May 1, 2026 US confirmed
US · Canvas/Instructure: the largest known education breach; the company paid the ransom
The ShinyHunters group accessed the Canvas education platform (Instructure) around April 25, 2026 through a vulnerability in the Free-For-Teacher service; the breach was disclosed on May 1 and a second wave hit some 330 portals on May 7. The attackers claim to have exfiltrated 3.65 TB with about 275 million records from 8,809 institutions, which would make it the largest known education-sector breach; the scope figures come from the attacker and have not been independently verified. On May 11, Inside Higher Ed confirmed Instructure reached a settlement and paid the ransom, a decision that reopened the debate over whether paying protects those affected or funds the next campaign.
June 1, 2025 DE confirmed
Vodafone Germany: €45M in two fines over security flaws and third-party oversight
Germany's federal data-protection commissioner fined Vodafone GmbH a combined €45 million in 2025: €30 million for security flaws in the MeinVodafone portal authentication enabling unauthorized access to eSIM profiles, and €15 million for failing to properly oversee third-party agency contracts.
April 1, 2024 US confirmed
Verizon: $46.9M FCC fine for sharing customer location data
The FCC fined Verizon $46.9 million in April 2024, as part of a joint action against major carriers for sharing customer location data without adequate consent. The case illustrates the location-privacy regulatory front in the US.
August 26, 2024 NL confirmed
Uber: €290M fine from the Dutch authority for transferring driver data to the US
In August 2024, the Dutch data-protection authority fined Uber €290 million for transferring sensitive European driver data to the United States without adequate safeguards. It is one of the year's largest data-protection fines.
October 9, 2024 US confirmed
Marriott: $52M settlement with 50 states over a multi-year breach (131 million affected)
Marriott reached a $52 million settlement with all 50 US states in 2024 over a multi-year data breach affecting more than 131 million users of its Starwood reservation database. The allegations included failure to comply with consumer-protection laws and data-security standards.
July 22, 2019 US confirmed
Equifax: up to $700M settlement over the 2017 breach that still binds the company
The 2017 Equifax breach exposed credit and identity data of around 147 million people. The subsequent settlement with the FTC and states reached up to $700 million. The company remains subject to obligations from that settlement, which still appear as a risk factor in its SEC filings years later.
September 1, 2024 NL confirmed
Clearview AI: €30.5M for building an illegal facial-recognition database by scraping
In September 2024, the Dutch authority fined Clearview AI €30.5 million for building an illegal facial-recognition database by scraping billions of images from the internet without consent. Beyond the fine, the Dutch DPA is considering holding directors personally accountable and foresees additional payments if violations continue.
May 20, 2026 US confirmed
US · Charter Communications: the 4.9-million breach that only came to light after the leak
The Charter Communications (Spectrum brand) breach became public only after the ShinyHunters extortion group listed the company on its leak site and published the data when no ransom was paid. The Have I Been Pwned service confirmed 4.9 million unique email addresses affected, with names, phone numbers and physical addresses. Charter confirmed the incident but disputed the scope claimed by the attackers (over 42 million records and CPNI data), stated no sensitive personal information was exfiltrated and, per reports, had not yet issued individual notifications to affected customers. The attack reportedly began with a voice phishing (vishing) call.
May 27, 2026 US confirmed
US · Carnival: nearly 6 million affected and notification six weeks after detecting the breach
Carnival Corporation, the world's largest cruise operator, notified 5,995,277 customers of a data breach. By its own timeline, the intrusion occurred on April 10, its security team detected the unauthorized activity on April 14 —an actor used social engineering to deceive an employee— and on April 22 confirmed personal data had been copied. However, notification letters and the incident page did not go out until May 27, 2026, nearly six weeks after detection; the company attributed the delay to analyzing the files to match data to each person. The data included names, addresses, dates of birth and government-issued ID numbers (licenses and passports). The ShinyHunters group claimed responsibility and, after the extortion failed, published the data.
March 19, 2026 US confirmed
US · Aura: the identity-protection company that suffered its own 900,000-record breach
Aura, a Massachusetts-based consumer digital-safety company that sells identity-theft protection and credit monitoring, disclosed in March 2026 a breach affecting around 900,000 records. An unauthorized third party accessed an employee account through a targeted voice-phishing attack and obtained names, addresses, phone numbers, emails and data from a marketing database. The ShinyHunters group claimed responsibility. The case drew attention for its irony: a company selling identity protection was itself breached. The company disclosed the incident publicly.
September 1, 2024 US confirmed
23andMe: $30M settlement over a genetic-data breach without multi-factor authentication
Genetic-testing company 23andMe reached a $30 million settlement in 2024 after a class action over a breach that exposed customers' ancestry data. The compromised accounts were not protected by multi-factor authentication and attackers are believed to have used reused credentials. 23andMe denied wrongdoing in the settlement.