negligent
On January 21, 2026, Cisco disclosed a critical code injection vulnerability (CVE-2026-20045, CVSS 8.2) affecting Unified Communications Manager, Webex Calling, and related products that was actively exploited as a zero-day before a patch was available. The vulnerability allowed attackers to send crafted HTTP requests to obtain user-level access to the underlying operating system and escalate privileges to root. Cisco's PSIRT was aware of attempted exploitation in the wild. The U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and gave federal agencies until February 11, 2026 to deploy updates. The zero-day status indicates attackers discovered the vulnerability before Cisco's security teams, representing a failure to identify and remediate critical vulnerabilities before exploitation.
negligent
Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated it had detected a cybersecurity incident in which a threat actor exfiltrated certain documents from its corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.
negligent
A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.
compelled
In January 2025, the US Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, requiring ByteDance to divest TikTok by January 19, 2025 or face a ban. The court found the law sufficiently tailored to address national security concerns over data collection practices by a foreign adversary affecting 170 million US users. TikTok briefly went dark for US users on January 18-19 before Trump issued executive orders delaying enforcement. A consortium including Oracle, Silver Lake, and MGX eventually acquired 80% of TikTok US operations in a deal that closed January 2026.
negligent
The UK Information Commissioner's Office fined 23andMe £2.31 million for failing to adequately protect UK customers' personal data in the 2023 data breach that exposed genetic and ancestry information.
negligent
In January 2025, Oracle Cloud suffered a significant security breach exploiting a Java vulnerability. An attacker deployed malware into Oracle's Identity Manager database, exfiltrating sensitive authentication data including usernames, hashed passwords, SSO credentials, and LDAP passwords from over 140,000 Oracle Cloud tenants. Multiple lawsuits filed in March-April 2025 alleged Oracle intentionally withheld information about the breaches, with substantial delays violating mandatory notification requirements.
negligent $355.0M
A data breach at Coinbase occurred on December 26, 2024 but wasn't detected until May 11, 2025. Overseas support personnel were bribed to access internal systems and steal customer information including names, Social Security numbers, bank details, and transaction histories. The breach affected 69,461 customers. Coinbase recorded $355 million in costs across Q2-Q3 2025. TaskUs, which had provided customer service personnel since 2017, laid off 226 staff in India in connection with the breach.
negligent
Northeastern University research published in November 2024 revealed that Lyft unintentionally sent driver and applicant Social Security Numbers to TikTok and Meta. Lyft shared unsalted hashes of workers' SSNs with Facebook (Meta) and TikTok when applicants used the desktop website. The company had added tracking pixels provided free by Meta and TikTok for web traffic analysis, but these pixels inadvertently collected data from private application web forms and sent it directly to the social media companies. The issue was only discovered when researchers applied for driver positions via the desktop website. It represents a major privacy vulnerability in the driver onboarding process.
The Wikimedia Foundation adopted a formal Human Rights Policy in December 2021 embedding privacy protection into its mission. In November 2024, the Foundation launched temporary accounts to replace IP-based editing, providing better privacy protection for logged-out editors while maintaining accountability. The Foundation practices data minimization, collects very little personal information, and does not sell user data. It maintains a Country and Territory Protection List limiting data publication for at-risk regions, updated in January 2024. The Foundation also adopted differential privacy techniques in partnership with Tumult Labs to release 8 years of pageview data while protecting individual users.
negligent
In October 2024, Internet Archive suffered a significant data breach affecting 31 million users. Attackers exploited unsecured Zendesk API tokens that had been accessible in a GitLab repository for nearly two years. Exposed data included email addresses, screen names, and bcrypt password hashes. A second breach occurred via unrotated tokens after the initial attack.
compelled $324.0M
The Dutch Data Protection Authority fined Uber €290 million for transferring personal data of EU drivers to the United States without adequate protection between August 6, 2021 and November 21, 2023. The data included account details, taxi licenses, location data, photos, payment details, identity documents, and in some cases criminal and medical data of drivers. Uber stopped using Standard Contractual Clauses from August 2021, leaving driver data insufficiently protected. Uber responded that it would appeal, calling the decision 'completely unjustified.' An additional €10 million fine was imposed in January 2024 for related data access rights violations.
negligent
In May 2024, hackers breached Ticketmaster's systems via compromised Snowflake cloud credentials, stealing personal data from approximately 560 million customer accounts including names, emails, phone numbers, and partial payment card details. The hacking group ShinyHunters claimed responsibility and attempted to sell the data for $500,000 on dark web forums. Live Nation confirmed the breach in an SEC filing.
$7.0M
The FTC issued a first-of-its-kind prohibition banning Cerebral from using health information for most advertising purposes after finding that the company had disclosed sensitive personal health information of nearly 3.2 million consumers to LinkedIn, Snapchat, and TikTok using tracking pixels without proper authorization.
negligent
A data harvesting website called Spy.pet scraped messages from 620 million Discord users across more than 14,000 servers, accumulating over 4 billion public messages between November 2023 and April 2024. The site sold access to the database to anyone including law enforcement, AI training companies, and individuals spying on contacts. Discord ultimately took action to shut down Spy.pet, but the incident highlighted vulnerabilities in Discord's platform security that allowed months of large-scale data scraping before detection.
negligent $31.0M
In April 2024, perpetrators illegally transferred ₦11 billion ($7 million) from Flutterwave to several accounts. A second insider claimed the amount was at least ₦20 billion ($13.5 million). This followed a February 2024 incident where Flutterwave was defrauded of up to $24 million through unauthorized POS transactions, with a court order secured to recover funds from over 6,000 Nigerian bank customers.
In 2023-2024, Mandiant's 500+ threat intelligence analysts across 22 countries uncovered tactics of sophisticated state-sponsored groups: Russia's APT29, North Korea's 3CX supply chain attack, and Russia's Sandworm group breaching water infrastructure. Mandiant also exposed a critical vulnerability in Microsoft's Azure Kubernetes Service. The company was named a Leader in the Forrester Wave for External Threat Intelligence, receiving the highest possible score in 15 of 29 criteria. The M-Trends 2024 report showed that global median intrusion dwell time dropped to 10 days in 2023 from 16 days in 2022, indicating improved defensive capabilities.
Cisco is a Platinum member of the Cloud Native Computing Foundation (CNCF) and a Platinum sponsor of the Open Source Security Foundation (OpenSSF). The company is a top contributor to OpenTelemetry and the Kubernetes ecosystem, and launched Foundation AI, an open-source AI initiative for cybersecurity. Cisco's engineers serve in leadership roles across open source governance including as maintainers of key supply chain security projects.
Unmind's Nova AI workplace mental health tool adheres to GDPR with contractual zero data retention agreements with partners. User data is never used to train AI models. The platform allows employees to use services anonymously - employers only receive aggregated, non-identifiable data and cannot see individual employee activity.
negligent
In October 2023, LY Corporation suffered a data breach when hackers accessed systems through affiliate NAVER Cloud. The breach leaked 440,000+ items of personal data including users' age group, gender, and service histories. The incident stemmed from shared Active Directory authentication with former parent company Naver. Japan's Ministry of Internal Affairs issued administrative guidance twice in 2024, calling for system separation from Naver.
In May 2025, a lawsuit was filed alleging Computacenter fired a manager who reported a significant security breach at Deutsche Bank's New York headquarters. The breach involved an employee repeatedly bringing an unauthorized Chinese national into secure server rooms from March to June 2023. The manager claims the breach was not reported to SEC or Federal Reserve as required, and he was dismissed in July 2023 after raising concerns. He is seeking over $20 million in damages.