Digital Privacy & Data Rights — 2026-05-25
ShinyHunters struck again this week, leaking 9.4 GB of 7-Eleven franchise applicant data including Social Security numbers after the company refused to pay ransom — the same threat actor behind several major April breaches. Meanwhile, nine healthcare entities disclosed HIPAA-regulated breaches, and the FTC began enforcing the newly passed TAKE IT DOWN Act against non-consensual intimate imagery. Everyday users face escalating risks as ransomware groups become bolder and biometric data joins financial and medical records as prime targets.
This Week's Top Story
ShinyHunters Publishes 7-Eleven Franchise Applicant Data After Company Refuses to Pay
- What happened: The ShinyHunters ransomware group confirmed a breach of 7-Eleven's systems, stealing Social Security numbers and driver's licenses belonging to franchise applicants. After 7-Eleven declined to pay the ransom, the group published a 9.4-gigabyte archive of the stolen files publicly. The breach follows the same attack pattern ShinyHunters used in April 2026 against ADT (5.5 million customers), Amtrak (2.1 million confirmed records), and McGraw-Hill (13.5 million student and educator accounts).
- Who's affected: Current and past franchise applicants to 7-Eleven stores in the United States; the affected population size has not yet been disclosed by the company.
- Why it matters: This incident illustrates the growing "extortion-then-publish" playbook used by organized threat actors. The release of government ID numbers and SSNs exposes victims to identity theft for years. The pattern also shows ShinyHunters operating at industrial scale — hitting multiple high-profile brands within weeks using the same credential-compromise entry vector.

Data Breaches & Incidents
Healthcare Sector — Nine HIPAA-Regulated Entities Breach Round-Up
- Scope: At least 9 HIPAA-regulated healthcare entities disclosed data breaches this week, including University of Nebraska Medical Center, Singing River Health System, and Tampa-area providers. Data types exposed include protected health information (PHI), billing data, and in some cases biometric records.
- Root cause: Attack vectors varied across entities; the round-up did not specify individual causes but patterns suggest third-party vendor compromises and network intrusions consistent with ransomware activity.
- User action: If you are a patient of any of the named healthcare providers, request a copy of their breach notice, freeze your credit at all three bureaus, and monitor your Explanation of Benefits statements for fraudulent claims.

Data Breach Roundup (May 15–21, 2026) — Facial Recognition Systems and Biometrics Exposed
- Scope: The week of May 15–21 featured several "particularly noteworthy" incidents involving facial recognition systems, fingerprint scans, and data from Trump Mobile, according to Privacy Guides' weekly roundup.
- Root cause: Details on specific root causes were not fully disclosed in public notices at time of publication; biometric data exposure is especially sensitive because such data cannot be changed once compromised.
- User action: If you have accounts with any services that stored facial or fingerprint data for authentication, consider whether you can switch to alternative authentication methods and monitor for identity fraud.
NYC Health + Hospitals — 1.8 Million Records Breached Including Fingerprints (Ongoing Impact)
- Scope: New York City's public healthcare system confirmed hackers stole personal and medical data plus biometric scans — including fingerprints — from at least 1.8 million people in one of the largest recorded breaches of 2026. The intrusion may have originated through an unnamed third-party vendor.
- Root cause: Third-party vendor compromise; NYCHH did not identify the vendor in its public disclosure notice.
- User action: NYC Health + Hospitals patients should enroll in the offered credit monitoring, file a freeze on biometric data with relevant state registries where available, and watch for unusual medical billing activity.

Regulatory & Enforcement Actions
FTC Enforces TAKE IT DOWN Act — New Powers Against Non-Consensual Intimate Imagery
- Ruling: The Federal Trade Commission began enforcement of the TAKE IT DOWN Act — passed by Congress — which targets the publication of non-consensual intimate images (NCII), including AI-generated deepfakes. The FTC published consumer guidance this week explaining what the law means and how enforcement will work.
- Penalty: The law grants the FTC authority to bring enforcement actions; specific fine amounts and remediation orders will be set on a case-by-case basis in individual proceedings.
- Precedent: This is the first federal law in the United States specifically empowering the FTC to pursue NCII cases, including AI-generated material. It sets a baseline floor that applies nationally, addressing a gap that previously left victims relying solely on inconsistent state statutes.
FTC v. Kochava (Active Enforcement)
- Ruling: The FTC's enforcement action against Kochava, Inc. — the data broker accused of selling sensitive location data enabling the tracking of individuals to sensitive locations like reproductive health clinics — remains active on the FTC's enforcement docket as of this week.
- Penalty: Final penalty and remediation terms have not yet been publicly resolved.
- Precedent: The case continues to define the limits of location data brokerage under FTC authority and signals that the agency views precise geolocation trading as an unfair and deceptive practice warranting enforcement.
Legislation & Policy Moves
- United States — SECURE Data Act: House Republicans on the Energy and Commerce Committee introduced the SECURE Data Act on April 22, 2026 — the first major comprehensive federal consumer privacy bill released in years, developed over 14 months by a Republican-only Privacy Working Group; the bill would create a uniform federal standard and preempt the patchwork of existing state privacy laws — Introduced — effective date not yet determined
- United States — TAKE IT DOWN Act: Federal legislation specifically targeting non-consensual intimate imagery including AI-generated deepfakes, granting the FTC enforcement authority — Signed/Passed — FTC enforcement began this week
Advocacy & Civil Society
No confirmed fresh advocacy campaign reports from EFF, NOYB, Privacy International, or Access Now fell within the strict post-2026-05-18 window based on available research results this week. The EFF Deeplinks page was captured but specific post-dates could not be independently verified from screenshot metadata alone. Readers should check directly for the latest campaigns.
Industry & Tech Response
- ShinyHunters / Threat Actor Pattern: Security researchers tracking ShinyHunters note the group is now operating on an accelerated publishing timeline — moving from breach to public data dump faster than ever when companies refuse payment. The April–May 2026 campaign hit ADT, Amtrak, McGraw-Hill, and now 7-Eleven within roughly six weeks, all using the same credential-compromise vector. Organizations in retail, education, and transport are advised to audit third-party access and rotate credentials immediately.
- LeakWatch 2026 — Week 21 (Pentecost Week): The German security analysis publication igorslabde published its calendar week 21 LeakWatch report this week, flagging fake AI voice scams and a deteriorating trust environment for digital authentication alongside ongoing breach coverage. The report raises the question of whom users can still trust in an environment where voice synthesis and deepfake tooling are now broadly accessible.
- Ransomware Gang Gets Ransomed: Security Boulevard's "Breach of Confidence" column (May 22, 2026) reported that a ransomware operation calling itself "The Gentlemen" — which ran tiered service levels, customer support, and an HR department — was itself breached using its own tactics, in what researchers are calling a notable counterattack in the cybercriminal ecosystem.
Reader Action Items
- Check if you're affected: 7-Eleven franchise applicants should immediately visit and place fraud alerts. NYC Health + Hospitals patients (1.8 million records) should contact the healthcare system's breach hotline and enroll in offered monitoring services.
- Settings to review: If you use any service that stores biometric authentication data (fingerprint, facial recognition), navigate to that app or platform's security settings and review whether biometric data can be deleted or replaced with a PIN or passkey. Also review whether your accounts use the same password as any affiliated employer or franchise application.
- Rights you can exercise: New York residents affected by the NYCHH breach can file a complaint with the New York State Attorney General under NY SHIELD Act provisions. California residents can submit data deletion requests under CCPA to any data broker that may hold their SSN or driver's license data — start at . NCII victims can file a report with the FTC at under the new TAKE IT DOWN Act authority.
What to Watch Next Week
- SECURE Data Act markup: House Energy and Commerce Committee Republicans are expected to advance the SECURE Data Act toward markup hearings. Watch for Democratic amendments and advocacy group responses — particularly from EFF and consumer groups — on the state preemption provisions, which are highly contentious.
- 7-Eleven breach investigation: Law enforcement and the company are expected to provide further updates on the scope of the ShinyHunters franchise applicant breach. Any ransom negotiation details or attribution evidence will clarify how broadly the group's current campaign extends.
- AI deepfake + NCII enforcement precedents: Following the TAKE IT DOWN Act taking effect, the first FTC enforcement actions under the new authority will set the tone for how aggressively AI-generated intimate imagery is policed — a trend accelerating across state and federal levels.
Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, Privacy Guides, and tech media.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.