Search Results for "personally identifiable information"

Marcus & Millichap April 12, 2026 • [ hacking, extortion, data leak ] In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information".

SongTrivia2 April 2, 2026 • [ data breach, data leak, password hashes ] In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars.

P3 Global Intel March 18, 2026 • [ data breach, data leak, personally identifiable information ] DataBreaches summarized reporting that hackers calling themselves The Internet YIFF Machine stole data from cloud-based tip and intelligence management company P3 Global Intel and provided it to DDoSecrets. The exposed dataset includes millions of tips and extensive personal data about people accused in tips, including names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers, and criminal histories. The platform is used by thousands of clients, including Crime Stoppers programs, local and federal law enforcement agencies, public schools, and the U.S. military, so the breach has broad downstream exposure across many organizations.

FBI surveillance system March 6, 2026 • [ data breach, surveillance system, law enforcement sensitive information ] Reporting stated the White House was working with the FBI, NSA, and CISA to respond to an apparent breach of an FBI surveillance system disclosed to Congress. The system is unclassified but contains law-enforcement sensitive information, including returns from legal process such as pen register and trap-and-trace surveillance returns, and personally identifiable information about subjects of FBI investigations. The report did not identify the attacker, intrusion vector, or the full scope/timeline of access.

Woflow March 5, 2026 • [ supply-chain risk, extortion, data leak ] ShinyHunters claimed it compromised Woflow, an AI-driven merchant data platform, in what was described as a supply-chain risk for major clients. The group threatened to leak data by March 6, 2026 if demands were not met, and claimed it stole internal corporate information, personally identifiable information, and transaction/order details. Reporting noted the group did not provide a verifiable public data sample and Woflow did not provide a public response at the time, so the incident remains an alleged breach based on the extortion claim.

Wilhelmsen Ship Management (Norway) AS February 27, 2026 • [ ransomware, data leak, operational disruption ] A ransomware incident affected systems on a single Wilhelmsen-managed ship and disrupted that vessels operations. Later reporting said passport and next-of-kin information relating to personnel on that ship was also compromised.

Mexico City Civil Registry February 26, 2026 • [ data leak, unauthorized access, exfiltration ] Attackers gained unauthorized access to Mexican government civil registry databases and exfiltrated sensitive records. Stolen data reportedly includes birth certificate information and national identification numbers from Mexico Citys civil registry.

Odido February 12, 2026 • [ data breach, extortion, data leak ] In February 2026, the Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Following the incident, 1M records containing 317k unique email addresses was published publicly, with a threat by the attackers to continue leaking more data in the following days. The data also included names, physical addresses, phone numbers, bank account numbers and notes about customers left by service operators. Odido has published a disclosure notice detailing the extent of the incident, providing an FAQ and advising the incident also impacted dates of birth, passport and drivers licence numbers.

Odido February 12, 2026 • [ data breach, extortion, data leak ] In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, 1M records containing 317k unique email addresses were published, followed by further releases exposing an additional 371k and then 833k unique email addresses, with the latter also including passport, drivers licence and European national ID numbers. The exposed data includes names, physical addresses, phone numbers, bank account numbers and customer service notes. Odido has published a disclosure notice advising that impacted data may also include dates of birth and government-issued identity document numbers.

European Commission January 30, 2026 • [ cyberattack, data leak, vulnerability exploitation ] The European Commission disclosed it detected traces of a cyberattack on January 30, 2026 targeting its central infrastructure used to manage staff mobile devices. The Commission said the incident may have resulted in access to staff names and mobile phone numbers for some employees, but it had not found evidence that managed mobile devices themselves were compromised. The Commission stated its response contained and cleaned the system within nine hours. The article notes the Commission did not disclose the initial access method, but the incident appeared linked to attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

Valtori (Finnish Government ICT Centre) mobile device management service January 30, 2026 • [ data breach, mobile device management, zero-day vulnerability ] Valtori reported a data breach identified on January 30, 2026 in the mobile device management service it provides to Finlands government shared ICT services. Valtori said the attacker accessed information used to operate the service, including names, work email addresses, phone numbers, and device details, and that investigation later found the scope could involve a substantially larger number of users (about 50,000). Valtori stated no data stored directly on mobile devices was compromised. The root cause was described as exploitation of a zero-day vulnerability in a commercial mobile management product, compounded by the systems failure to permanently delete historical data.

CarMax January 24, 2026 • [ data breach, extortion, data leak ] In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.

Starbucks January 19, 2026 • [ phishing, credential theft, data breach ] Starbucks disclosed a data breach affecting nearly 900 employees after attackers accessed Partner Central (the employee portal used to manage personal details, payroll, and benefits). Starbucks detected the incident on February 6, 2026 and said attackers obtained employee credentials through a phishing attack using fake websites mimicking the Partner Central portal. The company stated unauthorized access to employee accounts occurred between January 19 and February 11, 2026. Starbucks said some employees personal information may have been accessed,including names, Social Security numbers, dates of birth, and bank account and routing numbers, and that affected employees were offered identity-protection services.

French national bank accounts database (FICOBA) / Ministry of Economy and Finance January 18, 2026 • [ data leak, stolen credentials, unauthorized access ] Frances Ministry of Economy and Finance stated that part of the national database listing bank accounts in France was illegally accessed, exposing information linked to about 1.2 million accounts. The ministry said that starting in late January 2026, a malicious actor used stolen credentials belonging to an official to access part of the database. The exposed data includes bank details (RIB/IBAN), identity and address of the account holder, and in some cases a tax identification number. Authorities said they restricted access, stopped the intrusion, and notified banks to warn customers to be vigilant.

Endesa January 13, 2026 • [ data breach, unauthorized access, data exfiltration ] SecurityWeek reported that Spanish energy company Endesa notified customers about a data breach involving unauthorized access to its commercial platform, also impacting customers of its gas distributor Energia XXI. Endesa stated that attackers accessed and likely exfiltrated basic customer identification information, contact details, national identification numbers (DNI), contract information, and payment details including IBANs. The company said passwords were not compromised and that the incident was contained quickly, with additional safeguards implemented and notifications sent to affected customers.

Navia Benefit Solutions, Inc. December 22, 2025 • [ data breach, unauthorized access, personally identifiable information ] BleepingComputer reported that Navia notified nearly 2.7 million people of a data breach after an investigation determined an unauthorized actor accessed and acquired certain information between December 22, 2025 and January 15, 2026; suspicious activity was discovered on January 23. Navia stated the exposed data can include full name, date of birth, Social Security number, phone number, email address, and benefits-administration details such as HRA participation, FSA information, and COBRA enrollment, while stating that claims and financial details were not exposed. The company reported notifying law enforcement and offering identity protection services.

Alpine Lumber December 14, 2025 • [ ransomware, data leak, personally identifiable information ] Alpine Lumbers posted notice states that on December 22, 2025 it determined certain network devices were encrypted with ransomware. The companys investigation found that between December 14 and December 22, 2025 an unauthorized actor viewed and obtained files stored on a file server. Alpine completed its file review and determined on February 5, 2026 that the affected files included employment-purpose information such as names, addresses, Social Security numbers, dates of birth, and health insurance plan enrollment information, and may also have included policy numbers, medical information, government IDs, financial account data, and payment card data. Alpine stated it notified law enforcement and began mailing letters and offering credit monitoring.

Kaplan October 30, 2025 • [ data leak, unauthorized access, personally identifiable information ] The Record reported Kaplan notified regulators and individuals about a fall 2025 cybersecurity incident in which an unauthorized actor accessed Kaplans servers for 19 days (Oct. 30 to Nov. 18, 2025) and leaked/removed personal data. Kaplans notifications across several states totaled at least 230,941 people in states that publish counts, and an update said Kaplan later informed Oregon that 1.4 million people were affected. The exposed data included Social Security numbers and drivers license numbers (and related identifiers). The report did not name the attacker or provide a detailed intrusion method, but confirmed the access window and sensitive identifiers involved.

Thayer Hotel at West Point September 19, 2025 • [ unauthorized access, data breach, personally identifiable information ] On 19 September 2025 the Thayer Hotel at West Point experienced unauthorized access to its computer systems, prompting a forensic investigation and containment measures. The hotel later confirmed that an Undetermined actor accessed systems holding data on roughly 33,053 individuals and that exposed information could include names, dates of birth, postal addresses, Social Security numbers, drivers license and passport numbers, state IDs, email addresses and some medical or financial data for guests and employees. A formal Notice of Data Security Incident dated 31 October 2025 describes the breach, and law firms have begun investigating potential claims while the hotel offers credit monitoring through Kroll.

Insight Hospital and Medical Center August 22, 2025 • [ unauthorized network access, data leak, medical records breach ] Insight Hospital and Medical Center issued a substitute notice stating it detected unusual network activity in September 2025 and determined an unauthorized individual accessed its network between August 22 and September 11, 2025. The notice stated affected individuals would be notified after completion of a file review and listed potentially involved data types, including identifiers (name, SSN, DOB), government IDs, financial account information, and treatment/insurance-related information. The DataBreaches post notes the incident after data was reported as leaked/appearing online.

Search Results (personally identifiable information)