A former DOGE software engineer told co-workers at their new job that he "possessed two tightly restricted databases of U.S. citizens' information" and was planning to use the information at his new company, according to the report, which added that the Social Security Administration's inspector general is investigating the whistleblower complaint.
According to BleepingComputer, a recent breach on LexisNexis gave hackers access to nearly 4 million database records, thousands of accounts, password hashes, and cloud records. The company admitted the hackers gained access by exploiting an unpatched React vulnerability in its systems.
In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software. Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.
The main issue, Khan said, was that all apps that are vibe-coded on Lovable's platform are shipped with their backends powered by Supabase, which handles authentication, file storage, and real-time updates through a PostgreSQL database connection. However, when the developer - in this case AI - or the human project owner fails to explicitly implement crucial security features like Supabase's row-level security and role-based access, code will be generated that looks functional but in reality is flawed.
Trusting cybercriminals is inherently flawed; there is no honour among thieves. There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line.
Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026 to an application that contained records regarding franchisees and franchise applicants. The access occurred even though access required multifactor authentication (MFA). The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.
A UK councillor has dubbed her local authority's data breach "crazy" after the personal details of individuals behind a series of complaints were revealed to her. Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the data protection gaffe via social media following complaints about comments she made during a November council meeting. Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.
PayPal is warning customers about a data breach that leaked personal data for six months. The leaked data includes social security numbers. The software error occurred in the PayPal Working Capital application, an app that allows small businesses to easily take out a business loan. The leak occurred between July 1, 2025, and December 13, 2025. In addition to names and email addresses, phone numbers, business addresses, social security numbers, and dates of birth were also compromised.
San Jose administrators have disclosed that private information for current and former city employees may have been compromised, following a data breach last month. The incident occurred on Jan. 9 when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José officials have not said how many people were affected by the breach.
The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) - the relevant legislation at the pre-GDPR time. Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine.
when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José Spotlight spoke with three people who said they received the city's letter in recent days, including a current employee and two former employees. One of the former employees said they last worked for the city in 2000. The individuals requested anonymity to protect their privacy.
The Compensatii platform enables residents to register and apply for compensation for energy bills, including heating, natural gas, and electricity, during the colder months. To register, applicants need to provide: The name, surname, and IDNP of all persons residing in the declared household; Data from energy consumption invoices; Mortgage loan amount and cadastral number (if applicable); The monthly income of each member for the months of April-September; Personal IBAN account for transferring the compensation.
Since the end of January, the hacker used the stolen credentials of an official to access and consult "parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner's tax number," the ministry said in a statement.
Allegations of an incident at Adidas emerged on February 16, when someone claiming to be the Lapsus$ Group posted on BreachForums (screenshot shared here on Daily Dark Web) that they compromised the sportswear giant's extranet. According to the crooks, the stolen files - 815,000 rows of information - allegedly include: first and last names, email addresses, passwords, birthdays, company names, and "a lot of technical data."
On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata,
Conduent experienced a data incident on that is proving to have widespread repercussions. The business services provider offers a range of support for organizations, including printing/mailroom services, payment integrity, document processing, and back-office aid, so this attack on its network affected more entities than itself. On Jan. 13, 2025, Conduent found a cyber incident had affected part of its network. Upon this discovery, the organization secured networks and commenced an investigation alongside third-party forensic experts.
The chain of events reads less like a breach and more like an own goal. In connection with a separate investigation, the man contacted the police on February 12 to report he had images that might be relevant. An officer responded by sending him a link so he could upload the files - except the link sent was a download link, effectively giving him access to confidential police documents.
He wanted something in return for returning files to the Dutch police. What he got in return was an arrest. A press release from Dutch police sums it up: On Thursday evening around 7:00 PM, police arrested a 40-year-old man from Ridderkerk on Prinses Beatrixstraat in Ridderkerk for computer hacking. Due to a police error, the man had inadvertently gained access to confidential police documents.
