Industry Privacy News
Event Timeline
273 events
Dutch police investigating the February cyberattack on telecom provider Odido, which exposed personal data of over 6 million customers, have identified a suspected local accomplice who posed as an IT employee to help hackers gain access to the company's customer contact system. Authorities are working to identify the Dutch-speaking caller and may publicly release a voice recording to aid the investigation. Police have seized servers used to distribute the stolen data and are appealing for inf...
A former ransomware negotiator was sentenced to 70 months in prison for colluding with BlackCat ransomware affiliates while working for DigitalMint, sharing confidential client information including insurance limits to maximize ransom payments totaling $75.3 million from five U.S. companies between April and September 2023. The betrayal meant victims unknowingly negotiated with the very person supposed to help them, with individual ransoms reaching nearly $27 million. Two co-conspirators who ...
The European Data Protection Board opened a public consultation on a new standardized template for personal data breach notifications, featuring approximately 126 questions covering incident details, affected individuals, risk assessments, and remedial measures. The template uses conditional logic and predefined response options to help organizations provide consistent information to data protection authorities across the EU. Stakeholders can submit comments until August 5, 2026.
Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center
Vendor reaches $1.8M settlement over data breach affecting Catholic Health patients
Mount Royal University confirmed that a ransomware attack compromised employee and student data after an unauthorized actor accessed, copied, and deleted information from the school's file storage system. The attacker targeted the university's H drive, which contains personal information from staff work and student academics, and deleted corporate data from the J drive, though the school found no evidence that J drive data was accessed before deletion. MRU is offering two years of credit moni...
Illinois Governor JB Pritzker signed the Artificial Intelligence Safety Measures Act, requiring the largest AI developers (those generating over $500 million annually) to publicly document how they assess catastrophic risks like weapons assistance or cyberattacks, and to report harmful incidents to the state within 24-72 hours. The law mirrors recent California and New York regulations, and together these three states represent an estimated 40% of the U.S. AI market, effectively creating nati...
A ransomware group called Unsafe claimed to have breached Deutsche Bank's internal systems and posted samples of employee data on a dark web leak site, including email addresses, password hashes, and physical addresses. Security researchers warn the stolen employee records could enable phishing attacks, credential cracking, or further network intrusion, though it remains unclear whether customer data was compromised. Deutsche Bank has not yet confirmed the breach or responded to requests for ...
Global IT services firm Accenture confirmed a security breach after a hacker claimed to have stolen 35GB of data, including source code, RSA keys, SSH keys, and Azure access credentials, and offered it for sale on a cybercrime forum. The company stated it remediated the issue and experienced no impact to operations or service delivery, but did not disclose how attackers gained access or whether customer data was affected. This marks Accenture's third publicly disclosed breach since 2021.
The Moody Bible Institute suffered a data breach exposing personal information of 2.3 million donors, supporters, students, and alumni after the extortion group ShinyHunters published stolen data when ransom demands were not met. The compromised information includes names, dates of birth, physical and email addresses, phone numbers, genders, and marital statuses, creating risks for identity theft and targeted phishing attacks. The institute has engaged cybersecurity experts to investigate and...
Florida Attorney General James Uthmeier and Roku reached a settlement in June 2026 resolving allegations that Roku collected and sold children's sensitive data - including viewing habits, voice recordings, and geolocation - without proper parental consent under Florida's Digital Bill of Rights. Under the agreement, which includes no fine or admission of wrongdoing, Roku will invest an estimated $25 million to enhance parental controls and deploy the changes nationwide within 12 months. The re...
Hong Kong's Shun Hing Group, a major conglomerate and Panasonic distributor, suffered a March cyberattack that exposed personal data of approximately 920,000 customers, including names, addresses, phone numbers, and email addresses. The company detected the breach on March 20, reported it to police and Hong Kong's privacy commissioner, and hired cybersecurity specialists to investigate and strengthen defenses. Privacy experts are calling for government-imposed fines on companies that experien...
Insurance companies Aflac and Zurich disclosed that approximately 2 million Japanese customers had their personal information compromised after a third-party US subcontractor was breached, with hackers posting the stolen data for sale online. Aflac reported that 1.3 million cancer insurance customers' data was exposed, including age, gender, policy numbers and coverage amounts, while Zurich confirmed 760,000 auto insurance customers had names, birth dates, email addresses and vehicle informat...
American insurance giant Aflac disclosed that attackers breached its Japan subsidiary's systems earlier this month, stealing personal and bank account information belonging to customers. The company, which is the largest supplemental insurance provider in the United States and serves millions in both the U.S. and Japan, reported the incident to the U.S. Securities and Exchange Commission. The breach exposes sensitive financial and personal data of affected customers at Aflac Japan.
Aflac reported a data breach in Japan affecting approximately 4.38 million customers and insurance agents after attackers accessed its policyholder portal between June 15 and June 25. The compromised information includes personal details, contact information, insurance policy data, and banking records for about 230,000 customers, though no credit card information was exposed. Aflac detected the breach on June 25 following unusual system activity and has engaged cybersecurity specialists to in...
Nissan disclosed a data breach affecting current and former employees in the United States, Canada, Mexico, and Brazil after attackers exploited a zero-day vulnerability in Oracle PeopleSoft software. The breach, linked to the ShinyHunters extortion group, potentially exposed sensitive personal information including Social Security numbers, banking details, tax records, and dependent information. Nissan is offering affected employees free credit monitoring and has restricted access to payroll...
Bradford Health Services, an Alabama-based addiction treatment and mental health provider operating 28 facilities nationwide, has settled a class action lawsuit stemming from a December 2023 data breach. The breach, detected through unusual network activity, exposed personal information including names, Social Security numbers, driver's license numbers, and dates of birth of patients who received treatment services. The settlement resolves legal claims related to the unauthorized access of pr...
The U.S. Supreme Court ruled 6-3 that law enforcement must obtain a warrant before using geofence warrants, which collect cellphone location data from all users in a broad area, not just suspects. The Court found that individuals have a reasonable expectation of privacy in their location data, and accessing it constitutes a Fourth Amendment search requiring probable cause. The decision limits a surveillance practice that previously allowed police to gather tracking information on potentially ...
Japanese telecommunications operator KDDI Corporation disclosed a data breach affecting up to 14.2 million email accounts across six ISPs, after attackers exploited a vulnerability in third-party software on June 17. The breach potentially exposed email addresses and passwords of current and former customers, though some passwords were stored in hashed or encrypted form. Affected customers are advised to reset their email passwords immediately and enable two-factor authentication where availa...
Australia has doubled the maximum fine for social media companies violating its under-16 age ban to 99 million AUD ($68 million), while granting its eSafety Commissioner expanded enforcement powers to demand compliance evidence from platforms and third parties. Despite claims of over five million underage accounts being removed since the ban took effect in December, recent studies indicate 61-85% of Australian children under 16 still access social media. The government cited insufficient comp...
LastPass confirmed that customer support data - including names, contact details, and support ticket contents - was exposed through a breach at Klue, a third-party market research vendor it uses. The breach occurred when attackers exploited an old credential from a 2022 pilot project that remained active, affecting multiple companies beyond LastPass. While no password vaults or master passwords were compromised, the exposed information could be used for phishing or social engineering attacks ...
Bradford Health Services and Bradford Health Partners settled a class action lawsuit stemming from a December 2023 cyberattack that compromised sensitive data of over 32,000 patients, including Social Security numbers, medical records, and financial information. The Hunters International threat group claimed to have stolen more than 760 GB of data, and victims were not notified until 18 months after the breach was detected. Under the settlement, affected individuals can enroll in three years ...
South Korea Fines Crypto Exchange Bithumb for Sharing User Data Overseas
Tata Electronics confirmed a cyberattack that compromised parts of its IT systems, though the company states operations were unaffected. The World Leaks extortion group leaked data allegedly stolen from Tata, including manufacturing documents and schematics for Apple iPhone components such as PCB designs and material specifications. The incident highlights risks to supply chain manufacturers handling sensitive proprietary information for major technology companies.
Hackers breached Madison Square Garden's systems by calling a low-level employee and tricking them into granting access, a technique known as "vishing" or voice phishing. The attackers successfully stole a large cache of data from the venue through this social engineering tactic. This incident highlights the growing threat of phone-based social engineering attacks, which have become more common as younger, native English-speaking hackers have entered the cybercrime landscape.
A federal appeals court ruling in Webb v. Injured Workers Pharmacy established that data breach victims can demonstrate legal standing even without proven misuse of their stolen information, if they spent time responding to the breach and face material risk of future harm. The decision has been cited over seventy times in two years and has become a key reference for courts evaluating whether data breach victims have sufficient injury to sue. This matters because it makes it easier for affecte...
LastPass confirmed that hackers accessed customer data from its Salesforce environment after stealing OAuth tokens in a supply chain attack on Klue, a third-party market intelligence platform used by LastPass employees. The breach exposed customer names, phone numbers, email addresses, physical addresses, support case details, and sales data, though LastPass password vaults were not compromised. Users are warned to watch for phishing attempts using the stolen information, and LastPass emphasi...
Dialog, an invite-only group cofounded by Peter Thiel, exposed personal information of 113 past event participants and registrants for an upcoming retreat through a misconfigured website that made internal files publicly accessible to anyone who visited the app landing page. The exposed data included names, contact information, and login tokens for senior figures including NATO officials, US senators, the treasury secretary, and White House intelligence officials, though Dialog claimed the in...
Tata Electronics, a major supplier to Apple and Tesla, confirmed a cybersecurity incident after hackers posted over 630 GB of stolen data on a forum, allegedly containing Apple supplier specifications, Tesla manufacturing documents, and internal communications. The company stated the breach occurred "a few weeks ago" but declined to specify what data was compromised or whether customer information was exposed. The incident affects a key player in global electronics and semiconductor supply ch...
LastPass customers had their names, contact details, physical addresses, and customer support case records stolen when hackers breached Klue, a market research firm that LastPass uses as a technology partner. While LastPass's own systems and password vaults were not compromised in this incident, the stolen support tickets may contain fragments of sensitive information such as credentials or identity documents that customers shared while seeking help. This marks the latest breach affecting Las...
Market intelligence provider Klue suffered a data breach after hackers used compromised credentials to access customer cloud databases, stealing business contact information including names, emails, phone numbers, and job titles from multiple cybersecurity firms like HackerOne, Snyk, and Tanium. The cybercrime group Icarus claimed responsibility and threatened to publish the stolen data unless a ransom is paid. This incident highlights the growing risk of supply chain attacks where hackers co...
Two men pleaded guilty to charges related to a cyberattack on Transport for London that began in August 2024, disrupting services for three months and costing the operator £39 million. The hack affected 10 million customers, compromising personal information from TfL's Oyster refunds system and forcing the shutdown of online services including contactless refunds and photocard applications. Investigators linked the attack to the criminal group Scattered Spider, which has targeted other major ...
KerberRose Wealth Management, a Wisconsin-based financial services firm, experienced a data breach on April 29 that affected approximately 27,000 clients, with the suspicious activity discovered two days later on May 1. The company notified affected customers and offered two years of credit monitoring and identity protection services, though the breach only became publicly known because some impacted customers resided in states like Massachusetts and Maine that require public disclosure. Wisc...
Threat actors exploited a security breach at market intelligence platform Klue to steal OAuth tokens, which they used to access and exfiltrate Salesforce CRM data from multiple organizations over a 24-hour period using automated scripts. The attackers, identified as a relatively new extortion group called "Icarus," are now demanding ransom payments from affected Klue customers. Salesforce has disabled the Klue Battlecards integration while the incident is investigated, preventing organization...
A data breach at the Texas Parks & Wildlife Department exposed the driver's license information and passport numbers of more than 3 million people, along with email addresses, phone numbers, and residential addresses. Hackers accessed the department's license system vendor, which handles hunting and fishing license sales, though the department has not disclosed when the breach occurred or identified the vendor involved. This incident represents one of the largest data breaches affecting Texas...
HCRG Care Group, a major private provider of NHS services in Kent and Surrey, is investigating a ransomware attack in which hackers claim to have breached more than two terabytes of sensitive patient information. The company implemented containment measures after staff reported IT issues and difficulties accessing patient data, and has notified the Information Commissioner and regulators. Services continue to operate, though some patient appointments were rescheduled due to the incident.
Nintendo confirmed that 160,000 user accounts were accessed through its Nintendo Network ID system starting in early April, exposing personal information including names, dates of birth, email addresses, and potentially Nintendo store payment details. The company believes attackers impersonated legitimate logins and has responded by disabling NNID login access, forcing password resets, and urging users to enable multi-factor authentication. Users who reused passwords between their NNID and Ni...
A federal appeals court ruled that Ohio can enforce a law requiring social media companies to obtain parental consent before allowing children under 16 to use their platforms, overturning a previous injunction. The court found the law does not violate free speech protections, despite challenges from tech industry group NetChoice, which argued it restricts children's access to protected content and threatens online privacy. The law requires age verification and applies to platforms like Instag...
US court rules Ohio can restrict children's use of social media
A former healthcare worker at the London Clinic has been formally cautioned by the UK's Information Commissioner's Office for deliberately accessing the Princess of Wales's medical records without authorization and attempting to sell them for financial gain during her hospitalization in January 2024. The ICO conducted a criminal investigation after the hospital reported the breach in March 2024, determining that a caution was the appropriate enforcement response for what it described as a cle...
Nintendo confirmed a data breach affecting approximately 160,000 accounts caused by hackers impersonating Nintendo Network IDs from the Wii U/3DS era. The breach exposed users' names, dates of birth, countries, and email addresses, though no credit card information was stolen. In response, Nintendo disabled the ability to log into Nintendo Accounts using Nintendo Network IDs and reset passwords for affected users.
Cybercriminals have compromised over 30,000 Fortinet firewalls and VPNs worldwide by exploiting weak or unchanged default passwords rather than unknown vulnerabilities, affecting major companies including Accenture, Comcast, Lenovo, and Samsung. The attackers use automated tools to scan for exposed devices, then leverage previously stolen credentials to break in and harvest additional passwords from network traffic, creating a self-perpetuating attack cycle. Victims span numerous industries a...
Vermont's governor signed the Vermont Data Privacy and Online Surveillance Act into law, establishing comprehensive data privacy protections that will take effect January 1, 2028. The law applies to businesses processing data of at least 35,000 Vermont consumers and grants residents rights to access, correct, delete their data, and opt out of targeted advertising, data sales, and certain profiling activities. Companies covered by the law must conduct risk assessments for high-risk processing ...
Vermont's Governor signed S.B. 110 into law, expanding the state's data breach notification requirements to include additional types of personal information such as online login credentials, biometric data, genetic information, and health records. The law also creates new student privacy protections for educational technology services, restricting how operators can collect, use, and disclose student data. These requirements took effect on July 1, 2020.
Rochester Regional Health patients received breach notification letters after a May cyberattack on MOVEit file transfer software exposed names, birthdates, and health information belonging to 18,600 individuals. The breach affected GRIPA (Greater Rochester Independent Practice Association), which coordinates healthcare services for providers across the region, meaning patients were impacted even if they never directly worked with the organization. Affected individuals are being offered credit...
Digital healthcare company iRhythm Holdings disclosed that hackers used social engineering to steal patient health information and personal data from third-party business applications, with attackers demanding ransom payment to prevent public disclosure of the stolen data. The breach affects patients who used iRhythm's cardiac monitoring service, which has analyzed heartbeat data from over 12 million patients, though the company has not disclosed how many individuals are impacted. iRhythm con...
Pharmaceutical company Novo Nordisk refused to pay a $25 million ransom demand from hacking group FulcrumSec, which claims to have stolen over a terabyte of data including employee information, clinical trial patient data, and proprietary drug information after spending two months inside the company's networks. The group is now exploring private sales of some stolen data while withholding employee, physician, and patient information as part of what it calls a harm-reduction strategy. Novo Nor...
Alta Resources Corp. agreed to pay $675,000 to settle a class action lawsuit stemming from a November 2023 data breach that exposed sensitive personal and health information of individuals who received breach notification letters. Affected individuals can claim up to $2,000 for documented out-of-pocket losses related to identity theft or fraud, an estimated $50 alternative cash payment without documentation, or two years of credit monitoring with $1 million identity theft insurance. The claim...
The bankruptcy plan administrator for 23andMe agreed to pay $46.75 million to settle claims from a 2023 data breach that exposed genetic information of approximately 6.9 million customers, with cyber insurance policies covering about $13 million of the payout. The breach, which lasted five months beginning in April 2023, compromised DNA Relatives profiles and Family Tree data through unauthorized account access. Individual settlement payments range from $50 to $10,000, with over 255,000 claim...
The ShinyHunters hacking group breached Infinite Campus's Salesforce system in March, exposing personal information from 137,000 school staff accounts including names, email addresses, phone numbers, physical addresses, and job titles. Infinite Campus, which provides student information systems to over 3,200 U.S. school districts, confirmed the breach affected staff contact information but stated there was no evidence that student databases were compromised. The stolen data was subsequently l...
South Korea's Personal Information Protection Commission fined e-commerce giant Coupang approximately 623 billion won for a data breach that exposed personal information of 37.55 million people through a former employee's exploitation of authentication credentials, and for unlawfully collecting online browsing data from 11.17 million users without consent through its advertising business. Coupang's subsidiary received an additional 248 million won fine for misusing employee weight data from h...
Crimson Wine Group experienced a data breach between June 26-30, 2024, that exposed sensitive information of 26,238 individuals, including Social Security numbers, driver's license numbers, financial account details, and medical records. The company discovered the unauthorized access on July 15, 2024, and is providing affected individuals with one year of complimentary credit monitoring and identity restoration services. The breach poses risks of identity theft and financial fraud due to the ...
South Korea's data protection regulator fined e-commerce company Coupang a record $410 million for a data breach affecting approximately 37.5 million users, whose names, phone numbers, and delivery details were exposed. The regulator also penalized Coupang for collecting online activity records of 11.17 million users without permission, including tracking which websites and apps they visited. The fine represents the largest penalty ever imposed by South Korea's Personal Information Protection...
South Korea fined e-commerce giant Coupang a record $409 million after a former employee improperly accessed personal information from nearly 34 million customer accounts - roughly two-thirds of the country's population - for months without detection. Regulators found the breach resulted from inadequate security management rather than sophisticated hacking, exposing names, contact details, delivery addresses, and order histories. The fine is South Korea's largest ever for a data breach, with ...
The University of Nottingham confirmed that hackers accessed its student records system, exposing personal data of approximately 454,600 current and former students across its UK, Malaysia, and China campuses. The stolen information includes names, addresses, phone numbers, passport numbers, payment details, and sensitive data such as ethnicities and disabilities. The cybercrime group ShinyHunters claimed responsibility and posted stolen documents on their dark web leak site as part of a broa...
Novo Nordisk disclosed a cyberattack in which unauthorized parties copied de-identified patient data from some clinical trials, including information such as year of birth, sex, and health biomarkers, but not names or direct identifiers. The company temporarily took certain IT systems offline and is working with cybersecurity experts and authorities to investigate the incident. While Novo states the breach does not pose immediate risks to patients and considers it unlikely third parties could...
South Korea's Personal Information Protection Commission fined eCommerce platform Coupang a record 624.7 billion won (approximately $412 million) following a data breach affecting nearly 34 million accounts - roughly two-thirds of the country's population. The breach occurred when a former employee maintained unauthorized access to customer data for months due to what regulators called "negligent management" and inadequate security systems. The penalty includes fines for both the data leak it...
The ShinyHunters extortion gang is exploiting vulnerabilities in Oracle PeopleSoft servers to steal data from over 100 organizations, primarily in the education sector, with at least one university confirming a breach. The attackers claim to be using a combination of old and zero-day vulnerabilities to access both cloud and on-premises systems, then demanding ransom from victims. Organizations running PeopleSoft for managing HR, payroll, finance, and student data are affected, though Oracle h...
Canada has introduced legislation to ban social media access for children under 16 and establish safety standards for AI chatbots, with companies facing penalties of up to 3% of global revenue or C$10 million for non-compliance. The bill, which could take over a year to pass and 18 months to implement, follows similar action by Australia and reflects growing government concern about mental health impacts on young people. Officials cited incidents including a lawsuit against OpenAI alleging th...
A ransomware group called Qilin has been actively exploiting a security flaw in Check Point's VPN and firewall products since May 7, targeting dozens of organizations globally, including systems used by U.S. federal agencies. CISA ordered all civilian federal agencies to patch the vulnerability by June 11, citing the immediate threat to government networks. The breach demonstrates how security tools themselves can become entry points for attackers when vulnerabilities are exploited before pat...
Law firm Fox Rothschild is facing a class action lawsuit after a May data breach allegedly exposed names and Social Security numbers of thousands of individuals. The breach, attributed to the Silent Ransom Group, reportedly occurred when one of the firm's attorneys fell victim to a social engineering attack that compromised a single device. The plaintiff claims the firm failed to notify affected individuals and did not implement adequate security measures to protect sensitive data.
The University of Oxford disclosed that its third-party CareerConnect careers platform, operated by Group GTI, was breached on May 28, exposing users' names, email addresses, and encrypted passwords for non-SSO accounts. The breach, which also affects other UK universities using the platform like King's College London and the University of Manchester, appears focused on credential harvesting for potential phishing attacks, prompting password resets for affected users. This marks Oxford's seco...
Mid and South Essex NHS Foundation Trust confirmed that 2,380 patient records, including test results and personal information like names and NHS numbers, were stolen in a June 2024 cyber attack on third-party testing provider Synnovis. The Russia-based Qilin ransomware group claimed responsibility for the breach, which affected multiple NHS organizations across England and resulted in stolen data being published on the dark web. The trust is now contacting affected patients and has brought i...
A man was convicted of four terrorist offences after he obtained, manipulated, and analyzed sensitive PSNI officer data that was accidentally released in a 2023 Freedom of Information breach affecting over 10,000 entries. Prosecutors presented evidence that Christopher Paul O'Kane actively sought out the leaked spreadsheet containing officer names, ranks, and locations, highlighted specific officers known to him, and searched online for methods of remote detonation of explosive devices. The c...
Bayview Asset Management and its mortgage servicing subsidiaries are facing class action lawsuits after a 2021 data breach compromised the sensitive information of over 5 million consumers. Plaintiffs allege the companies failed to follow standard security practices, including not encrypting personally identifiable information and failing to detect that a hacker accessed their systems for 41 days after an employee clicked a malicious link. The companies are now objecting to a proposed amended...
The FTC ordered Illuminate Education to implement stronger data security measures following a 2021 breach that exposed information on 10.1 million students. The company ignored a 2020 warning about network vulnerabilities, stored sensitive data in plain text until 2022, and delayed notifying some school districts for nearly two years. Under the settlement, Illuminate must adopt a comprehensive security program, delete unnecessary data, and accelerate future breach notifications.
Massachusetts lawmakers unanimously passed a comprehensive data privacy law that gives residents the right to access and delete their personal data while banning companies from selling precise geolocation information without explicit consent. The law applies to companies processing data of more than 100,000 consumers and also prohibits the sale of other sensitive information including biometric data, health records, and details about religion or sexual orientation. The statewide ban on locati...
HVAC/R wholesale distributor Baker Distributing Company suffered a data breach in May 2025 when the ShinyHunters extortion group extracted data from the company's SharePoint and Salesforce systems, exposing information from approximately 103,000 accounts. The leaked data included email addresses, names, physical addresses, phone numbers, and customer support tickets related to Baker's HVAC contractor customer base. While the exposed information was primarily corporate contact and support data...
Dental benefits administrator DentaQuest suffered a data breach exposing sensitive information of 2.6 million accounts, including email addresses, full names, phone numbers, government-issued IDs, health insurance information, and dates of birth. The extortion group ShinyHunters publicly leaked over 234 GB of stolen data after failing to reach an agreement with the company. Affected individuals face increased risk of phishing and social engineering attacks due to the comprehensive nature of t...
Visual Arts, publisher of visual novels including Clannad, suffered a data breach in April when attackers stole authentication credentials to access their cloud storage and internal systems. The company confirmed that over 10,000 pieces of personal information belonging to employees, customers, business partners, and job applicants were potentially compromised, along with the leak of an unreleased game build to an overseas website. Visual Arts has reported the incident to Japan's Personal Inf...
A data breach at IMA Diligence Services exposed the personal information of 525,000 individuals after attackers compromised a legacy server managed by a third-party vendor. The breach demonstrates the ongoing security risks posed by outdated systems and third-party infrastructure. Affected individuals face potential identity theft and fraud risks from the stolen personal data.
A Finnish court overturned a €1.1 million fine against pharmacy chain Yliopiston Apteekki for using Google and Meta tracking technologies on customers between 2018-2022, despite confirming the company violated GDPR. The court ruled that the university-owned pharmacy, as an independent public law institution, cannot be subject to administrative penalties under data protection regulations. The pharmacy discontinued the tracking technologies in September 2022.
Carnival disclosed a data breach affecting Texas passengers that exposed personal information including names, addresses, and potentially other sensitive identifiers such as passport and driver's license information. The cruise company has begun notifying affected individuals and is cooperating with authorities to investigate the unauthorized access. The breach raises concerns about identity theft and fraud risks for those whose information was compromised.
In May 2026, Atlas Menu, a cheat service for GTA V and CS2 games, suffered a data breach when an attacker gained access to its systems and published the service's database on GitHub. The breach exposed approximately 64,000 user accounts, including email addresses, usernames, IP addresses, support tickets, and bcrypt-hashed passwords. Users of the service are advised to change their passwords immediately, especially if reused on other accounts, and enable two-factor authentication where availa...
A Kentucky school district received approximately $27 million in settlements from Meta ($9 million), Snap ($8 million), ByteDance ($8 million), and Alphabet ($2 million) over claims that their platforms fueled student mental health crises through addictive design features. The Breathitt County case, which settled before a planned June trial, was set to be the first test case among lawsuits filed by 1,200 other school districts alleging social media companies designed platforms to keep young u...
The ShinyHunters ransomware group breached American insurance company Kemper Corporation in April 2024 through social engineering attacks on its Salesforce environment, compromising data from 269,299 accounts. The leaked information included email addresses, names, phone numbers, physical addresses, and partial payment card details including the last four digits, expiry dates, and card brands. Kemper confirmed the incident and reported engaging cybersecurity experts and law enforcement.
A Romanian national was sentenced to 56 months in federal prison for hacking into Oregon's Department of Emergency Management network in 2021 and selling access to buyers, along with stolen personal data including names, email addresses, birth dates, and passport numbers of individuals in the system. He also sold access to nearly a dozen other U.S. victims' networks, resulting in at least $250,000 in total losses. The case highlights ongoing risks to government systems and the trafficking of ...
California Attorney General Rob Bonta is suing Chrome Holding Co., the successor to 23andMe, over a 2023 data breach that exposed sensitive genetic information of nearly seven million users through a credential-stuffing attack. The breach revealed genetic predispositions, ancestry data, and information about biological relatives, with hackers specifically advertising stolen data from Asian American Pacific Islander and Jewish users on the dark web. The lawsuit alleges 23andMe failed to implem...
California lawmakers are advancing legislation (SB 354) that would modernize insurance data privacy laws, giving consumers more control over how their personal information is collected, used, and shared by insurers and third-party service providers. The bill would authorize the state insurance commissioner to investigate violations and impose penalties ranging from $5,000 to $1 million, addressing gaps in oversight as insurers increasingly use sophisticated technologies to process sensitive c...
Oklahoma Attorney General Gentner Drummond filed a lawsuit against online marketplace Temu alleging the company collects consumers' sensitive data without their consent and transfers it to the Chinese government. The lawsuit, filed in Cleveland County, also accuses the Boston-based company, owned by Chinese firm PDD Holdings, of illegally selling merchandise bearing Oklahoma trademarks including those of the Oklahoma City Thunder and state universities. Temu has denied the allegations and sta...
Lithuania's State Enterprise Center of Registers was hacked, exposing over 600,000 real estate registry records containing names, identification numbers, dates of birth, and property information. Attackers allegedly accessed the system through compromised credentials from the Migration Department, with connections traced to a foreign state. Lithuanian officials are particularly concerned the breach could endanger Russian and Belarusian political exiles living in Lithuania by exposing their re...
UK Visa Portal, a third-party immigration service website, exposed at least 100,000 passports and selfie photos of visa applicants through a publicly accessible Amazon storage server due to a misconfiguration. The exposed documents included location data that in some cases revealed applicants' home addresses, and the company responded to disclosure by sending lawyers rather than immediately fixing the security flaw. The breach highlights risks of sensitive identity documents being inadequatel...
Dutch police arrested a 35-year-old man suspected of repeatedly accessing Ajax football club's computer systems through an unpatched vulnerability disclosed in March. The breach exposed email addresses of several hundred people and limited personal information of individuals with stadium bans, though some reports suggest it may have affected over 300,000 registered supporters and 42,000 season tickets. The incident highlights the growing trend of cyberattacks targeting sports organizations, w...
Dutch government blocks sale of DigiD operator Solvinity to US tech firm due to data security concerns
A data breach at 7-Eleven exposed the personal information of over 185,000 people, including names, dates of birth, addresses, phone numbers, email addresses, and in some cases Social Security numbers and driver's license numbers. The ShinyHunters hacking group gained access to an internal server containing franchisee documents and demanded payment to prevent publication of the stolen data. The breach affects customers and franchisees whose sensitive personal information was stored on the com...
Hackers breached Unimed, a billing service provider for German hospitals, stealing patient data from at least six university medical centers in mid-April. The compromised information includes names, addresses, and in some cases health records and billing details linked to diagnoses, affecting over 100,000 patients - mostly those with private insurance or self-paying arrangements. No attackers have claimed responsibility, and affected hospitals have suspended data transfers to the provider whi...
Trump Mobile confirmed it exposed customers' personal data - including names, email addresses, home addresses, and phone numbers - to the open internet through a third-party platform provider. The company claims no breach of its own systems occurred and found no evidence that financial information was compromised. Trump Mobile is still evaluating whether to notify affected customers, despite YouTubers and a researcher unsuccessfully attempting to alert the company about the exposure earlier t...
Beacon Mutual Insurance Company, a workers' compensation insurer and state vendor in Rhode Island, confirmed it experienced a ransomware attack on January 14 that compromised its systems, though its live production environment remained unaffected and operations resumed by January 20. The Warwick-based company is conducting a forensic investigation to determine what personal information may have been stolen and has stated it will notify any individuals whose data was affected. As the third-par...
Alera Group, a national insurance brokerage firm, agreed to a $2 million settlement after unauthorized individuals accessed its computer systems between July and August 2024, potentially exposing sensitive personal and medical information of employees, dependents, clients, and partners. Affected individuals were not notified until nearly a year after the breach occurred, prompting criticism from officials over the delayed disclosure. Eligible U.S. residents who received breach notification ca...
A January ransomware attack on Beacon Mutual Insurance, Rhode Island's workers' compensation administrator, exposed personal information of approximately 132,000 Rhode Islanders, including about 4,500 current and former state employees. The breach affected around 162,000 people total across multiple states, though Beacon confirmed that compromised systems did not connect to state networks. The company disclosed the incident to Rhode Island's Attorney General in May and is directly notifying a...
In January 2021, the parody site Windows93 suffered a data breach affecting its Myspace93 sub-site when attackers exploited a beta application to download server files containing 46,000 user accounts. The compromised data, leaked in June 2021, included email addresses, IP addresses, usernames, and passwords stored in plain text. Users who had accounts on Myspace93 should immediately change their passwords, especially if they reused the same credentials on other sites, and enable two-factor au...
A data breach targeting the Canvas educational platform in early May potentially compromised the personal information of approximately 1,700 people in Canada's Northwest Territories, including teachers, education staff, government employees, and contractors. The exposed data includes names, email addresses, and enrollment or training information, though the territorial government confirmed no passwords or financial information were accessed. The parent company Instructure reportedly reached a...
The Federal Trade Commission settled with Cox Media Group and two marketing firms for nearly $1 million after they falsely claimed their "Active Listening" service could target ads based on audio recordings from consumers' smart devices. The FTC found the companies were not actually collecting voice data as advertised but were simply reselling consumer email lists at marked-up prices while misrepresenting that consumers had consented to audio collection. The settlement requires the companies ...
A cyberattack on Canvas, a widely used learning management platform, potentially exposed personal information including names, email addresses, student numbers, and messages of 275 million users across thousands of universities worldwide. The parent company Instructure reached an agreement with the hacking group ShinyHunters, which claimed to have returned and destroyed the stolen data and promised not to extort customers. The breach affected educational institutions globally, including schoo...
GitHub confirmed that hackers from the TeamPCP cybercrime group gained unauthorized access to approximately 3,800 internal code repositories after compromising an employee's device through a malicious VS Code extension. The Microsoft-owned platform stated that the breach was limited to internal repositories and did not affect customer data, though the stolen code is now being offered for sale on cybercrime forums for $50,000. GitHub has rotated critical credentials and is conducting a full in...
The California Supreme Court ruled that plaintiffs can sue over medical record data breaches without proving their information was actually viewed by unauthorized parties. However, the court dismissed a student's lawsuit against educational contractor Illuminate Education over a 2022 breach, finding the company did not qualify as a healthcare provider under state confidentiality laws and that student educational assessments do not constitute medical information. The decision clarifies when Ca...
Grafana suffered a data breach after hackers used a GitHub workflow token that was not rotated following the TanStack npm supply-chain attack, allowing unauthorized access to private repositories. The attackers stole source code and business contact information, including names and email addresses used in professional relationships, but Grafana states no customer production data or systems were compromised. The breach occurred despite an initial incident response that rotated most tokens, wit...
Nucor Corp. reached a class action settlement over a May 2025 data breach that exposed personal information, offering affected individuals up to $8,200 in compensation for documented expenses and losses. Class members who received breach notification letters in June 2025 can claim reimbursement for out-of-pocket costs like credit monitoring and bank fees (up to $700), lost time (up to $75), and extraordinary losses from identity theft (up to $7,500). The total settlement fund is capped at $20...
The Police Service of Northern Ireland (PSNI) has paid almost £40 million in compensation to over 5,000 officers and civilian staff following a 2023 data breach that accidentally released personal details of all 9,400 PSNI personnel. Each claimant who accepted the universal settlement offer received £7,500, while several hundred additional claims remain ongoing. Stormont ministers set aside £119 million total to address the breach, which a law firm described as unprecedented in scale for Nort...
Texas Attorney General filed a lawsuit against Netflix alleging the company misled users about data collection practices, including falsely claiming paid subscribers wouldn't face data-driven advertising and that children's profiles don't collect behavioral data. The lawsuit also accuses Netflix of using addictive design features like autoplay to extend viewing sessions, particularly affecting children. The AG seeks to stop the alleged unlawful data collection, require autoplay to be disabled...
Texas Attorney General filed a lawsuit against Netflix under the Texas Deceptive Trade Practices Act on May 11, 2026, alleging the company collected personal information, including from children, through misleading disclosures. The lawsuit also claims Netflix used dark patterns to make its platform addictive. The action represents enforcement of state consumer protection laws against a major streaming platform's data collection practices.
7-Eleven confirmed a data breach after the hacking group ShinyHunters demanded ransom, claiming to have stolen over 600,000 Salesforce records containing personal information and corporate data. The breach affects customers whose personal details were stored in 7-Eleven's Salesforce system. This incident is part of a broader pattern of attacks by ShinyHunters, which has also been linked to recent breaches at other major companies.
Texas Attorney General Ken Paxton filed a lawsuit against Netflix on May 11, alleging the streaming service illegally collects and tracks viewing habits, preferences, and behavioral data from users including children without their knowledge or consent, then sells this information to other companies for profit. The lawsuit claims Netflix violated the Texas Deceptive Trade Practices Act and seeks to stop the data collection practices and require the platform to disable autoplay by default on ch...
NYC Health + Hospitals, the largest public health system in the United States, disclosed a data breach affecting at least 1.8 million people after hackers accessed its network for three months through a compromised third-party vendor. The stolen data includes medical records, health insurance information, Social Security numbers, driver's licenses, and irreplaceable biometric data such as fingerprints and palm prints. The breach primarily impacts uninsured New Yorkers and Medicaid recipients ...
Canvas, an educational platform used by schools nationwide, suffered data breaches on April 29 and May 7 that exposed usernames, email addresses, student ID numbers, and communications from over 275 million users at nearly 9,000 schools. The hacking group ShinyHunters claimed responsibility for the April breach, and Canvas owner Instructure reached an agreement with the attackers to return and destroy the stolen data. In Pittsfield, Massachusetts, the breach disrupted the grade reporting syst...
Vimeo confirmed a data breach affecting approximately 119,000 users after a security incident at third-party analytics vendor Anodot, which was linked to cloud platform Snowflake. The breach exposed user names, email addresses, video titles, and metadata, but did not compromise video content, login credentials, or payment information. Affected users face increased phishing risks as hackers can use the verified contact data for social engineering attacks.
The alleged main administrator of Dream Market, one of the largest dark web marketplaces before its 2019 shutdown, was arrested in Germany and indicted in the US on money laundering charges after allegedly moving millions in cryptocurrency commissions and converting them to gold bars. German authorities recovered approximately $1.7 million in gold bars and $1.2 million in suspected Dream Market proceeds during searches of his residence. The marketplace facilitated the sale of hundreds of kilo...
Canvas, an educational platform used by thousands of universities, suffered a ransomware attack that locked out students and teachers and resulted in stolen personal data. Although the parent company Instructure paid the ransom for system recovery and data deletion, a former White House cyber official warns the stolen information may still be circulating and could be used to target young people. Experts note the attack involved AI technology and represents a growing threat, as many ransomware...
In May 2026, real estate services firm Cushman & Wakefield was targeted by the ShinyHunters extortion group, which publicly leaked data affecting over 310,000 accounts after issuing a "pay or leak" demand. The exposed information consisted primarily of business contact data including email addresses, names, job titles, company addresses, and phone numbers from both Cushman & Wakefield employees and external corporate contacts. The breach primarily compromised professional rather than personal...
Community Bank, operating in Pennsylvania, Ohio, and West Virginia, disclosed to the SEC that it improperly submitted customer data - including names, dates of birth, and Social Security numbers - into an unauthorized AI application. The bank filed the disclosure due to the volume and sensitivity of the exposed information and is now investigating the incident while notifying affected customers as required by law. The bank did not specify which AI application was used or provide details about...
Texas Attorney General Ken Paxton sued Netflix, alleging the streaming company collects user data without consent and merges on-platform user information with off-platform data from ad-tech partners like Google and The Trade Desk. The lawsuit, filed under state consumer protection law, seeks to force Netflix to delete unlawfully collected data, stop using it for targeted advertising without explicit consent, and pay civil fines of up to $10,000 per violation. Netflix called the lawsuit meritl...
Texas Attorney General Ken Paxton sues Netflix over alleged collection of user data without permission
Oklahoma Attorney General Gentner Drummond filed a lawsuit against Temu alleging the shopping app illegally accessed users' cameras, microphones, and location data without their knowledge or consent. The complaint also claims Temu used deceptive sign-up schemes that promised prizes that never materialized and failed to disclose its use of forced labor in violation of U.S. trade policies. Temu denies the allegations and says it intends to defend itself vigorously.
Canvas, a widely-used learning management system, suffered a cyberattack that exposed usernames, email addresses, course names, enrollment information, and messages belonging to students, teachers, and staff across multiple school districts. Instructure CEO Steve Daly confirmed that core learning data like course content, submissions, and credentials were not compromised, and apologized for inadequate communication during the incident. School districts have warned users to watch for phishing ...
The UK's Information Commissioner's Office fined South Staffordshire Water £964,900 after a 2022 Cl0p ransomware attack exposed personal data of over 600,000 customers, including names, birthdates, bank details, and some medical information. The attack succeeded because hackers gained initial access through a 2020 phishing email and remained undetected in the company's systems for 20 months before being discovered. The ICO cited significant failures in data security practices that left custom...
Texas Attorney General Ken Paxton has sued Netflix, alleging the streaming service operates a large-scale surveillance program that collects data from users and children without proper consent. The lawsuit claims Netflix aims to monetize this data for profit, though the company has previously stated it does not sell user data to third parties. Netflix previously settled a 2011 privacy lawsuit for $9 million over alleged data sharing.
Texas AG Sues Netflix, Claiming The Streaming Service Collects User Data Without Consent
Texas Attorney General Ken Paxton filed a lawsuit against Netflix alleging the company collects and shares detailed user data - including viewing habits, locations, and children's behavior - with advertisers and data brokers without proper consent. The lawsuit claims Netflix has publicly denied data collection practices while internally describing itself as a "logging company that occasionally streams movies" and collecting approximately 5 petabytes of user behavior data daily. Texas is seeki...
In April 2026, fashion retailer Zara was targeted by the ShinyHunters extortion group through a compromise of the Anodot analytics platform, resulting in the exposure of 197,376 customer email addresses along with support ticket records, order IDs, product SKUs, and geographic locations. Parent company Inditex confirmed that passwords and payment information were not affected in the breach. The incident was part of a larger "pay or leak" campaign that affected multiple organizations and led t...
Hackers accessed databases belonging to a former technology provider of Spanish fashion retailer Zara, exposing personal information of approximately 197,000 customers including email addresses, purchase histories, geographic locations, and support ticket data. The ShinyHunters cybercrime gang claimed responsibility and leaked 140GB of stolen data, though Zara's parent company Inditex stated that names, phone numbers, addresses, passwords, and payment information were not compromised. The bre...
NVIDIA confirmed that GeForce NOW user data was exposed in a breach affecting Armenian users between March 20-26, caused by a compromise at regional partner GFN.am's infrastructure. The exposed information includes names, email addresses, phone numbers, dates of birth, and usernames, though passwords were not compromised and users who registered after March 9 are unaffected. A threat actor offered the stolen database for $100,000 on hacker forums before the post was removed.
Portland Public Schools warn of data breach from online learning system
Cleveland says Flock cameras secure after Dayton ditches system following data breach
Personal information of 2.9 million Alberta voters - including phone numbers, home addresses, and voter identification numbers - was leaked to a separatist group called the Centurion Project, which posted the data on its website before a court-ordered injunction forced its removal. Elections Alberta is investigating the breach, but recent legislative amendments have limited what the election commissioner can publicly disclose and raised the threshold for launching investigations. The incident...
CMS students, employees impacted by nationwide Canvas data breach
Western Orthopaedics P.C., a Denver-based orthopedic surgery practice, disclosed a data breach that exposed personal and health information of at least 409 patients after unauthorized access to its systems between September 17-25, 2025. The compromised data included Social Security numbers, financial account information, health insurance details, and medical billing information, with a ransomware group called PEAR claiming responsibility for the attack in October 2025. The practice is offerin...
The Federal Trade Commission reached a settlement banning data broker Kochava and its subsidiary from selling Americans' precise location data without explicit consent, resolving a 2022 lawsuit that alleged the company sold geolocation information tracking visits to sensitive locations like healthcare clinics and places of worship. Under the proposed court order, Kochava must establish privacy safeguards including a sensitive location data program, verify consumer consent through suppliers, a...
Ireland's Data Protection Commission has opened an investigation into Shein to determine whether the fashion retailer properly complied with EU data protection rules when transferring European user data to China. The probe will assess Shein's adherence to GDPR requirements governing international data transfers from its Dublin headquarters. This investigation adds to Ireland's active enforcement of cross-border data cases, including a similar ongoing matter involving TikTok's data transfers t...
Gaming community Reborn Gaming suffered a data breach in April 2026 through a vulnerability in cPanel and WebHost Manager, exposing 126 email addresses along with IP addresses and Steam IDs. The breach affects users of the gaming platform who now face potential risks from their exposed contact information and gaming identifiers. Reborn Gaming self-reported the incident to Have I Been Pwned, a breach notification service.
Cybersecurity firm Trellix disclosed that attackers gained unauthorized access to a portion of its source code repository, affecting a company that protects over 200 million endpoints for 50,000 business and government customers worldwide. The company is investigating with forensic experts and has notified law enforcement, stating it has found no evidence the source code was exploited or altered. Trellix has not yet disclosed whether customer or corporate data was stolen or when the breach wa...
Educational technology company Instructure confirmed a data breach exposing personal information of users at affected institutions, including names, email addresses, student ID numbers, and private messages between students and teachers. The ShinyHunters extortion gang claimed responsibility for the attack, alleging they accessed data on 275 million individuals across nearly 9,000 schools worldwide through a now-patched vulnerability in Instructure's systems. Instructure states no passwords, ...
SitusAMC Holdings Corp., a mortgage industry services provider, suffered a data breach in November 2025 that compromised customer records including accounting data and legal agreements, potentially affecting clients of JPMorgan Chase, Citi, and Morgan Stanley. A federal judge has consolidated eight class-action lawsuits into one case, with plaintiffs alleging the company failed to adequately protect their personal information through negligent security practices. The company completed its for...
New York regulators fined Delta Dental $2.25 million after the company failed to adequately protect consumer data and delayed reporting a breach that exposed names, Social Security numbers, financial details, and health information of New Yorkers. Investigators found Delta Dental did not address a known vulnerability in MOVEit Transfer servers despite state warnings in June 2023, allowing hackers to exploit the weakness and steal sensitive data. The penalty reflects violations of New York's c...
Spain's data protection authority fined Bankinter €240,000 after a cyberattack on EVO Banco (which Bankinter absorbed) exposed 1.27 million customer records in March 2024. The breach occurred when a system migration error removed access controls from a customer onboarding API, allowing attackers to successfully extract personal data including names, birth dates, national ID numbers, and contact details over five days. The bank only learned of the breach two weeks later when a third party repo...
French authorities have arrested a 15-year-old suspected of hacking the National Agency for Secure Documents (ANTS) and attempting to sell 12-18 million citizens' personal records on cybercriminal forums. The breach potentially exposed names, email addresses, birth dates, login credentials, and other personal details from the agency that processes applications for passports, national ID cards, and driver's licenses. The suspect, allegedly operating as "breach3d," faces up to seven years in pr...
Roblox will require all Indonesian users under 16 to undergo facial scans to verify their age, affecting approximately 23 million children on the platform, in compliance with new government restrictions on minors' social media use. Users who do not complete facial verification will be automatically placed in restricted "Roblox Kids" accounts with no chat features. The company states the facial scan data will be immediately deleted after age estimation, though Indonesia has classified Roblox a...
Vimeo confirmed a data breach originating from a third-party analytics vendor that exposed user email addresses and technical information, though the company stated that core systems and sensitive credentials were not compromised. Hackers have threatened to leak the stolen data. The incident highlights the risks organizations face through their third-party service providers.
Lloyds Banking Group compensated 1,625 additional customers following a March programming error that allowed approximately 114,000 users to view other customers' transaction details across its Lloyds, Halifax, and Bank of Scotland apps. The bank has now paid £201,000 in total to 5,250 affected customers, though it reports finding no increase in fraud linked to the breach that potentially impacted nearly 450,000 account holders. The Treasury Committee chair described the incident as "an alarmi...
Home security provider ADT confirmed a data breach affecting 5.5 million customers after hackers accessed names, phone numbers, home addresses, and partial Social Security numbers through a compromised employee Okta account. The breach occurred via voice phishing targeting an employee's single sign-on credentials, allowing hackers to extract data from ADT's Salesforce system, though the company states payment information and security systems were not compromised. The exposed partial personal ...
Vimeo confirmed that customer data was accessed without authorization after attackers breached third-party service Anodot and stole authentication tokens to access Vimeo's Snowflake and BigQuery databases. The exposed data includes some customer email addresses, technical data, video titles, and metadata, but does not include uploaded video content, account credentials, or payment card information. The extortion group ShinyHunters claimed the breach and threatened to publish the stolen data u...
Americans lost at least $2.1 billion to scams originating on social media in 2025, an eightfold increase since 2020, according to the Federal Trade Commission. Investment scams accounted for $1.1 billion of those losses, while shopping and romance scams also targeted users, with most scams starting on Facebook, WhatsApp, and Instagram. The figures reflect only reported losses, meaning actual damages are likely higher, as many victims do not file complaints.
A federal judge dismissed a Justice Department lawsuit demanding detailed voter data from Rhode Island, including birth dates, addresses, driver's license numbers, and partial Social Security numbers. The judge ruled that federal law does not permit DOJ's "fishing expedition," similar to rejections in California, Massachusetts, Michigan, and Oregon, while at least 12 states have provided the data. Election officials raised concerns about potential misuse after DOJ acknowledged it planned to s...
Fidelity to Pay $1.25 Million Over Data Breach That Exposed 77,000 People
In April 2025, the hacking group ShinyHunters obtained and publicly released data from Pitney Bowes affecting 8.2 million people after extortion negotiations reportedly failed. The compromised data included email addresses, names, phone numbers, physical addresses, and in some cases employee job titles. Users whose information was exposed face increased risks of phishing attacks, identity theft, and targeted scams using their personal contact details.
A Chinese national accused of working as a contract hacker for China's Ministry of State Security has been extradited from Italy to the United States to face criminal charges. Xu Zewei allegedly conducted cyberespionage operations and intelligence-gathering breaches between February 2020 and June 2021 as part of the Silk Typhoon hacking group. The case is part of broader U.S. law enforcement action against state-sponsored cyber intrusion campaigns targeting computer systems.
Fidelity Brokerage Services was fined $1.25 million by Massachusetts regulators after a three-day cyberattack in August 2024 exposed personal information of approximately 77,000 customers, including Social Security numbers, passport and driver's license images, and medical data. The breach occurred when an attacker exploited a vulnerability in Fidelity's online access controls that allowed manipulation of document identifiers to view other customers' files. Fidelity failed to notify affected ...
The Council of Engineers Thailand reported that hackers breached its database during a server transfer, stealing personal data of approximately 350,000 members including names, addresses, phone numbers, and license information. The attack involved 680,000 data breaches over a 10-hour period before detection, though details about the attackers' identity and any ransom demands have not been disclosed. The council has warned members that their stolen data could be misused.
Home security company ADT confirmed a data breach on April 20 affecting customer information including names, phone numbers, and addresses, with a small percentage of records also containing dates of birth and partial Social Security numbers. The breach occurred after hackers from the ShinyHunters group allegedly used a voice phishing attack to compromise an employee's single sign-on account and access ADT's Salesforce system, and are now threatening to leak the stolen data unless ADT pays a ...
SAG-AFTRA Health Plan disclosed a phishing attack that gave unauthorized access to an employee's email account between September 17-18, 2024, exposing the Social Security numbers, health insurance information, and claims details of at least 1,202 individuals across Texas and Massachusetts. The breach occurred when an employee fell victim to a phishing email, compromising sensitive personal data of health plan participants. Affected individuals are being offered two years of free credit monito...
The Department of Justice is intervening in support of xAI's lawsuit against Colorado's law requiring developers of high-risk AI systems to disclose and mitigate algorithmic discrimination. The DOJ argues the law, set to take effect in June, violates the Fourteenth Amendment by requiring developers to account for statistical disparities across demographics like race and sex. The case reflects broader tension between state AI regulation efforts and the Trump administration's opposition to inco...
Rhode Island reached a $5 million settlement with Deloitte following a data breach affecting the state's RIBridges system, which serves HealthSource RI customers. The payment will help cover state expenses related to the breach, while Deloitte separately covers costs for a call center, credit monitoring, and identity protection for impacted individuals. Approximately 2,000 HealthSource RI customers have been enrolled directly since the breach as the system undergoes a phased relaunch.
Eurail, which sells Interrail rail passes, disclosed that personal data of more than 300,000 European travelers - including passport numbers, names, addresses, and dates of birth - was stolen in a December breach and is now being sold on the dark web. Some affected customers have been advised by passport authorities to cancel their passports and pay for replacements costing up to £200 to prevent fraudulent use. The breach has caused confusion and anger among travelers facing unexpected expens...
Data from all 500,000 UK Biobank volunteers was breached and listed for sale on Alibaba's Chinese e-commerce platform, though the listings were removed before any confirmed purchases occurred. The stolen information included de-identified health data such as age, gender, and lifestyle habits, but not names, addresses, or contact details. UK officials called the security lapse "extremely lax" and referred the incident to the Information Commissioner's Office, raising concerns about protection ...
Vercel expanded its breach investigation and discovered hackers had accessed some customer data before the April incident, when an employee downloaded a compromised app from Context AI. The company found additional affected customer accounts beyond the initial breach but has not disclosed the total number impacted or how far back the earlier compromise extends. Evidence suggests hackers used information-stealing malware to obtain credentials and API keys, then rapidly accessed customer data i...
France Titres (ANTS), the French government agency managing official identity documents, confirmed a cyberattack in which hackers stole approximately 19 million records containing names, contact details, birthdays, addresses, and other personal information. The stolen data is being offered for sale on dark web forums, and ANTS has warned affected users about potential phishing attacks using the compromised information. The agency stated that hackers do not have access to user accounts and tha...
A breach dubbed "BlueLeaks 2.0" exposed 8.3 million anonymous tips submitted through Navigate360's P3 platform, affecting students, Crime Stoppers programs, and military personnel from 1987 through November 2025. The hackers claim to have obtained 93 GB of data in plain text format that included tipsters' full names and details about reported individuals, despite platform promises of anonymity. Navigate360 has not publicly confirmed the breach or notified affected individuals on its websites,...
The UK High Court ruled that London's Metropolitan Police can continue using live facial recognition technology, rejecting a legal challenge brought by civil liberties group Big Brother Watch and youth worker Shaun Thompson, who was falsely identified and detained by the system in 2024. The judges found the technology does not violate privacy rights under European human rights law, despite Thompson's misidentification as his brother who was wanted by police. Thompson plans to appeal the decis...
The Chattanooga Heart Institute has agreed to pay up to $3.75 million to settle a class action lawsuit stemming from a 2023 data breach. The settlement resolves legal claims from affected patients whose personal information was compromised in the breach. This represents one of the larger healthcare data breach settlements in the region, affecting patients who received care at the cardiology practice.
A 45-year-old NSW Treasury official has been charged with accessing restricted data after allegedly downloading over 5,600 commercially sensitive government documents to an external server between April 10-14. The documents, described as spanning "whole of government" departments and containing confidential commercial and financial information about current and past government negotiations, were detected three days after the final alleged transfer. Authorities say there is currently no eviden...
Ameriprise Financial disclosed a data breach affecting nearly 50,000 people after an unauthorized individual accessed stored data and files between March 2 and 18, exposing names and personal identifiers. This marks the second breach for the Minneapolis-based firm in less than six months, following a December phishing incident that potentially exposed 598 people. Ameriprise is offering free identity protection services to affected customers and stated no unauthorized transactions or fund move...
Tyler Robert Buchanan, a 24-year-old British member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS phishing attacks targeting major technology companies including Twilio, LastPass, DoorDash, and Mailchimp. The attacks compromised tens of thousands of users and enabled the group to steal at least $8 million in cryptocurrency through SIM-swapping, where attackers hijack victims' phone numbers to intercept ...
New York Attorney General Letitia James sued Coinbase Financial Markets and Gemini Titan for allegedly operating unlicensed gambling platforms disguised as prediction markets, violating state gambling laws including restrictions on betting involving New York college sports teams. The lawsuit comes amid a broader regulatory conflict, with the US Commodity Futures Trading Commission recently suing three other states to assert federal authority over prediction market regulation. James emphasized...
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials
Minidoka Memorial Hospital in Idaho experienced a cyberattack on April 5 that disrupted internal systems and imaging services, forcing some emergency patient transfers though the hospital continued operations. A threat group called "Blackwater" later claimed to have stolen approximately 576 GB of data comprising over 2.3 million files and threatened to leak it after April 24, though they provided no proof of their claims. The incident affects patient data at the rural hospital, though the ful...
Cloud app hosting company Vercel was breached after one of its employees downloaded a compromised app from Context AI, allowing hackers to access internal systems and steal unencrypted customer credentials, API keys, and potentially source code. Vercel has notified affected customers and advised them to rotate their app credentials, though the company has not disclosed how many users were impacted. The breach highlights supply chain risks, as hackers exploited a third-party app connection to ...
Canada Life, one of Canada's largest insurers, disclosed that hackers from the ShinyHunters group accessed personal information of up to 70,000 customers through an employee's account, including names, dates of birth, addresses, gender, and income levels. Most of the compromised accounts belonged to employees of one large corporate client, and the company is offering affected customers free credit monitoring. The breach, detected within the past two weeks, has been contained and authorities h...
Vercel, a cloud development platform, confirmed a security breach after a threat actor gained unauthorized access to internal systems through a compromised employee's Google Workspace account linked to a third-party AI tool called Context.ai. The attacker accessed environment variables not marked as sensitive, which allowed them to enumerate and gain further access to customer data, though the company states its core services remain unaffected. Vercel is working with affected customers and re...
WebTPA, a third-party healthcare administrator, disclosed a data breach affecting 2.4 million individuals after discovering unauthorized network access that occurred between April 18-23, 2023. The exposed information may include names, contact details, dates of birth, Social Security numbers, and insurance information, though financial account data and medical treatment records were not compromised. The company is offering affected individuals two years of free identity monitoring services th...
Roblox reached a $12 million settlement with Nevada that requires the gaming platform to implement enhanced protections for young users, including mandatory age verification and restrictions on nighttime notifications for minors. The company will pay $10 million over three years to support youth programs and fund a law enforcement liaison position to address platform safety concerns. Nevada's attorney general described the agreement as a first-of-its-kind settlement, reached in lieu of litiga...
Rockstar Games confirmed a data breach after the ShinyHunters gang leaked over 78 million records containing internal analytics data, including metrics from GTA Online and Red Dead Online related to player behavior, revenue patterns, and anti-cheat systems. The breach occurred through a compromised third-party analytics provider, Anodot, which had integration access to Rockstar's Snowflake environment via stolen authentication tokens. Rockstar stated the exposed information was limited and di...
McGraw-Hill confirmed that hackers exploited a Salesforce platform misconfiguration to access a limited set of internal data, though the company states no customer databases, student information, or sensitive financial data were compromised. The breach follows an extortion threat from the ShinyHunters group, which claims to possess 45 million Salesforce records containing personally identifiable information and has set a ransom deadline. McGraw-Hill says the affected webpages have been secure...
Rockstar Games confirmed it suffered a cyberattack in which hackers accessed a "limited amount of non-material company information" through a third-party data breach, though the company states no player data was affected. The hacking group ShinyHunters claims to have stolen company data including financial information and player habit studies from cloud servers, and threatened to release it after their ransom demand went unpaid. This breach is separate from Rockstar's 2022 incident that leake...
Hackers breached European gym chain Basic-Fit's systems and downloaded personal data of approximately 1 million members across six countries, including names, addresses, phone numbers, email addresses, dates of birth, bank details, and membership information. The company detected and stopped the intrusion within minutes but confirmed some data had already been extracted, though passwords and identity documents were not accessed. Basic-Fit reported the breach to Dutch authorities and notified ...
Rockstar Games confirmed it was affected by a third-party data breach after a hacker group claimed to have breached the GTA 6 developer and issued a ransom demand with an April 14 deadline. The company stated the breach has no major impact on its operations or players. The incident follows previous security breaches involving Rockstar Games.
The Silent Ransom Group breached law firm Orrick, Herrington & Sutcliffe in January 2026, accessing its network for approximately one week without deploying malware, likely through phishing or social engineering. After Orrick offered $1 million to resolve the incident - significantly less than the ransom demand - the threat actors leaked the firm's data, marking the first top-100 law firm to offer what the group considered an insufficient payment. This is Orrick's second major data breach in ...
Christie's fined $194,000 for data breach in South Korea
French email provider Alinto left an Elasticsearch database exposed online, leaking 40 million email records containing sender and recipient addresses, location details, and relay IP addresses. The breach affected major corporations including L'Oreal, Renault, and DHL, as well as numerous French government agencies with at least 14,000 government email addresses exposed. Security researchers discovered the unsecured database and notified Alinto, which has since secured the server.
Cybercriminals allegedly stole and leaked 7.7 terabytes of sensitive Los Angeles Police Department data, including officer personnel files, internal affairs investigations, and discovery documents containing unredacted criminal complaints, witness names, and medical information. The breach affected a third-party digital storage system used by the LA City Attorney's Office rather than LAPD systems directly, with the extortion gang World Leaks claiming responsibility. The leak exposes more than...
Healthcare IT company CareCloud disclosed a data breach on March 16 that potentially exposed medical records of millions of patients after hackers accessed one of its six patient record stores for approximately eight hours. The company serves over 45,000 provider groups, hospitals, and medical practices across the U.S., though it remains unclear whether protected health information was actually stolen or if ransomware was involved. An investigation is ongoing with third-party cybersecurity ex...
Jones Day, a top-ranked U.S. law firm, confirmed a data breach affecting 10 clients after the Silent Ransom Group gained access through a phishing attack and posted stolen files to the dark web on March 30. The hackers demanded $13 million and threatened to publish all data, contact employees and clients, and resume attacks if the firm did not respond by their deadline. All affected clients have been notified of the breach, which targeted a senior member of the firm's Federal Circuit legal team.
Lakeview Loan Servicing and related mortgage companies agreed to a $26 million settlement after an October 2021 data breach potentially exposed sensitive information of approximately 5.8 million customers. Affected individuals can file claims by June 22, 2026, for reimbursement of documented out-of-pocket losses up to $5,000, such as fraud-related expenses or credit monitoring costs, or receive a pro-rated cash payment. The settlement covers current and former customers of Lakeview, Pingora, ...
Oklahoma Governor Stitt signed Senate Bill 546 on March 20, 2026, making Oklahoma the 21st state with a comprehensive consumer privacy law, effective January 1, 2027. The law applies to businesses that serve Oklahoma residents and either process data of 100,000+ consumers annually or process data of 25,000+ consumers while earning over 50% of revenue from selling personal data. Covered businesses must honor consumer requests to access, correct, delete, or port their data, and allow opt-outs f...
In September 2024, immigration case management platform DocketWise suffered a data breach when unauthorized actors used valid credentials to access repositories containing unstructured client data from multiple law firms, affecting 116,666 individuals. The exposed information varied by person but could include Social Security numbers, passport details, financial account information, medical records, and other sensitive personal data belonging to immigration law firm clients. The breach is par...
Phoenix-based Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit following a September 2023 data breach in which attackers accessed systems, encrypted data, and stole patient information including names, addresses, birth dates, Social Security numbers, and driver's license numbers. The practice denied wrongdoing but settled to avoid ongoing litigation costs and risks. The breach affected patients' personal and health information due to what the lawsuit all...
Fitness app Strava's public "Global Heatmap" feature inadvertently revealed the locations of secret U.S. military bases and personnel movements in conflict zones like Afghanistan and Syria by displaying users' GPS-tracked exercise routes. Military analysts found that jogging trails at forward operating bases were clearly visible on the map, making it easy to identify facilities that don't appear on services like Google Maps, with U.S. military personnel being the primary Strava users in many ...
Probe launched after Hospital Authority data breach involving 56,0000 patients
Hong Kong's Hospital Authority disclosed that personal data of over 56,000 patients from Kowloon East hospitals was accessed without authorization and leaked on a third-party platform, including names, identity card numbers, birth dates, and details of surgical procedures. The breach was detected by monitoring systems early Friday morning and linked to a contractor's system maintenance work, which has been suspended. Both Hong Kong police and the privacy watchdog are investigating the inciden...
A threat group called TeamPCP breached the European Commission's Amazon cloud environment using a stolen API key, exposing personal data including names, email addresses, and email content from at least 30 EU entities. The attackers exfiltrated a 90GB dataset containing tens of thousands of files, which was subsequently published on the dark web by data extortion group ShinyHunters. The breach affected 42 internal European Commission clients and at least 29 other Union entities using the euro...
Drift, a decentralized cryptocurrency exchange on the Solana blockchain, suffered a hack that drained $285 million in digital assets, potentially making it one of the largest crypto thefts in history. Security researchers believe the attacker exploited a vulnerability in a new lending market feature that allowed users to borrow against an illiquid token. The exchange suspended deposits and withdrawals while working with security firms and exchanges to contain the breach.
Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit stemming from a September 2023 cyberattack that exposed patients' Social Security numbers, medical records, addresses, and other sensitive information. Affected individuals who received breach notification can claim up to $5,000 for documented out-of-pocket losses related to the incident, plus two years of medical monitoring services. The cardiology practice denied wrongdoing but settled to avoid ongoing l...
Nacogdoches Memorial Hospital disclosed that a January 31 cyberattack compromised its computer network, potentially exposing patient information including names, Social Security numbers, dates of birth, medical record numbers, and in some cases photographs. The hospital has notified affected patients by letter and established a hotline for questions, stating no confirmed misuse of data has been detected so far. NMH says it has enhanced network security measures and updated procedures to preve...
Banking tech data breach exposes 672K in ransomware attack
Iowa's Attorney General filed a lawsuit against Change Healthcare following a February 2024 data breach that exposed sensitive information - including Social Security numbers, medical records, and health insurance details - of nearly 2.2 million Iowans. The breach went undetected for 10 days while hackers installed malware and stole data through a remote access portal lacking multifactor authentication, and the company waited five months to notify affected individuals. The lawsuit alleges vio...
OkCupid and parent company Match Group settled with the FTC over allegations they gave AI firm Clarifai unrestricted access to users' demographic data, location information, and nearly 3 million photos without consent or opt-out options. The proposed settlement includes a 20-year order requiring clearer disclosures about how the companies handle sensitive user data, including messages, health information, photos, and location details. The companies have not admitted liability in the case.
UnitedHealth Group confirmed that a ransomware attack on its subsidiary Change Healthcare exposed protected health information and personally identifiable information potentially affecting a substantial proportion of people in America. The company paid $22 million in ransom but never received the stolen data back because the ransomware operator ALPHV took the payment and shut down, leaving the affiliate attackers and the victim empty-handed. UnitedHealth is offering affected individuals two y...
A patient who received an X-ray at West Tallinn Central Hospital in Estonia was given a supposedly new USB drive to transfer their medical images, but discovered it also contained health data from several other patients. The hospital has not yet explained how patient data ended up on what was meant to be a blank drive and says it will investigate only after the patient files a formal complaint. The incident exposed sensitive health information of multiple individuals through what appears to b...
Italy data protection agency fines Intesa Sanpaolo $36 mln over data breach
Match Group and its subsidiary OkCupid settled with the FTC over allegations that the dating platform shared three million user photos and location data with facial recognition company Clarifai in 2014 without informing users or providing an opt-out option. The FTC claimed this violated OkCupid's privacy policy, which only allowed sharing with service providers and business partners, not unrelated third parties. Under the settlement, which carries no monetary penalty, Match Group is permanent...
The FTC announced enforcement action against OkCupid and Match Group for allegedly sharing nearly 3 million users' personal data - including photos, location information, and demographics - with a third party without authorization or contractual restrictions, reportedly because OkCupid's founders had financial ties to the recipient. Under the proposed settlement, both companies are permanently barred from misrepresenting their data collection, use, and disclosure practices, with future violat...
Settlement approved for Canadians affected by past 23andMe data breach
Hong Kong's Correctional Services Department disclosed that a hacker illegally accessed its IT systems on Tuesday, compromising personal data of 6,800 current and former prison employees including names, birthdates, academic qualifications, employment history, and email addresses. The breach occurred when the attacker first infiltrated the department's internal Knowledge Management System and then gained entry to a separate system containing staff data. Authorities have notified affected indi...
Dutch Police discloses security breach after phishing attack
Ajax data breach exposed season tickets, supporter bans open to tampering - Help Net Security
Lakeview Loan Servicing agrees to $26M settlement over data breach. Here's how to file a claim
Corewell Health says patients' social security numbers and more may have been compromised in data breach
European Parliament rejects extension of CSAM scanning rules for tech platforms
The European Commission confirmed a cyberattack on its cloud infrastructure hosting Europa.eu websites, with hackers reportedly stealing over 350 gigabytes of data from the Commission's Amazon Web Services account. The Commission stated its internal systems were not affected and the attack has been contained, though the investigation is ongoing to determine what specific data was taken. The breach affected the Commission's web presence platform, and the organization is notifying entities that...
Iran-linked hackers breached FBI Director Kash Patel's personal Gmail account and published over 300 emails along with personal photographs dating from 2010 to 2019. The FBI confirmed the breach but stated the compromised data was historical and contained no government information, while the hacker group Handala Hack Team - believed by Western researchers to be linked to Iranian government cyber-intelligence - publicly posted the materials on their website. The incident demonstrates the vulne...
KERBER, ECK & BRAECKEL REACHES $1.4 MILLION SETTLEMENT OVER DATA BREACH IMPACTING CHRISTOPHER RURAL HEALTH PATIENTS
Judge tosses out X's advertiser boycott lawsuit
Fidelity Reaches $2.5M Settlement Over Data Breach Affecting 155,000 Customers
Nike Hit With Suit Over January Data Breach Affecting Thousands
Bank to pay $12,500 from $5.2m data settlement - see if you got the notice
Clinica Family Health & Wellness reveals 2025 data breach
Infinite Campus warns of breach after ShinyHunters claims data theft
HackerOne discloses employee data breach after Navia hack
Toll of Kaplan data breach surpasses 230K
PURA set to vote Wednesday on Aquarion sale, Avangrid data breach findings
Who are ShinyHunters and what is Telus Digital? Crunchyroll data breach explained. Here's how much and wha
RuneScape Boards - 222,762 breached accounts: In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data . The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted...
Attorney General Jackley's Genetic Data Privacy Bill Signed into Law
North Carolina tech worker found guilty of insider attack netting $2.5M ransom: Matt Kapko reports: A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday. Cameron...
Starbucks Confirms Data Breach from a Social Engineering Attack on a Business Partner
Mizuno USA settles data breach with cash payments and credit monitoring: Who can claim and how to file
UK police force presses pause on live facial recognition after study finds racial bias
DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Persons Affected by the ID Care Data Breach
Security Firm Aura Discloses Data Breach Impacting 900,000 Records - SecurityWeek
Deaconess Health System Data Breach Exposes SSNs and Sensitive Medical Records of Patients
PathStone Family Office, a wealth management firm overseeing roughly $160 billion in assets, was breached by the ShinyHunters cybercrime group in February 2026. The attackers exfiltrated 15 GB of data from PathStone's Salesforce environment, exposing personal information of over 91,000 clients including Social Security numbers, financial profiles, and estate planning records. A former intern has since filed a lawsuit against the firm over the breach.
Identity protection company Aura suffers massive 900,000 person data breach: customer information exposed
Navia discloses data breach impacting 2.7 million people
Judge mostly denies Frederick Health motion to dismiss data breach lawsuit
PPB Urges Alternative Tip Submissions Amid Reported Data Breach
Data breach linked to Crime Stoppers; Portland Police urge avoiding tip service for now
UK fines 4chan nearly $700,000 for failing its online safety act obligations
Baltimore watchdog uncovers thousands in fraudulent billing, confidential data breach related to youth crimefighting program
Telus Digital confirms massive 1 petabyte data breach by hackers
MedPeds Associates of Sarasota Notice of Data Breach
Bank software vendor Marquis says more than 670,000 impacted by August breach
Kaplan North America Data Breach Alert Issued By Wolf Haldenstein
OpenLoop Health Data Breach Affects 68,160 Texans
Aura confirms data breach exposing 900,000 records after a voice-phishing attack on an employee with access to a legacy marketing platform. Names, emails, addresses, and phone numbers were compromised, fueling targeted phishing risks for 35,000 current and former customers.
Glass Products Co. Reaches Deal In Data Breach Suit
The FBI confirms it's buying Americans' location data
CommonSpirit Health Patients Affected by Vendor Data Breach
Data breach reported by Google News - Security & Encryption: Class actions claim CarGurus data breach exposed 1.2 million consumers’ PII - Class Action Lawsuits
Regulatory action reported by Google News - Enforcement: French court upholds €40 million GDPR fine for Criteo - Digital Watch Observatory
Legal action reported by Google News - Security & Encryption: Myers Auto Group Data Breach Class Action Settlement - Claim Depot
Legal action reported by Engadget: xAI is being sued by teens who say Grok created CSAM using their photos
Reported by Google News - Enforcement: Encyclopedia Britannica Sues OpenAI Over AI Training Data. Is Grokipedia Next? - Gizmodo
Community bank reaches $2.4M agreement in 2023 data breach class action
Intuitive Surgical confirms phishing-related data breach
Major data breach prompts about $6.5M penalty for Lotte Card
Data breach reported by HIBP - Baydöner - 1,266,822 breached accounts: In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum . The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small...
Data breach reported by HIBP - Divine Skins - 105,814 breached accounts: In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach . The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the...
Data breach reported by Google News - Security & Encryption: Were you affected by the Numotion data breach? You could receive a $15,000 payment - MARCA
Data breach reported by Google News - Security & Encryption: American drivers to get up to $4.5k under $1.5 million 'data breach' settlement - The US Sun
Regulatory action reported by Google News - Privacy & Data: ICO publishes guidance on data protection complaints processes (via Passle) - Slaughter and May
Legal action reported by Engadget: Adobe agrees to pay settlement for making its subscriptions hard to cancel
Data breach reported by BleepingComputer: Telus Digital confirms breach after hacker claims 1 petabyte data theft
Data breach reported by BleepingComputer: England Hockey investigating ransomware data breach
Data breach reported by The Register: Ericsson blames vendor vishing slip-up for breach exposing thousands of records
Data breach reported by Google News - Security & Encryption: Loblaw Data Breach Impacts Customer Information - SecurityWeek
Data breach reported by The Register: FBI is investigating breach that may have hit its wiretapping tools
Regulatory action reported by Google News: Data privacy violations result in $1.1M penalty for PlayOn Sports | brief | SC Media - SC Media
Legal action reported by TechCrunch: Meta sued over AI smart glasses’ privacy concerns, after workers reviewed nudity, sex, and other footage
Reported by Google News: Maine Senate advances amended data privacy bill that would exempt political groups - newscentermaine.com
Reported by Google News: xAI loses bid to halt California AI data disclosure law - Reuters
Reported by EPIC: SCOTUS to Hear Case Over Proper Scope of the Video Privacy Protection Act (VPPA)
Data breach reported by HIBP - KomikoAI - 1,060,191 breached accounts: In February, the AI-powered comic generation platform KomikoAI suffered a data breach . The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to...
Data breach reported by HIBP - CarMax - 431,371 breached accounts: In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.
Data breach reported by HIBP - APOIA.se - 450,764 breached accounts: In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum . In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Data breach reported by HIBP - University of Pennsylvania - 623,750 breached accounts: In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand , largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 ...