European Commission
January 30, 2026
•[ cyberattack, data leak, vulnerability exploitation ]
The European Commission disclosed it detected traces of a cyberattack on January 30, 2026 targeting its central infrastructure used to manage staff mobile devices. The Commission said the incident may have resulted in access to staff names and mobile phone numbers for some employees, but it had not found evidence that managed mobile devices themselves were compromised. The Commission stated its response contained and cleaned the system within nine hours. The article notes the Commission did not disclose the initial access method, but the incident appeared linked to attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
CarMax
January 24, 2026
•[ data breach, extortion, data leak ]
In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses.
Starbucks
January 19, 2026
•[ phishing, credential theft, data breach ]
Starbucks disclosed a data breach affecting nearly 900 employees after attackers accessed Partner Central (the employee portal used to manage personal details, payroll, and benefits). Starbucks detected the incident on February 6, 2026 and said attackers obtained employee credentials through a phishing attack using fake websites mimicking the Partner Central portal. The company stated unauthorized access to employee accounts occurred between January 19 and February 11, 2026. Starbucks said some employees personal information may have been accessed,including names, Social Security numbers, dates of birth, and bank account and routing numbers, and that affected employees were offered identity-protection services.
French national bank accounts database (FICOBA) / Ministry of Economy and Finance
January 18, 2026
•[ data leak, stolen credentials, unauthorized access ]
Frances Ministry of Economy and Finance stated that part of the national database listing bank accounts in France was illegally accessed, exposing information linked to about 1.2 million accounts. The ministry said that starting in late January 2026, a malicious actor used stolen credentials belonging to an official to access part of the database. The exposed data includes bank details (RIB/IBAN), identity and address of the account holder, and in some cases a tax identification number. Authorities said they restricted access, stopped the intrusion, and notified banks to warn customers to be vigilant.
Endesa
January 13, 2026
•[ data breach, unauthorized access, data exfiltration ]
SecurityWeek reported that Spanish energy company Endesa notified customers about a data breach involving unauthorized access to its commercial platform, also impacting customers of its gas distributor Energia XXI. Endesa stated that attackers accessed and likely exfiltrated basic customer identification information, contact details, national identification numbers (DNI), contract information, and payment details including IBANs. The company said passwords were not compromised and that the incident was contained quickly, with additional safeguards implemented and notifications sent to affected customers.
Pecan Tree Dental, PLLC
January 11, 2026
•[ data breach, data exfiltration, personally identifiable information ]
Pecan Tree Dental, PLLC, a dental practice in Grand Prairie, Texas, discovered a cybersecurity incident on January 11, 2026. Sinobi claimed responsibility and claimed to have exfiltrated 250 GB of data. HHS/OCR-style reporting listed 13,300 affected individuals, while DataBreach.com indexed 24,504 rows containing Social Security numbers, email addresses, and phone numbers. Public reporting did not confirm successful encryption or operational disruption.
Navia Benefit Solutions, Inc.
December 22, 2025
•[ data breach, unauthorized access, personally identifiable information ]
BleepingComputer reported that Navia notified nearly 2.7 million people of a data breach after an investigation determined an unauthorized actor accessed and acquired certain information between December 22, 2025 and January 15, 2026; suspicious activity was discovered on January 23. Navia stated the exposed data can include full name, date of birth, Social Security number, phone number, email address, and benefits-administration details such as HRA participation, FSA information, and COBRA enrollment, while stating that claims and financial details were not exposed. The company reported notifying law enforcement and offering identity protection services.
Alpine Lumber
December 14, 2025
•[ ransomware, data leak, personally identifiable information ]
Alpine Lumbers posted notice states that on December 22, 2025 it determined certain network devices were encrypted with ransomware. The companys investigation found that between December 14 and December 22, 2025 an unauthorized actor viewed and obtained files stored on a file server. Alpine completed its file review and determined on February 5, 2026 that the affected files included employment-purpose information such as names, addresses, Social Security numbers, dates of birth, and health insurance plan enrollment information, and may also have included policy numbers, medical information, government IDs, financial account data, and payment card data. Alpine stated it notified law enforcement and began mailing letters and offering credit monitoring.
New York Life Insurance Company
December 2, 2025
•[ unauthorized access, email compromise, personally identifiable information ]
New York Life Insurance Company discovered unauthorized access to one of its agents' email accounts on December 2, 2025. After securing the account and completing its investigation, the company confirmed on April 8, 2026 that the compromised account contained some clients' personal information, including identifiers, financial information, medical information, and health insurance information. Public reporting did not identify a responsible actor, data volume, ransomware, or operational disruption.
Kaplan
October 30, 2025
•[ data leak, unauthorized access, personally identifiable information ]
The Record reported Kaplan notified regulators and individuals about a fall 2025 cybersecurity incident in which an unauthorized actor accessed Kaplans servers for 19 days (Oct. 30 to Nov. 18, 2025) and leaked/removed personal data. Kaplans notifications across several states totaled at least 230,941 people in states that publish counts, and an update said Kaplan later informed Oregon that 1.4 million people were affected. The exposed data included Social Security numbers and drivers license numbers (and related identifiers). The report did not name the attacker or provide a detailed intrusion method, but confirmed the access window and sensitive identifiers involved.
Thayer Hotel at West Point
September 19, 2025
•[ unauthorized access, data breach, personally identifiable information ]
On 19 September 2025 the Thayer Hotel at West Point experienced unauthorized access to its computer systems, prompting a forensic investigation and containment measures. The hotel later confirmed that an Undetermined actor accessed systems holding data on roughly 33,053 individuals and that exposed information could include names, dates of birth, postal addresses, Social Security numbers, drivers license and passport numbers, state IDs, email addresses and some medical or financial data for guests and employees. A formal Notice of Data Security Incident dated 31 October 2025 describes the breach, and law firms have begun investigating potential claims while the hotel offers credit monitoring through Kroll.
Insight Hospital and Medical Center
August 22, 2025
•[ unauthorized network access, data leak, medical records breach ]
Insight Hospital and Medical Center issued a substitute notice stating it detected unusual network activity in September 2025 and determined an unauthorized individual accessed its network between August 22 and September 11, 2025. The notice stated affected individuals would be notified after completion of a file review and listed potentially involved data types, including identifiers (name, SSN, DOB), government IDs, financial account information, and treatment/insurance-related information. The DataBreaches post notes the incident after data was reported as leaked/appearing online.
Sterling Seacrest Pritchard, Inc.
August 12, 2025
•[ unauthorized access, email breach, data leak ]
Sterling Seacrest Pritchard disclosed unauthorized access to its email environment that may have exposed personal information.
Snake River Correctional Institution
July 7, 2025
•[ insider threat, unauthorized access, data breach ]
A former Snake River Correctional Institution Library Coordinator, Demetre Gennette, improperly acquired Oregon Department of Corrections records between July 7, 2025 and early January 2026. The extraction involved more than 7.5GB of data across more than 33,000 files and resulted in unauthorized access to personal information belonging to staff, vendors, adults in custody, and visitors. Gennette was later indicted on charges including computer crime, aggravated theft, official misconduct, supplying contraband, and custodial sexual misconduct.
Sentinel Security Life and Atlantic Coast Life
July 4, 2025
•[ unauthorized access, personally identifiable information, social security numbers ]
Sentinel Security Life Insurance Co. and Atlantic Coast Life Insurance Co. disclosed a cyber incident involving unauthorized access that occurred between April 7 and April 15, 2025. The companies reported that personally identifiable information associated with policyholders, beneficiaries, and other individuals connected to the firms may have been exposed. Potential data elements cited in reporting include names, Social Security numbers, taxpayer identification numbers, financial account information, dates of birth, medical records, and health insurance details; the companies stated they were unaware of misuse at the time of reporting.
PayPal
July 1, 2025
•[ data exposure, software error, personally identifiable information ]
PayPal disclosed that a software error in its PayPal Working Capital (PPWC) loan application exposed sensitive personal information, including Social Security numbers, for nearly six months in 2025. The exposure window was reported as beginning July 1, 2025 and ending when PayPal fixed/rolled back the problematic code and blocked further access on December 13, 2025. PayPal stated it notified affected customers and offered credit monitoring, and reporting noted some accounts showed unauthorized activity that PayPal said it reimbursed. The incident was characterized as a data exposure caused by an application error rather than a compromise of PayPals broader systems.
Arthur Ashe Institute for Urban Health Inc.
May 18, 2025
•[ unauthorized access, personally identifiable information, health information ]
Unauthorized access to systems at Arthur Ashe Institute for Urban Health Inc. between April 4 and May 18, 2025 may have exposed personally identifiable and health information according to breach notifications.
Pillsbury Winthrop Shaw Pittman LLP
April 1, 2025
•[ social engineering, data leak, personally identifiable information ]
Global law firm Pillsbury Winthrop Shaw Pittman reported that in April 2025 a sophisticated social-engineering attack allowed an intruder to gain limited access to its internal systems. The attacker convinced a single user to grant access and then rapidly downloaded a set of documents containing sensitive personal information, including names, Social Security numbers, addresses, birthdates, and some financial account details for thousands of people. Pillsbury stated that the activity was quickly detected and blocked, and it subsequently bolstered its security controls and notified affected individuals, with public disclosure occurring on November 6, 2025. The breach has since led to class-action litigation alleging inadequate safeguards and delayed notification.
Orthopaedic Specialists of Connecticut
March 2, 2025
•[ data leak, unauthorized access, personally identifiable information ]
Names, dates of birth, Social Security numbers, insurance and medical information for 22,541 individuals were exposed after an unauthorized third party accessed the practices network on March 2, 2025, per the provider notice and HHS filing.
Freddie Mac
February 19, 2025
•[ data leak, personally identifiable information ]
Breach notice filed with Massachusetts AG on Feb 19, 2025; unauthorized access to files containing consumers SSNs.
