12816 events
Data Breaches & Leaks

ShinyHunters Claims Woflow AI Merchant Platform Breach Exposing 447K Accounts

ShinyHunters claimed a March 2026 breach of Woflow, an AI-driven merchant data platform whose clients include Uber, DoorDash, and Walmart. Have I Been Pwned recorded 447,593 accounts; exposed data includes names, email addresses, phone numbers, and physical addresses, with over 2 TB of files released.

AI Regulation

EU Parliament and Council Agree AI Act Omnibus Banning Nudification Apps

EU Parliament and Council reached a provisional deal on 7 May 2026 to amend the EU AI Act, banning AI nudification tools and delaying high-risk compliance deadlines by three to four months. Machinery sector systems are fully excluded; formal adoption is expected before August 2026.

Cybercrime & Hacking

North Carolina Man Pleads Guilty to Doxxing US Supreme Court Justices

Kyle Andrew Edwards, 59, of North Carolina pleaded guilty on 6 May 2026 to doxxing US Supreme Court justices, having posted home addresses and threats of violence on social media between April and June 2025. He faces up to five years in prison.

Cybercrime & Hacking

ShinyHunters Defaces Canvas Login Pages, Disrupting Schools Nationwide During Finals

ShinyHunters defaced Canvas LMS login pages at thousands of US colleges and K-12 districts on 7 May, displaying ransom demands threatening to leak data from 275 million students. The disruption struck institutions including Penn, Brown, and Dartmouth during finals season.

Big Tech & Antitrust

Microsoft Offers First-Ever Voluntary Buyouts to ~7% of US Staff

Microsoft notified roughly 8,750 US employees, around 7% of its US workforce, of a voluntary separation program targeting senior directors and below whose age plus tenure totals 70 or more. It is the first buyout program in the company's 51-year history.

microsoft layoffs
Cryptocurrency

White House Crypto Adviser Teases Bitcoin Reserve Breakthrough

Patrick Witt, executive director of Trump's Council of Advisors on Digital Assets, told Consensus Miami that a major announcement on the Strategic Bitcoin Reserve was coming in the next few weeks - the most concrete timeline since Trump's March 2025 executive order. The administration says congressional action via the BITCOIN Act is needed to begin accumulation.

bitcoin-reserve white-house trump policy consensus
Data Breaches & Leaks

Wake County, NC Schools Notify Families of Canvas Breach

Wake County Public Schools in North Carolina warned families that student and staff data accessed in the April 2026 Instructure Canvas breach may have impacted all NC districts. Notifications followed ShinyHunters' per-school extortion campaign.

education k12 us-school-district north-carolina shinyhunters
Privacy & Data Protection

Noyb Files GDPR Complaint Over LinkedIn Paywall on Access Rights

Noyb filed complaint C104 with Austria's DSB against LinkedIn Ireland alleging Article 15 violations after LinkedIn refused to provide profile-visitor data via DSAR while making the same data available to Premium subscribers paying EUR 29.74 monthly.

noyb LinkedIn Austria DSAR
Cybersecurity Law & Policy

DHS Submits Rule Eliminating F and J Visa Duration of Status

The US Department of Homeland Security submitted to the Office of Management and Budget the final rule eliminating duration of status for F (student) and J (exchange visitor) visas, replacing it with fixed admission periods and tightening compliance and renewal requirements.

dhs immigration f-visa j-visa students
Data Breaches & Leaks

Cushman & Wakefield Confirm Vishing Leak of 500k Salesforce Records

Real-estate giant Cushman & Wakefield confirmed a vishing-driven Salesforce breach after ShinyHunters listed 500,000 stolen records and Qilin separately added the firm to its leak site on May 4.

real-estate shinyhunters qilin vishing salesforce
Data Breaches & Leaks

McGraw Hill Salesforce Breach Exposes 13.5 Million Accounts

Education publisher McGraw Hill confirmed a data leak after ShinyHunters published 13.5 million account records exfiltrated via a Salesforce misconfiguration. Exposed data included names, addresses, phone numbers and emails; the company said SSNs, financial data and student platform data were not affected.

mcgraw-hill shinyhunters salesforce edtech publishing
Privacy & Data Protection

FTC Settles Three-Year Kochava Suit Banning Sensitive Location Sales

The FTC settled its long-running suit against data broker Kochava and subsidiary Collective Data Solutions, prohibiting sale of sensitive location data revealing visits to reproductive health, religious, shelter and addiction recovery sites.

FTC Kochava
Privacy & Data Protection

Connecticut House Passes SB4 Comprehensive Data Broker Privacy Bill

Connecticut's House passed SB4 by 141-6 (Senate 31-4), sending one of the most expansive U.S. privacy bills to Governor Lamont. It creates a state data broker registry and one-click deletion portal, bans surveillance pricing and geolocation sales, and adds genetic-data consent rules.

Connecticut SB4
Surveillance & Intelligence

Haaretz exposes Cognyte SkyLock SS7 tracking sold to DR Congo

Haaretz published its "Ghost Operators" investigation linking Citizen Lab telecom findings to Verint/Cognyte's SkyLock tracking product, citing internal files showing sales to a Democratic Republic of Congo government client via SS7 roaming exploits.

Cognyte Verint SkyLock SS7 DR Congo Haaretz
AI Research

Warwick's RAVEN AI Confirms Over 100 New Exoplanets in TESS Data

Astronomers at the University of Warwick announced that their RAVEN machine-learning tool, applied to NASA TESS observations, confirmed more than 100 exoplanets, including 31 previously unrecognised worlds. The haul features ultra-short-period planets and unusual worlds inside the so-called Neptunian desert.

TESS exoplanets machine learning RAVEN Neptunian desert
Cryptocurrency

Senate Pair Strikes CLARITY Act Stablecoin Yield Compromise

Senators Thom Tillis and Angela Alsobrooks released a CLARITY Act compromise banning stablecoin yield equivalent to bank deposits while permitting bona fide activities, breaking a months-long Senate logjam. Coinbase, Circle and crypto trade groups urged the Banking Committee to mark up the bill the week of May 11.

clarity-act senate stablecoin yield market-structure
Data Breaches & Leaks

Winona County, Minnesota Breached by Interlock

Interlock ransomware listed Winona County, Minnesota — located in the Mississippi River blufflands of south-eastern Minnesota — on its leak site in May 2026, claiming to have exfiltrated confidential data held by the county. Interlock has maintained consistent targeting of US county and municipal governments throughout 2025–2026. The listing appeared on 1 May 2026.

ransomware interlock county-government Minnesota US
AI Regulation

US Releases National AI Strategy Under Trump Administration

The Trump White House releases an updated National AI Strategy emphasising US AI dominance, removing regulatory barriers to AI deployment, and prioritising AI applications for economic competitiveness and national security. The strategy includes a National AI Infrastructure Initiative to build sovereign US AI compute capacity and directs agencies to accelerate AI procurement. Critics note the strategy reduces emphasis on AI safety and civil rights protections relative to prior administrations.

us national-ai-strategy trump ai-competitiveness deregulation national-security compute
Data Breaches & Leaks

EHR Vendor RXNT Notifies Customers of March 2026 Breach

Cloud EHR and practice management vendor RXNT mailed notifications dated May 1, 2026 disclosing that an attacker accessed solution data March 1-3, 2026, stealing patient names, DOBs and demographics.

EHR vendor cloud data theft
Ransomware & Malware

Microsoft and DOJ Disrupt Lumma Stealer Malware Infrastructure

Microsoft's Digital Crimes Unit and the US Department of Justice, in coordination with Europol and international law enforcement, seized infrastructure supporting the Lumma Stealer malware-as-a-service operation. Lumma had infected hundreds of thousands of devices globally to steal credentials, cryptocurrency wallets, and sensitive files. The operation dismantled over 2,300 malicious domains used by the threat actor.

lumma-stealer microsoft doj europol
Data Breaches & Leaks

Instructure Canvas LMS Breach Hits 8,800+ Schools

Instructure confirmed on May 1, 2026 that ShinyHunters exploited a vulnerability beginning April 30, claiming theft of 3.65TB and roughly 280 million records tied to students and staff at over 8,800 schools and universities. Exposed data included messages, names, emails and student ID numbers.

instructure canvas-lms shinyhunters edtech students
Cybercrime & Hacking

Fugitive Sentenced In Absentia to 20 Years for USD 73M Crypto Scam

A Central District of California judge sentenced a dual China/St. Kitts national in absentia to 20 years for a USD 73M global crypto investment scam after he cut off his ankle monitor and absconded in December 2025.

crypto fraud investment scam fugitive DOJ sentencing
Data Breaches & Leaks

Cushman & Wakefield Confirms Vishing Breach of Salesforce

Commercial real estate giant Cushman & Wakefield confirmed a vishing-related breach after ShinyHunters listed the firm on May 1, 2026 claiming theft of over 500,000 Salesforce records containing PII and internal corporate data. Qilin separately listed the firm on May 4.

cushman-wakefield shinyhunters qilin salesforce vishing real-estate
Data Breaches & Leaks

Coinbase Confirms Contractor Insider Breach of 30 Customers

Coinbase confirmed an insider breach in which a single contractor improperly accessed support-tool data on roughly 30 customers, including emails, names, dates of birth, phone numbers, KYC details and wallet data. Disclosure followed Telegram screenshots posted by Scattered Lapsus Hunters.

crypto-exchange insider-threat kyc-data scattered-lapsus-hunters
Cybersecurity Law & Policy

Trump Executive Order Makes Fixed-Price Federal Contracts the Default

President Trump signed Promoting Efficiency, Accountability, and Performance in Federal Contracting, requiring agencies to default to fixed-price contracting and renegotiate their top 10 highest-value non-fixed-price contracts within 90 days. Cost-reimbursement deals over agency-specific thresholds now require head-of-agency approval.

federal-contracting executive-order procurement
Cybercrime & Hacking

Romania Extradites Gavril Sandu to US Over 2009 Vishing Scheme

Romanian authorities extradited 53-year-old Gavril Sandu to the Western District of North Carolina to face a 2017 federal indictment for a 2009-2010 vishing bank fraud scheme that hijacked small-business VoIP systems to impersonate banks, harvest card and PIN data, and cash out via cloned magnetic-stripe cards.

vishing VoIP fraud bank fraud Romania extradition magnetic stripe
Cybercrime & Hacking

Operation Tri-Force Sentinel Arrests 276, Seizes USD 701M

Dubai Police, FBI and China's Ministry of Public Security dismantled nine pig-butchering compounds, arrested 276 people and seized USD 701M in crypto tied to Ko Thet, Sanduo and Giant scam companies.

pig butchering Dubai Police FBI China scam compound
Cybersecurity Law & Policy

NIST Publishes Cybersecurity Framework Version 3.0

NIST released version 3.0 of the Cybersecurity Framework (CSF), significantly expanding the Govern function, incorporating AI and supply chain security considerations, and adding new implementation tiers reflecting the increasing maturity of organisational cybersecurity practices. The updated framework included sector-specific profiles for healthcare, financial services, and critical manufacturing.

nist csf framework regulation ai supply-chain governance standard
Nation-State & APT

NCSC: Russia GRU APT28 Hijacks Home Routers for DNS Espionage

The UK NCSC, with Five Eyes partners, published an advisory revealing that GRU Unit 26165 (APT28) compromised commonly used home and SMB routers globally to enable DNS hijacking, harvest webmail credentials and reroute UK user traffic through malicious servers.

apt28 gru ncsc router dns-hijack
Surveillance & Intelligence

Congress passes 45-day FISA Section 702 extension to avert lapse

The Senate unanimously and the House by 261-111 approved a 45-day Section 702 extension hours before the midnight expiry, deferring a longer reauthorisation fight after Senate Republicans rejected the House's three-year bill containing CBDC riders.

FISA Section 702 extension Congress RISAA