This Week in Privacy: Jun 8-14, 2026
A single insider breach affecting two-thirds of South Korea's population dominated privacy news this week, culminating in the largest data protection fine in the country's history. The incident exposed systemic weaknesses in access controls at major platforms and triggered enforcement action that will reverberate throughout the e-commerce industry.
Top Stories
Record-Breaking Fine for Coupang Breach
South Korea's Personal Information Protection Commission imposed a $412 million penalty on Coupang, the country's largest e-commerce platform, following a data breach that compromised nearly 34 million customer accounts. The breach occurred when a former employee maintained unauthorized access to customer data for several months without detection. Regulators found that inadequate security systems, poor management of authentication keys, and negligent access controls enabled the exposure of names, email addresses, phone numbers, delivery addresses, and order histories.
The fine was split into two parts: 423.6 billion won for the data leak itself and 201.1 billion won for the unauthorized collection of online activity records from 11.17 million users, including tracking, without permission, which websites and applications they visited. The size of the breach is staggering: it affected approximately two-thirds of South Korea's entire population. What makes this case particularly notable is that regulators determined the breach resulted from basic security failures rather than sophisticated hacking, raising questions about fundamental data protection practices at major platforms.
Universities Under Attack: Oracle Vulnerabilities Exploited at Scale
The ShinyHunters extortion gang exploited vulnerabilities in Oracle PeopleSoft servers to steal data from over 100 organizations, primarily targeting educational institutions. The attackers used what they describe as a combination of old and zero-day vulnerabilities to access both cloud-based and on-premises systems. The University of Nottingham confirmed that hackers accessed its student records system, exposing data belonging to 454,600 current and former students across its UK, Malaysia, and China campuses. ShinyHunters posted over 40GB of stolen documents on their dark web leak site as proof of the breach.
Separately, the University of Oxford disclosed that attackers breached its CareerConnect platform operated by third-party provider Group GTI, exposing names, email addresses, and encrypted passwords for users not protected by Single Sign-On authentication. The coordinated nature of these attacks highlights how threat actors increasingly target shared infrastructure and third-party services to maximize their reach.
Meta AI Tool Flaw Enables Mass Account Hijacking
Between April and May 2026, attackers exploited a vulnerability in Meta's AI-powered High Touch Support tool to hijack over 20,000 Instagram accounts. The flaw let attackers obtain password reset links without verifying email ownership, enabling unauthorized password resets, but it only worked on accounts without two-factor authentication enabled. Meta discovered the breach on May 31 and responded by disabling the vulnerable support system and invalidating all password reset links it had generated. The incident demonstrates how AI-powered customer service tools can introduce new attack surfaces when not properly secured.
Canada Proposes Strict Social Media Age Limits
The Canadian government introduced the Digital Safety Act (Bill C-34) on June 10, legislation that would ban social media access for children under 16 and establish safety standards for AI chatbots. Companies failing to comply could face penalties of up to 3% of global revenue or C$10 million, whichever is greater. The bill would create a Digital Safety Commission to enforce regulations and require platforms to remove sexually exploitative content within 24 hours. Officials cautioned the legislation could take over a year to pass Parliament and 18 months to implement after passage.
In Brief
- Pharmaceutical giant Novo Nordisk disclosed a cybersecurity incident in which unauthorized parties copied de-identified patient data from certain clinical trials, including patient ID numbers, year of birth, sex, and health biomarkers.
- Apple agreed to pay $250 million to settle a shareholder lawsuit alleging the company misled customers by advertising Apple Intelligence AI features that were not available at iPhone 16 launch.
- Google updated its Privacy Policy with a new European requirements section consolidating GDPR-specific disclosures and a detailed table mapping processing activities to legal bases under EU/UK law.
- CISA ordered all civilian federal agencies to patch a Check Point vulnerability by June 11 after the Qilin ransomware group actively exploited the flaw in remote access tools, firewalls, and VPNs.
- Discord notified 180 users that their personal information was exposed in March 2023 when a threat actor compromised a third-party customer support agent's account.
- Microsoft restricted internal employee access to Anthropic's Claude Fable 5 AI model due to data retention requirements that differ from other Claude models, which retain user prompts for 30 days.
- Microsoft shut down more than 70 of its GitHub repositories after discovering planted malware designed to harvest developer credentials when opened in AI coding tools.
- Law firm Fox Rothschild is facing a class action lawsuit after a May 2026 data breach attributed to the Silent Ransom Group exposed names and Social Security numbers.
- The FTC ordered Illuminate Education to implement stronger security measures after a 2021 breach exposed information belonging to 10.1 million students and the company delayed notifying some school districts for nearly two years.
- Massachusetts lawmakers unanimously passed the Consumer Data Privacy Act, which grants residents rights to access and delete personal data and prohibits the sale of sensitive information without explicit consent.
- Apple announced new parental control features requiring children under 13 to have accounts with built-in age-based restrictions when setting up devices.
- A man was convicted of four terrorist offences related to seeking out leaked Police Service of Northern Ireland data that exposed information on over 10,000 officers and staff.
The Big Picture
This week's events reveal a troubling pattern: insider threats and basic security failures continue to cause some of the most dam