Privacy Roundup #0236 • March 2026

March brought huge healthcare and supply-chain breaches, a wave of GDPR court rulings, and fresh proof that the US government buys location data from the advertising industry.

1. French health software firm Cegedim leaks 15.8 million patient records

Attackers stole personal details on up to 15.8 million French patients from Cegedim Santé, one of the largest healthcare leaks in European history. The data included names, contact details and sensitive medical notes for some patients, and the regulator CNIL was notified.

www.theregister.com

2. FBI confirms it buys Americans' location data to track citizens

Under questioning from Senator Ron Wyden, FBI Director Kash Patel told the Senate that the bureau purchases commercially available location data. It was the first time since 2023 that the FBI admitted buying data that brokers harvest from ordinary phone apps.

techcrunch.com

3. UK Companies House confirms flaw exposed five million firms' data

A bug in the WebFiling service let any logged-in user view the dashboard of any of the five million registered companies, exposing directors' home addresses and dates of birth. The flaw had been live since an October 2025 update, and the service was taken offline until a fix was confirmed.

www.bleepingcomputer.com

4. Luxembourg court annuls Amazon's €746 million GDPR fine

Luxembourg's Administrative Court threw out the record €746 million fine against Amazon because the regulator skipped two legally required steps. The court upheld most of the underlying violations and sent the case back to the watchdog to begin those analyses again.

www.mlex.com

5. France's top court upholds Criteo's €40 million GDPR fine

The Conseil d'État rejected the ad-tech firm Criteo's appeal and confirmed the full €40 million penalty from the CNIL. The regulator found that Criteo could not prove it had valid consent for its tracking cookies and failed to honour erasure requests.

noyb.eu

6. CBP bought phone location data from the online advertising system

An internal document obtained by 404 Media shows Customs and Border Protection tracked phones using location data drawn from real-time advertising bids. It is the first time the agency has admitted that the data it buys comes from the same system that serves ordinary online adverts.

www.404media.co

7. Proton Mail payment data helped the FBI unmask a protester

Court records show Proton Mail handed Swiss authorities payment data tied to a Stop Cop City email account, which was then shared with the FBI. The email itself stayed encrypted, but the credit card identifier was enough to trace the account holder.

www.404media.co

8. FTC acts against Match and OkCupid over secret data sharing

The Federal Trade Commission said OkCupid quietly gave nearly three million user photos and location data to an unrelated startup in which its founders had invested. The settlement bars Match and OkCupid from misrepresenting their privacy promises in future.

www.ftc.gov

9. EFF weighs the SAFE Act as Section 702 nears its deadline

With the warrantless surveillance power Section 702 due to expire, the EFF examined the bipartisan SAFE Act and called it an imperfect vehicle for real reform. The bill would require a warrant before the FBI reads Americans' messages, but the group warned it still leaves gaps.

www.eff.org

10. Anthropic and the Pentagon clash over surveillance use

The military ended a contract after Anthropic refused to let its technology be used for mass surveillance of people in the United States. The EFF welcomed the stance but argued that privacy should rest on law, not on the goodwill of a few company bosses.

www.eff.org

11. Ameriprise Financial breach exposes data on 48,000 customers

The wealth manager disclosed a breach that exposed names, addresses, account numbers, dates of birth and Social Security numbers for about 48,000 customers. The firm detected the intrusion in March and offered affected people credit and identity monitoring.

cyberguy.com

12. Hackers expose millions of anonymous crime and school tips

A hacker claims to have taken more than eight million records from P3 Global Intel, the platform behind many Crime Stoppers programmes and thousands of US schools. The leaked files held names, addresses and other details, and the data was reportedly stored in plain text despite claims of encryption.

www.malwarebytes.com

13. Foster City declares emergency after ransomware attack

Ransomware knocked out nearly all municipal services in Foster City, California, and the council declared a local state of emergency. Emergency lines stayed open, but the attack showed how small towns holding resident data lack the budgets to defend it.

www.cbsnews.com

14. Judge rules Flock camera images are public records

A Washington court held that images from Flock automatic licence plate readers are public records that anyone can request. The ruling found the cameras serve a government purpose and are paid for with public money, prompting some cities to pause their systems.

www.404media.co

15. Marquis ransomware breach hits more than 672,000 people

The Texas fintech firm Marquis told regulators that a 2025 ransomware attack stole personal and financial data on over 672,000 people. The stolen files included bank account numbers, card details and Social Security numbers, and the attack disrupted dozens of banks.

techcrunch.com

16. Telus Digital confirms breach after claim of one petabyte theft

The outsourcing giant Telus Digital confirmed a breach after the ShinyHunters group claimed to have taken close to one petabyte of data. The stolen material reportedly spans customer records, voice recordings and call data across many of the firm's clients.

www.bleepingcomputer.com

17. European Commission confirms data breach after Europa.eu hack

The European Commission confirmed that data had been taken from its Europa.eu platform after the ShinyHunters group claimed to have stolen more than 350 gigabytes from a cloud account. The Commission said it was notifying the Union entities that might be affected, while insisting its internal systems stayed intact.

www.bleepingcomputer.com

18. Jury finds Meta and Google negligent over app design

A California jury found Meta and Google negligent in the design of their apps and awarded a young plaintiff six million dollars in damages. The verdict was the first to hold the companies to account for the structure of their products rather than for hosted content.

www.npr.org

19. Meta ordered to pay $375 million in New Mexico child-safety case

A separate jury found Meta liable for failing to protect children and for misleading users about safety, ordering it to pay 375 million dollars. The two verdicts together may shape thousands of pending lawsuits against social media firms.

www.nbcnews.com

20. UK regulators promise action on weak age checks

The ICO and Ofcom said together that they would act against online services that fail to enforce minimum ages with proper age assurance. Critics warned that the checks, which can demand ID or biometric data, raise their own privacy risks if the data is exposed.

www.twobirds.com

