Industry Privacy News
Event Timeline
188 events
Canvas, a widely used learning management system, suffered a cyberattack that exposed usernames, email addresses, course names, enrollment information, and messages belonging to students, teachers, and staff across multiple school districts. Instructure CEO Steve Daly confirmed that core learning data like course content, submissions, and credentials were not compromised, and apologized for inadequate communication during the incident. School districts have warned users to watch for phishing ...
Canvas Online Learning Platform Disabled for Hours After Breach by Hackers
In April 2026, fashion retailer Zara was targeted by the ShinyHunters extortion group through a compromise of the Anodot analytics platform, resulting in the exposure of 197,376 customer email addresses along with support ticket records, order IDs, product SKUs, and geographic locations. Parent company Inditex confirmed that passwords and payment information were not affected in the breach. The incident was part of a larger "pay or leak" campaign that affected multiple organizations and led t...
Hackers accessed databases belonging to a former technology provider of Spanish fashion retailer Zara, exposing personal information of approximately 197,000 customers including email addresses, purchase histories, geographic locations, and support ticket data. The ShinyHunters cybercrime gang claimed responsibility and leaked 140GB of stolen data, though Zara's parent company Inditex stated that names, phone numbers, addresses, passwords, and payment information were not compromised. The bre...
NVIDIA confirmed that GeForce NOW user data was exposed in a breach affecting Armenian users between March 20-26, caused by a compromise at regional partner GFN.am's infrastructure. The exposed information includes names, email addresses, phone numbers, dates of birth, and usernames, though passwords were not compromised and users who registered after March 9 are unaffected. A threat actor offered the stolen database for $100,000 on hacker forums before the post was removed.
Portland Public Schools warn of data breach from online learning system
Cleveland says Flock cameras secure after Dayton ditches system following data breach
Personal information of 2.9 million Alberta voters - including phone numbers, home addresses, and voter identification numbers - was leaked to a separatist group called the Centurion Project, which posted the data on its website before a court-ordered injunction forced its removal. Elections Alberta is investigating the breach, but recent legislative amendments have limited what the election commissioner can publicly disclose and raised the threshold for launching investigations. The incident...
CMS students, employees impacted by nationwide Canvas data breach
Western Orthopaedics P.C., a Denver-based orthopedic surgery practice, disclosed a data breach that exposed personal and health information of at least 409 patients after unauthorized access to its systems between September 17-25, 2025. The compromised data included Social Security numbers, financial account information, health insurance details, and medical billing information, with a ransomware group called PEAR claiming responsibility for the attack in October 2025. The practice is offerin...
Décimas fined €120,000 by Spanish watchdog after data breach
The Federal Trade Commission reached a settlement banning data broker Kochava and its subsidiary from selling Americans' precise location data without explicit consent, resolving a 2022 lawsuit that alleged the company sold geolocation information tracking visits to sensitive locations like healthcare clinics and places of worship. Under the proposed court order, Kochava must establish privacy safeguards including a sensitive location data program, verify consumer consent through suppliers, a...
Ireland's Data Protection Commission has opened an investigation into Shein to determine whether the fashion retailer properly complied with EU data protection rules when transferring European user data to China. The probe will assess Shein's adherence to GDPR requirements governing international data transfers from its Dublin headquarters. This investigation adds to Ireland's active enforcement of cross-border data cases, including a similar ongoing matter involving TikTok's data transfers t...
Gaming community Reborn Gaming suffered a data breach in April 2026 through a vulnerability in cPanel and WebHost Manager, exposing 126 email addresses along with IP addresses and Steam IDs. The breach affects users of the gaming platform who now face potential risks from their exposed contact information and gaming identifiers. Reborn Gaming self-reported the incident to Have I Been Pwned, a breach notification service.
Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats - SecurityWeek
Cybersecurity firm Trellix disclosed that attackers gained unauthorized access to a portion of its source code repository, affecting a company that protects over 200 million endpoints for 50,000 business and government customers worldwide. The company is investigating with forensic experts and has notified law enforcement, stating it has found no evidence the source code was exploited or altered. Trellix has not yet disclosed whether customer or corporate data was stolen or when the breach wa...
Trellix reports data breach following unauthorized access to source code repository
Educational technology company Instructure confirmed a data breach exposing personal information of users at affected institutions, including names, email addresses, student ID numbers, and private messages between students and teachers. The ShinyHunters extortion gang claimed responsibility for the attack, alleging they accessed data on 275 million individuals across nearly 9,000 schools worldwide through a now-patched vulnerability in Instructure's systems. Instructure states no passwords, ...
SitusAMC Holdings Corp., a mortgage industry services provider, suffered a data breach in November 2025 that compromised customer records including accounting data and legal agreements, potentially affecting clients of JPMorgan Chase, Citi, and Morgan Stanley. A federal judge has consolidated eight class-action lawsuits into one case, with plaintiffs alleging the company failed to adequately protect their personal information through negligent security practices. The company completed its for...
New York regulators fined Delta Dental $2.25 million after the company failed to adequately protect consumer data and delayed reporting a breach that exposed names, Social Security numbers, financial details, and health information of New Yorkers. Investigators found Delta Dental did not address a known vulnerability in MOVEit Transfer servers despite state warnings in June 2023, allowing hackers to exploit the weakness and steal sensitive data. The penalty reflects violations of New York's c...
Spain's data protection authority fined Bankinter €240,000 after a cyberattack on EVO Banco (which Bankinter absorbed) exposed 1.27 million customer records in March 2024. The breach occurred when a system migration error removed access controls from a customer onboarding API, allowing attackers to successfully extract personal data including names, birth dates, national ID numbers, and contact details over five days. The bank only learned of the breach two weeks later when a third party repo...
French authorities have arrested a 15-year-old suspected of hacking the National Agency for Secure Documents (ANTS) and attempting to sell 12-18 million citizens' personal records on cybercriminal forums. The breach potentially exposed names, email addresses, birth dates, login credentials, and other personal details from the agency that processes applications for passports, national ID cards, and driver's licenses. The suspect, allegedly operating as "breach3d," faces up to seven years in pr...
Roblox will require all Indonesian users under 16 to undergo facial scans to verify their age, affecting approximately 23 million children on the platform, in compliance with new government restrictions on minors' social media use. Users who do not complete facial verification will be automatically placed in restricted "Roblox Kids" accounts with no chat features. The company states the facial scan data will be immediately deleted after age estimation, though Indonesia has classified Roblox a...
Vimeo confirmed a data breach originating from a third-party analytics vendor that exposed user email addresses and technical information, though the company stated that core systems and sensitive credentials were not compromised. Hackers have threatened to leak the stolen data. The incident highlights the risks organizations face through their third-party service providers.
Lloyds Banking Group compensated 1,625 additional customers following a March programming error that allowed approximately 114,000 users to view other customers' transaction details across its Lloyds, Halifax, and Bank of Scotland apps. The bank has now paid £201,000 in total to 5,250 affected customers, though it reports finding no increase in fraud linked to the breach that potentially impacted nearly 450,000 account holders. The Treasury Committee chair described the incident as "an alarmi...
Home security provider ADT confirmed a data breach affecting 5.5 million customers after hackers accessed names, phone numbers, home addresses, and partial Social Security numbers through a compromised employee Okta account. The breach occurred via voice phishing targeting an employee's single sign-on credentials, allowing hackers to extract data from ADT's Salesforce system, though the company states payment information and security systems were not compromised. The exposed partial personal ...
Vimeo confirmed that customer data was accessed without authorization after attackers breached third-party service Anodot and stole authentication tokens to access Vimeo's Snowflake and BigQuery databases. The exposed data includes some customer email addresses, technical data, video titles, and metadata, but does not include uploaded video content, account credentials, or payment card information. The extortion group ShinyHunters claimed the breach and threatened to publish the stolen data u...
Americans lost at least $2.1 billion to scams originating on social media in 2025, an eightfold increase since 2020, according to the Federal Trade Commission. Investment scams accounted for $1.1 billion of those losses, while shopping and romance scams also targeted users, with most scams starting on Facebook, WhatsApp, and Instagram. The figures reflect only reported losses, meaning actual damages are likely higher, as many victims do not file complaints.
A federal judge dismissed a Justice Department lawsuit demanding detailed voter data from Rhode Island, including birth dates, addresses, driver's license numbers, and partial Social Security numbers. The judge ruled that federal law does not permit DOJ's "fishing expedition," similar to rejections in California, Massachusetts, Michigan, and Oregon, while at least 12 states have provided the data. Election officials raised concerns about potential misuse after DOJ acknowledged it planned to s...
ADT Confirms Major Data Breach Exposing Millions of Names, Partial SSNs
Fidelity to Pay $1.25 Million Over Data Breach That Exposed 77,000 People
In April 2025, the hacking group ShinyHunters obtained and publicly released data from Pitney Bowes affecting 8.2 million people after extortion negotiations reportedly failed. The compromised data included email addresses, names, phone numbers, physical addresses, and in some cases employee job titles. Users whose information was exposed face increased risks of phishing attacks, identity theft, and targeted scams using their personal contact details.
A Chinese national accused of working as a contract hacker for China's Ministry of State Security has been extradited from Italy to the United States to face criminal charges. Xu Zewei allegedly conducted cyberespionage operations and intelligence-gathering breaches between February 2020 and June 2021 as part of the Silk Typhoon hacking group. The case is part of broader U.S. law enforcement action against state-sponsored cyber intrusion campaigns targeting computer systems.
Fidelity Brokerage Services was fined $1.25 million by Massachusetts regulators after a three-day cyberattack in August 2024 exposed personal information of approximately 77,000 customers, including Social Security numbers, passport and driver's license images, and medical data. The breach occurred when an attacker exploited a vulnerability in Fidelity's online access controls that allowed manipulation of document identifiers to view other customers' files. Fidelity failed to notify affected ...
The Council of Engineers Thailand reported that hackers breached its database during a server transfer, stealing personal data of approximately 350,000 members including names, addresses, phone numbers, and license information. The attack involved 680,000 data breaches over a 10-hour period before detection, though details about the attackers' identity and any ransom demands have not been disclosed. The council has warned members that their stolen data could be misused.
Home security company ADT confirmed a data breach on April 20 affecting customer information including names, phone numbers, and addresses, with a small percentage of records also containing dates of birth and partial Social Security numbers. The breach occurred after hackers from the ShinyHunters group allegedly used a voice phishing attack to compromise an employee's single sign-on account and access ADT's Salesforce system, and are now threatening to leak the stolen data unless ADT pays a ...
SAG-AFTRA Health Plan disclosed a phishing attack that gave unauthorized access to an employee's email account between September 17-18, 2024, exposing the Social Security numbers, health insurance information, and claims details of at least 1,202 individuals across Texas and Massachusetts. The breach occurred when an employee fell victim to a phishing email, compromising sensitive personal data of health plan participants. Affected individuals are being offered two years of free credit monito...
The Department of Justice is intervening in support of xAI's lawsuit against Colorado's law requiring developers of high-risk AI systems to disclose and mitigate algorithmic discrimination. The DOJ argues the law, set to take effect in June, violates the Fourteenth Amendment by requiring developers to account for statistical disparities across demographics like race and sex. The case reflects broader tension between state AI regulation efforts and the Trump administration's opposition to inco...
Rhode Island reached a $5 million settlement with Deloitte following a data breach affecting the state's RIBridges system, which serves HealthSource RI customers. The payment will help cover state expenses related to the breach, while Deloitte separately covers costs for a call center, credit monitoring, and identity protection for impacted individuals. Approximately 2,000 HealthSource RI customers have been enrolled directly since the breach as the system undergoes a phased relaunch.
Eurail, which sells Interrail rail passes, disclosed that personal data of more than 300,000 European travelers - including passport numbers, names, addresses, and dates of birth - was stolen in a December breach and is now being sold on the dark web. Some affected customers have been advised by passport authorities to cancel their passports and pay for replacements costing up to £200 to prevent fraudulent use. The breach has caused confusion and anger among travelers facing unexpected expens...
Data from all 500,000 UK Biobank volunteers was breached and listed for sale on Alibaba's Chinese e-commerce platform, though the listings were removed before any confirmed purchases occurred. The stolen information included de-identified health data such as age, gender, and lifestyle habits, but not names, addresses, or contact details. UK officials called the security lapse "extremely lax" and referred the incident to the Information Commissioner's Office, raising concerns about protection ...
Absolute Dental agreed to a $3.3 million settlement after a data breach between February and March 2025 exposed personal information of approximately 1.2 million patients and employees. The breach occurred when malware was accidentally executed through an account linked to the company's third-party managed service provider, giving unauthorized parties access to Absolute Dental's systems. Class members can claim reimbursement for documented losses up to $5,000 or receive a pro rata payment fro...
Vercel expanded its breach investigation and discovered hackers had accessed some customer data before the April incident, when an employee downloaded a compromised app from Context AI. The company found additional affected customer accounts beyond the initial breach but has not disclosed the total number impacted or how far back the earlier compromise extends. Evidence suggests hackers used information-stealing malware to obtain credentials and API keys, then rapidly accessed customer data i...
South Korea fines matchmaking agency over leak of sensitive user data
France Titres (ANTS), the French government agency managing official identity documents, confirmed a cyberattack in which hackers stole approximately 19 million records containing names, contact details, birthdays, addresses, and other personal information. The stolen data is being offered for sale on dark web forums, and ANTS has warned affected users about potential phishing attacks using the compromised information. The agency stated that hackers do not have access to user accounts and tha...
A breach dubbed "BlueLeaks 2.0" exposed 8.3 million anonymous tips submitted through Navigate360's P3 platform, affecting students, Crime Stoppers programs, and military personnel from 1987 through November 2025. The hackers claim to have obtained 93 GB of data in plain text format that included tipsters' full names and details about reported individuals, despite platform promises of anonymity. Navigate360 has not publicly confirmed the breach or notified affected individuals on its websites,...
The UK High Court ruled that London's Metropolitan Police can continue using live facial recognition technology, rejecting a legal challenge brought by civil liberties group Big Brother Watch and youth worker Shaun Thompson, who was falsely identified and detained by the system in 2024. The judges found the technology does not violate privacy rights under European human rights law, despite Thompson's misidentification as his brother who was wanted by police. Thompson plans to appeal the decis...
The Chattanooga Heart Institute has agreed to pay up to $3.75 million to settle a class action lawsuit stemming from a 2023 data breach. The settlement resolves legal claims from affected patients whose personal information was compromised in the breach. This represents one of the larger healthcare data breach settlements in the region, affecting patients who received care at the cardiology practice.
A 45-year-old NSW Treasury official has been charged with accessing restricted data after allegedly downloading over 5,600 commercially sensitive government documents to an external server between April 10-14. The documents, described as spanning "whole of government" departments and containing confidential commercial and financial information about current and past government negotiations, were detected three days after the final alleged transfer. Authorities say there is currently no eviden...
Ameriprise Financial disclosed a data breach affecting nearly 50,000 people after an unauthorized individual accessed stored data and files between March 2 and 18, exposing names and personal identifiers. This marks the second breach for the Minneapolis-based firm in less than six months, following a December phishing incident that potentially exposed 598 people. Ameriprise is offering free identity protection services to affected customers and stated no unauthorized transactions or fund move...
Tyler Robert Buchanan, a 24-year-old British member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS phishing attacks targeting major technology companies including Twilio, LastPass, DoorDash, and Mailchimp. The attacks compromised tens of thousands of users and enabled the group to steal at least $8 million in cryptocurrency through SIM-swapping, where attackers hijack victims' phone numbers to intercept ...
New York Attorney General Letitia James sued Coinbase Financial Markets and Gemini Titan for allegedly operating unlicensed gambling platforms disguised as prediction markets, violating state gambling laws including restrictions on betting involving New York college sports teams. The lawsuit comes amid a broader regulatory conflict, with the US Commodity Futures Trading Commission recently suing three other states to assert federal authority over prediction market regulation. James emphasized...
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials
Minidoka Memorial Hospital in Idaho experienced a cyberattack on April 5 that disrupted internal systems and imaging services, forcing some emergency patient transfers though the hospital continued operations. A threat group called "Blackwater" later claimed to have stolen approximately 576 GB of data comprising over 2.3 million files and threatened to leak it after April 24, though they provided no proof of their claims. The incident affects patient data at the rural hospital, though the ful...
Cloud app hosting company Vercel was breached after one of its employees downloaded a compromised app from Context AI, allowing hackers to access internal systems and steal unencrypted customer credentials, API keys, and potentially source code. Vercel has notified affected customers and advised them to rotate their app credentials, though the company has not disclosed how many users were impacted. The breach highlights supply chain risks, as hackers exploited a third-party app connection to ...
Amtrak is dealing with a data breach after hackers claimed to have accessed and released customer records online, with at least 2.1 million unique accounts confirmed exposed, though some reports suggest the total could reach 9.4 million records. The exposed data includes names, email addresses, physical addresses, customer support tickets, and potentially travel-related details. The attack has been linked to the hacking group ShinyHunters, which reportedly gained access through Amtrak's Sales...
An attacker compromised Vercel's systems and stole customer credentials and sensitive data after initially infecting a Context.ai employee's computer with malware disguised as Roblox game cheats. The breach exploited interconnected cloud services, with the attacker using stolen OAuth tokens to access a Vercel employee's Google Workspace account and then pivoting to Vercel's internal environments. Vercel customers are at risk and have been advised to rotate their credentials, while the stolen ...
Canada Life, one of Canada's largest insurers, disclosed that hackers from the ShinyHunters group accessed personal information of up to 70,000 customers through an employee's account, including names, dates of birth, addresses, gender, and income levels. Most of the compromised accounts belonged to employees of one large corporate client, and the company is offering affected customers free credit monitoring. The breach, detected within the past two weeks, has been contained and authorities h...
Vercel, a cloud development platform, confirmed a security breach after a threat actor gained unauthorized access to internal systems through a compromised employee's Google Workspace account linked to a third-party AI tool called Context.ai. The attacker accessed environment variables not marked as sensitive, which allowed them to enumerate and gain further access to customer data, though the company states its core services remain unaffected. Vercel is working with affected customers and re...
Cookeville Regional Medical Center in Tennessee disclosed a ransomware attack that compromised personal and medical data of over 337,000 individuals, including Social Security numbers, financial information, and health records. The Rhysida ransomware group stole approximately 370,000 files and, after failing to sell the data for roughly $1 million, made it freely available online, significantly increasing the risk of identity theft and fraud. The hospital is offering identity theft protection...
WebTPA, a third-party healthcare administrator, disclosed a data breach affecting 2.4 million individuals after discovering unauthorized network access that occurred between April 18-23, 2023. The exposed information may include names, contact details, dates of birth, Social Security numbers, and insurance information, though financial account data and medical treatment records were not compromised. The company is offering affected individuals two years of free identity monitoring services th...
Roblox reached a $12 million settlement with Nevada that requires the gaming platform to implement enhanced protections for young users, including mandatory age verification and restrictions on nighttime notifications for minors. The company will pay $10 million over three years to support youth programs and fund a law enforcement liaison position to address platform safety concerns. Nevada's attorney general described the agreement as a first-of-its-kind settlement, reached in lieu of litiga...
Rockstar Games confirmed a data breach after the ShinyHunters gang leaked over 78 million records containing internal analytics data, including metrics from GTA Online and Red Dead Online related to player behavior, revenue patterns, and anti-cheat systems. The breach occurred through a compromised third-party analytics provider, Anodot, which had integration access to Rockstar's Snowflake environment via stolen authentication tokens. Rockstar stated the exposed information was limited and di...
Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit over a September 2023 data breach that exposed patients' sensitive health information. Affected individuals can claim up to $5,000 for documented out-of-pocket losses related to the breach, or receive an estimated $75 cash payment without proof, plus two years of free medical monitoring services. The settlement received preliminary court approval in February 2026 and covers all U.S. residents whose persona...
McGraw-Hill confirmed that hackers exploited a Salesforce platform misconfiguration to access a limited set of internal data, though the company states no customer databases, student information, or sensitive financial data were compromised. The breach follows an extortion threat from the ShinyHunters group, which claims to possess 45 million Salesforce records containing personally identifiable information and has set a ransom deadline. McGraw-Hill says the affected webpages have been secure...
Rockstar Games confirmed it suffered a cyberattack in which hackers accessed a "limited amount of non-material company information" through a third-party data breach, though the company states no player data was affected. The hacking group ShinyHunters claims to have stolen company data including financial information and player habit studies from cloud servers, and threatened to release it after their ransom demand went unpaid. This breach is separate from Rockstar's 2022 incident that leake...
Hackers breached business monitoring software company Anodot on April 4, stealing authentication tokens that allowed them to access and extract customer data stored in the cloud, affecting at least a dozen companies including Rockstar Games. The ShinyHunters hacking group is now threatening to publish the stolen data unless ransom demands are met, demonstrating how attackers can compromise multiple organizations by targeting a single software provider they all use. Cloud storage provider Snow...
SouthState Bank has agreed to a $1.5 million settlement following a February 2024 data breach that potentially exposed personal information - including names, Social Security numbers, and financial account details - of approximately two million customers. Affected individuals will automatically receive one year of free credit monitoring, and those who file claims can receive up to $3,500 for documented losses such as fraudulent charges, bank fees, and ID replacement costs. The settlement cove...
Hackers breached European gym chain Basic-Fit's systems and downloaded personal data of approximately 1 million members across six countries, including names, addresses, phone numbers, email addresses, dates of birth, bank details, and membership information. The company detected and stopped the intrusion within minutes but confirmed some data had already been extracted, though passwords and identity documents were not accessed. Basic-Fit reported the breach to Dutch authorities and notified ...
Rockstar Games confirmed it was affected by a third-party data breach after a hacker group claimed to have breached the GTA 6 developer and issued a ransom demand with an April 14 deadline. The company stated the breach has no major impact on its operations or players. The incident follows previous security breaches involving Rockstar Games.
The Silent Ransom Group breached law firm Orrick, Herrington & Sutcliffe in January 2026, accessing its network for approximately one week without deploying malware, likely through phishing or social engineering. After Orrick offered $1 million to resolve the incident - significantly less than the ransom demand - the threat actors leaked the firm's data, marking the first top-100 law firm to offer what the group considered an insufficient payment. This is Orrick's second major data breach in ...
South Korea's Personal Information Protection Commission fined Lotte Card 9.62 billion won ($6.51 million) after a hacking incident exposed personal data of 2.97 million customers, including resident registration numbers of 450,000 people. The breach occurred because Lotte Card stored registration numbers in plain text in log files from its online payment system and failed to implement proper encryption, violating data protection laws. The Financial Supervisory Service also imposed a separate...
Christie's fined $194,000 for data breach in South Korea
South Korea's Personal Information Protection Commission fined British auction house Christie's approximately $193,600 after a data breach exposed personal information of 620 South Korean members, including names, addresses, and resident registration numbers. The breach occurred when a Christie's employee granted system access to a malicious actor, and the company failed to encrypt customer data or report the incident within the required 72-hour timeframe. The regulator cited inadequate secur...
French email provider Alinto left an Elasticsearch database exposed online, leaking 40 million email records containing sender and recipient addresses, location details, and relay IP addresses. The breach affected major corporations including L'Oreal, Renault, and DHL, as well as numerous French government agencies with at least 14,000 government email addresses exposed. Security researchers discovered the unsecured database and notified Alinto, which has since secured the server.
Cybercriminals allegedly stole and leaked 7.7 terabytes of sensitive Los Angeles Police Department data, including officer personnel files, internal affairs investigations, and discovery documents containing unredacted criminal complaints, witness names, and medical information. The breach affected a third-party digital storage system used by the LA City Attorney's Office rather than LAPD systems directly, with the extortion gang World Leaks claiming responsibility. The leak exposes more than...
Healthcare IT company CareCloud disclosed a data breach on March 16 that potentially exposed medical records of millions of patients after hackers accessed one of its six patient record stores for approximately eight hours. The company serves over 45,000 provider groups, hospitals, and medical practices across the U.S., though it remains unclear whether protected health information was actually stolen or if ransomware was involved. An investigation is ongoing with third-party cybersecurity ex...
Jones Day, a top-ranked U.S. law firm, confirmed a data breach affecting 10 clients after the Silent Ransom Group gained access through a phishing attack and posted stolen files to the dark web on March 30. The hackers demanded $13 million and threatened to publish all data, contact employees and clients, and resume attacks if the firm did not respond by their deadline. All affected clients have been notified of the breach, which targeted a senior member of the firm's Federal Circuit legal team.
Lakeview Loan Servicing and related mortgage companies agreed to a $26 million settlement after an October 2021 data breach potentially exposed sensitive information of approximately 5.8 million customers. Affected individuals can file claims by June 22, 2026, for reimbursement of documented out-of-pocket losses up to $5,000, such as fraud-related expenses or credit monitoring costs, or receive a pro-rated cash payment. The settlement covers current and former customers of Lakeview, Pingora, ...
Oklahoma Governor Stitt signed Senate Bill 546 on March 20, 2026, making Oklahoma the 21st state with a comprehensive consumer privacy law, effective January 1, 2027. The law applies to businesses that serve Oklahoma residents and either process data of 100,000+ consumers annually or process data of 25,000+ consumers while earning over 50% of revenue from selling personal data. Covered businesses must honor consumer requests to access, correct, delete, or port their data, and allow opt-outs f...
In September 2024, immigration case management platform DocketWise suffered a data breach when unauthorized actors used valid credentials to access repositories containing unstructured client data from multiple law firms, affecting 116,666 individuals. The exposed information varied by person but could include Social Security numbers, passport details, financial account information, medical records, and other sensitive personal data belonging to immigration law firm clients. The breach is par...
Phoenix-based Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit following a September 2023 data breach in which attackers accessed systems, encrypted data, and stole patient information including names, addresses, birth dates, Social Security numbers, and driver's license numbers. The practice denied wrongdoing but settled to avoid ongoing litigation costs and risks. The breach affected patients' personal and health information due to what the lawsuit all...
Fitness app Strava's public "Global Heatmap" feature inadvertently revealed the locations of secret U.S. military bases and personnel movements in conflict zones like Afghanistan and Syria by displaying users' GPS-tracked exercise routes. Military analysts found that jogging trails at forward operating bases were clearly visible on the map, making it easy to identify facilities that don't appear on services like Google Maps, with U.S. military personnel being the primary Strava users in many ...
Probe launched after Hospital Authority data breach involving 56,000 patients
Hong Kong's Hospital Authority disclosed that personal data of over 56,000 patients from Kowloon East hospitals was accessed without authorization and leaked on a third-party platform, including names, identity card numbers, birth dates, and details of surgical procedures. The breach was detected by monitoring systems early Friday morning and linked to a contractor's system maintenance work, which has been suspended. Both Hong Kong police and the privacy watchdog are investigating the inciden...
A threat group called TeamPCP breached the European Commission's Amazon cloud environment using a stolen API key, exposing personal data including names, email addresses, and email content from at least 30 EU entities. The attackers exfiltrated a 90GB dataset containing tens of thousands of files, which was subsequently published on the dark web by data extortion group ShinyHunters. The breach affected 42 internal European Commission clients and at least 29 other Union entities using the euro...
Drift, a decentralized cryptocurrency exchange on the Solana blockchain, suffered a hack that drained $285 million in digital assets, potentially making it one of the largest crypto thefts in history. Security researchers believe the attacker exploited a vulnerability in a new lending market feature that allowed users to borrow against an illiquid token. The exchange suspended deposits and withdrawals while working with security firms and exchanges to contain the breach.
Cardiovascular Consultants agreed to pay $3.85 million to settle a class action lawsuit stemming from a September 2023 cyberattack that exposed patients' Social Security numbers, medical records, addresses, and other sensitive information. Affected individuals who received breach notification can claim up to $5,000 for documented out-of-pocket losses related to the incident, plus two years of medical monitoring services. The cardiology practice denied wrongdoing but settled to avoid ongoing l...
Nacogdoches Memorial Hospital disclosed that a January 31 cyberattack compromised its computer network, potentially exposing patient information including names, Social Security numbers, dates of birth, medical record numbers, and in some cases photographs. The hospital has notified affected patients by letter and established a hotline for questions, stating no confirmed misuse of data has been detected so far. NMH says it has enhanced network security measures and updated procedures to preve...
Banking tech data breach exposes 672K in ransomware attack
Iowa's Attorney General filed a lawsuit against Change Healthcare following a February 2024 data breach that exposed sensitive information - including Social Security numbers, medical records, and health insurance details - of nearly 2.2 million Iowans. The breach went undetected for 10 days while hackers installed malware and stole data through a remote access portal lacking multifactor authentication, and the company waited five months to notify affected individuals. The lawsuit alleges vio...
What Match Group (MTCH)'s FTC Privacy Settlement With OkCupid Data-Sharing Allegations Means For Shareholders
OkCupid and parent company Match Group settled with the FTC over allegations they gave AI firm Clarifai unrestricted access to users' demographic data, location information, and nearly 3 million photos without consent or opt-out options. The proposed settlement includes a 20-year order requiring clearer disclosures about how the companies handle sensitive user data, including messages, health information, photos, and location details. The companies have not admitted liability in the case.
UnitedHealth Group confirmed that a ransomware attack on its subsidiary Change Healthcare exposed protected health information and personally identifiable information potentially affecting a substantial proportion of people in America. The company paid $22 million in ransom but never received the stolen data back because the ransomware operator ALPHV took the payment and shut down, leaving the affiliate attackers and the victim empty-handed. UnitedHealth is offering affected individuals two y...
A patient who received an X-ray at West Tallinn Central Hospital in Estonia was given a supposedly new USB drive to transfer their medical images, but discovered it also contained health data from several other patients. The hospital has not yet explained how patient data ended up on what was meant to be a blank drive and says it will investigate only after the patient files a formal complaint. The incident exposed sensitive health information of multiple individuals through what appears to b...
Italy data protection agency fines Intesa Sanpaolo $36 mln over data breach
Match Group and its subsidiary OkCupid settled with the FTC over allegations that the dating platform shared three million user photos and location data with facial recognition company Clarifai in 2014 without informing users or providing an opt-out option. The FTC claimed this violated OkCupid's privacy policy, which only allowed sharing with service providers and business partners, not unrelated third parties. Under the settlement, which carries no monetary penalty, Match Group is permanent...
The FTC announced enforcement action against OkCupid and Match Group for allegedly sharing nearly 3 million users' personal data - including photos, location information, and demographics - with a third party without authorization or contractual restrictions, reportedly because OkCupid's founders had financial ties to the recipient. Under the proposed settlement, both companies are permanently barred from misrepresenting their data collection, use, and disclosure practices, with future violat...
Italy's data protection authority fined Intesa Sanpaolo, the country's largest banking group, €31.8 million after an employee improperly accessed the banking information of 3,573 customers over a two-year period from February 2022 to April 2024. The regulator cited inadequate technical and organizational security measures that allowed the employee to conduct more than 6,600 unauthorized queries. The penalty represents one of Italy's largest data protection fines for insider misuse of customer...
T-Mobile confirmed a data breach affecting 47.8 million people, including 7.8 million current postpaid customers, over 40 million former or prospective customers, and 850,000 prepaid customers. Stolen data included names, dates of birth, Social Security numbers, and driver's license information, while 850,000 prepaid customers also had phone numbers and account PINs exposed. T-Mobile stated that payment card information was not compromised and reset PINs for affected prepaid accounts after di...
CareCloud reported to the SEC that an unauthorized third party temporarily accessed one of its six electronic health record environments on March 16, disrupting functionality for about eight hours before systems were restored. The health technology company is investigating whether patient information was accessed or stolen during the breach, which affected its CareCloud Health division but was reportedly contained to that single environment. CareCloud has engaged cybersecurity experts and not...
Settlement approved for Canadians affected by past 23andMe data breach
Hong Kong's Correctional Services Department disclosed that a hacker illegally accessed its IT systems on Tuesday, compromising personal data of 6,800 current and former prison employees including names, birthdates, academic qualifications, employment history, and email addresses. The breach occurred when the attacker first infiltrated the department's internal Knowledge Management System and then gained entry to a separate system containing staff data. Authorities have notified affected indi...
Dutch Police discloses security breach after phishing attack
Ajax data breach exposed season tickets, supporter bans open to tampering - Help Net Security
Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit
Lakeview Loan Servicing agrees to $26M settlement over data breach. Here's how to file a claim
Corewell Health says patients' social security numbers and more may have been compromised in data breach
European Parliament rejects extension of CSAM scanning rules for tech platforms
The European Commission confirmed a cyberattack on its cloud infrastructure hosting Europa.eu websites, with hackers reportedly stealing over 350 gigabytes of data from the Commission's Amazon Web Services account. The Commission stated its internal systems were not affected and the attack has been contained, though the investigation is ongoing to determine what specific data was taken. The breach affected the Commission's web presence platform, and the organization is notifying entities that...
Iran-linked hackers breached FBI Director Kash Patel's personal Gmail account and published over 300 emails along with personal photographs dating from 2010 to 2019. The FBI confirmed the breach but stated the compromised data was historical and contained no government information, while the hacker group Handala Hack Team - believed by Western researchers to be linked to Iranian government cyber-intelligence - publicly posted the materials on their website. The incident demonstrates the vulne...
KERBER, ECK & BRAECKEL REACHES $1.4 MILLION SETTLEMENT OVER DATA BREACH IMPACTING CHRISTOPHER RURAL HEALTH PATIENTS
Judge tosses out X's advertiser boycott lawsuit
Fidelity Reaches $2.5M Settlement Over Data Breach Affecting 155,000 Customers
Nike Hit With Suit Over January Data Breach Affecting Thousands
Bank to pay $12,500 from $5.2m data settlement - see if you got the notice
Clinica Family Health & Wellness reveals 2025 data breach
Infinite Campus warns of breach after ShinyHunters claims data theft
HackerOne discloses employee data breach after Navia hack
Toll of Kaplan data breach surpasses 230K
Telehealth Platform Provider OpenLoop Health Disclosed Data Breach
Lapsus$ Hackers disclose more about AstraZeneca Data Breach - Cybersecurity Insiders
PURA set to vote Wednesday on Aquarion sale, Avangrid data breach findings
Utah Medical Clinic Sued by Insurer Over Data Breach Coverage
Education company Kaplan reports data breach impacting more than 230,000
Who are ShinyHunters and what is Telus Digital? Crunchyroll data breach explained. Here's how much and wha
RuneScape Boards - 222,762 breached accounts: In around 2011, the now defunct RuneScape Boards forum (also known as RSBoards) suffered a data breach that was later redistributed as part of a larger corpus of data. The vBulletin-based service exposed 223k unique email addresses along with usernames, IP addresses and salted...
Balance Autism Settles Class Action Data Breach Lawsuit
Fidelity agrees to $2.5M class action settlement over alleged data security failure - Class Action Lawsuits
Attorney General Jackley's Genetic Data Privacy Bill Signed into Law
PowerSchool, Bain Can't Skirt MDL Over Student Data Breach
North Carolina tech worker found guilty of insider attack netting $2.5M ransom: Matt Kapko reports: A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday. Cameron...
Starbucks Confirms Data Breach from a Social Engineering Attack on a Business Partner
Mizuno USA settles data breach with cash payments and credit monitoring: Who can claim and how to file
UK police force presses pause on live facial recognition after study finds racial bias
DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Persons Affected by the ID Care Data Breach
Security Firm Aura Discloses Data Breach Impacting 900,000 Records - SecurityWeek
Deaconess Health System Data Breach Exposes SSNs and Sensitive Medical Records of Patients
Marquis Data Breach Affects 672,000 Individuals - SecurityWeek
PathStone Family Office, a wealth management firm overseeing roughly $160 billion in assets, was breached by the ShinyHunters cybercrime group in February 2026. The attackers exfiltrated 15 GB of data from PathStone's Salesforce environment, exposing personal information of over 91,000 clients including Social Security numbers, financial profiles, and estate planning records. A former intern has since filed a lawsuit against the firm over the breach.
Identity protection company Aura suffers massive 900,000 person data breach: customer information exposed
Navia discloses data breach impacting 2.7 million people
Judge mostly denies Frederick Health motion to dismiss data breach lawsuit
PPB Urges Alternative Tip Submissions Amid Reported Data Breach
Data breach linked to Crime Stoppers; Portland Police urge avoiding tip service for now
UK fines 4chan nearly $700,000 for failing its online safety act obligations
Baltimore watchdog uncovers thousands in fraudulent billing, confidential data breach related to youth crimefighting program
Telus Digital confirms massive 1 petabyte data breach by hackers
Lawsuit filed against Ericsson following US data breach
MedPeds Associates of Sarasota Notice of Data Breach
Bank software vendor Marquis says more than 670,000 impacted by August breach
Kaplan North America Data Breach Alert Issued By Wolf Haldenstein
OpenLoop Health Data Breach Affects 68,160 Texans
Aura confirms data breach exposing 900,000 records after a voice-phishing attack on an employee with access to a legacy marketing platform. Names, emails, addresses, and phone numbers were compromised, fueling targeted phishing risks for 35,000 current and former customers.
Glass Products Co. Reaches Deal In Data Breach Suit
The FBI confirms it's buying Americans' location data
CommonSpirit Health Patients Affected by Vendor Data Breach
Geisinger, Nuance Reach $5 Million Settlement After Data Breach
Baltimore IG refers fraud, data sharing in crime prevention office for criminal investigation
Data breach reported by Google News - Security & Encryption: Class actions claim CarGurus data breach exposed 1.2 million consumers’ PII - Class Action Lawsuits
Regulatory action reported by Google News - Enforcement: French court upholds €40 million GDPR fine for Criteo - Digital Watch Observatory
Legal action reported by Google News - Security & Encryption: Myers Auto Group Data Breach Class Action Settlement - Claim Depot
Legal action reported by Engadget: xAI is being sued by teens who say Grok created CSAM using their photos
Reported by Google News - Enforcement: Encyclopedia Britannica Sues OpenAI Over AI Training Data. Is Grokipedia Next? - Gizmodo
Community bank reaches $2.4M agreement in 2023 data breach class action
Fidelity Agrees to Pay $2.5M in Data Breach Class Action
Intuitive Surgical confirms phishing-related data breach
Major data breach prompts about $6.5M penalty for Lotte Card
Data breach reported by HIBP - Baydöner - 1,266,822 breached accounts: In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small...
Data breach reported by HIBP - Divine Skins - 105,814 breached accounts: In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the...
Data breach reported by Google News - Security & Encryption: Were you affected by the Numotion data breach? You could receive a $15,000 payment - MARCA
Data breach reported by Google News - Security & Encryption: American drivers to get up to $4.5k under $1.5 million 'data breach' settlement - The US Sun
Regulatory action reported by Google News - Privacy & Data: ICO publishes guidance on data protection complaints processes (via Passle) - Slaughter and May
Legal action reported by Engadget: Adobe agrees to pay settlement for making its subscriptions hard to cancel
Data breach reported by BleepingComputer: Telus Digital confirms breach after hacker claims 1 petabyte data theft
Data breach reported by BleepingComputer: England Hockey investigating ransomware data breach
Data breach reported by The Register: Ericsson blames vendor vishing slip-up for breach exposing thousands of records
Data breach reported by Google News - Security & Encryption: Loblaw Data Breach Impacts Customer Information - SecurityWeek
Data breach reported by The Register: FBI is investigating breach that may have hit its wiretapping tools
Regulatory action reported by Google News: Data privacy violations result in $1.1M penalty for PlayOn Sports | brief | SC Media - SC Media
Legal action reported by TechCrunch: Meta sued over AI smart glasses’ privacy concerns, after workers reviewed nudity, sex, and other footage
Reported by Google News: Maine Senate advances amended data privacy bill that would exempt political groups - newscentermaine.com
Reported by Google News: xAI loses bid to halt California AI data disclosure law - Reuters
Reported by EPIC: SCOTUS to Hear Case Over Proper Scope of the Video Privacy Protection Act (VPPA)
Data breach reported by HIBP - KomikoAI - 1,060,191 breached accounts: In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to...
Data breach reported by HIBP - CarMax - 431,371 breached accounts: In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
Data breach reported by HIBP - APOIA.se - 450,764 breached accounts: In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses.
Data breach reported by HIBP - University of Pennsylvania - 623,750 breached accounts: In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 ...