Industry Privacy News
Event Timeline
232 events
The ShinyHunters ransomware group breached American insurance company Kemper Corporation in April 2024 through social engineering attacks on its Salesforce environment, compromising data from 269,299 accounts. The leaked information included email addresses, names, phone numbers, physical addresses, and partial payment card details including the last four digits, expiry dates, and card brands. Kemper confirmed the incident and reported engaging cybersecurity experts and law enforcement.
A Romanian national was sentenced to 56 months in federal prison for hacking into Oregon's Department of Emergency Management network in 2021 and selling access to buyers, along with stolen personal data including names, email addresses, birth dates, and passport numbers of individuals in the system. He also sold access to nearly a dozen other U.S. victims' networks, resulting in at least $250,000 in total losses. The case highlights ongoing risks to government systems and the trafficking of ...
California Attorney General Rob Bonta is suing Chrome Holding Co., the successor to 23andMe, over a 2023 data breach that exposed sensitive genetic information of nearly seven million users through a credential-stuffing attack. The breach revealed genetic predispositions, ancestry data, and information about biological relatives, with hackers specifically advertising stolen data from Asian American Pacific Islander and Jewish users on the dark web. The lawsuit alleges 23andMe failed to implem...
California lawmakers are advancing legislation (SB 354) that would modernize insurance data privacy laws, giving consumers more control over how their personal information is collected, used, and shared by insurers and third-party service providers. The bill would authorize the state insurance commissioner to investigate violations and impose penalties ranging from $5,000 to $1 million, addressing gaps in oversight as insurers increasingly use sophisticated technologies to process sensitive c...
Oklahoma Attorney General Gentner Drummond filed a lawsuit against online marketplace Temu alleging the company collects consumers' sensitive data without their consent and transfers it to the Chinese government. The lawsuit, filed in Cleveland County, also accuses the Boston-based company, owned by Chinese firm PDD Holdings, of illegally selling merchandise bearing Oklahoma trademarks including those of the Oklahoma City Thunder and state universities. Temu has denied the allegations and sta...
Lithuania's State Enterprise Center of Registers was hacked, exposing over 600,000 real estate registry records containing names, identification numbers, dates of birth, and property information. Attackers allegedly accessed the system through compromised credentials from the Migration Department, with connections traced to a foreign state. Lithuanian officials are particularly concerned the breach could endanger Russian and Belarusian political exiles living in Lithuania by exposing their re...
UK Visa Portal, a third-party immigration service website, exposed at least 100,000 passports and selfie photos of visa applicants through a publicly accessible Amazon storage server due to a misconfiguration. The exposed documents included location data that in some cases revealed applicants' home addresses, and the company responded to disclosure by sending lawyers rather than immediately fixing the security flaw. The breach highlights risks of sensitive identity documents being inadequatel...
Dutch police arrested a 35-year-old man suspected of repeatedly accessing Ajax football club's computer systems through an unpatched vulnerability disclosed in March. The breach exposed email addresses of several hundred people and limited personal information of individuals with stadium bans, though some reports suggest it may have affected over 300,000 registered supporters and 42,000 season tickets. The incident highlights the growing trend of cyberattacks targeting sports organizations, w...
Dutch government blocks sale of DigiD operator Solvinity to US tech firm due to data security concerns
Hackers breached Unimed, a billing service provider for German hospitals, stealing patient data from at least six university medical centers in mid-April. The compromised information includes names, addresses, and in some cases health records and billing details linked to diagnoses, affecting over 100,000 patients - mostly those with private insurance or self-paying arrangements. No attackers have claimed responsibility, and affected hospitals have suspended data transfers to the provider whi...
Trump Mobile confirmed it exposed customers' personal data - including names, email addresses, home addresses, and phone numbers - to the open internet through a third-party platform provider. The company claims no breach of its own systems occurred and found no evidence that financial information was compromised. Trump Mobile is still evaluating whether to notify affected customers, despite YouTubers and a researcher unsuccessfully attempting to alert the company about the exposure earlier t...
Beacon Mutual Insurance Company, a workers' compensation insurer and state vendor in Rhode Island, confirmed it experienced a ransomware attack on January 14 that compromised its systems, though its live production environment remained unaffected and operations resumed by January 20. The Warwick-based company is conducting a forensic investigation to determine what personal information may have been stolen and has stated it will notify any individuals whose data was affected. As the third-par...
Alera Group, a national insurance brokerage firm, agreed to a $2 million settlement after unauthorized individuals accessed its computer systems between July and August 2024, potentially exposing sensitive personal and medical information of employees, dependents, clients, and partners. Affected individuals were not notified until nearly a year after the breach occurred, prompting criticism from officials over the delayed disclosure. Eligible U.S. residents who received breach notification ca...
A January ransomware attack on Beacon Mutual Insurance, Rhode Island's workers' compensation administrator, exposed personal information of approximately 132,000 Rhode Islanders, including about 4,500 current and former state employees. The breach affected around 162,000 people total across multiple states, though Beacon confirmed that compromised systems did not connect to state networks. The company disclosed the incident to Rhode Island's Attorney General in May and is directly notifying a...
In January 2021, the parody site Windows93 suffered a data breach affecting its Myspace93 sub-site when attackers exploited a beta application to download server files containing 46,000 user accounts. The compromised data, leaked in June 2021, included email addresses, IP addresses, usernames, and passwords stored in plain text. Users who had accounts on Myspace93 should immediately change their passwords, especially if they reused the same credentials on other sites, and enable two-factor au...
A data breach targeting the Canvas educational platform in early May potentially compromised the personal information of approximately 1,700 people in Canada's Northwest Territories, including teachers, education staff, government employees, and contractors. The exposed data includes names, email addresses, and enrollment or training information, though the territorial government confirmed no passwords or financial information were accessed. The parent company Instructure reportedly reached a...
The Federal Trade Commission settled with Cox Media Group and two marketing firms for nearly $1 million after they falsely claimed their "Active Listening" service could target ads based on audio recordings from consumers' smart devices. The FTC found the companies were not actually collecting voice data as advertised but were simply reselling consumer email lists at marked-up prices while misrepresenting that consumers had consented to audio collection. The settlement requires the companies ...
A cyberattack on Canvas, a widely used learning management platform, potentially exposed personal information including names, email addresses, student numbers, and messages of 275 million users across thousands of universities worldwide. The parent company Instructure reached an agreement with the hacking group ShinyHunters, which claimed to have returned and destroyed the stolen data and promised not to extort customers. The breach affected educational institutions globally, including schoo...
GitHub confirmed that hackers from the TeamPCP cybercrime group gained unauthorized access to approximately 3,800 internal code repositories after compromising an employee's device through a malicious VS Code extension. The Microsoft-owned platform stated that the breach was limited to internal repositories and did not affect customer data, though the stolen code is now being offered for sale on cybercrime forums for $50,000. GitHub has rotated critical credentials and is conducting a full in...
The California Supreme Court ruled that plaintiffs can sue over medical record data breaches without proving their information was actually viewed by unauthorized parties. However, the court dismissed a student's lawsuit against educational contractor Illuminate Education over a 2022 breach, finding the company did not qualify as a healthcare provider under state confidentiality laws and that student educational assessments do not constitute medical information. The decision clarifies when Ca...
Grafana suffered a data breach after hackers used a GitHub workflow token that was not rotated following the TanStack npm supply-chain attack, allowing unauthorized access to private repositories. The attackers stole source code and business contact information, including names and email addresses used in professional relationships, but Grafana states no customer production data or systems were compromised. The breach occurred despite an initial incident response that rotated most tokens, wit...
Nucor Corp. reached a class action settlement over a May 2025 data breach that exposed personal information, offering affected individuals up to $8,200 in compensation for documented expenses and losses. Class members who received breach notification letters in June 2025 can claim reimbursement for out-of-pocket costs like credit monitoring and bank fees (up to $700), lost time (up to $75), and extraordinary losses from identity theft (up to $7,500). The total settlement fund is capped at $20...
The Police Service of Northern Ireland (PSNI) has paid almost £40 million in compensation to over 5,000 officers and civilian staff following a 2023 data breach that accidentally released personal details of all 9,400 PSNI personnel. Each claimant who accepted the universal settlement offer received £7,500, while several hundred additional claims remain ongoing. Stormont ministers set aside £119 million total to address the breach, which a law firm described as unprecedented in scale for Nort...
Endue Software Agrees to $870,000 Data Breach Settlement
The Texas Attorney General filed a lawsuit against Netflix alleging the company misled users about data collection practices, including falsely claiming paid subscribers wouldn't face data-driven advertising and that children's profiles don't collect behavioral data. The lawsuit also accuses Netflix of using addictive design features like autoplay to extend viewing sessions, particularly affecting children. The AG seeks to stop the alleged unlawful data collection, require autoplay to be disabled...
The Texas Attorney General filed a lawsuit against Netflix under the Texas Deceptive Trade Practices Act on May 11, 2026, alleging the company collected personal information, including from children, through misleading disclosures. The lawsuit also claims Netflix used dark patterns to make its platform addictive. The action represents enforcement of state consumer protection laws against a major streaming platform's data collection practices.
7-Eleven confirmed a data breach after the hacking group ShinyHunters demanded ransom, claiming to have stolen over 600,000 Salesforce records containing personal information and corporate data. The breach affects customers whose personal details were stored in 7-Eleven's Salesforce system. This incident is part of a broader pattern of attacks by ShinyHunters, which has also been linked to recent breaches at other major companies.
Texas Attorney General Ken Paxton filed a lawsuit against Netflix on May 11, alleging the streaming service illegally collects and tracks viewing habits, preferences, and behavioral data from users including children without their knowledge or consent, then sells this information to other companies for profit. The lawsuit claims Netflix violated the Texas Deceptive Trade Practices Act and seeks to stop the data collection practices and require the platform to disable autoplay by default on ch...
Grafana Labs confirmed a data breach after hackers used a compromised token to access the company's GitHub environment and download its source code. The company stated that no customer data or personal information was accessed, and it declined to pay the ransom demanded by the attackers, a cybercrime group called Coinbase Cartel. Grafana has reset the compromised credentials and is conducting a forensic investigation into the incident.
NYC Health + Hospitals, the largest public health system in the United States, disclosed a data breach affecting at least 1.8 million people after hackers accessed its network for three months through a compromised third-party vendor. The stolen data includes medical records, health insurance information, Social Security numbers, driver's licenses, and irreplaceable biometric data such as fingerprints and palm prints. The breach primarily impacts uninsured New Yorkers and Medicaid recipients ...
Canvas, an educational platform used by schools nationwide, suffered data breaches on April 29 and May 7 that exposed usernames, email addresses, student ID numbers, and communications from over 275 million users at nearly 9,000 schools. The hacking group ShinyHunters claimed responsibility for the April breach, and Canvas owner Instructure reached an agreement with the attackers to return and destroy the stolen data. In Pittsfield, Massachusetts, the breach disrupted the grade reporting syst...
Vimeo confirmed a data breach affecting approximately 119,000 users after a security incident at third-party analytics vendor Anodot, which was linked to cloud platform Snowflake. The breach exposed user names, email addresses, video titles, and metadata, but did not compromise video content, login credentials, or payment information. Affected users face increased phishing risks as hackers can use the verified contact data for social engineering attacks.
The alleged main administrator of Dream Market, one of the largest dark web marketplaces before its 2019 shutdown, was arrested in Germany and indicted in the US on money laundering charges after allegedly moving millions in cryptocurrency commissions and converting them to gold bars. German authorities recovered approximately $1.7 million in gold bars and $1.2 million in suspected Dream Market proceeds during searches of his residence. The marketplace facilitated the sale of hundreds of kilo...
Canvas, an educational platform used by thousands of universities, suffered a ransomware attack that locked out students and teachers and resulted in stolen personal data. Although the parent company Instructure paid the ransom for system recovery and data deletion, a former White House cyber official warns the stolen information may still be circulating and could be used to target young people. Experts note the attack involved AI technology and represents a growing threat, as many ransomware...
NVIDIA confirms GeForce NOW data breach, pledges full support for investigation
In May 2026, real estate services firm Cushman & Wakefield was targeted by the ShinyHunters extortion group, which publicly leaked data affecting over 310,000 accounts after issuing a "pay or leak" demand. The exposed information consisted primarily of business contact data including email addresses, names, job titles, company addresses, and phone numbers from both Cushman & Wakefield employees and external corporate contacts. The breach primarily compromised professional rather than personal...
Community Bank, operating in Pennsylvania, Ohio, and West Virginia, disclosed to the SEC that it improperly submitted customer data - including names, dates of birth, and Social Security numbers - into an unauthorized AI application. The bank filed the disclosure due to the volume and sensitivity of the exposed information and is now investigating the incident while notifying affected customers as required by law. The bank did not specify which AI application was used or provide details about...
Texas Attorney General Ken Paxton sued Netflix, alleging the streaming company collects user data without consent and merges on-platform user information with off-platform data from ad-tech partners like Google and The Trade Desk. The lawsuit, filed under state consumer protection law, seeks to force Netflix to delete unlawfully collected data, stop using it for targeted advertising without explicit consent, and pay civil fines of up to $10,000 per violation. Netflix called the lawsuit meritl...
$870,000 Endue Software data breach class action settlement - Class Action Lawsuits
Texas Attorney General Ken Paxton sues Netflix over alleged collection of user data without permission
Oklahoma Attorney General Gentner Drummond filed a lawsuit against Temu alleging the shopping app illegally accessed users' cameras, microphones, and location data without their knowledge or consent. The complaint also claims Temu used deceptive sign-up schemes that promised prizes that never materialized and failed to disclose its use of forced labor in violation of U.S. trade policies. Temu denies the allegations and says it intends to defend itself vigorously.
Canvas, a widely used learning management system, suffered a cyberattack that exposed usernames, email addresses, course names, enrollment information, and messages belonging to students, teachers, and staff across multiple school districts. Instructure CEO Steve Daly confirmed that core learning data like course content, submissions, and credentials were not compromised, and apologized for inadequate communication during the incident. School districts have warned users to watch for phishing ...
The UK's Information Commissioner's Office fined South Staffordshire Water £964,900 after a 2022 Cl0p ransomware attack exposed personal data of over 600,000 customers, including names, birthdates, bank details, and some medical information. The attack succeeded because hackers gained initial access through a 2020 phishing email and remained undetected in the company's systems for 20 months before being discovered. The ICO cited significant failures in data security practices that left custom...
Texas Attorney General Ken Paxton has sued Netflix, alleging the streaming service operates a large-scale surveillance program that collects data from users and children without proper consent. The lawsuit claims Netflix aims to monetize this data for profit, though the company has previously stated it does not sell user data to third parties. Netflix previously settled a 2011 privacy lawsuit for $9 million over alleged data sharing.
Texas AG Sues Netflix, Claiming The Streaming Service Collects User Data Without Consent
Texas Attorney General Ken Paxton filed a lawsuit against Netflix alleging the company collects and shares detailed user data - including viewing habits, locations, and children's behavior - with advertisers and data brokers without proper consent. The lawsuit claims Netflix has publicly denied data collection practices while internally describing itself as a "logging company that occasionally streams movies" and collecting approximately 5 petabytes of user behavior data daily. Texas is seeki...
Canvas Online Learning Platform Disabled for Hours After Breach by Hackers
In April 2026, fashion retailer Zara was targeted by the ShinyHunters extortion group through a compromise of the Anodot analytics platform, resulting in the exposure of 197,376 customer email addresses along with support ticket records, order IDs, product SKUs, and geographic locations. Parent company Inditex confirmed that passwords and payment information were not affected in the breach. The incident was part of a larger "pay or leak" campaign that affected multiple organizations and led t...
Hackers accessed databases belonging to a former technology provider of Spanish fashion retailer Zara, exposing personal information of approximately 197,000 customers including email addresses, purchase histories, geographic locations, and support ticket data. The ShinyHunters cybercrime gang claimed responsibility and leaked 140GB of stolen data, though Zara's parent company Inditex stated that names, phone numbers, addresses, passwords, and payment information were not compromised. The bre...
NVIDIA confirmed that GeForce NOW user data was exposed in a breach affecting Armenian users between March 20-26, caused by a compromise at regional partner GFN.am's infrastructure. The exposed information includes names, email addresses, phone numbers, dates of birth, and usernames, though passwords were not compromised and users who registered after March 9 are unaffected. A threat actor offered the stolen database for $100,000 on hacker forums before the post was removed.
Portland Public Schools warn of data breach from online learning system
Cleveland says Flock cameras secure after Dayton ditches system following data breach
Personal information of 2.9 million Alberta voters - including phone numbers, home addresses, and voter identification numbers - was leaked to a separatist group called the Centurion Project, which posted the data on its website before a court-ordered injunction forced its removal. Elections Alberta is investigating the breach, but recent legislative amendments have limited what the election commissioner can publicly disclose and raised the threshold for launching investigations. The incident...
CMS students, employees impacted by nationwide Canvas data breach
Western Orthopaedics P.C., a Denver-based orthopedic surgery practice, disclosed a data breach that exposed personal and health information of at least 409 patients after unauthorized access to its systems between September 17-25, 2025. The compromised data included Social Security numbers, financial account information, health insurance details, and medical billing information, with a ransomware group called PEAR claiming responsibility for the attack in October 2025. The practice is offerin...
Décimas fined €120,000 by Spanish watchdog after data breach
The Federal Trade Commission reached a settlement banning data broker Kochava and its subsidiary from selling Americans' precise location data without explicit consent, resolving a 2022 lawsuit that alleged the company sold geolocation information tracking visits to sensitive locations like healthcare clinics and places of worship. Under the proposed court order, Kochava must establish privacy safeguards including a sensitive location data program, verify consumer consent through suppliers, a...
Ireland's Data Protection Commission has opened an investigation into Shein to determine whether the fashion retailer properly complied with EU data protection rules when transferring European user data to China. The probe will assess Shein's adherence to GDPR requirements governing international data transfers from its Dublin headquarters. This investigation adds to Ireland's active enforcement of cross-border data cases, including a similar ongoing matter involving TikTok's data transfers t...
Gaming community Reborn Gaming suffered a data breach in April 2026 through a vulnerability in cPanel and WebHost Manager, exposing 126 email addresses along with IP addresses and Steam IDs. The breach affects users of the gaming platform who now face potential risks from their exposed contact information and gaming identifiers. Reborn Gaming self-reported the incident to Have I Been Pwned, a breach notification service.
Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats - SecurityWeek
Cybersecurity firm Trellix disclosed that attackers gained unauthorized access to a portion of its source code repository, affecting a company that protects over 200 million endpoints for 50,000 business and government customers worldwide. The company is investigating with forensic experts and has notified law enforcement, stating it has found no evidence the source code was exploited or altered. Trellix has not yet disclosed whether customer or corporate data was stolen or when the breach wa...
Trellix reports data breach following unauthorized access to source code repository
Educational technology company Instructure confirmed a data breach exposing personal information of users at affected institutions, including names, email addresses, student ID numbers, and private messages between students and teachers. The ShinyHunters extortion gang claimed responsibility for the attack, alleging they accessed data on 275 million individuals across nearly 9,000 schools worldwide through a now-patched vulnerability in Instructure's systems. Instructure states no passwords, ...
SitusAMC Holdings Corp., a mortgage industry services provider, suffered a data breach in November 2025 that compromised customer records including accounting data and legal agreements, potentially affecting clients of JPMorgan Chase, Citi, and Morgan Stanley. A federal judge has consolidated eight class-action lawsuits into one case, with plaintiffs alleging the company failed to adequately protect their personal information through negligent security practices. The company completed its for...
New York regulators fined Delta Dental $2.25 million after the company failed to adequately protect consumer data and delayed reporting a breach that exposed names, Social Security numbers, financial details, and health information of New Yorkers. Investigators found Delta Dental did not address a known vulnerability in MOVEit Transfer servers despite state warnings in June 2023, allowing hackers to exploit the weakness and steal sensitive data. The penalty reflects violations of New York's c...
Spain's data protection authority fined Bankinter €240,000 after a cyberattack on EVO Banco (which Bankinter absorbed) exposed 1.27 million customer records in March 2024. The breach occurred when a system migration error removed access controls from a customer onboarding API, allowing attackers to successfully extract personal data including names, birth dates, national ID numbers, and contact details over five days. The bank only learned of the breach two weeks later when a third party repo...
French authorities have arrested a 15-year-old suspected of hacking the National Agency for Secure Documents (ANTS) and attempting to sell 12-18 million citizens' personal records on cybercriminal forums. The breach potentially exposed names, email addresses, birth dates, login credentials, and other personal details from the agency that processes applications for passports, national ID cards, and driver's licenses. The suspect, allegedly operating as "breach3d," faces up to seven years in pr...
Roblox will require all Indonesian users under 16 to undergo facial scans to verify their age, affecting approximately 23 million children on the platform, in compliance with new government restrictions on minors' social media use. Users who do not complete facial verification will be automatically placed in restricted "Roblox Kids" accounts with no chat features. The company states the facial scan data will be immediately deleted after age estimation, though Indonesia has classified Roblox a...
Vimeo confirmed a data breach originating from a third-party analytics vendor that exposed user email addresses and technical information, though the company stated that core systems and sensitive credentials were not compromised. Hackers have threatened to leak the stolen data. The incident highlights the risks organizations face through their third-party service providers.
Lloyds Banking Group compensated 1,625 additional customers following a March programming error that allowed approximately 114,000 users to view other customers' transaction details across its Lloyds, Halifax, and Bank of Scotland apps. The bank has now paid £201,000 in total to 5,250 affected customers, though it reports finding no increase in fraud linked to the breach that potentially impacted nearly 450,000 account holders. The Treasury Committee chair described the incident as "an alarmi...
Home security provider ADT confirmed a data breach affecting 5.5 million customers after hackers accessed names, phone numbers, home addresses, and partial Social Security numbers through a compromised employee Okta account. The breach occurred via voice phishing targeting an employee's single sign-on credentials, allowing hackers to extract data from ADT's Salesforce system, though the company states payment information and security systems were not compromised. The exposed partial personal ...
Vimeo confirmed that customer data was accessed without authorization after attackers breached third-party service Anodot and stole authentication tokens to access Vimeo's Snowflake and BigQuery databases. The exposed data includes some customer email addresses, technical data, video titles, and metadata, but does not include uploaded video content, account credentials, or payment card information. The extortion group ShinyHunters claimed the breach and threatened to publish the stolen data u...
Americans lost at least $2.1 billion to scams originating on social media in 2025, an eightfold increase since 2020, according to the Federal Trade Commission. Investment scams accounted for $1.1 billion of those losses, while shopping and romance scams also targeted users, with most scams starting on Facebook, WhatsApp, and Instagram. The figures reflect only reported losses, meaning actual damages are likely higher, as many victims do not file complaints.
A federal judge dismissed a Justice Department lawsuit demanding detailed voter data from Rhode Island, including birth dates, addresses, driver's license numbers, and partial Social Security numbers. The judge ruled that federal law does not permit DOJ's "fishing expedition," similar to rejections in California, Massachusetts, Michigan, and Oregon, while at least 12 states have provided the data. Election officials raised concerns about potential misuse after DOJ acknowledged it planned to s...
ADT Confirms Major Data Breach Exposing Millions of Names, Partial SSNs
Fidelity to Pay $1.25 Million Over Data Breach That Exposed 77,000 People
In April 2025, the hacking group ShinyHunters obtained and publicly released data from Pitney Bowes affecting 8.2 million people after extortion negotiations reportedly failed. The compromised data included email addresses, names, phone numbers, physical addresses, and in some cases employee job titles. Users whose information was exposed face increased risks of phishing attacks, identity theft, and targeted scams using their personal contact details.
A Chinese national accused of working as a contract hacker for China's Ministry of State Security has been extradited from Italy to the United States to face criminal charges. Xu Zewei allegedly conducted cyberespionage operations and intelligence-gathering breaches between February 2020 and June 2021 as part of the Silk Typhoon hacking group. The case is part of broader U.S. law enforcement action against state-sponsored cyber intrusion campaigns targeting computer systems.
Fidelity Brokerage Services was fined $1.25 million by Massachusetts regulators after a three-day cyberattack in August 2024 exposed personal information of approximately 77,000 customers, including Social Security numbers, passport and driver's license images, and medical data. The breach occurred when an attacker exploited a vulnerability in Fidelity's online access controls that allowed manipulation of document identifiers to view other customers' files. Fidelity failed to notify affected ...
The Council of Engineers Thailand reported that hackers breached its database during a server transfer, stealing personal data of approximately 350,000 members including names, addresses, phone numbers, and license information. The attack involved 680,000 data breaches over a 10-hour period before detection, though details about the attackers' identity and any ransom demands have not been disclosed. The council has warned members that their stolen data could be misused.
Home security company ADT confirmed a data breach on April 20 affecting customer information including names, phone numbers, and addresses, with a small percentage of records also containing dates of birth and partial Social Security numbers. The breach occurred after hackers from the ShinyHunters group allegedly used a voice phishing attack to compromise an employee's single sign-on account and access ADT's Salesforce system, and are now threatening to leak the stolen data unless ADT pays a ...
SAG-AFTRA Health Plan disclosed a phishing attack that gave unauthorized access to an employee's email account between September 17-18, 2024, exposing the Social Security numbers, health insurance information, and claims details of at least 1,202 individuals across Texas and Massachusetts. The breach occurred when an employee fell victim to a phishing email, compromising sensitive personal data of health plan participants. Affected individuals are being offered two years of free credit monito...
The Department of Justice is intervening in support of xAI's lawsuit against Colorado's law requiring developers of high-risk AI systems to disclose and mitigate algorithmic discrimination. The DOJ argues the law, set to take effect in June, violates the Fourteenth Amendment by requiring developers to account for statistical disparities across demographics like race and sex. The case reflects broader tension between state AI regulation efforts and the Trump administration's opposition to inco...
Rhode Island reached a $5 million settlement with Deloitte following a data breach affecting the state's RIBridges system, which serves HealthSource RI customers. The payment will help cover state expenses related to the breach, while Deloitte separately covers costs for a call center, credit monitoring, and identity protection for impacted individuals. Approximately 2,000 HealthSource RI customers have been enrolled directly since the breach as the system undergoes a phased relaunch.
Eurail, which sells Interrail rail passes, disclosed that personal data of more than 300,000 European travelers - including passport numbers, names, addresses, and dates of birth - was stolen in a December breach and is now being sold on the dark web. Some affected customers have been advised by passport authorities to cancel their passports and pay for replacements costing up to £200 to prevent fraudulent use. The breach has caused confusion and anger among travelers facing unexpected expens...
Data from all 500,000 UK Biobank volunteers was breached and listed for sale on Alibaba's Chinese e-commerce platform, though the listings were removed before any confirmed purchases occurred. The stolen information included de-identified health data such as age, gender, and lifestyle habits, but not names, addresses, or contact details. UK officials called the security lapse "extremely lax" and referred the incident to the Information Commissioner's Office, raising concerns about protection ...
Absolute Dental agreed to a $3.3 million settlement after a data breach between February and March 2025 exposed personal information of approximately 1.2 million patients and employees. The breach occurred when malware was accidentally executed through an account linked to the company's third-party managed service provider, giving unauthorized parties access to Absolute Dental's systems. Class members can claim reimbursement for documented losses up to $5,000 or receive a pro rata payment fro...
Vercel expanded its breach investigation and discovered hackers had accessed some customer data before the April incident, when an employee downloaded a compromised app from Context AI. The company found additional affected customer accounts beyond the initial breach but has not disclosed the total number impacted or how far back the earlier compromise extends. Evidence suggests hackers used information-stealing malware to obtain credentials and API keys, then rapidly accessed customer data i...
South Korea fines matchmaking agency over leak of sensitive user data
France Titres (ANTS), the French government agency managing official identity documents, confirmed a cyberattack in which hackers stole approximately 19 million records containing names, contact details, birthdays, addresses, and other personal information. The stolen data is being offered for sale on dark web forums, and ANTS has warned affected users about potential phishing attacks using the compromised information. The agency stated that hackers do not have access to user accounts and tha...
A breach dubbed "BlueLeaks 2.0" exposed 8.3 million anonymous tips submitted through Navigate360's P3 platform, affecting students, Crime Stoppers programs, and military personnel from 1987 through November 2025. The hackers claim to have obtained 93 GB of data in plain text format that included tipsters' full names and details about reported individuals, despite platform promises of anonymity. Navigate360 has not publicly confirmed the breach or notified affected individuals on its websites,...
The UK High Court ruled that London's Metropolitan Police can continue using live facial recognition technology, rejecting a legal challenge brought by civil liberties group Big Brother Watch and youth worker Shaun Thompson, who was falsely identified and detained by the system in 2024. The judges found the technology does not violate privacy rights under European human rights law, despite Thompson's misidentification as his brother who was wanted by police. Thompson plans to appeal the decis...
The Chattanooga Heart Institute has agreed to pay up to $3.75 million to settle a class action lawsuit stemming from a 2023 data breach. The settlement resolves legal claims from affected patients whose personal information was compromised in the breach. This represents one of the larger healthcare data breach settlements in the region, affecting patients who received care at the cardiology practice.
A 45-year-old NSW Treasury official has been charged with accessing restricted data after allegedly downloading over 5,600 commercially sensitive government documents to an external server between April 10-14. The documents, described as spanning "whole of government" departments and containing confidential commercial and financial information about current and past government negotiations, were detected three days after the final alleged transfer. Authorities say there is currently no eviden...
Ameriprise Financial disclosed a data breach affecting nearly 50,000 people after an unauthorized individual accessed stored data and files between March 2 and 18, exposing names and personal identifiers. This marks the second breach for the Minneapolis-based firm in less than six months, following a December phishing incident that potentially exposed 598 people. Ameriprise is offering free identity protection services to affected customers and stated no unauthorized transactions or fund move...
Tyler Robert Buchanan, a 24-year-old British member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS phishing attacks targeting major technology companies including Twilio, LastPass, DoorDash, and Mailchimp. The attacks compromised tens of thousands of users and enabled the group to steal at least $8 million in cryptocurrency through SIM-swapping, where attackers hijack victims' phone numbers to intercept ...
New York Attorney General Letitia James sued Coinbase Financial Markets and Gemini Titan for allegedly operating unlicensed gambling platforms disguised as prediction markets, violating state gambling laws including restrictions on betting involving New York college sports teams. The lawsuit comes amid a broader regulatory conflict, with the US Commodity Futures Trading Commission recently suing three other states to assert federal authority over prediction market regulation. James emphasized...
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials
Minidoka Memorial Hospital in Idaho experienced a cyberattack on April 5 that disrupted internal systems and imaging services, forcing some emergency patient transfers though the hospital continued operations. A threat group called "Blackwater" later claimed to have stolen approximately 576 GB of data comprising over 2.3 million files and threatened to leak it after April 24, though they provided no proof of their claims. The incident affects patient data at the rural hospital, though the ful...
Cloud app hosting company Vercel was breached after one of its employees downloaded a compromised app from Context AI, allowing hackers to access internal systems and steal unencrypted customer credentials, API keys, and potentially source code. Vercel has notified affected customers and advised them to rotate their app credentials, though the company has not disclosed how many users were impacted. The breach highlights supply chain risks, as hackers exploited a third-party app connection to ...
An attacker compromised Vercel's systems and stole customer credentials and sensitive data after initially infecting a Context.ai employee's computer with malware disguised as Roblox game cheats. The breach exploited interconnected cloud services, with the attacker using stolen OAuth tokens to access a Vercel employee's Google Workspace account and then pivoting to Vercel's internal environments. Vercel customers are at risk and have been advised to rotate their credentials, while the stolen ...
Canada Life, one of Canada's largest insurers, disclosed that hackers from the ShinyHunters group accessed personal information of up to 70,000 customers through an employee's account, including names, dates of birth, addresses, gender, and income levels. Most of the compromised accounts belonged to employees of one large corporate client, and the company is offering affected customers free credit monitoring. The breach, detected within the past two weeks, has been contained and authorities h...
Vercel, a cloud development platform, confirmed a security breach after a threat actor gained unauthorized access to internal systems through a compromised employee's Google Workspace account linked to a third-party AI tool called Context.ai. The attacker accessed environment variables not marked as sensitive, which allowed them to enumerate and gain further access to customer data, though the company states its core services remain unaffected. Vercel is working with affected customers and re...
Cookeville Regional Medical Center in Tennessee disclosed a ransomware attack that compromised personal and medical data of over 337,000 individuals, including Social Security numbers, financial information, and health records. The Rhysida ransomware group stole approximately 370,000 files and, after failing to sell the data for roughly $1 million, made it freely available online, significantly increasing the risk of identity theft and fraud. The hospital is offering identity theft protection...
WebTPA, a third-party healthcare administrator, disclosed a data breach affecting 2.4 million individuals after discovering unauthorized network access that occurred between April 18-23, 2023. The exposed information may include names, contact details, dates of birth, Social Security numbers, and insurance information, though financial account data and medical treatment records were not compromised. The company is offering affected individuals two years of free identity monitoring services th...
Roblox reached a $12 million settlement with Nevada that requires the gaming platform to implement enhanced protections for young users, including mandatory age verification and restrictions on nighttime notifications for minors. The company will pay $10 million over three years to support youth programs and fund a law enforcement liaison position to address platform safety concerns. Nevada's attorney general described the agreement as a first-of-its-kind settlement, reached in lieu of litiga...
Rockstar Games confirmed a data breach after the ShinyHunters gang leaked over 78 million records containing internal analytics data, including metrics from GTA Online and Red Dead Online related to player behavior, revenue patterns, and anti-cheat systems. The breach occurred through a compromised third-party analytics provider, Anodot, which had integration access to Rockstar's Snowflake environment via stolen authentication tokens. Rockstar stated the exposed information was limited and di...
Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit over a September 2023 data breach that exposed patients' sensitive health information. Affected individuals can claim up to $5,000 for documented out-of-pocket losses related to the breach, or receive an estimated $75 cash payment without proof, plus two years of free medical monitoring services. The settlement received preliminary court approval in February 2026 and covers all U.S. residents whose persona...
McGraw-Hill confirmed that hackers exploited a Salesforce platform misconfiguration to access a limited set of internal data, though the company states no customer databases, student information, or sensitive financial data were compromised. The breach follows an extortion threat from the ShinyHunters group, which claims to possess 45 million Salesforce records containing personally identifiable information and has set a ransom deadline. McGraw-Hill says the affected webpages have been secure...
Rockstar Games confirmed it suffered a cyberattack in which hackers accessed a "limited amount of non-material company information" through a third-party data breach, though the company states no player data was affected. The hacking group ShinyHunters claims to have stolen company data including financial information and player habit studies from cloud servers, and threatened to release it after their ransom demand went unpaid. This breach is separate from Rockstar's 2022 incident that leake...
Hackers breached business monitoring software company Anodot on April 4, stealing authentication tokens that allowed them to access and extract customer data stored in the cloud, affecting at least a dozen companies including Rockstar Games. The ShinyHunters hacking group is now threatening to publish the stolen data unless ransom demands are met, demonstrating how attackers can compromise multiple organizations by targeting a single software provider they all use. Cloud storage provider Snow...
SouthState Bank has agreed to a $1.5 million settlement following a February 2024 data breach that potentially exposed personal information - including names, Social Security numbers, and financial account details - of approximately two million customers. Affected individuals will automatically receive one year of free credit monitoring, and those who file claims can receive up to $3,500 for documented losses such as fraudulent charges, bank fees, and ID replacement costs. The settlement cove...
Hackers breached European gym chain Basic-Fit's systems and downloaded personal data of approximately 1 million members across six countries, including names, addresses, phone numbers, email addresses, dates of birth, bank details, and membership information. The company detected and stopped the intrusion within minutes but confirmed some data had already been extracted, though passwords and identity documents were not accessed. Basic-Fit reported the breach to Dutch authorities and notified ...
Rockstar Games confirmed it was affected by a third-party data breach after a hacker group claimed to have breached the GTA 6 developer and issued a ransom demand with an April 14 deadline. The company stated the breach has no major impact on its operations or players. The incident follows previous security breaches involving Rockstar Games.
The Silent Ransom Group breached law firm Orrick, Herrington & Sutcliffe in January 2026, accessing its network for approximately one week without deploying malware, likely through phishing or social engineering. After Orrick offered $1 million to resolve the incident - significantly less than the ransom demand - the threat actors leaked the firm's data, making Orrick the first top-100 law firm to offer what the group considered an insufficient payment. This is Orrick's second major data breach in ...
South Korea's Personal Information Protection Commission fined Lotte Card 9.62 billion won ($6.51 million) after a hacking incident exposed personal data of 2.97 million customers, including resident registration numbers of 450,000 people. The breach occurred because Lotte Card stored registration numbers in plain text in log files from its online payment system and failed to implement proper encryption, violating data protection laws. The Financial Supervisory Service also imposed a separate...
Christie's fined $194,000 for data breach in South Korea
South Korea's Personal Information Protection Commission fined British auction house Christie's approximately $193,600 after a data breach exposed personal information of 620 South Korean members, including names, addresses, and resident registration numbers. The breach occurred when a Christie's employee granted system access to a malicious actor, and the company failed to encrypt customer data or report the incident within the required 72-hour timeframe. The regulator cited inadequate secur...
French email provider Alinto left an Elasticsearch database exposed online, leaking 40 million email records containing sender and recipient addresses, location details, and relay IP addresses. The breach affected major corporations including L'Oreal, Renault, and DHL, as well as numerous French government agencies with at least 14,000 government email addresses exposed. Security researchers discovered the unsecured database and notified Alinto, which has since secured the server.
Cybercriminals allegedly stole and leaked 7.7 terabytes of sensitive Los Angeles Police Department data, including officer personnel files, internal affairs investigations, and discovery documents containing unredacted criminal complaints, witness names, and medical information. The breach affected a third-party digital storage system used by the LA City Attorney's Office rather than LAPD systems directly, with the extortion gang World Leaks claiming responsibility. The leak exposes more than...
Healthcare IT company CareCloud disclosed a data breach on March 16 that potentially exposed medical records of millions of patients after hackers accessed one of its six patient record stores for approximately eight hours. The company serves over 45,000 provider groups, hospitals, and medical practices across the U.S., though it remains unclear whether protected health information was actually stolen or if ransomware was involved. An investigation is ongoing with third-party cybersecurity ex...
Jones Day, a top-ranked U.S. law firm, confirmed a data breach affecting 10 clients after the Silent Ransom Group gained access through a phishing attack and posted stolen files to the dark web on March 30. The hackers demanded $13 million and threatened to publish all data, contact employees and clients, and resume attacks if the firm did not respond by their deadline. All affected clients have been notified of the breach, which targeted a senior member of the firm's Federal Circuit legal team.
Lakeview Loan Servicing and related mortgage companies agreed to a $26 million settlement after an October 2021 data breach potentially exposed sensitive information of approximately 5.8 million customers. Affected individuals can file claims by June 22, 2026, for reimbursement of documented out-of-pocket losses up to $5,000, such as fraud-related expenses or credit monitoring costs, or receive a pro-rated cash payment. The settlement covers current and former customers of Lakeview, Pingora, ...
Oklahoma Governor Stitt signed Senate Bill 546 on March 20, 2026, making Oklahoma the 21st state with a comprehensive consumer privacy law, effective January 1, 2027. The law applies to businesses that serve Oklahoma residents and either process data of 100,000+ consumers annually or process data of 25,000+ consumers while earning over 50% of revenue from selling personal data. Covered businesses must honor consumer requests to access, correct, delete, or port their data, and allow opt-outs f...
In September 2024, immigration case management platform DocketWise suffered a data breach when unauthorized actors used valid credentials to access repositories containing unstructured client data from multiple law firms, affecting 116,666 individuals. The exposed information varied by person but could include Social Security numbers, passport details, financial account information, medical records, and other sensitive personal data belonging to immigration law firm clients. The breach is par...
Phoenix-based Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit following a September 2023 data breach in which attackers accessed systems, encrypted data, and stole patient information including names, addresses, birth dates, Social Security numbers, and driver's license numbers. The practice denied wrongdoing but settled to avoid ongoing litigation costs and risks. The breach affected patients' personal and health information due to what the lawsuit all...
Fitness app Strava's public "Global Heatmap" feature inadvertently revealed the locations of secret U.S. military bases and personnel movements in conflict zones like Afghanistan and Syria by displaying users' GPS-tracked exercise routes. Military analysts found that jogging trails at forward operating bases were clearly visible on the map, making it easy to identify facilities that don't appear on services like Google Maps, with U.S. military personnel being the primary Strava users in many ...
Probe launched after Hospital Authority data breach involving 56,000 patients
Hong Kong's Hospital Authority disclosed that personal data of over 56,000 patients from Kowloon East hospitals was accessed without authorization and leaked on a third-party platform, including names, identity card numbers, birth dates, and details of surgical procedures. The breach was detected by monitoring systems early Friday morning and linked to a contractor's system maintenance work, which has been suspended. Both Hong Kong police and the privacy watchdog are investigating the inciden...
A threat group called TeamPCP breached the European Commission's Amazon cloud environment using a stolen API key, exposing personal data including names, email addresses, and email content from at least 30 EU entities. The attackers exfiltrated a 90GB dataset containing tens of thousands of files, which was subsequently published on the dark web by data extortion group ShinyHunters. The breach affected 42 internal European Commission clients and at least 29 other Union entities using the euro...
Drift, a decentralized cryptocurrency exchange on the Solana blockchain, suffered a hack that drained $285 million in digital assets, potentially making it one of the largest crypto thefts in history. Security researchers believe the attacker exploited a vulnerability in a new lending market feature that allowed users to borrow against an illiquid token. The exchange suspended deposits and withdrawals while working with security firms and exchanges to contain the breach.
Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit stemming from a September 2023 cyberattack that exposed patients' Social Security numbers, medical records, addresses, and other sensitive information. Affected individuals who received breach notification can claim up to $5,000 for documented out-of-pocket losses related to the incident, plus two years of medical monitoring services. The cardiology practice denied wrongdoing but settled to avoid ongoing l...
Nacogdoches Memorial Hospital disclosed that a January 31 cyberattack compromised its computer network, potentially exposing patient information including names, Social Security numbers, dates of birth, medical record numbers, and in some cases photographs. The hospital has notified affected patients by letter and established a hotline for questions, stating no confirmed misuse of data has been detected so far. NMH says it has enhanced network security measures and updated procedures to preve...
Banking tech data breach exposes 672K in ransomware attack
Iowa's Attorney General filed a lawsuit against Change Healthcare following a February 2024 data breach that exposed sensitive information - including Social Security numbers, medical records, and health insurance details - of nearly 2.2 million Iowans. The breach went undetected for 10 days while hackers installed malware and stole data through a remote access portal lacking multifactor authentication, and the company waited five months to notify affected individuals. The lawsuit alleges vio...
What Match Group (MTCH)'s FTC Privacy Settlement With OkCupid Data-Sharing Allegations Means For Shareholders
OkCupid and parent company Match Group settled with the FTC over allegations they gave AI firm Clarifai unrestricted access to users' demographic data, location information, and nearly 3 million photos without consent or opt-out options. The proposed settlement includes a 20-year order requiring clearer disclosures about how the companies handle sensitive user data, including messages, health information, photos, and location details. The companies have not admitted liability in the case.
UnitedHealth Group confirmed that a ransomware attack on its subsidiary Change Healthcare exposed protected health information and personally identifiable information potentially affecting a substantial proportion of people in America. The company paid $22 million in ransom but never received the stolen data back because the ransomware operator ALPHV took the payment and shut down, leaving the affiliate attackers and the victim empty-handed. UnitedHealth is offering affected individuals two y...
A patient who received an X-ray at West Tallinn Central Hospital in Estonia was given a supposedly new USB drive to transfer their medical images, but discovered it also contained health data from several other patients. The hospital has not yet explained how patient data ended up on what was meant to be a blank drive and says it will investigate only after the patient files a formal complaint. The incident exposed sensitive health information of multiple individuals through what appears to b...
Italy data protection agency fines Intesa Sanpaolo $36 mln over data breach
Match Group and its subsidiary OkCupid settled with the FTC over allegations that the dating platform shared three million user photos and location data with facial recognition company Clarifai in 2014 without informing users or providing an opt-out option. The FTC claimed this violated OkCupid's privacy policy, which only allowed sharing with service providers and business partners, not unrelated third parties. Under the settlement, which carries no monetary penalty, Match Group is permanent...
The FTC announced enforcement action against OkCupid and Match Group for allegedly sharing nearly 3 million users' personal data - including photos, location information, and demographics - with a third party without authorization or contractual restrictions, reportedly because OkCupid's founders had financial ties to the recipient. Under the proposed settlement, both companies are permanently barred from misrepresenting their data collection, use, and disclosure practices, with future violat...
Italy's data protection authority fined Intesa Sanpaolo, the country's largest banking group, €31.8 million after an employee improperly accessed the banking information of 3,573 customers over a two-year period from February 2022 to April 2024. The regulator cited inadequate technical and organizational security measures that allowed the employee to conduct more than 6,600 unauthorized queries. The penalty represents one of Italy's largest data protection fines for insider misuse of customer...
T-Mobile confirmed a data breach affecting 47.8 million people, including 7.8 million current postpaid customers, over 40 million former or prospective customers, and 850,000 prepaid customers. Stolen data included names, dates of birth, Social Security numbers, and driver's license information, while 850,000 prepaid customers also had phone numbers and account PINs exposed. T-Mobile stated that payment card information was not compromised and reset PINs for affected prepaid accounts after di...
CareCloud reported to the SEC that an unauthorized third party temporarily accessed one of its six electronic health record environments on March 16, disrupting functionality for about eight hours before systems were restored. The health technology company is investigating whether patient information was accessed or stolen during the breach, which affected its CareCloud Health division but was reportedly contained to that single environment. CareCloud has engaged cybersecurity experts and not...
Settlement approved for Canadians affected by past 23andMe data breach
Hong Kong's Correctional Services Department disclosed that a hacker illegally accessed its IT systems on Tuesday, compromising personal data of 6,800 current and former prison employees including names, birthdates, academic qualifications, employment history, and email addresses. The breach occurred when the attacker first infiltrated the department's internal Knowledge Management System and then gained entry to a separate system containing staff data. Authorities have notified affected indi...
Dutch Police discloses security breach after phishing attack
Ajax data breach exposed season tickets, supporter bans open to tampering - Help Net Security
Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit
Lakeview Loan Servicing agrees to $26M settlement over data breach. Here's how to file a claim
Corewell Health says patients' social security numbers and more may have been compromised in data breach
European Parliament rejects extension of CSAM scanning rules for tech platforms
The European Commission confirmed a cyberattack on its cloud infrastructure hosting Europa.eu websites, with hackers reportedly stealing over 350 gigabytes of data from the Commission's Amazon Web Services account. The Commission stated its internal systems were not affected and the attack has been contained, though the investigation is ongoing to determine what specific data was taken. The breach affected the Commission's web presence platform, and the organization is notifying entities that...
Iran-linked hackers breached FBI Director Kash Patel's personal Gmail account and published over 300 emails along with personal photographs dating from 2010 to 2019. The FBI confirmed the breach but stated the compromised data was historical and contained no government information, while the hacker group Handala Hack Team - believed by Western researchers to be linked to Iranian government cyber-intelligence - publicly posted the materials on their website. The incident demonstrates the vulne...
KERBER, ECK & BRAECKEL REACHES $1.4 MILLION SETTLEMENT OVER DATA BREACH IMPACTING CHRISTOPHER RURAL HEALTH PATIENTS
Judge tosses out X's advertiser boycott lawsuit
Fidelity Reaches $2.5M Settlement Over Data Breach Affecting 155,000 Customers
Nike Hit With Suit Over January Data Breach Affecting Thousands
Bank to pay $12,500 from $5.2m data settlement - see if you got the notice
Clinica Family Health & Wellness reveals 2025 data breach
Infinite Campus warns of breach after ShinyHunters claims data theft
HackerOne discloses employee data breach after Navia hack
Toll of Kaplan data breach surpasses 230K
Telehealth Platform Provider OpenLoop Health Disclosed Data Breach
Lapsus$ Hackers disclose more about AstraZeneca Data Breach - Cybersecurity Insiders
PURA set to vote Wednesday on Aquarion sale, Avangrid data breach findings
Utah Medical Clinic Sued by Insurer Over Data Breach Coverage
Education company Kaplan reports data breach impacting more than 230,000
Who are ShinyHunters and what is Telus Digital? Crunchyroll data breach explained. Here's how much and wha
RuneScape Boards - 222,762 breached accounts: In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data. The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted...
Balance Autism Settles Class Action Data Breach Lawsuit
Fidelity agrees to $2.5M class action settlement over alleged data security failure - Class Action Lawsuits
Attorney General Jackley's Genetic Data Privacy Bill Signed into Law
PowerSchool, Bain Can't Skirt MDL Over Student Data Breach
North Carolina tech worker found guilty of insider attack netting $2.5M ransom: Matt Kapko reports: A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday. Cameron...
Starbucks Confirms Data Breach from a Social Engineering Attack on a Business Partner
Mizuno USA settles data breach with cash payments and credit monitoring: Who can claim and how to file
UK police force presses pause on live facial recognition after study finds racial bias
DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Persons Affected by the ID Care Data Breach
Security Firm Aura Discloses Data Breach Impacting 900,000 Records - SecurityWeek
Deaconess Health System Data Breach Exposes SSNs and Sensitive Medical Records of Patients
Marquis Data Breach Affects 672,000 Individuals - SecurityWeek
PathStone Family Office, a wealth management firm overseeing roughly $160 billion in assets, was breached by the ShinyHunters cybercrime group in February 2026. The attackers exfiltrated 15 GB of data from PathStone's Salesforce environment, exposing personal information of over 91,000 clients including Social Security numbers, financial profiles, and estate planning records. A former intern has since filed a lawsuit against the firm over the breach.
Identity protection company Aura suffers massive 900,000 person data breach: customer information exposed
Navia discloses data breach impacting 2.7 million people
Judge mostly denies Frederick Health motion to dismiss data breach lawsuit
PPB Urges Alternative Tip Submissions Amid Reported Data Breach
Data breach linked to Crime Stoppers; Portland Police urge avoiding tip service for now
UK fines 4chan nearly $700,000 for failing its online safety act obligations
Baltimore watchdog uncovers thousands in fraudulent billing, confidential data breach related to youth crimefighting program
Telus Digital confirms massive 1 petabyte data breach by hackers
Lawsuit filed against Ericsson following US data breach
MedPeds Associates of Sarasota Notice of Data Breach
Bank software vendor Marquis says more than 670,000 impacted by August breach
Kaplan North America Data Breach Alert Issued By Wolf Haldenstein
OpenLoop Health Data Breach Affects 68,160 Texans
Aura confirms data breach exposing 900,000 records after a voice-phishing attack on an employee with access to a legacy marketing platform. Names, emails, addresses, and phone numbers were compromised, fueling targeted phishing risks for 35,000 current and former customers.
Glass Products Co. Reaches Deal In Data Breach Suit
The FBI confirms it's buying Americans' location data
CommonSpirit Health Patients Affected by Vendor Data Breach
Geisinger, Nuance Reach $5 Million Settlement After Data Breach
Baltimore IG refers fraud, data sharing in crime prevention office for criminal investigation
Data breach reported by Google News - Security & Encryption: Class actions claim CarGurus data breach exposed 1.2 million consumers’ PII - Class Action Lawsuits
Regulatory action reported by Google News - Enforcement: French court upholds €40 million GDPR fine for Criteo - Digital Watch Observatory
Legal action reported by Google News - Security & Encryption: Myers Auto Group Data Breach Class Action Settlement - Claim Depot
Legal action reported by Engadget: xAI is being sued by teens who say Grok created CSAM using their photos
Reported by Google News - Enforcement: Encyclopedia Britannica Sues OpenAI Over AI Training Data. Is Grokipedia Next? - Gizmodo
Community bank reaches $2.4M agreement in 2023 data breach class action
Fidelity Agrees to Pay $2.5M in Data Breach Class Action
Intuitive Surgical confirms phishing-related data breach
Major data breach prompts about $6.5M penalty for Lotte Card
Data breach reported by HIBP - Baydöner - 1,266,822 breached accounts: In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small...
Data breach reported by HIBP - Divine Skins - 105,814 breached accounts: In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the...
Data breach reported by Google News - Security & Encryption: Were you affected by the Numotion data breach? You could receive a $15,000 payment - MARCA
Data breach reported by Google News - Security & Encryption: American drivers to get up to $4.5k under $1.5 million 'data breach' settlement - The US Sun
Regulatory action reported by Google News - Privacy & Data: ICO publishes guidance on data protection complaints processes (via Passle) - Slaughter and May
Legal action reported by Engadget: Adobe agrees to pay settlement for making its subscriptions hard to cancel
Data breach reported by BleepingComputer: Telus Digital confirms breach after hacker claims 1 petabyte data theft
Data breach reported by BleepingComputer: England Hockey investigating ransomware data breach
Data breach reported by The Register: Ericsson blames vendor vishing slip-up for breach exposing thousands of records
Data breach reported by Google News - Security & Encryption: Loblaw Data Breach Impacts Customer Information - SecurityWeek
Data breach reported by The Register: FBI is investigating breach that may have hit its wiretapping tools
Regulatory action reported by Google News: Data privacy violations result in $1.1M penalty for PlayOn Sports | brief | SC Media - SC Media
Legal action reported by TechCrunch: Meta sued over AI smart glasses’ privacy concerns, after workers reviewed nudity, sex, and other footage
Reported by Google News: Maine Senate advances amended data privacy bill that would exempt political groups - newscentermaine.com
Reported by Google News: xAI loses bid to halt California AI data disclosure law - Reuters
Reported by EPIC: SCOTUS to Hear Case Over Proper Scope of the Video Privacy Protection Act (VPPA)
Data breach reported by HIBP - KomikoAI - 1,060,191 breached accounts: In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to...
Data breach reported by HIBP - CarMax - 431,371 breached accounts: In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
Data breach reported by HIBP - APOIA.se - 450,764 breached accounts: In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Data breach reported by HIBP - University of Pennsylvania - 623,750 breached accounts: In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 ...