#data-breach

#data-breach

The main issue, Khan said, was that all apps that are vibe-coded on Lovable's platform are shipped with their backends powered by Supabase, which handles authentication, file storage, and real-time updates through a PostgreSQL database connection. However, when the developer - in this case AI - or the human project owner fails to explicitly implement crucial security features like Supabase's row-level security and role-based access, code will be generated that looks functional but in reality is flawed.

Trusting cybercriminals is inherently flawed; there is no honour among thieves. There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line.

The threat actor gained access to Optimizely's systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment. The incident was confined to certain internal business systems including Zendesk, records in our Salesforce CRM, and a limited set of internal documents used for back-office operations.

Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026 to an application that contained records regarding franchisees and franchise applicants. The access occurred even though access required multifactor authentication (MFA). The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.

A UK councillor has dubbed her local authority's data breach "crazy" after the personal details of individuals behind a series of complaints were revealed to her. Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the data protection gaffe via social media following complaints about comments she made during a November council meeting. Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.

PayPal is warning customers about a data breach that leaked personal data for six months. The leaked data includes social security numbers. The software error occurred in the PayPal Working Capital application, an app that allows small businesses to easily take out a business loan. The leak occurred between July 1, 2025, and December 13, 2025. In addition to names and email addresses, phone numbers, business addresses, social security numbers, and dates of birth were also compromised.

San Jose administrators have disclosed that private information for current and former city employees may have been compromised, following a data breach last month. The incident occurred on Jan. 9 when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José officials have not said how many people were affected by the breach.

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) - the relevant legislation at the pre-GDPR time. Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine.

when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José Spotlight spoke with three people who said they received the city's letter in recent days, including a current employee and two former employees. One of the former employees said they last worked for the city in 2000. The individuals requested anonymity to protect their privacy.

Since the end of January, the hacker used the stolen credentials of an official to access and consult "parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner's tax number," the ministry said in a statement.

Allegations of an incident at Adidas emerged on February 16, when someone claiming to be the Lapsus$ Group posted on BreachForums (screenshot shared here on Daily Dark Web) that they compromised the sportswear giant's extranet. According to the crooks, the stolen files - 815,000 rows of information - allegedly include: first and last names, email addresses, passwords, birthdays, company names, and "a lot of technical data."

Conduent experienced a data incident on that is proving to have widespread repercussions. The business services provider offers a range of support for organizations, including printing/mailroom services, payment integrity, document processing, and back-office aid, so this attack on its network affected more entities than itself. On Jan. 13, 2025, Conduent found a cyber incident had affected part of its network. Upon this discovery, the organization secured networks and commenced an investigation alongside third-party forensic experts.

The chain of events reads less like a breach and more like an own goal. In connection with a separate investigation, the man contacted the police on February 12 to report he had images that might be relevant. An officer responded by sending him a link so he could upload the files - except the link sent was a download link, effectively giving him access to confidential police documents.

He wanted something in return for returning files to the Dutch police. What he got in return was an arrest. A press release from Dutch police sums it up: On Thursday evening around 7:00 PM, police arrested a 40-year-old man from Ridderkerk on Prinses Beatrixstraat in Ridderkerk for computer hacking. Due to a police error, the man had inadvertently gained access to confidential police documents.

A report by the National Cyber Security Centre found that documents prepared by the Office for Budget Responsibility were downloaded on "at least" 24,701 occasions in the hour before Rachel Reeves delivered her Budget speech on 26 November. The figure is far higher than the 43 downloads cited in an initial internal review. The NCSC said the first full download of the OBR's forecasts occurred shortly after 11.35am on Budget day,

A High Court judge has ruled that thousands of people affected by a major data breach at Capita can continue with their legal action against the outsourcing group, in a decision being described as a landmark for large-scale data privacy claims in the UK. In a judgment handed down on 9 February, Master Dagnall rejected arguments from Capita's legal team that solicitors acting for more than 8,000 claimants had abused the court process.

Betterment, which offers automated investment and financial planning services, first disclosed the breach in January after detecting unauthorized access to certain internal systems on January 9. Betterment said the hacker gained entry through a social engineering scheme that relied on impersonation to infiltrate third-party marketing and operations tools, then used that access to send customers a fraudulent cryptocurrency promotion disguised as an official company message.