PrivacySignal

Search & browse the archive

The full corpus — beyond today's front page.


Breach
EDPB · · EU

EDPB meets with EU Commissioner McGrath and adopts common data breach notification template

The European Data Protection Board held its latest plenary session, meeting with EU Commissioner Michael McGrath to discuss shared priorities including the Digital Omnibus package, while also formally adopting a standardized template for data breach notifications across member states.

Why this matters: A unified breach notification template streamlines how individuals learn when their personal data has been compromised, potentially strengthening timely transparency. The EDPB's cautionary signal on the Digital Omnibus suggests concern that proposed regulatory changes could dilute existing data protection standards.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · AI governance · Compliance

#breach #gdpr #regulation
Breach
Dentons · · International

Digital Omnibus on AI: Provisional compromise reshapes EU AI Act. Part 2: Data governance, innovation and extended deadlines for high-risk AI systems

EU negotiators have reached a provisional compromise under the Digital Omnibus package that modifies the AI Act, adjusting data governance requirements, reshaping innovation provisions, and extending compliance deadlines for operators of high-risk AI systems.

Why this matters: Deadline extensions for high-risk AI systems mean individuals may face consequential automated decisions — in hiring, credit, or public services — with fewer immediate safeguards in place, while revised data governance rules will determine how much personal data AI developers can lawfully use.

Who should care: Cybersecurity · Privacy officers · Administrators · AI governance · Lawyers · General readers · Policy

#breach #ai-governance #ai
Breach
FTC Consumer Protection · · US Federal

FTC Gives Final Approval to Order Against Illuminate Settling Allegations It Failed to Secure Students’ Personal Data

The FTC has finalized a settlement with Illuminate Education over a data breach that exposed millions of students' personal information. The order mandates a formal security program, restrictions on how much student data the company may collect and retain, and deletion of data deemed unnecessary.

Why this matters: Students have little say in whether their schools share their data with third-party vendors, making robust regulatory enforcement a primary safeguard. The order's data minimization and deletion requirements acknowledge that limiting collection in the first place reduces exposure when security measures inevitably fall short.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement
Breach
EDPB · · EU

The Italian SA fined Poste Vita for data breach

Italy's data protection authority issued an administrative fine against insurance firm Poste Vita S.p.A. following a customer complaint alleging unauthorized disclosure of personal data. The regulator found violations of GDPR principles governing data processing and breach-notification obligations.

Why this matters: The case underscores that insurers hold sensitive personal and financial data, and failures to secure or promptly report breaches leave individuals exposed without timely recourse — a reminder that notification rules exist to protect people, not just satisfy regulators.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement
Breach
IAPP · · International

Why data mining is functionally required after a HIPAA breach

Following a HIPAA breach, covered entities are effectively compelled to conduct extensive data mining to identify which records were exposed, assess the scope of harm, and meet regulatory notification obligations — making deep internal data analysis a practical necessity rather than an optional step.

Why this matters: The requirement to mine patient data post-breach, while protective in intent, means sensitive health information is subjected to broad internal scrutiny. How organizations scope, log, and retain that analysis introduces secondary privacy risks that HIPAA's breach framework does not fully address.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach #healthcare
Breach
Krebs on Security · · International

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Who should care: Cybersecurity · Privacy officers · Administrators

Breach
TechCrunch — Privacy · · International

Customers say Trump Mobile is leaking their personal information

Trump Mobile is leaking customers’ email and home addresses but has not responded to people alerting the company of the data exposure, according to two YouTubers who said they verified that their leaked data is authentic.

Who should care: Cybersecurity · Privacy officers · Administrators

Breach
Krebs on Security · · International

CISA Admin Leaked AWS GovCloud Keys on Github

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

Who should care: Cybersecurity · Privacy officers · Administrators

Breach
Information Commissioner's Office · · UK

Fine of nearly £1m issued against South Staffordshire Plc and South Staffordshire Water Plc following major cyber attack and data breach

The UK's Information Commissioner's Office has levied a fine of approximately £1 million against South Staffordshire Plc and its water utility subsidiary following a significant cyberattack that resulted in a personal data breach affecting customers.

Why this matters: When critical infrastructure operators fail to secure personal data, ordinary people bear the consequences of exposed information with little recourse. Regulatory penalties signal that custodians of sensitive data face accountability, reinforcing individuals' right to expect adequate protection.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement
Breach
The Guardian — Privacy · · International

UK Biobank has my data, but I’m not worried. I know the benefits are too great to consider pulling out | Polly Toynbee

A dataset from UK Biobank — a large longitudinal health research repository — reportedly appeared for sale on Alibaba's platform in China, prompting concern among researchers and a warning from UK Science Minister Patrick Vallance that further such attempts are anticipated. Columnist Polly Toynbee argues the research value of such studies outweighs the risks.

Why this matters: The incident illustrates that even well-governed research databases carrying sensitive, long-term health records are vulnerable to unauthorized distribution, raising questions about whether participants' informed consent extends to scenarios where their data surfaces on foreign commercial platforms beyond any regulator's reach.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach #healthcare
Breach
The Guardian — Privacy · · International

More private health records of UK Biobank volunteers appear on Chinese website

Additional confidential health records from UK Biobank's 500,000 volunteers have appeared for sale on Alibaba following last week's initial breach, with Science Minister Patrick Vallance confirming the government is coordinating with Chinese authorities to remove the listings and anticipating further exposures.

Why this matters: Volunteers donated sensitive biological and medical data under an expectation of research use, not commercial exposure; the ongoing resurfacing of that data on a foreign marketplace highlights how breaches of biomedical repositories can strip individuals of control over their most intimate personal information with limited immediate recourse.

Who should care: Cybersecurity · Privacy officers · Administrators · Healthcare professionals · Compliance

#breach #healthcare
Breach
The Guardian — Privacy · · International

Some Interrail travellers told to cancel passports as hacked data posted online

Eurail, which sells passes, says data being ‘offered for sale on dark web’ after December breach affecting 300,000 people

Holidaymakers across Europe are facing the stress and expense of getting new passports after their personal data was posted on the dark web after a hack of the Interrail company Eurail. Personal data, including passport numbers, names, phone numbers, email and home addresses and dates of birth of more than 300,000 European travellers was accessed in December. But this week Eurail revealed to customers that “data copied during the security incident has been offered for sale…

Who should care: Cybersecurity · Privacy officers · Administrators

Breach
TechCrunch — Privacy · · International

Italian prosecutors confirm journalist was hacked with Paragon spyware

Italian prosecutors have confirmed that two journalists were targeted with Paragon spyware, advancing a broader national investigation into the tool's use. The identity of those who authorized or carried out the surveillance remains unknown.

Why this matters: Spyware deployed against journalists threatens press freedom and source confidentiality, creating a chilling effect on newsgathering. The unresolved question of who ordered the surveillance leaves open the possibility of state or powerful private actors targeting critical reporting with impunity.

Who should care: Cybersecurity · Privacy officers · Administrators · Lawyers · Compliance

#breach #enforcement #surveillance