Privacy Roundup #0238 • May 2026
May 2026 brought a wave of mass data breaches, fresh fights over encryption backdoors and age checks, and a landmark order against a location data broker.
1. FTC bans Kochava from selling sensitive location data
The Federal Trade Commission ordered the data broker Kochava to stop selling location data that can trace people to clinics, places of worship and shelters. The firm must also delete the records it gathered without clear consent.
2. NYC Health and Hospitals breach exposes 1.8 million patients
A third-party vendor was breached, exposing medical records and biometric scans, including fingerprints, for at least 1.8 million people. It is one of the largest health breaches of the year so far.
3. Hotel check-in system left a million passports open to anyone
An unsecured cloud storage bucket run by the Japanese hotel system Tabiq exposed around a million passports and driving licences. Anyone who found the link could read the documents without any password.
4. Charter confirms breach after ShinyHunters extortion threat
The cable provider Charter Communications confirmed a breach after the ShinyHunters gang claimed to hold more than 40 million records. The stolen data included customer names, addresses, phone numbers and account details.
5. Carnival Cruise breach affects nearly 6 million people
Carnival Cruise confirmed a breach that exposed the names, birthdays and email addresses of almost 6 million customers. Loyalty programme details were also taken in the incident.
6. Instructure confirms Canvas breach claimed by ShinyHunters
Instructure confirmed a breach of its Canvas learning platform after ShinyHunters claimed to have stolen vast numbers of records. The data spanned thousands of schools and other education providers.
7. Age verification is a privacy nightmare, EFF warns
The Electronic Frontier Foundation argued that online age checks force everyone to hand sensitive identity data to third parties. Storing that data in one place creates a tempting target for thieves and a tool for surveillance.
8. Canada's Bill C-22 revives the encryption backdoor fight
Canada brought back a surveillance bill that would let the government demand backdoors into encrypted services and a year of retained metadata. Both Apple and Meta have come out against the plan.
9. The SECURE Data Act is not serious privacy law, says EFF
The EFF criticised the SECURE Data Act for wiping out stronger state privacy laws while offering little in return. The bill has no private right of action and no real curb on behavioural advertising.
10. UK visa portal spilled applicants' passports and selfies online
A UK visa portal exposed at least 100,000 documents, including passports and applicant photos. The leak remained open when the report was published.
11. Pay Tel prison phone service exposed 300,000 callers' licences
A misconfigured cloud server at the prison phone firm Pay Tel exposed more than 300,000 driving licences. The same lapse also laid bare recordings of inmate communications.
12. Trump Mobile confirms it exposed customer data
Trump Mobile admitted it had exposed customer details, including phone numbers and home addresses, through a third-party platform. The company had stayed quiet about earlier reports of the leak.
13. 7-Eleven breach exposes data on 185,000 people
7-Eleven confirmed that the ShinyHunters gang stole personal data on about 185,000 customers. The records included names, birthdays and contact details.
14. Vimeo breach exposes data on 119,000 users
Vimeo disclosed that ShinyHunters had taken personal information belonging to more than 119,000 people. The company said login credentials and financial details were not affected.
15. Trellix discloses breach after source code repository hack
The security firm Trellix said attackers reached part of its source code repository. The company could not yet confirm whether customer data had been taken.
16. Hundreds of hotels caught up in booking scams
WIRED reported that guest data from more than 350 hotels around the world may have been accessed. Criminals used the stolen details to run convincing booking scams against travellers.
17. Microsoft shared Dutch officials' emails without GDPR redactions
Reports said Microsoft passed on Dutch civil servants' emails without the redactions that GDPR requires. The case renewed concern about how cloud providers handle European public sector data.
18. Your privacy should not be a corporate decision, argues EFF
The EFF warned that firms such as Meta, Google and Palantir keep treating user privacy as a business choice rather than a right. It pointed to face recognition plans and broken promises about disclosing government requests.
19. London police deploy live facial recognition at a protest for the first time
The Metropolitan Police compared the faces of people near a large central London march with a watch list, the first such use at a protest. The Biometrics and Surveillance Camera Commissioner warned that forces could face court action over the practice.
20. We must not normalise digital surveillance abuses, says EFF
The EFF published a guide on concrete steps people can take to resist creeping digital surveillance. It urged the public not to accept invasive tools as a normal part of daily life.