2026 Data Breaches: Cybersecurity Incidents Explained

March was a volatile month for data breaches and ransomware. The most prominent was the attack on Stryker. While that incident didn’t expose data, it still had a significant effect on the company. As always, knowing where sensitive data is and remediating it accordingly provides you with the best assurance for breach resiliency.

Stryker, a medical device company, was recently the target of a hack deployed by an Iran-linked group, Handala. It caused system outages throughout the organization. It was not a ransomware attack. Rather, this was a data theft and wipe strike. Windows-based devices, including laptops and mobile devices, were wiped. As of March 30, the company had restored most manufacturing sites.

• Scale of breach: Company applications and internal systems
• Breach cause: Handala gained access to the company’s Active Directory Services, using the Microsoft endpoint management tool, Microsoft Intune.

Key Lessons

This is a unique incident. Hackers didn’t steal data; they wiped in from internal systems, which triggered operational fallout. The attack on endpoint systems wasn’t to exfiltrate or hold for ransom; it was about disruption.

When there’s a compromise to endpoints, cyber criminals can deploy software to wipe, encrypt, or exfiltrate data as well as disable security mechanisms.

While you cannot eliminate this risk, you can do these things:

Ensure automated sensitive data discovery, so you always know where data is.

Use policy-based protection to determine what to do with the discovered data consistently (e.g., encrypt, mask, redact, etc.).

Enable persistent encryption that stays with data regardless of where it goes.

Aura announced a data breach via a targeted phishing attack that led to the exposure of marketing data lists. The company identified the breach within an hour and activated its incident response plan. Aura announced that the hack did not expose any sensitive data.

• Scale of breach: 900,000 records
• Data exposed: Names and email addresses
• Breach cause: ShinyHunters claimed responsibility via a phishing attack.
• Data breach notifications: See Aura’s statement here.

Key Lessons

Aura did an excellent job of responding quickly. Often, it takes weeks or even months to detect unauthorized access. Even though data stolen wasn’t sensitive, it’s still a reminder that organizations should deploy data-centric encryption, which is “sticky.” It stays with the data no matter where it goes.
Data breach resiliency strategies can reduce the effects of ransomware. Such programs involve enterprise-wide visibility of sensitive data and preemptive protections, such as encryption, masking, and redaction.

An exposed API was a weak link for an attacker to gain unauthorized access. The hackers stole personal and health-related data. Their investigation revealed that the threat actor acquired information from December 22, 2025, to January 15, 2026.

• Scale of breach: 2.7 million people
• Data exposed: Social Security numbers, account data, names, dates of birth, phone numbers, email addresses, and health plan information
• Breach cause: Exposed API
• Data breach notifications: Read Navia’s notice here.

Key Lessons

Perimeter defenses were insufficient to thwart unauthorized actors. They stole PII and PHI; data that should be encrypted at rest and in transit. Persistent encryption driven by enterprise-wide policies could have made a difference. The hackers may have taken the data, but with encryption, it would have been unusable.

Pathstone Family Office, a wealth management firm, was the victim of a data breach perpetrated by ShinyHunters. The theft included 641,000 records of sensitive and proprietary information. The group attempted to extort Pathstone Family Office, threatening to release data.

• Scale of breach: 641,000 records
• Data exposed: Social Security numbers, dates of birth, addresses, and potentially detailed financial profiles of clients
• Breach cause: ShinyHunters ransomware

Key Lessons

Attorneys filed a class action against Pathstone, alleging inadequate cybersecurity practices and noncompliance. Those claims will have to play out in court. Pathstone has yet to issue breach notifications or public responses. Any breach indicates a gap in perimeter security; access controls likely failed. Modern encryption that stays with data could have rendered it useless to the cyber criminals.

The University of Hawaiʻi was the victim of a ransomware attack. It impacted research systems, exposing personal information.

• Scale of breach: 1.2 million individuals
• Data exposed: Social Security numbers, driver’s license details, and health-related research information
• Breach cause: Ransomware
• Breach notification: See the statement from the university here.

Key Lessons

An unauthorized user was able to encrypt and exfiltrate data during the attack. UH said that they have no reports of hackers publishing any stolen data. They continue to investigate the root cause. This incident brings to the forefront the discussion on knowing where all sensitive data resides.

The breached files were part of a subset and were collected between 1993 and 2007. This was likely old data that UH may no longer have needed to keep. It could have been “forgotten data,” which carries risk. Having policies in place to delete or remove old data would have potentially prevented this.

Even though February is a short month, there were numerous 2026 data breaches. Healthcare, fintech, marketplaces, and publishing platforms all experienced incidents. Many involve lawsuits from customers.

BridgePay, a payments platform, confirmed a ransomware attack that led to a system disruption. City governments are a large part of the company’s customer base, and many reported outages. As of February 28, BridgePay had restored all its infrastructure.

• Scale of breach: The company stated there was no exposure of credit card numbers.
• Data exposed: Unknown
• Breach cause: Ransomware
• Data breach notifications: BridgePay’s statement

Key Lessons

Ransomware continues to be a risk for any organization. Proactively securing data against it is your best approach. Key components of a proactive data security program include automated data discovery and protection. Discovery is a critical first step since you must know where all sensitive information is to protect it.

Using policy-driven protection controls enables you to define them centrally and apply them consistently across your enterprise. You can also ensure secure data exchange with certificate-free, modern encryption.

The University of Mississippi Medical Center closed clinics after a ransomware attack in February. The impact included IT systems and EHRs, requiring manual processes for patient care. They were able to reopen clinics on March 2.

• Scale of breach: Impacted data included phone and email access. It also forced clinicians to move to downtime procedures.
• Data exposed: The organization has not disclosed whether there was any breach of PII or PHI.
• Breach cause: Ransomware
• Data breach notifications: The organization has yet to send any data breach notifications. They announced the issue on their social media profiles and published a statement on March 2 about reopening clinics.

Key Lessons

Healthcare remains an attractive target for ransomware. Few are ready, as almost 40% of organizations facing an incident took a month or more to recover.

Data breach resiliency strategies can reduce the effects of ransomware. Such programs involve enterprise-wide visibility of sensitive data and preemptive protections, such as encryption, masking, and redaction.

Over 780,000 people had their information stolen in this healthcare data breach. The company detected the breach in 2025. It only recently came to light when the organized issued breach notifications in multiple states. Marquis stated that the SonicWall hack was to blame and has since filed suit against them.

• Scale of breach: 780,000 individuals
• Data exposed: Names, addresses, Social Security numbers, dates of birth, account numbers, credit/debit card numbers, and taxpayer identification numbers
• Breach cause: Ransomware breach on SonicWall cloud backup hack
• Data breach notifications:
  • New Hampshire
  • Maine
  • Massachusetts

Key Lessons

The source of the breach was Marquis’s cybersecurity partner, SonicWall, as alleged in their lawsuit. Marquis’s investigation found that the attacker leveraged configuration data extracted from SonicWall’s cloud backup infrastructure tied to an API code change.

Marquis also stated its firewall was up to date and had other security controls in place, including MFA.

This incident underscores the importance of auditing partners that support technology, networks, or other infrastructure. Additionally, companies must take steps to ensure exfiltrated data isn’t usable by encrypting, masking, or redacting it properly and consistently.

Substack, a subscription-based publishing platform, suffered a data breach that exposed subscriber information. The company confirmed that no passwords, payment card data, or financial records were part of the incident.

• Scale of breach: Unknown
• Data exposed: Email addresses and phone numbers
• Breach cause: Unauthorized third-party access
• Data breach notifications: The company sent this email to users.

Key Lessons

Since the hacker had limited account access, there was no PII or PHI breached. However, this incident serves as a warning against depending too much on perimeter controls as the last line of defense. Unfortunately, weaknesses are common here. The best way to bolster defenses is with data-centric protections that are always present. When data has persistent protection, if stolen, data is typically unusable.

CarGurus, an online automotive marketplace, revealed a data breach affecting over 12 million users. An Australian cybersecurity consultant, Troy Hunt, was the first to report this after finding published PII data.

The company reported a system compromise involving stored customer account information. They investigated, secured the impacted platforms, and implemented more safeguards in response. Victims have filed class action lawsuits.

• Scale of breach: 12 million+
• Data exposed: Names, email addresses, physical addresses, IP addresses, and phone numbers
• Breach cause: ShinyHunters claimed responsibility via social engineering.
• Data breach notifications: One lawsuit alleges that CarGurus did not provide a data breach notice. There are no formal notices, but the company did acknowledge it, stating it was “limited in scope.”

Key Lessons

Employees can be a weak link in cybersecurity. While training helps, hackers have become very sophisticated in their social engineering attacks. As such, you can’t always count on employees to recognize and report phishing.

To further safeguard data against such a breach, persistent, modern encryption should be part of a data protection program. When it is, it never leaves the data, so anything hackers steal won’t be of value if they can’t decrypt it.

We’re kicking off 2026 data breaches with a review of January. The incidents in January cover multiple industries. What’s unique about this batch is that there was exposure of both consumer and corporate data. Explore the cases in January and the key insights into preventing these in your organization.

Both Illinois and Minnesota experienced a system failure that exposed the personal data of nearly one million people. In the Illinois incident, sensitive information was on display publicly and was visible for four years. 

The Minnesota breach was the result of excessive internal access, leading to improper disclosure.  

• Scale of breach: Around one million individuals 

• Data exposed: Names, addresses, case numbers, case status, and referral information (Illinois); names, addresses, email addresses, dates of birth, phone numbers, Medicaid ID, the first four digits of Social Security numbers, and other protected information (Minnesota). 

• Breach cause: In Illinois, an error caused patient data to be publicly viewable. In Minnesota, the culprit was unauthorized access to data that was outside the scope of employee work assignments. 

• Data breach notifications: 

• • Report from HIPAA Journal (Illinois) 

• • DHS Notification (Minnesota) 

Key Lessons  

It's imperative for every organization to have complete visibility of where sensitive data resides. Automated discovery provides this visibility enterprise-wide and centralized, policy-based protection ensures consistent security of data. For four years, the data of Illinois residents was available online. Having an always-up-to-date inventory with data-centric protection can prevent such exposure.

Identity access control (IAC) plays a key role in thwarting unauthorized access, but relying on it as the last line of defense has shortcomings. IAC doesn't truly protect your critical data and sensitive data can be exposed if data moves or credentials are compromised. Protecting data through encryption, masking, or redaction secures data at rest and in motion and ensures that exfiltrated data is useless to bad actors.

Ledger, a crypto wallet platform, confirmed a customer data breach related to its e-commerce payment partner, Global-e. While there were no crypto assets stolen, hackers later used this information in phishing campaigns.  

• Scale of breach: Unknown 

• Data exposed: Name, addresses, email addresses, phone numbers, and order details. 

• Breach cause: The company identified unusual activity in its cloud systems and moved to secure it. They did not disclose the root cause.  

• Data breach notification: Global-e Statement 

Key Lessons  

Companies should adopt persistent encryption and protection across all environments. With such a proactive strategy in place, organizations can protect across the enterprise. When security is data-centric, it reduces the effect of breaches.

The threat actor Zestix has been selling corporate data stolen from multiple companies. They are acting as an initial access broker (IAB) on the dark web. The hack occurred due to stolen credentials. ShareFile, Nextcloud, and OwnCloud were all victims of the attack. There were impacted organizations across many sectors, including aviation, defense, healthcare, utilities, mass transit, telecom, legal, real estate, and government. 

• Scale of breach: Unknown 

• Data exposed: Highly sensitive corporate data, including health records and government contracts. 

• Breach cause: Stolen credentials and lack of multi-factor authentication 

• Breach investigation: Infostealers published a detailed analysis of the hacks. 

Key Lessons 

Cloud exposure has been a risk component for many years. MFA has become mandatory in many regulations. Will this alone be enough to reduce unauthorized access? No, but enterprise-wide data encryption, redaction, and masking limit the fallout of such an attack. 

On January 24, Nike launched an investigation into a possible cyber attack. This action came after WorldLeaks claimed it had stolen and posted 1.4 terabytes of internal company data.  

• Scale of breach: 1.4 terabytes of company data 

• Date exposed: Product development intellectual property and supply chain logistics 

• Breach cause: Not defined, but threat intelligence firms have suggested a connection to supply chain infrastructure. 

• Breach report: The National CIO Review provided an extensive review of the attack and leak. 

Key Lessons

This data breach involves corporate data versus customer data. Investigators did not find personal identifiers. However, the leak of IP and other trade secrets could have been of value to competitors.  

Organizations should enforce security controls and cybersecurity best practices with supply chain vendors. Additionally, security embedded into data follows it wherever it goes. 

Crunchbase confirmed a data breach in January after a hack. ShinyHunters, a cybercrime group, claimed responsibility. The company revealed there was file exfiltration but said there were no operational disruptions. The incident is still under investigation, and they have yet to send any notifications to customers.  

• Scale of breach: Two million records 

• Data exposed: PII and corporate data (e.g., contracts and internal documents) 

• Breach cause: Social engineering campaign using voice phishing techniques 

• Breach report: SecurityWeek was the first to report the story and received confirmation from Crunchbase. 

Key Lessons

Social engineering, especially deepfakes, is much more sophisticated than ever before. They are emerging as a key way for hackers to compromise credentials. While you can't eliminate all breach risk, you can take proactive steps to minimize the impact. Examples include: 

• Identifying older files and enforcing data retention policies 

• Using encryption mechanisms that stay with data 

• Applying data discovery and classification solutions to build an inventory of sensitive information 

The family of Match dating apps finishes out the list of the major 2026 data breaches in January. ShinyHunters was also the cyber criminal in this case. The group claimed they have millions of documents, while Match called it a "security incident" that is still under investigation.  

• Scale of breach: 10 million records 

• Data exposed: User and corporate data 

• Breach cause: According to ShinyHunters dark web leak site, it cited AppsFlyer as the entry point. AppsFlyer is a marketing analytics company for apps.  

• Breach report: The Register published a review of the breach and exposures.  

Key Lessons

It appears this is another third-party system failure. Data sharing for analytics is essential to any business but carries risk. Secure data exchange, internally or externally, with modern encryption allows for access while safeguarding data.