Al Jazeera's 'Invisible Eyes' documentary (May 2026) exposed that Safaricom allowed Kenyan security agencies access to subscriber location data, call records, and M-Pesa financial transactions -- often without court orders -- to surveil, locate, and track activists and protesters. A Safaricom employee admitted in court to complying with a government data request without a court order. The Law Society of Kenya filed a constitutional petition seeking a court audit of all data requests from June 2024 to December 2025.
$12.8M
On May 8, 2026, General Motors and OnStar agreed to a $12.75M settlement with California -- the largest CCPA penalty ever. GM collected and sold geolocation and driving behavior data from hundreds of thousands of California consumers to data brokers without adequate consent. This was the first data minimization enforcement action under CCPA, establishing that companies must limit data collection to what is reasonably necessary for the disclosed purpose.
negligent
Between April 18-20, 2026, Vercel suffered a data breach originating from a compromise of Context.ai, a third-party AI productivity tool. A Context.ai employee downloaded malware (Lumma Stealer), leading to credential theft and OAuth token compromise that gave attackers access to Vercel internal systems. Approximately 580 employee records, API keys, database credentials, source code, internal dashboards, and limited customer credentials were compromised. An attacker claiming to be 'ShinyHunters' demanded $2 million ransom. CEO Guillermo Rauch said the attack was 'significantly accelerated by AI.'
negligent
In March 2026, T-Mobile confirmed a data breach affecting 47.8 million people including current, former, and prospective customers. Approximately 7.8 million current postpaid customer records were stolen, ~40 million former/prospective customer records, and 850,000 active prepaid customers had phone numbers and account PINs exposed. Exposed data included names, dates of birth, Social Security numbers, and driver's license/ID information. T-Mobile discovered the breach through an online forum post and shut down the leak.
$135.0M
A $135 million Google settlement received preliminary court approval on March 5, 2026, resolving class action allegations that Google unlawfully surveilled and collected private information from cellular data purchased by Android users. The settlement covers over 100 million Americans, with payouts of up to $100 per person. As part of the settlement, Google will be required to obtain users' affirmative consent before using cellular data.
On February 19, 2026, West Virginia AG JB McCuskey filed a consumer protection lawsuit alleging Apple allowed child sexual abuse materials (CSAM) to be stored and distributed on iCloud services. The lawsuit claims Apple 'prioritized user privacy over child safety for years': Apple filed only 267 CSAM reports to the National Center for Missing and Exploited Children in 2023, compared to Google's 1.47 million reports. The state seeks statutory and punitive damages plus injunctive relief requiring Apple to implement effective CSAM detection.
negligent
A bug (CW1226324) allowed Microsoft Copilot Chat to read and summarize customers' confidential emails without permission for approximately four weeks (January 21 to mid-February 2026). Emails marked with confidentiality labels and protected by DLP policies were incorrectly processed across Word, Excel, and PowerPoint. Affected organizations included the UK's National Health Service. Microsoft did not disclose the number of affected customers or what data was accessed. This was the second trust boundary violation in eight months, following CVE-2025-32711 'EchoLeak' in June 2025 (CVSS 9.3).
$2.8M
On February 11, 2026, California AG Rob Bonta announced the largest CCPA settlement to date with Disney. The company's opt-out webform only stopped sharing through Disney's own ad platform while continuing to sell data to third-party ad-tech companies. Disney failed to provide in-app opt-out in streaming apps, ignored device-specific Global Privacy Control signals for logged-in users, and required bundle subscribers to opt out up to 10 separate times to fully stop data sharing.
On February 10, 2026, PayPal disclosed a data breach affecting approximately 100 PayPal Working Capital loan applicants due to a software coding error. Personal data including Social Security numbers, dates of birth, and business contact information was exposed from July 1 to December 13, 2025. Some customers experienced unauthorized transactions and received refunds. PayPal offered 2 years of free credit monitoring through Equifax.
In February 2026, Anthropic aired anti-OpenAI advertisements during the Super Bowl, criticizing OpenAI's announced plans to add 'Instagram-style' advertising to ChatGPT. The ads resulted in an 11% boost in Anthropic users. Sam Altman called the ads 'deceptive.' The rivalry escalated at the India AI Summit where Altman and Dario Amodei refused to hold hands during a group photo with PM Modi.
On February 4, 2026, Kakao notified KakaoTalk's 47M+ users it would begin collecting and analyzing usage records and patterns for targeted advertising. After public backlash over privacy invasion, Kakao revised its terms on February 11, deleting some controversial provisions. This followed a September 2025 redesign debacle that was rolled back in 5 days after user revolt, and criticism of a location-sharing feature that allegedly enabled stalking.
Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509, with a CVSS score of 7.8 out of 10.0. The vulnerability allows attackers to bypass document security checks and is being actively exploited in the wild via malicious files. The emergency patch was released outside Microsoft's normal Patch Tuesday schedule due to active exploitation.
Cisco released a patch for a critical vulnerability affecting its Unified Communications and WebEx products that allowed remote code execution. The vulnerability was actively exploited in the wild before the patch was released, representing a significant security risk to enterprise communications infrastructure.
Researchers demonstrated that Google's Gemini AI model could be tricked using prompt-injection attacks to leak private details about a user's calendar. The vulnerability allows malicious actors to extract sensitive personal information through carefully crafted prompts, highlighting security risks in AI systems with access to private user data.
negligent $68.0M
Google agreed to pay $68 million to settle class action claims that Google Assistant-enabled devices (Google Home, Nest Hub, Pixel phones) surreptitiously recorded users' private conversations without consent. The recordings occurred due to 'false accepts', the device mistakenly activating and recording when no wake word was spoken. The final approval hearing is scheduled for March 19, 2026.
A January 2026 Citizen Lab report found Cellebrite equipment was used in at least seven cases to extract data from phones seized from activists and a journalist detained during pro-Palestinian protests in Jordan between late 2023 and mid-2025. None of the individuals consented to the searches. All four devices forensically analyzed showed Cellebrite product use in 2024-2025.
negligent
Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated they detected a cybersecurity incident where a threat actor exfiltrated certain documents from their corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.
Nike disclosed it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The volume of files taken from internal systems points to sustained access rather than a short-lived intrusion, making this a significant compromise of Nike's internal systems and data.
$8.3M
Google settled allegations that apps in its 'Designed for Families' programme, meant to help parents find apps that are safe for children, were actually tracking children's data. The programme was supposed to certify apps as safe for kids, yet the apps in question tracked children in violation of children's privacy protections.
negligent
A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.