10 Data Breaches to Know About (April 2026)

Security Magazine (Cybersecurity), May 8, 2026

Why It Matters

The wave of breaches highlights growing vulnerabilities in AI‑driven supply chains and government‑grade systems, pressuring regulators and enterprises to accelerate zero‑trust and data‑privacy initiatives.

Key Takeaways

  • Mercur lost 4 TB via LiteLLM supply‑chain flaw
  • FBI surveillance system breach linked to Chinese hackers
  • Chinese supercomputer hack allegedly exposed 10 PB of data
  • McGraw Hill misconfiguration leaked 45 million records
  • Vercel breach shows AI tools can widen attack surface

Pulse Analysis

The April breach roundup signals a shift from traditional ransomware to supply‑chain and AI‑centric attack vectors. Mercur’s loss, traced to a LiteLLM proxy, illustrates how third‑party model‑serving layers can become blind spots for enterprises that embed AI into core workflows. Vercel’s incident reinforces the same lesson: AI‑enabled tools, while boosting productivity, also broaden the attack surface when they inherit insecure configurations or unchecked permissions. Security teams must now audit not only their own code but also the AI services they consume, adopting continuous monitoring and strict access controls.

Government and critical‑infrastructure targets featured prominently, from an FBI surveillance platform allegedly compromised by state‑aligned actors to a Chinese supercomputer breach that may have siphoned 10 petabytes of classified data. The French ANTS agency and the LAPD also suffered massive exposures, underscoring that public‑sector data stores remain attractive high‑value prizes. These incidents revive calls for stricter cyber‑security standards, cross‑border information sharing, and mandatory breach‑notification frameworks that can mitigate reputational fallout and protect citizen privacy.

For businesses, the cumulative exposure of tens of millions of consumer records—whether through McGraw Hill’s Salesforce misconfiguration or ADT’s contact‑info leak—drives home the cost of inadequate data hygiene. Regulators are likely to tighten enforcement of privacy laws such as GDPR equivalents and the U.S. state‑level privacy statutes, while insurers may raise premiums for firms with weak controls. Companies that invest early in zero‑trust architectures, automated configuration checks, and AI‑risk assessments will be better positioned to weather the next wave of breaches and preserve stakeholder trust.
