Digital Privacy & Data Rights — 2026-05-22
A public GitHub repository belonging to CISA leaked 844 MB of plain-text passwords, AWS tokens, and SAML certificates — some still valid — and was taken down within 26 hours after GitGuardian's disclosure. Meanwhile, dark web brokers are increasingly recycling old breach data and marketing it as fresh corporate leaks, creating a new threat vector for affected organizations. Both stories highlight how credential exposure and data-broker deception remain the dominant risk vectors for everyday users this week.
This Week's Top Story
CISA GitHub Leak: 844 MB of Plain-Text Passwords and Cloud Tokens Exposed
- What happened: On May 14, GitGuardian discovered a public GitHub repository called "Private-CISA" containing 844 MB of plain-text passwords, AWS tokens, and Entra ID SAML certificates belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The repository had been publicly accessible since November 2025 — roughly six months. Crucially, some credentials were confirmed still valid at the time of discovery. CISA pulled the repository offline within 26 hours of GitGuardian's notification.
- Who's affected: U.S. federal agency CISA and any cloud resources or partner systems tied to the exposed credentials; downstream contractors and federal systems integrated with CISA's AWS and Entra ID environments may be at risk.
- Why it matters: A government cybersecurity agency suffering a credential leak of this magnitude — and for this long — underscores that even security-focused organizations remain vulnerable to misconfigured repositories. The six-month exposure window raises serious questions about continuous secret-scanning practices inside federal IT. If valid credentials were exploited before takedown, the full blast radius remains unknown.

Data Breaches & Incidents
CISA — Credential/Token Repository Exposure
- Scope: 844 MB of plain-text secrets including passwords, AWS tokens, and Entra ID SAML certificates; some credentials confirmed still active at disclosure.
- Root cause: Misconfigured public GitHub repository named "Private-CISA," left openly accessible since approximately November 2025.
- User action: Federal employees and contractors who interact with CISA systems should rotate any shared credentials and monitor for unauthorized access to AWS and Entra ID (formerly Azure AD)-linked resources. Audit all repositories, including their commit history, for secret exposure using automated scanning tools; a secret removed from the current tree still lives in past commits.
NYC Health + Hospitals — Medical, Financial & Biometric Data Breach
- Scope: At least 1.8 million individuals affected; exposed data includes medical records, financial information, and biometric data (fingerprints).
- Root cause: The intrusion is believed to have originated through a breach at an unnamed third-party vendor. NYCHH did not identify the vendor in its public notice.
- User action: Affected individuals should monitor their credit reports, enroll in any free credit monitoring offered by NYCHH, and be alert to medical identity theft — fraudulent use of health insurance or benefits using stolen medical records.

Dark Web Data Brokers — Recycled Breach Data Sold as Fresh Corporate Leaks
- Scope: No single count; affects potentially millions of records from prior breaches now being repackaged and re-sold as new corporate incidents across multiple industries.
- Root cause: Dark web brokers are systematically recycling old breach datasets, rebranding them as fresh corporate leaks to extract higher prices and create disproportionate alarm.
- User action: Before taking costly incident-response actions based on dark-web threat intelligence, verify whether leaked records actually match your current data formats and timestamps. Use Have I Been Pwned (haveibeenpwned.com) to check if your email was in historical breaches.

ShinyHunters — Pattern of Large-Scale Credential Breaches in April 2026
- Scope: Three confirmed incidents: ADT (5.5 million customers), Amtrak (2.1 million confirmed records), McGraw-Hill (13.5 million student and educator accounts). All occurred in April 2026 and are relevant context for the current week's threat environment.
- Root cause: In all three cases, the attack vector began with compromised employee credentials obtained via social engineering — consistent with ShinyHunters' known methodology.
- User action: If you are an ADT, Amtrak, or McGraw-Hill customer or user, reset passwords and enable multi-factor authentication immediately. Be alert to phishing attempts using leaked personal details.

Regulatory & Enforcement Actions
EDPB — 2026 Coordinated Enforcement: Transparency & Information Obligations
- Ruling: The European Data Protection Board selected GDPR transparency and information obligations (Articles 13 and 14) as the focus of its fifth Coordinated Enforcement Framework action. Supervisory authorities across the EU will conduct coordinated audits of how organizations disclose their data-processing activities to individuals.
- Penalty: No fines announced yet; coordinated enforcement typically results in national DPA follow-up actions that can carry significant GDPR penalties.
- Precedent: This signals that privacy notices, cookie banners, and data-subject disclosures will face increased scrutiny across EU member states simultaneously in 2026. Organizations with inadequate or opaque privacy notices should treat this as an urgent compliance signal.
FTC — TAKE IT DOWN Act Enforcement Begins
- Ruling: The FTC began enforcing the TAKE IT DOWN Act (TIDA), a law requiring online platforms to remove intimate photos or videos shared without victims' consent at the victim's request.
- Penalty: Platform non-compliance carries FTC enforcement exposure; specifics of first enforcement actions are pending.
- Precedent: This marks the first major federal framework explicitly addressing non-consensual intimate image (NCII) removal obligations for platforms, setting a new content-moderation compliance standard that extends beyond existing state laws.
Legislation & Policy Moves
- United States — SECURE Data Act (Draft): U.S. House Committee on Energy and Commerce Republicans released a draft federal consumer privacy bill, the SECURE Data Act, on April 22, 2026, representing the first major federal comprehensive privacy bill introduced in years; the draft aims to create a uniform federal standard that would preempt the existing state-law patchwork — Introduced (draft stage); not yet voted on
- United States — FTC COPPA Age Verification Policy Statement: The FTC issued a policy statement on February 25, 2026 announcing it will not pursue enforcement under the Children's Online Privacy Protection Rule against operators that collect personal information solely to verify user age using approved age-verification technologies — Effective immediately upon issuance
Advocacy & Civil Society
No confirmed post-May 15, 2026 advocacy campaign stories were available from EFF, NOYB, or Privacy International in the research results for this specific week. The EFF Deeplinks page was captured in a screenshot but specific article content could not be extracted from the image format. Readers should check directly for the latest campaign updates.
Industry & Tech Response
- GitGuardian: The company demonstrated an effective model for responsible disclosure by notifying CISA and achieving takedown of a major government credential leak within 26 hours — faster than most incident response timelines. The case is likely to renew calls for mandatory secret-scanning in all federal DevOps pipelines.
- Dark Web Intelligence Market: The emergence of recycled breach data being repackaged as new corporate leaks is forcing a credibility reckoning in the threat intelligence industry. Organizations are being advised to cross-reference claimed "new" breaches against known historical datasets before escalating incident response.
- Instructure / Canvas LMS: Law firm Schubert Jonckheer & Kolbe LLP announced an investigation into the Canvas data breach affecting allegedly nearly 275 million users — one of the largest education platform breaches on record. The investigation is ongoing, and no settlement or regulatory ruling has been announced yet.
Reader Action Items
- Check if you're affected: Visit Have I Been Pwned (haveibeenpwned.com) and enter your email address to check exposure across known breaches, including recent incidents. If you are an NYCHH patient, Amtrak passenger, ADT customer, or Canvas user, proactively rotate passwords and monitor your accounts for suspicious activity.
- Settings to review: (1) Enable multi-factor authentication on all accounts, especially those tied to healthcare, education, or financial services — credential-stuffing attacks exploit accounts protected only by a password. (2) If you use GitHub or any code repository, run a secret-scanning audit to ensure no API keys, passwords, or tokens have been accidentally committed — tools like GitGuardian's free tier or GitHub's built-in secret scanning can help.
- Rights you can exercise: EU residents can file a Subject Access Request (SAR) with any organization under GDPR Article 15 to learn exactly what personal data is held and whether it was involved in a third-party vendor breach — directly relevant to the NYCHH incident, where a vendor's breach affected millions. U.S. residents in California can file a CCPA access request under similar principles.
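To make the secret-scanning audit recommended above concrete, here is an added Python example; it is not code from this newsletter, from GitGuardian, or from GitHub's secret scanning. It combines pattern matches for documented credential formats (AWS access key IDs, PEM private-key headers, password assignments) with a Shannon-entropy heuristic for long random-looking tokens, and runs them over a constructed sample config. The sample values, the `Finding` type, the `ENTROPY_THRESHOLD` cut-off and the password-assignment rule are assumptions for illustration, not any real scanner's rule set.

```python
import math
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Documented formats: AWS access key IDs start with AKIA (long-term) or ASIA
# (temporary) followed by 16 uppercase alphanumerics; PEM private keys carry a
# fixed header line. The password-assignment rule is a loose heuristic (assumed).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}
# Candidate for the entropy heuristic: a long run of base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.5   # assumed cut-off, in bits per character


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str   # a scanner report must never re-leak the secret it found


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and repeats score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    # Keep a 4-character prefix so the owner can tell which credential leaked.
    return token[:4] + "*" * (len(token) - 4) if len(token) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(token)))
                matched = True
        if matched:
            continue   # do not double-report a line already caught by a pattern
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(
                    Finding(path, line_no, "high_entropy_string", redact(m.group(0))))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Scan the working tree only; past commits need `git log -p` or a real scanner."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or ".git" in p.parts:
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue   # skip binaries and unreadable files
        findings.extend(scan_text(str(p), text))
    return findings


# Constructed sample file; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample, not real credentials
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
db_password = "hunter2hunter2"
api_token = abcdefghijklmnopqrstuvwxyz012345
log_level = INFO
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else scan_text("sample.cfg", SAMPLE_CONFIG)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.redacted}")
    sys.exit(1 if results else 0)   # non-zero exit fails a CI or pre-commit gate
```

Run with no arguments to scan the embedded sample, or pass a directory path to scan a checkout. Two caveats matter in practice: pattern and entropy rules produce both false positives (test fixtures, hashes) and false negatives (secrets in formats you have no rule for), which is why production scanners maintain hundreds of provider-specific patterns; and this scan covers only the current working tree, whereas a leaked credential remains in git history after the file is deleted, so the remedy for anything found is rotation, not just removal.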
What to Watch Next Week
- SECURE Data Act markup: Watch for whether the House Energy and Commerce Committee schedules a markup session for the draft federal privacy bill; industry lobbying over the state-law preemption clause is expected to intensify.
- Canvas / Instructure investigation: The class-action law firm investigation into the alleged 275 million-user Canvas breach may produce a formal complaint or regulatory referral — monitor for SEC disclosures or state AG notifications from Instructure.
- CISA post-incident review: Expect CISA to publish or brief Congress on the scope of the GitHub credential exposure; watch for any GAO or Inspector General referral, and for any confirmation of whether valid credentials were actually exploited during the six-month exposure window.
Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.