#data-breach

#data-breach

The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday.

Trusting cybercriminals is inherently flawed; there is no honour among thieves. There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line.

The man, Catalin Dragomir, 45, of Constanta, Romania, obtained access to the computer network in June 2021. The hacker allegedly advertised admin access to the state's emergency management department, negotiated a $3,000 sale in Bitcoin, and accessed the network several times to prove the legitimacy of his claim. According to court documents, Dragomir provided a prospective buyer with samples of personal identifying information extracted from the compromised network, including an employee's login information, name, email address, and Social Security number.

Choice Hotels International disclosed a breach affecting franchisees and applicants. Its notification letter states that a "skilled person used social engineering" to gain access on January 14, 2026 to an application that contained records regarding franchisees and franchise applicants. The access occurred even though access required multifactor authentication (MFA). The information involved included names and Social Security numbers. There is no indication that any guest data was involved. No gang has publicly claimed responsibility for the attack as yet.

A UK councillor has dubbed her local authority's data breach "crazy" after the personal details of individuals behind a series of complaints were revealed to her. Dulcie Tudor, an independent councillor for the Threemilestone and Chacewater area in Cornwall, England, publicized the data protection gaffe via social media following complaints about comments she made during a November council meeting. Cllr Tudor received ten complaints after asking fellow councillor Leigh Knight whether a trans woman was a real woman.

PayPal is warning customers about a data breach that leaked personal data for six months. The leaked data includes social security numbers. The software error occurred in the PayPal Working Capital application, an app that allows small businesses to easily take out a business loan. The leak occurred between July 1, 2025, and December 13, 2025. In addition to names and email addresses, phone numbers, business addresses, social security numbers, and dates of birth were also compromised.

San Jose administrators have disclosed that private information for current and former city employees may have been compromised, following a data breach last month. The incident occurred on Jan. 9 when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José officials have not said how many people were affected by the breach.

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) - the relevant legislation at the pre-GDPR time. Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine.

when a "workforce member" lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San José Spotlight spoke with three people who said they received the city's letter in recent days, including a current employee and two former employees. One of the former employees said they last worked for the city in 2000. The individuals requested anonymity to protect their privacy.

Since the end of January, the hacker used the stolen credentials of an official to access and consult "parts of the file of all of the accounts open in French banks and which contains personal data such as bank account numbers, name of the account holder, address and in certain cases the account owner's tax number," the ministry said in a statement.

Allegations of an incident at Adidas emerged on February 16, when someone claiming to be the Lapsus$ Group posted on BreachForums (screenshot shared here on Daily Dark Web) that they compromised the sportswear giant's extranet. According to the crooks, the stolen files - 815,000 rows of information - allegedly include: first and last names, email addresses, passwords, birthdays, company names, and "a lot of technical data."

Conduent experienced a data incident on that is proving to have widespread repercussions. The business services provider offers a range of support for organizations, including printing/mailroom services, payment integrity, document processing, and back-office aid, so this attack on its network affected more entities than itself. On Jan. 13, 2025, Conduent found a cyber incident had affected part of its network. Upon this discovery, the organization secured networks and commenced an investigation alongside third-party forensic experts.

The chain of events reads less like a breach and more like an own goal. In connection with a separate investigation, the man contacted the police on February 12 to report he had images that might be relevant. An officer responded by sending him a link so he could upload the files - except the link sent was a download link, effectively giving him access to confidential police documents.

He wanted something in return for returning files to the Dutch police. What he got in return was an arrest. A press release from Dutch police sums it up: On Thursday evening around 7:00 PM, police arrested a 40-year-old man from Ridderkerk on Prinses Beatrixstraat in Ridderkerk for computer hacking. Due to a police error, the man had inadvertently gained access to confidential police documents.

A report by the National Cyber Security Centre found that documents prepared by the Office for Budget Responsibility were downloaded on "at least" 24,701 occasions in the hour before Rachel Reeves delivered her Budget speech on 26 November. The figure is far higher than the 43 downloads cited in an initial internal review. The NCSC said the first full download of the OBR's forecasts occurred shortly after 11.35am on Budget day,

Betterment, which offers automated investment and financial planning services, first disclosed the breach in January after detecting unauthorized access to certain internal systems on January 9. Betterment said the hacker gained entry through a social engineering scheme that relied on impersonation to infiltrate third-party marketing and operations tools, then used that access to send customers a fraudulent cryptocurrency promotion disguised as an official company message.

The rise of OpenClaw, a proactive agentic AI controlled through interfaces more familiar to the average user than tools like Anthropic's Claude Code, which enthralled early adopters over the holiday period, has been one of the most seismic shifts in the AI world since the release of ChatGPT. By piggybacking on user-friendly interfaces paired with powerful AI agent technology, OpenClaw has pushed AI further into the public eye.

Catch up quick: Researchers reported last month that bondu, an AI-powered conversational toy company, inadvertently exposed children's chat transcripts and personal data through a publicly accessible portal. Bondu, which allows parents to check their children's conversations, said it took down the exposed portal and relaunched it the next day with authentication measures, according to Wired. Driving the news: New Hampshire Senator Maggie Hassan, the ranking member of the Senate's Joint Economic Committee, is now asking bondu to explain how the exposure occurred.

The company became aware of the breach which included personal information of its website customers "including credit card information" on Friday, it told CBC News in a statement. Canada Computers & Electronics said the affected customers were informed on Monday, given recommendations about steps to take, and that the breach was reported to authorities. But neither the statement, nor the notices seen by CBC News that went out to customers, says when the breach happened, how long it lasted or how many customers were affected.