This Week in Privacy: Apr 20-26, 2026
April proved to be a brutal month for data security. From major breaches at healthcare providers and financial services to a sweeping cyberattack on French government systems, this week reinforced that no sector is immune to sophisticated attacks. The common thread: attackers are exploiting employee access and third-party integrations with alarming success.
Top Stories
France's National ID Agency Suffers Massive Breach
The French government agency responsible for issuing official identity documents confirmed on April 22 that hackers stole approximately 19 million citizen records. The breach at France Titres (ANTS) exposed names, contact details, birthdays, postal addresses, account metadata, gender, and civil status information. A threat actor using the alias "breach3d" subsequently offered the stolen records for sale on a dark web forum. The scale of this breach is staggering: it potentially affects nearly 30% of France's population. Government identity systems are supposed to be among the most secure, making this compromise particularly concerning for citizens whose fundamental identity documents may now be linked to leaked personal data.
Healthcare Sector Under Siege
The U.S. healthcare system faced multiple significant breaches this week. The Department of Health and Human Services announced settlements with four healthcare entities following ransomware investigations that collectively exposed protected health information of over 427,000 individuals. The exposed data included Social Security numbers, diagnoses, lab results, medications, and financial data. Meanwhile, home security company ADT confirmed a breach after ShinyHunters hackers allegedly used voice phishing to compromise an employee's Okta account, then pivoted to ADT's Salesforce system. The attackers claim to have stolen 10 million customer records and are demanding ransom by April 27. These incidents underscore a troubling pattern: attackers are successfully targeting the human element (employees) and leveraging legitimate access tools like single sign-on systems to steal vast quantities of sensitive data.
Supply Chain Attacks Target Cloud Infrastructure
Vercel, a major app and website hosting company, revealed it suffered not one but two separate breaches affecting customer data. The first occurred when a Vercel employee downloaded a compromised app from Context AI, which gave attackers access to internal systems containing unencrypted customer credentials. The attack chain began in February 2025 when malware infected a Context.ai employee's computer through malicious Roblox game cheats. The attacker then used stolen OAuth tokens to access a Vercel employee's Google Workspace account, ultimately stealing customer credentials, API keys, and source code. This sophisticated supply chain attack demonstrates how a single compromised third-party integration can cascade across multiple organizations.
Apple Stonewalls Indian Regulators
India's Competition Commission is pursuing an antitrust case against Apple that began in October 2024, alleging abuse of App Store dominance. Apple has refused to submit required financial data that regulators need to calculate potential penalties, which could reach up to $38 billion by Apple's own estimates. A final hearing is scheduled for May 21, with the regulator offering Apple two additional weeks to file responses. Apple's refusal to cooperate with one of the world's largest smartphone markets signals a high-stakes showdown over platform power and market access.
In Brief
- Eurail disclosed that hackers stole personal data from more than 300,000 customers in December 2025, including passport numbers, and the data is now being offered for sale on the dark web.
- All 500,000 UK Biobank volunteer records were stolen and listed for sale on Alibaba's Chinese e-commerce platform before being removed through international cooperation.
- Tempus AI faces multiple class action lawsuits for allegedly collecting genetic testing results without authorization and sharing them with over 70 pharmaceutical companies.
- A federal judge granted preliminary approval to a $3.3 million settlement between Absolute Dental and 1.2 million affected patients following a 2025 malware breach.
- Hackers calling themselves "Internet Yiff Machine" obtained 93 GB of data containing 8.3 million anonymous tips submitted through Navigate360's P3 platform, exposing tipsters' identities despite anonymity promises.
- The UK High Court ruled that the use of live facial recognition by London's Metropolitan Police does not violate privacy rights, dismissing a challenge from Big Brother Watch.
- A 45-year-old NSW Treasury official was arrested for allegedly downloading over 5,600 commercially sensitive government documents to an external server.
- Ameriprise Financial disclosed its second breach in six months, affecting 47,876 people after unauthorized access between March 2 and 18.
- Tyler Robert Buchanan, a 24-year-old member of Scattered Spider, pleaded guilty to wire fraud for SMS phishing attacks that compromised Twilio, LastPass, and others, leading to $8 million in stolen cryptocurrency.
- The New York Attorney General sued Coinbase Financial Markets and Gemini Titan for allegedly operating unlicensed gambling platforms disguised as prediction markets.
- Amtrak confirmed a breach exposing at least 2.1 million email addresses after ShinyHunters hackers accessed its Salesforce CRM system.
- Canada Life disclosed that ShinyHunters accessed information of up to 70,000 customers through an employee account compromise.
- Rhode Island reached a $5 million settlement with Deloitte following a breach affecting the state's RIBridges health system.
- The SAG-AFTRA Health Plan disclosed a 2024 phishing breach that exposed Social Security numbers and health insurance details of plan participants.
- The Department of Justice intervened to support xAI's lawsuit challenging Colorado's AI discrimination law, arguing it violates equal protection.
- [Elon Musk filed a federal lawsuit against OpenAI and Sam Altman](https://privacywire.org/x-twitter/