected from outside access, including from Meta itself.
Telus Digital Confirms Massive 1 Petabyte Data Breach
Telus Digital acknowledged that hackers successfully breached its systems and accessed approximately 1 petabyte of data. To put that in perspective, one petabyte equals roughly one million gigabytes, enough to store hundreds of millions of documents or years of video footage. The company publicly confirmed the breach on March 18, though details about what specific information was accessed or how many individuals were affected remain unclear. This stands as one of the largest data breaches by volume disclosed this year.
FBI Confirms Purchasing Americans' Location Data Without Warrants
During a Senate Intelligence Committee hearing, FBI Director Kash Patel confirmed that the agency purchases commercially available information to track individuals' movement and location without obtaining warrants. Patel defended the practice as consistent with the Constitution and federal privacy laws. However, Senator Ron Wyden criticized this as circumventing the Fourth Amendment and the landmark 2016 Carpenter v. United States ruling, which requires law enforcement to obtain warrants for location data from cell service providers. By purchasing data from commercial brokers instead, the FBI may be exploiting a loophole to access information that would otherwise require court approval.
In Brief
- Aura disclosed a breach affecting 903,080 email addresses, primarily from a marketing tool associated with a previously acquired company, exposing names, phone numbers, and addresses but not financial information.
- CarGurus faces class action lawsuits after a breach exposed personal information of approximately 1.2 million consumers.
- Marquis, a bank software vendor, revealed that its August 2026 breach impacted more than 670,000 individuals across at least 74 financial institutions.
- Three Tennessee teenagers sued xAI, alleging the company's Grok AI tool created child sexual abuse material using their photos.
- French courts upheld a €40 million GDPR fine against advertising technology company Criteo.
- Several healthcare organizations reported breaches: MedPeds Associates of Sarasota, OpenLoop Health (68,160 Texans affected), and CommonSpirit Health patients through a vendor breach.
- Multiple breach settlements were announced: Fidelity agreed to pay $2.5 million, Geisinger and Nuance reached a $5 million settlement, and a community bank settled for $2.4 million.
- Intuitive Surgical confirmed a phishing-related breach, while Lotte Card faced a $6.5 million penalty for a major breach.
- A Baltimore watchdog uncovered fraudulent billing and a confidential data breach in a youth crimefighting program.
- Encyclopedia Britannica filed suit against OpenAI over AI training data usage.
The Big Picture
This week reveals an uncomfortable reality: personal data breaches have become so routine that 17 separate incidents in one week barely register as unusual. More concerning is the erosion of privacy protections happening through both corporate decisions and government practices. Instagram's encryption rollback and the FBI's acknowledged purchases of location data suggest a broader retreat from privacy safeguards, whether driven by law enforcement pressure or commercial convenience. As multimillion-dollar breach settlements become standard business expenses and petabyte-scale data theft becomes possible, the question is no longer whether your data will be exposed, but when and how many times.