— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Snapshot data
AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7 AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7
/ trackers / corporate-data-breaches
Cybersecurity and accountability

Corporate data breaches: from incident to response

Record of major corporate data breaches and, above all, of how each company responded. It does not measure only how many records were exposed: it measures the notification conduct —whether the company notified affected people and the regulator on time, delayed, or concealed it— and the outcome (settlement, fine, class action). That is the gap that matters for due diligence: two companies can suffer a similar incident and behave in opposite ways, and that defines reputational and legal risk. Each record documents the company, the number of affected people, the data type, the notification conduct and the outcome, with its source.

Snapshot · June 12, 2026
11
breaches documented
↑ +1: Canvas/Instructure, the largest known education breach (≈275M records per the attacker), with ransom paid

Evolution

Data analysis

Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.

Notification conduct

How each company responded to the incident: notified on time, late, concealed it or in dispute. The tracker's most differential field.

Sector

The sector of the affected company: technology, finance, health, hospitality, telecoms, etc.

Outcome type

How the case was resolved: out-of-court settlement, regulator fine, class action or open investigation.

People affected (millions)

The number of people or records affected by each breach, in millions, as declared or alleged in the settlement.

Computed over 11 of 11 events with available data

Reading the data

When a company suffers a data breach, the number of affected people grabs the headline. But for due diligence something else matters more: how it behaved. Did it notify affected people and the regulator on time, take months, or conceal it? Two companies with similar incidents can respond in opposite ways, and that defines the real risk. This tracker measures conduct, not just damage.

YV
Yaneth Vickari S. · Digital regulation expert · Madrid
May 26, 2026 · 6 min read

Data breaches are almost always counted by their size: 131 million affected at Marriott, 147 at Equifax. That figure is real and serious, but it is also the least informative part for whoever must assess a company's risk. Because suffering an incident, in a world of constant cyberattacks, can happen to anyone. What distinguishes one company from another is not having been attacked, but how it responded. This tracker is built around that second question.

That is why the central field is not the number of affected people, but the notification conduct: whether the company notified affected people and the regulator on time, delayed, or outright concealed it. These are categories with very different legal consequences. Notifying late aggravates the sanction in almost every framework; concealing a breach can turn a technical incident into a case of directors' personal liability, as the scrutiny of Clearview AI illustrates.

Of the seven documented breaches, only one company notified on time. Three notified late, two are in dispute over their conduct and one concealed the incident. The outcome splits between regulator fines and out-of-court settlements —and they should not be confused: a settlement, like 23andMe's, usually closes without admission of guilt, while a final fine does declare the violation.

Why it is a due-diligence tool

For a CISO, a cyber-risk insurer, a law firm or a compliance team assessing a vendor or an acquisition target, this tracker answers the question that really matters: how does this company behave when things go wrong? A company that notified on time and cooperated with the regulator is a very different risk from one that concealed the incident for months, even if the number of exposed records is identical. The conduct record is predictive in a way the incident's size is not.

Equifax's case also shows the long tail of these events: the 2017 breach still generates obligations that appear as a risk factor in its SEC filings almost a decade later. A breach does not close when the fine is paid; it leaves a mark on the company's governance that the tracker lets you follow over time. That traceability —company, conduct, outcome, date— is exactly what turns a succession of headlines into an intelligence asset.

Methodology note

Each record documents a breach with its company, sector, affected people, data type, notification conduct and outcome, attributed to its source (data-protection authorities, settlements with state attorneys general, SEC filings, specialised compilations). The conduct is classified based on what the regulator or settlement found. A distinction is drawn between settlement (no admission of guilt) and final fine. The number of affected people is the one declared or alleged in the settlement; where unspecified, it is noted as such and not counted in the affected-people chart. No unpublished figures are imputed.

This is a sensitive topic; the tracker limits itself to cases with public resolution and attributes every assessment to its source. It is informational infrastructure, not legal or security advice.

Documented events (11)

May 1, 2026 US confirmed

US · Canvas/Instructure: the largest known education breach; the company paid the ransom

The ShinyHunters group accessed the Canvas education platform (Instructure) around April 25, 2026 through a vulnerability in the Free-For-Teacher service; the breach was disclosed on May 1 and a second wave hit some 330 portals on May 7. The attackers claim to have exfiltrated 3.65 TB with about 275 million records from 8,809 institutions, which would make it the largest known education-sector breach; the scope figures come from the attacker and have not been independently verified. On May 11, Inside Higher Ed confirmed Instructure reached a settlement and paid the ransom, a decision that reopened the debate over whether paying protects those affected or funds the next campaign.

June 1, 2025 DE confirmed

Vodafone Germany: €45M in two fines over security flaws and third-party oversight

Germany's federal data-protection commissioner fined Vodafone GmbH a combined €45 million in 2025: €30 million for security flaws in the MeinVodafone portal authentication enabling unauthorized access to eSIM profiles, and €15 million for failing to properly oversee third-party agency contracts.

April 1, 2024 US confirmed

Verizon: $46.9M FCC fine for sharing customer location data

The FCC fined Verizon $46.9 million in April 2024, as part of a joint action against major carriers for sharing customer location data without adequate consent. The case illustrates the location-privacy regulatory front in the US.

August 26, 2024 NL confirmed

Uber: €290M fine from the Dutch authority for transferring driver data to the US

In August 2024, the Dutch data-protection authority fined Uber €290 million for transferring sensitive European driver data to the United States without adequate safeguards. It is one of the year's largest data-protection fines.

October 9, 2024 US confirmed

Marriott: $52M settlement with 50 states over a multi-year breach (131 million affected)

Marriott reached a $52 million settlement with all 50 US states in 2024 over a multi-year data breach affecting more than 131 million users of its Starwood reservation database. The allegations included failure to comply with consumer-protection laws and data-security standards.

July 22, 2019 US confirmed

Equifax: up to $700M settlement over the 2017 breach that still binds the company

The 2017 Equifax breach exposed credit and identity data of around 147 million people. The subsequent settlement with the FTC and states reached up to $700 million. The company remains subject to obligations from that settlement, which still appear as a risk factor in its SEC filings years later.

September 1, 2024 NL confirmed

Clearview AI: €30.5M for building an illegal facial-recognition database by scraping

In September 2024, the Dutch authority fined Clearview AI €30.5 million for building an illegal facial-recognition database by scraping billions of images from the internet without consent. Beyond the fine, the Dutch DPA is considering holding directors personally accountable and foresees additional payments if violations continue.

May 20, 2026 US confirmed

US · Charter Communications: the 4.9-million breach that only came to light after the leak

The Charter Communications (Spectrum brand) breach became public only after the ShinyHunters extortion group listed the company on its leak site and published the data when no ransom was paid. The Have I Been Pwned service confirmed 4.9 million unique email addresses affected, with names, phone numbers and physical addresses. Charter confirmed the incident but disputed the scope claimed by the attackers (over 42 million records and CPNI data), stated no sensitive personal information was exfiltrated and, per reports, had not yet issued individual notifications to affected customers. The attack reportedly began with a voice phishing (vishing) call.

May 27, 2026 US confirmed

US · Carnival: nearly 6 million affected and notification six weeks after detecting the breach

Carnival Corporation, the world's largest cruise operator, notified 5,995,277 customers of a data breach. By its own timeline, the intrusion occurred on April 10, its security team detected the unauthorized activity on April 14 —an actor used social engineering to deceive an employee— and on April 22 confirmed personal data had been copied. However, notification letters and the incident page did not go out until May 27, 2026, nearly six weeks after detection; the company attributed the delay to analyzing the files to match data to each person. The data included names, addresses, dates of birth and government-issued ID numbers (licenses and passports). The ShinyHunters group claimed responsibility and, after the extortion failed, published the data.

March 19, 2026 US confirmed

US · Aura: the identity-protection company that suffered its own 900,000-record breach

Aura, a Massachusetts-based consumer digital-safety company that sells identity-theft protection and credit monitoring, disclosed in March 2026 a breach affecting around 900,000 records. An unauthorized third party accessed an employee account through a targeted voice-phishing attack and obtained names, addresses, phone numbers, emails and data from a marketing database. The ShinyHunters group claimed responsibility. The case drew attention for its irony: a company selling identity protection was itself breached. The company disclosed the incident publicly.

September 1, 2024 US confirmed

23andMe: $30M settlement over a genetic-data breach without multi-factor authentication

Genetic-testing company 23andMe reached a $30 million settlement in 2024 after a class action over a breach that exposed customers' ancestry data. The compromised accounts were not protected by multi-factor authentication and attackers are believed to have used reused credentials. 23andMe denied wrongdoing in the settlement.

Methodology

Type
event-log
Construction
Multi-source verified
Cadence
event-driven

Each record documents a corporate data breach with its company, sector, number of records or affected people (as declared or alleged in the settlement), type of compromised data, notification conduct and outcome. The notification conduct is classified into verifiable categories —notified on time, notified late, concealed/covered up, in dispute— based on what the regulator or settlement found, attributed to its source. The amount is the settlement or fine where one exists; a distinction is drawn between settlement (no admission of guilt) and final fine. No unpublished figures are imputed. Coverage prioritizes cases with public resolution (settlement, fine or judgment) for their due-diligence value.

Sources consulted

  1. Autoridades de protección de datos (DPC Irlanda, AP Países Bajos, AEPD, FTC, FCC) ↗ official
  2. Acuerdos judiciales y class actions (fiscalías estatales de EE.UU.) ↗ official
  3. Registros SEC (8-K de incidentes materiales de ciberseguridad) ↗ official