technology Support = Good

Data Security

Supporting means...

Strong security practices; protects user data; transparent breach disclosure; invests in security infrastructure; bug bounty programs

Opposing means...

Poor security practices; data breaches due to negligence; conceals or delays breach disclosure; underinvests in security

Recent Incidents

On February 10, 2026, PayPal disclosed a data breach affecting approximately 100 PayPal Working Capital loan applicants due to a software coding error. Personal data including Social Security numbers, dates of birth, and business contact information was exposed from July 1 to December 13, 2025. Some customers experienced unauthorized transactions and received refunds. PayPal offered 2 years of free credit monitoring through Equifax.

Cisco released a patch for a critical vulnerability affecting its Unified Communications and WebEx products that allowed remote code execution. The vulnerability was actively exploited in the wild before the patch was released, representing a significant security risk to enterprise communications infrastructure.

Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509, with a CVSS score of 7.8 out of 10.0. The vulnerability allows attackers to bypass document security checks and is being actively exploited in the wild via malicious files. The emergency patch was released outside Microsoft's normal Patch Tuesday schedule due to active exploitation.

$186.0M

The FTC announced a proposed order to settle allegations that cryptocurrency company Nomad (Illusory Systems Inc.) failed to implement adequate security measures leading to a breach in which hackers stole $186 million from customers. The FTC alleged that Nomad prominently touted its security in advertising, claiming 'security-first' services, but failed to live up to these promises by failing to use secure coding practices, implement processes for receiving and addressing vulnerability reports, respond to security incidents, or utilize widely known technologies that might have helped mitigate consumer losses.

negligent

On January 21, 2026, Cisco disclosed a critical code injection vulnerability (CVE-2026-20045, CVSS 8.2) affecting Unified Communications Manager, Webex Calling, and related products that was actively exploited as a zero-day before a patch was available. The vulnerability allowed attackers to send crafted HTTP requests to obtain user-level access to the underlying operating system and escalate privileges to root. Cisco's PSIRT was aware of attempted exploitation in the wild. The U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and gave federal agencies until February 11, 2026 to deploy updates. The zero-day status indicates attackers discovered the vulnerability before Cisco's security teams, representing a failure to identify and remediate critical vulnerabilities before exploitation.

negligent

Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated they detected a cybersecurity incident where a threat actor exfiltrated certain documents from their corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.

Nike disclosed it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The incident involves a large volume of files taken from internal systems, which signals sustained access rather than a short-lived intrusion. The breach represents a significant compromise of Nike's internal systems and data.

negligent

A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.

compelled

In January 2025, the US Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, requiring ByteDance to divest TikTok by January 19, 2025 or face a ban. The court found the law sufficiently tailored to address national security concerns over data collection practices by a foreign adversary affecting 170 million US users. TikTok briefly went dark for US users on January 18-19 before Trump issued executive orders delaying enforcement. A consortium including Oracle, Silver Lake, and MGX eventually acquired 80% of TikTok US operations in a deal that closed January 2026.

A ransomware attack in January 2025 on government contractor Conduent exposed the data of over 25 million individuals across multiple states: 15.4 million in Texas (initially disclosed as 4 million), 10.5 million in Oregon, plus hundreds of thousands in Delaware, Massachusetts, and other states. Compromised data included names, Social Security numbers, medical records, health insurance information, and treatment history. The ransomware gang 'Safeway/SafePay' stole 8+ TB of data. Texas AG Ken Paxton called it potentially the 'largest healthcare data breach in US history.' More than 10 class action lawsuits have been filed.

negligent

In January 2025, Oracle Cloud suffered a significant security breach exploiting a Java vulnerability. An attacker deployed malware into Oracle's Identity Manager database, exfiltrating sensitive authentication data including usernames, hashed passwords, SSO credentials, and LDAP passwords from over 140,000 Oracle Cloud tenants. Multiple lawsuits filed in March-April 2025 alleged Oracle intentionally withheld information about the breaches, with substantial delays violating mandatory notification requirements.

negligent $355.0M

A Coinbase data breach occurred on December 26, 2024 but was not detected until May 11, 2025. Overseas support personnel were bribed to access internal systems and steal customer information including names, Social Security numbers, bank details, and transaction histories. The breach affected 69,461 customers. Coinbase recorded $355 million in costs across Q2-Q3 2025. TaskUs, which had provided customer service personnel since 2017, laid off 226 staff in India connected to the breach.

negligent

In November 2024, T-Mobile confirmed it was targeted by the Salt Typhoon Chinese state-sponsored hacking campaign that breached multiple US telecommunications companies. The attack potentially exposed call logs, text messages, and surveillance request records for targeted individuals. The campaign highlighted systemic infrastructure security weaknesses across US telecom networks and raised national security concerns about foreign access to sensitive communications data.

negligent

Northeastern University research published in November 2024 revealed that Lyft unintentionally sent driver and applicant Social Security Numbers to TikTok and Meta. Lyft shared unsalted hashes of workers' SSNs with Facebook (Meta) and TikTok when applicants used the desktop website. The company had added tracking pixels provided free by Meta and TikTok for web traffic analysis, but these pixels inadvertently collected data from private application web forms and sent it directly to the social media companies. The issue was only discovered when researchers applied for driver positions via the desktop website. It represents a major privacy vulnerability in the driver onboarding process.

The Wikimedia Foundation adopted a formal Human Rights Policy in December 2021 embedding privacy protection into its mission. In November 2024, the Foundation launched temporary accounts to replace IP-based editing, providing better privacy protection for logged-out editors while maintaining accountability. The Foundation practices data minimization, collects very little personal information, and does not sell user data. It maintains a Country and Territory Protection List limiting data publication for at-risk regions, updated in January 2024. The Foundation also adopted differential privacy techniques in partnership with Tumult Labs to release 8 years of pageview data while protecting individual users.

negligent

In October 2024, Internet Archive suffered a significant data breach affecting 31 million users. Attackers exploited unsecured Zendesk API tokens that had been accessible in a GitLab repository for nearly two years. Exposed data included email addresses, screen names, and bcrypt password hashes. A second breach occurred via unrotated tokens after the initial attack.

negligent $31.5M

In September 2024, the FCC imposed a $31.5 million consent decree on T-Mobile covering four major data breaches from 2021-2023. The 2021 breach exposed 76.6 million customers' names, SSNs, and driver's licenses. The 2023 breach exposed 37 million customers' billing addresses and account numbers. T-Mobile was required to invest an additional $15.75 million in cybersecurity improvements. The FCC found multiple compliance failures including inadequate data protection, impermissible access to customer proprietary network information, and misrepresentation to customers about security practices.

compelled $324.0M

The Dutch Data Protection Authority fined Uber €290 million for transferring personal data of EU drivers to the United States without adequate protection between August 6, 2021 and November 21, 2023. The data included account details, taxi licenses, location data, photos, payment details, identity documents, and in some cases criminal and medical data of drivers. Uber stopped using Standard Contractual Clauses from August 2021, leaving driver data insufficiently protected. Uber responded that it would appeal, calling the decision 'completely unjustified.' An additional €10 million fine was imposed in January 2024 for related data access rights violations.

negligent $10.0B

On July 19, 2024, CrowdStrike released a faulty update to its Falcon Sensor security product that crashed 8.5 million Windows computers globally, the largest IT outage in history. The update contained a logic error causing out-of-bounds memory reads. Airlines cancelled 5,078 flights (Delta alone lost $500M), hospitals and emergency services were disrupted, and banks went offline. Former employees reported that the company prioritized 'speed over quality' with inadequate testing. Global economic damage exceeded $10 billion. CEO George Kurtz declined to testify before Congress.