Curzon cinema has admitted a major app failure that left dozens of customers' personal details exposed to complete strangers. The upmarket cinema chain, which runs 10 venues across London plus its Curzon Home Cinema streaming service, said the error meant other users could see people's names, emails, phone numbers, dates of birth, profile photos and membership tiers. In some cases, even the last four digits of saved bank cards were visible.
A stalkerware maker who was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will not be able to go back to selling the invasive software, according to the U.S. Federal Trade Commission. The FTC denied a request to cancel that ban made by Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor.
Last week, pet products and services giant Petco confirmed that it experienced a data breach involving customers' personal information, without specifying what type of data was affected. On Friday, in a legally required filing with Texas' attorney general's office, Petco reported that the affected data included: names, Social Security numbers, driver's license numbers, financial information such as account numbers, credit or debit card numbers, and dates of birth.
An AI image creator startup left its database unsecured, exposing more than a million images and videos its users had created - the "overwhelming majority" of which depicted nudes and even nude images of children.
A US inspector general report released its official determination that Defense Secretary Pete Hegseth put military personnel at risk through his negligence in the SignalGate scandal, but recommended only a compliance review and consideration of new regulations.
Their demand lands amid fierce criticism of the regulator's decision not to formally investigate the Ministry of Defence over what has been described as the most serious data breach in British history: the leaking of a spreadsheet revealing the identities and locations of more than 19,000 Afghans fleeing the Taliban. Information Commissioner John Edwards defended his stance at a DSIT-hosted hearing last month, insisting the incident was a "one-off" error rather than evidence of systemic non-compliance inside the MoD.
Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall in the West Midlands, spoke only to confirm their names and enter pleas at the brief hearing. They are both charged with conspiring to commit unauthorised acts against Transport for London (TfL) under the Computer Misuse Act. In addition, Mr Flowers is accused of attempting to hack computer systems belonging to California-based Sutter Health and another US company, SSM Healthcare Corporation. Mr Jubair has also been charged with failing to provide passwords for his devices.
Privacy watchdogs in Ontario and Alberta issued their findings Tuesday after investigating a mass data breach of a student information system used across Canada, concluding that school boards lacked adequate breach response plans, among other issues. Ontario's privacy commissioner says PowerSchool, a software and storage company for school systems in the U.S. and Canada, was a victim of a cyberattack and ransom threat in December 2024 that compromised the data of current and former students, parents and staff.
The researcher, Jonathan Clark, says he knows this for a fact because he reported the attack to Coinbase on January 7 after the criminals tried to scam him. According to Clark, Coinbase's Head of Trust and Safety Brett Farmer responded to his "comprehensive security report" the same day he emailed it to the company's security@ address. In a blog about the incident, Clark says Farmer replied: "This report is super robust and gives us a lot to look into. We are investigating this scammer now."
A person claiming to be one of the University of Pennsylvania hackers says that about "1.2 million lines of data" will be kept private for the group to sell before it is made public. The group also plans to make other documents public. In comments to The Verge, the hacker or hackers distanced themselves from earlier hacks of other private universities including Columbia - which were aimed at demonstrating colleges had maintained unlawful pro-diversity policies.
Today's reminder of the insider threat comes to us from the National Health Service in the U.K. Craig Meighan and Billy Gaddi report: A woman has been charged after Scots patients had their private medical records accessed during an NHS data breach. Reports suggest around 100 patients in NHS Lothian could have had their records accessed as a result of the incident. The health board said it discovered patients in the region may have had their information "inappropriately accessed" during routine monitoring.
On 9 October 2025 the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia's largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals.
While scanning for unsecured databases at the end of September, an ethical security researcher stumbled upon the exposed cache of data and discovered that it was part of a site called DomeWatch. The service is run by the House Democrats and includes videostreams of House floor sessions, calendars of congressional events, and updates on House votes. It also includes a job board and résumé bank.
An unencrypted, non-password-protected database was discovered by Cybersecurity Researcher Jeremiah Fowler. This database contained files from an email marketing platform and held approximately 40 billion records (13 TB). The records appeared to belong to Netcore Cloud Pvt. Ltd (Netcore), an India-based company providing marketing services. Fowler sent a message to Netcore to inform them of the exposure, and the database was restricted the same day.