This Week in Privacy: Jun 1-7, 2026
The first week of June 2026 brought a cascade of data breaches affecting millions of Americans, from dental patients to HVAC contractors. Meanwhile, Apple began implementing controversial age verification requirements in Texas, and a Finnish court decision shielded a pharmacy chain from privacy fines on a legal technicality.
Top Stories
ShinyHunters Strikes Twice, Exposing Nearly 3 Million Records
The extortion group ShinyHunters dominated breach headlines this week with two significant attacks. DentaQuest, a dental benefits administrator, confirmed that 2.6 million accounts were compromised when attackers accessed their network and stole over 234 GB of data. The group publicly leaked the stolen information after ransom negotiations failed. Days later, ShinyHunters also claimed responsibility for breaching Baker Distributing Company, an HVAC wholesaler, after extracting data from the company's SharePoint and Salesforce systems in May 2025. That breach exposed information from approximately 103,000 accounts, including email addresses, physical addresses, and customer support tickets. Baker was added to ShinyHunters' "pay or leak" site before the data went public in early June.
These incidents highlight the continued effectiveness of extortion-based breach strategies, where stolen data becomes leverage for payment demands. Both companies serve industries that maintain extensive customer databases, making them attractive targets for criminals who know the reputational and regulatory costs of public disclosure.
Apple Implements Texas Age Verification Law
Starting June 4th, Apple began requiring age verification for new App Store users in Texas, following a federal appeals court decision allowing the state's App Store Accountability Act to take effect. New users must verify they are over 18 using a credit card or government ID, while users under 18 must join a Family Sharing group where parents approve downloads and purchases. Texas law SB 2420 was signed in May 2025, and its enforcement was originally scheduled for January 2026 but was delayed by legal challenges.
The Texas implementation represents a significant shift in how digital platforms handle minors' access to apps and content. While Apple can automatically verify some users' ages using existing account data like payment methods, the requirement for explicit ID verification raises questions about privacy tradeoffs. Critics worry about the privacy implications of mandatory ID collection, while supporters argue it protects children from inappropriate content.
Ring Faces Class Action Over Facial Recognition
Amazon's Ring is facing a class action lawsuit filed June 2nd in Seattle federal court, alleging the company's Familiar Faces feature collects biometric data from millions of Americans without consent. The lawsuit, brought by Virginia resident Charles Sigwalt, challenges Ring's facial recognition system that launched in December 2025 to help users identify regular visitors like family members or delivery workers. While Ring users must opt in to enable the feature, the lawsuit argues that passersby captured by doorbell cameras never consented to having their faces scanned and analyzed. The case could have broad implications for the rapidly expanding home security camera market and how companies deploy facial recognition technology in semi-public spaces.
In Brief
- A theft ring used phishing attacks to steal shipping credentials between October 2025 and April 2026, allowing them to fraudulently pick up nearly $5 million in goods from warehouses before being arrested by Manhattan prosecutors.
- Visual Arts, a Japanese video game publisher, disclosed that attackers stole authentication credentials in April 2026 to access cloud storage and leak an unreleased game, potentially compromising over 10,000 pieces of personal information.
- IMA Diligence Services suffered a breach affecting 525,000 individuals when attackers accessed a legacy server managed by a third-party vendor.
- A medical billing company breach compromised patient information held on behalf of seven medical groups, though details remain limited.
- A Finnish court overturned a €1.1 million fine against pharmacy chain Yliopiston Apteekki for using Google and Meta tracking technologies, ruling that as a public institution, it cannot face administrative penalties despite violating GDPR.
The Big Picture
This week reveals a troubling pattern: organizations continue to struggle with basic security hygiene, leaving millions vulnerable to opportunistic extortion groups. Six of the ten events this week involved data breaches, many stemming from credential theft or inadequate protection of legacy systems. At the same time, governments are experimenting with new regulatory approaches that create their own privacy tensions, as Texas demonstrates with mandatory age verification that requires collecting more personal data to theoretically protect privacy. The ShinyHunters breaches show that extortion-based attacks remain highly effective, while the Ring lawsuit suggests we're entering a new phase of legal scrutiny around passive biometric collection. The question isn't whether our data will be collected, it's who controls it and what happens when those controls fail.