Data Protection News Update 13 April 2026

United Kingdom

Cyberattack Disrupts Northern Ireland Schools’ IT Network

  • The Education Authority (EA) is working to restore Northern Ireland’s C2K school network following a cyberattack that left schools unable to access essential online resources and accounts.
  • To contain the issue, the EA initiated a full system-wide password reset, requiring staff and pupils to reset their passwords individually.
  • The timing of the attack has caused concern for students preparing for GCSE, AS, and A-Level exams.
  • The EA is currently investigating whether any personal data was compromised and is coordinating with the Information Commissioner’s Office (ICO).

Metropolitan Police Investigate Ex-Meta Employee Over Massive Privacy Breach

  • A former Meta employee in London is under investigation by the Metropolitan Police for allegedly downloading approximately 30,000 private Facebook images during his employment.
  • The suspect reportedly designed a custom software script specifically to bypass Meta’s internal security checks and detection systems to access the private data.
  • While legal experts suggest Meta may not be liable if they had appropriate safeguards, the Information Commissioner’s Office (ICO) is aware of the incident, and any failure in technical measures could lead to significant fines or damages.

United States

Alabama’s New Bill Signals Shift in US Data Privacy Landscape

  • Alabama is set to become the 21st state with a comprehensive privacy law after a unanimous legislative vote; it is anticipated to take effect May 1, 2027.
  • The law applies to businesses handling the data of just 25,000 residents, making its applicability threshold one of the easiest in the U.S. to trigger.
  • Unlike other states, Alabama excludes analytics and marketing services from its definition of a data sale, creating specific new compliance nuances for businesses.
  • The Attorney General holds exclusive enforcement power, though businesses are granted a permanent 45-day window to cure or fix violations before facing penalties.

Millions of Patients Potentially Affected by Cloud Provider Data Breach

  • CareCloud, a provider for 45,000 healthcare entities, confirmed a cyberattack in which an unauthorized third party accessed one of its six electronic health record environments.
  • The incident caused an eight-hour system outage before functionality was restored; the company claims the threat has since been contained and removed from its AWS-hosted infrastructure.
  • While no data misuse is confirmed, the affected environment stores sensitive patient information.

Eurail Says December Data Breach Impacts 300,000 Individuals

  • Eurail B.V. has confirmed a major data breach affecting over 308,000 individuals in the US, after an unauthorized actor gained access to its network and exfiltrated files.
  • The confirmed data includes names and passport numbers, though earlier reports suggest the wider breach may involve even more sensitive details, phone numbers, and health-related information.
  • Following the breach, stolen data samples were reportedly found for sale on the dark web and Telegram, significantly increasing the long-term risk of identity theft and financial fraud for affected travellers.
  • Eurail began notifying state authorities and victims in late March 2026; the company has since terminated the unauthorised access, strengthened security protocols, and is cooperating with law enforcement and cybersecurity experts.

Europe

Italy’s Uffizi Galleries Targeted in Cyber-Attack

  • Hackers infiltrated the IT systems of Florence’s Uffizi Galleries, later sending a ransom demand to the director’s personal phone and threatening to leak operational data on the dark web.
  • While reports claimed hackers stole internal maps and CCTV access codes, the Uffizi contested this, stating their security systems are entirely internal and were never accessible from the outside.
  • The gallery confirmed that while a photographic archive server was temporarily taken down to restore a backup after the attack, no data was lost, and the museum remains open to the public with ticketing unaffected.

LinkedIn Allegedly Tracking Sensitive Data without Consent via Browser Tools

  • An investigation by Fairlinked e.V. revealed that LinkedIn’s desktop site silently executes code that scans browsers for over 6,000 installed extensions without user consent or disclosure.
  • By matching extensions to real identities and employers, LinkedIn can infer highly sensitive information, as well as whether a user is secretly job-hunting.
  • This allows LinkedIn to map the internal software tools used by entire organizations and identify users of competitor products.
  • Researchers contend the practice violates GDPR, which prohibits processing special category data without explicit consent, as well as the EU’s Digital Markets Act (DMA) and ePrivacy Directive.

International

Japan Will Allow Using Personal Data without Consent for AI

  • Japan has amended its personal information protection law to allow organizations to collect personal data without express authorisation, shifting toward a “presumed consent” model and away from stricter European standards.
  • The reform lacks a general opt-out mechanism for citizens; the Minister of Digital Transformation argued that allowing users to exit the system would be an obstacle to AI adoption.
  • The law permits the use of health and biometric data (including facial scans) for AI development and research, provided the data is used for statistical purposes or deemed not to infringe on individual rights.

