Connecticut AG Puts Businesses on Notice: Old Laws Still Apply to AI
Connecticut Attorney General William Tong issued an advisory warning that AI deployments remain fully subject to the state’s existing civil‑rights, privacy, data‑security, consumer‑protection and antitrust laws. The guidance, analyzed by Squire Patton Boggs, makes clear there is no AI‑specific statute creating a regulatory vacuum. It directs state agencies and private firms to treat AI compliance as an extension of current obligations and outlines enforcement priorities. Residents are encouraged to report AI‑related harms to the AG’s office.
State to Audit Ohio School Districts’ Cybersecurity Plans
The Ohio Auditor of State will launch audits of school districts' cybersecurity programs in July, as mandated by House Bill 96. The legislation requires districts to establish policies that protect data, information technology, and related resources while ensuring availability, confidentiality,...
Oklahoma State Tax Commission Fails To Notice Data Breach for 18 Months
The Oklahoma Tax Commission (OTC) experienced a data breach that went undetected for 18 months, spanning from July 2024 to December 2025. Unauthorized actors accessed W‑2 and 1099 files through the agency’s online taxpayer portal, exposing personal information. The breach was only...
Northern Ireland School IT Systems ‘Largely Restored’ After Cyber Attack
The Education Authority (EA) confirmed that the C2K network, which powers all IT services for Northern Ireland schools, has been largely restored after a cyber attack last week. The breach temporarily disabled online platforms, email, and learning management systems across...
Teen Arrested in Northern Ireland over Cyberattack on School Network
A 16‑year‑old was arrested in Portadown, Northern Ireland, on suspicion of breaching the Computer Misuse Act after a cyberattack crippled the region’s school network. The intrusion blocked access to online learning platforms used by potentially hundreds of thousands of students,...
California’s Cybersecurity Audit Rule Is Now in Effect: Its Impact for Class Litigation
The California Privacy Protection Agency’s new cybersecurity audit rule took effect on Jan. 1, 2026, obligating certain businesses to conduct and certify an annual audit covering 18 technical and organizational safeguards. While the audit report itself is not filed publicly, the certification...
A Silent Threat, Loud Consequences: Ransom Group Hits Law Firms Hard
The Silent Ransom Group (SRG) has publicly leaked data from more than 38 U.S. law firms that refused to pay its ransom demands, indicating at least 76 firms have been targeted. Wood Smith Henning & Berman LLP (WSHB) was hit...
Booking.com Warns Customers Their Private Travel Details May Have Been Accessed by ‘Unauthorised Party’
Booking.com has warned that an unauthorized third party may have accessed customers' personal travel information. The breach notification was sent to a subset of Australian users, indicating that names, booking details and itineraries could be exposed. The company said it...
GTA-Maker Rockstar Games Hacked Again but Downplays Impact
Rockstar Games, the studio behind Grand Theft Auto, suffered a second cyber intrusion within three years, as disclosed by cybersecurity outlets on Saturday. A hacker collective claimed responsibility, posting details of the breach online. Rockstar publicly downplayed the incident, stating...
MN: Spring Lake Park Schools Closed After Suspected Ransomware Attack
Spring Lake Park School District in Minnesota shut all campuses on Monday after a suspected ransomware attack crippled its computer systems. The intrusion forced the district to suspend classes and administrative operations as a precaution while local law enforcement and...
Brockton Hospital Still Dealing with Aftermath of Ransomware Attack
Brockton Hospital is reverting to paper‑based processes for the next two weeks after a ransomware attack crippled its electronic systems. The incident, attributed to the Anubis ransomware‑as‑a‑service group, forced ambulance diversions, cancelled chemotherapy sessions and halted new prescription orders. Federal...
Silent Ransom Group Leaked Another Big Law Firm: Orrick, Herrington & Sutcliffe
The Silent Ransom Group (SRG) breached law firm Orrick, Herrington & Sutcliffe in late January 2026 and spent a week inside its network before demanding a ransom. Negotiations stretched from early February to late February, with Orrick offering a maximum...
Lotte Card Given Notice of $3M Penalty, Business Suspension over Massive Data Breach
Lotte Card has been served a notice from South Korea's Financial Supervisory Service requiring a penalty of roughly 5 billion won (about $3.38 million) and a suspension of new customer sign‑ups for more than four months. The penalties will be finalized by...
86% of Businesses Refused to Pay Cyber Ransoms in 2025 — Coalition Insurance
Coalition’s 2026 cyber claims report, covering over 100,000 policyholders in the US, Canada, UK, Australia and Germany, found that 86% of the 1,400 high‑signal ransomware claims from 2025 did not result in a ransom payment. Ransom demands surged 47% year‑over‑year,...
Capita Under Investigation After Workers Hit by Pensions Data Breach
Capita, the administrator of the UK Civil Service Pension Scheme, is under government investigation after confirming a second data breach within three years. The latest incident affected up to 138 retirees, who either received incorrect annual statements or had their...
Madras High Court Dismisses Plea By Cyber Security Expert Seeking Probe Into Star Health Security Lapses
The Madras High Court dismissed cybersecurity specialist Himanshu Pathak’s appeal seeking a multi‑ministry investigation into alleged security lapses at Star Health Insurance. While his petition was pending, Star Health suffered a cyber‑attack on October 9 2024 that exposed policyholder data. Pathak, a policyholder,...
A Hacker Has Allegedly Breached One of China’s Supercomputers and Is Attempting to Sell a Trove of Stolen Data
A hacker claims to have exfiltrated over 10 petabytes of classified data from China’s National Supercomputing Center in Tianjin, including defense documents and missile schematics. The breach allegedly spanned months and went undetected, affecting more than 6,000 clients across scientific...
OCR Releases Risk Management Video
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a new video that explains the HIPAA Security Rule’s risk‑management requirement. The presentation, led by senior cybersecurity advisor Nicholas Heesters, expands OCR’s earlier Risk Analysis...
Hackers Steal and Leak Sensitive LAPD Police Documents
Hackers infiltrated the Los Angeles Police Department’s internal network and exfiltrated thousands of sensitive files, including officer personnel records, internal‑affairs investigations, and unredacted discovery documents. The data was posted online by the Distributed Denial of Secrets platform, which identified the...
Iowa AG Files Lawsuit Against Change Healthcare over 2024 Data Breach
Change Healthcare, a UnitedHealth Group subsidiary, faces a lawsuit filed by Iowa Attorney General Brenna Bird alleging violations of state consumer‑protection and data‑security laws. The suit stems from a February 2024 breach that went undetected for ten days, exposing Social...
Act-of-War Clauses Cloud Cyber Insurance Coverage
Geopolitical tensions are prompting insurers to insert act‑of‑war exclusions into cyber policies, a provision traditionally used in homeowners and travel insurance. The language lags behind the rapid evolution of cyberwarfare, leaving companies uncertain whether state‑sponsored attacks are covered. Lawyers and...
Who Really Runs Your VPN — and What that May Mean for Your Privacy
A new analysis of 50 VPN providers reveals that the majority rely on a handful of UK hosting firms—M247, Datacamp and CDN77—and rent space in data‑center buildings owned by US giants Equinix and Digital Realty. The study shows 73% of...
Russians Hijacking Routers for Cyber Spying
Russian GRU’s 85th Main Special Service Center has been hijacking vulnerable home routers, notably TP‑Link devices, since at least 2024 by exploiting CVE‑2023‑50224. The actors reconfigure DHCP/DNS settings to route traffic through their own resolvers, enabling man‑in‑the‑middle attacks that capture...
A String of Radio Hijacks Exposes a Deeper Broadcast Weakness
A series of radio broadcast hijacks, including the recent intrusion at Michigan's 107.7 The Bay, reveal a growing vulnerability in studio‑to‑transmitter links. The FCC’s November notice confirmed that attackers are repeatedly compromising unsecured Barix audio equipment to replace legitimate programming...
NL: Dutch Healthcare Software Vendor Goes Dark After Ransomware Attack
ChipSoft, the leading Dutch provider of hospital patient‑record software, was hit by a ransomware attack that took its website offline on April 7. The breach affects roughly 80 percent of the Netherlands’ hospitals, potentially disrupting access to electronic health records. Officials have...
HK: Man Arrested over Stolen Patient Personal Data
Hong Kong police have arrested a contractor employee accused of stealing personal data belonging to more than 56,000 patients in the Kowloon East Hospital Authority cluster. The breach involved unauthorized extraction of names, IDs, and medical details, which were later...
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Iran‑affiliated advanced persistent threat actors are exploiting internet‑facing programmable logic controllers (PLCs) from Rockwell Automation/Allen‑Bradley across multiple U.S. critical infrastructure sectors. The attacks manipulate project files and alter data on HMI and SCADA displays, causing operational disruptions and financial losses....
1 Billion Microsoft Users Warned As Angry Hacker Drops 0-Day Exploit
Security researcher released the BlueHammer zero‑day exploit targeting Windows, affecting roughly one billion Microsoft users worldwide. The exploit enables privilege escalation at the kernel level and, unlike typical disclosures, no patch exists yet. Microsoft has acknowledged the threat and is...
Jones Day Confirms Limited Breach After Phishing Attack by Silent Ransom Group
Jones Day, one of the nation’s top law firms, confirmed a limited data breach after the Silent Ransom Group (SRG) posted files for ten clients on a dark‑web leak site. The attackers demanded roughly $13 million to delete the stolen data...
Maine House Advances McCabe Bill to Strengthen Cybersecurity at Maine Hospitals
The Maine House unanimously advanced Rep. Julie McCabe’s LD 2103, mandating hospitals adopt cybersecurity plans aligned with DHS and CISA best practices. The bill requires prompt law‑enforcement notification, backup communication systems, and annual staff training. It responds to spring cyber‑attacks that...
Microsoft Links Medusa Ransomware Affiliate to Zero-Day Attacks
Microsoft has identified Storm-1175, a China‑based financially motivated cybercrime group, as an affiliate of the Medusa ransomware operation. The gang is now leveraging both known (n‑day) and previously undisclosed (zero‑day) vulnerabilities in rapid, high‑velocity attacks. Microsoft’s intelligence shows Storm-1175 can...
Two Breaches, One Quarter: Valley Family Health Care’s Challenging Start to 2026
Valley Family Health Care (VFHC) disclosed a TriZetto Provider Solutions breach on Jan. 12 that exposed the personal and health‑insurance data of 4,300 patients. In March, the cyber‑crime group Insomnia listed VFHC on a dark‑web leak, claiming more than one million...
NYS School Data Incidents Rose 72% in 2025, with 44 Reported on Long Island
State education officials reported a sharp rise in compromised student data across New York schools in 2025, with incidents climbing 72% from 384 in 2024 to 662 this year. The surge was highlighted in an annual report from the Department...
Two Data Security Incidents Affected Immigration Law Firms and Their Clients
Immigration case‑management platform DocketWise disclosed a data breach that exposed personal information of 116,666 individuals, including Social Security numbers, passports, medical records, and payment details. The breach stemmed from compromised credentials to a third‑party partner, allowing attackers to clone repositories...
Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
German authorities have unmasked the hacker known as “UNKN,” identifying him as 31‑year‑old Russian Daniil Maksimovich Shchukin. Shchukin led the notorious ransomware groups REvil and GandCrab, orchestrating at least 130 sabotage and extortion attacks in Germany between 2019 and 2021....
Researchers Didn’t Want to Glamorize Cybercrims. So They Roasted Them.
Security researchers at Trellix have launched the Dark Web Roast, a campaign that publicly mocks notorious cybercrime groups. The effort responds to calls from former CISA chief Jen Easterly and other industry leaders to stop glorifying threat actors with heroic...
The Breach Lasted 25 Minutes. How Long Will the Litigation Last?
On February 17, 2026, Auger & Auger suffered a 25‑minute unauthorized intrusion that exposed personal data of 5,102 individuals, including Social Security numbers and medical information. The firm notified affected parties on March 30 and provided a year of complimentary identity‑protection services. Within...
Hong Kong Hospital Authority Apologises for Data Breach Involving 56,000 Patients
Hong Kong’s Hospital Authority announced a data breach that exposed the personal and medical records of more than 56,000 patients from hospitals in Kowloon East. The unauthorized retrieval included names, identification numbers, contact details and health information. Hong Kong’s privacy...
Claude Code Leak Used to Push Infostealer Malware on GitHub
Threat actors are leveraging the recent Claude Code source‑code leak to create counterfeit GitHub repositories that distribute the Vidar information‑stealing malware. Claude Code, Anthropic’s terminal‑based AI coding agent, was exposed in a public dump, giving attackers a ready‑made framework to...
UK: School IT System Targeted in Cyber Attack Ahead of Exam Season
The Education Authority (EA) in Northern Ireland confirmed that its centralized school IT platform was hit by a cyber attack just days before the exam period. The breach prompted an emergency password reset for every user across the network. Authorities...
Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk
Meta has indefinitely paused all collaborations with data‑contracting firm Mercor while investigating a significant security breach at the startup. The breach, which exposed proprietary training datasets, has prompted other leading AI labs—including OpenAI and Anthropic—to reevaluate their relationships with Mercor....
Questions Raised After Cherry Creek Students Notified of Data Breach, Lawsuit
The Cherry Creek School District confirmed that a recent email to families about a class‑action settlement for a Naviance data breach was legitimate, but the district itself was not affected. The settlement covers roughly 10 million students nationwide who used Naviance...
BakerHostetler’s 2026 Report: Findings From 1,250 Clients’ Breach Experiences in 2025
BakerHostetler’s 2026 Data Security Incident Response Report examined 1,250 breach clients from 2025. Network intrusions (47%) and email compromise (32%) dominated, while ransomware payments rose 36% to an average $682,702 after initial demands jumped 70% to $4.2 million. Class‑action lawsuits increased...
Nacogdoches Memorial Hospital Notifies 257,073 After January Data Breach
Nacogdoches Memorial Hospital in Texas disclosed a cyberattack that compromised personal data of over 257,000 individuals. The breach was detected on Jan. 31, after an intrusion that began Jan. 15, 2026. Exposed information includes names, addresses, phone numbers, email, Social Security numbers, dates...
Apex Recovers Stolen Personal Data After About 22K Impacted in Cyberattack: Town
In July 2024, an attempted ransomware attack stole personal data of roughly 22,000 Apex, North Carolina residents. The data was hosted on U.S.-based service Bublup, which refused release until a Wake County Superior Court temporary restraining order in October 2024...
Estonian Hospital Sends Patient Home with Other Peoples’ Health Data
West Tallinn Central Hospital gave a patient a USB drive that, instead of containing only their X‑ray images, also held the personal health records of several other patients. The hospital claims the drive was newly purchased from its own shop,...
Did You Sign up for the New White House App? Don’t Use It Until You Read This!
The White House launched a mobile app on March 28, 2026, branded “Unparalleled access to the Trump Administration.” Security researcher Thereallo decompiled the APK and uncovered multiple privacy and data‑security violations that breach federal cybersecurity standards. Patrick Quirk highlighted the...
CareCloud Notifies the SEC After Attack on One of Its EHR Environments
CareCloud disclosed to the SEC that an unauthorized third party accessed one of its six electronic health record (EHR) environments on March 16, causing an eight‑hour disruption that was fully restored the same evening. The company promptly notified its cyber‑insurance carrier,...
Thankfully, the Infinite Campus Incident Did Not Involve a Lot of Non-Directory Student Information
DataBreaches downloaded the Infinite Campus leak posted by ShinyHunters and examined its contents. The majority of files were proprietary or client‑related and did not contain personal student information. Approximately two dozen support tickets referenced students by name, with two tickets...
Woodfords Family Services Notifying Patients and Families About 2024 Ransomware Attack
Woodfords Family Services, a Maine provider for people with disabilities, disclosed a ransomware breach that first occurred on April 8, 2024 but was only publicly notified on March 27, 2026 for some victims. The organization previously reported a 2023 incident...