Digital Privacy & Data Rights — 2026-04-29
ShinyHunters, the prolific extortion group, struck again this week — breaching home security giant ADT and exposing personal data on 5.5 million customers, while also leaking records tied to Udemy, Zara, and 7-Eleven in a separate Salesforce-linked incident. On the legislative front, U.S. House Republicans introduced the SECURE Data Act on April 22, a sweeping federal privacy bill aimed at preempting the patchwork of state privacy laws. These developments underscore an accelerating threat environment where both consumer data and legislative momentum are moving at once.
This Week's Top Story
ADT Data Breach: ShinyHunters Exposes 5.5 Million Home Security Customers

- What happened: The ShinyHunters extortion group breached home security company ADT, stealing personal information belonging to approximately 5.5 million individuals. The breach was confirmed after ShinyHunters began leaking stolen data online. According to breach-notification service Have I Been Pwned and reporting from Tom's Guide, hackers claim to have exfiltrated over 10 million records total, containing personally identifiable information and corporate data.
- Who's affected: ADT customers in the United States — primarily homeowners and small businesses relying on ADT for physical security monitoring. ADT is one of the largest home security providers in North America.
- Why it matters: A breach of a home security provider is particularly alarming: attackers who obtain customer addresses, contact details, and account data could cross-reference this information to facilitate physical crimes or highly targeted phishing attacks. ShinyHunters' continued activity signals that no sector is safe from well-resourced extortion groups.
Data Breaches & Incidents
ShinyHunters — Salesforce-Linked Multi-Brand Data Leak (Udemy, Zara, 7-Eleven)

- Scope: ShinyHunters has published data allegedly linked to online learning platform Udemy, fashion retailer Zara, and convenience chain 7-Eleven. The threat actor claims the records were extracted from Salesforce-connected cloud systems.
- Root cause: The breach is attributed to compromised cloud infrastructure and what appears to be a Salesforce-linked supply chain or credential attack vector, though full technical details have not been confirmed.
- User action: Users with accounts on Udemy, Zara's e-commerce platform, or 7-Eleven loyalty programs should immediately change passwords, monitor for phishing emails referencing their accounts, and enable multi-factor authentication where available.
Amtrak — Data Breach Exposes Millions of Customer Records

- Scope: Amtrak, the U.S. national passenger rail service, has disclosed a data breach potentially affecting millions of customer records. The exposed data may include names, contact information, and travel history tied to Amtrak loyalty accounts.
- Root cause: Details on the attack vector remain limited at the time of publication; the breach was surfaced within the past 24 hours.
- User action: Amtrak Guest Rewards members should log in and review account activity, reset passwords, and be alert for phishing attempts referencing Amtrak travel history.
Context.ai / Vercel — OAuth Token Compromise Enables Employee Data Access
- Scope: Vercel, a major frontend cloud platform, disclosed a security incident this week tied to a compromise at third-party AI analytics provider Context.ai. Stolen OAuth tokens reportedly enabled unauthorized access to internal Vercel systems.
- Root cause: The incident originated at Context.ai, where OAuth tokens were stolen and subsequently used to gain access to Vercel employee-accessible data — illustrating a third-party/supply chain risk pattern.
- User action: Vercel users and developers who integrated Context.ai into their workflows should audit connected OAuth applications, revoke unused tokens, and review access logs for anomalous activity.
Regulatory & Enforcement Actions
FTC vs. Match Group / OkCupid — Deceptive Data Sharing with Third Parties
- Ruling: The FTC took action against Match Group (parent of OkCupid and Match.com) for deceiving users about the sharing of personal data — including sensitive relationship and sexual orientation data — with third parties. The March 30 action, listed as the latest enforcement update on the FTC's privacy enforcement page, confirms the agency is continuing to target data broker and people-finding ecosystems downstream from consumer platforms.
- Penalty: Fine amount and remediation terms were not fully disclosed in available public documentation at press time; the FTC press release is available at the FTC's enforcement tracker.
- Precedent: This action signals that the FTC under the current administration is willing to pursue dating and matchmaking platforms that collect particularly sensitive categories of data — including data on sexual orientation and relationships — under existing deceptive practices authority, even absent a comprehensive federal privacy law.
EDPB — 2026 Coordinated Enforcement Framework: AI Transparency and Information Rights
- Ruling: The European Data Protection Board (EDPB) launched its 2026 Coordinated Enforcement Framework (CEF) action, targeting how organizations inform users about their data rights and AI-based processing. Participating Data Protection Authorities (DPAs) across EU member states joined the initiative voluntarily and will conduct coordinated investigations throughout 2026.
- Penalty: This is an investigation and coordination phase — specific fines will be determined by individual national DPAs following their investigations.
- Precedent: The CEF action sets the stage for a wave of enforcement decisions in H2 2026 focused specifically on AI transparency obligations under GDPR. Organizations deploying AI that processes personal data should review their privacy notices and user-facing disclosures now.
Legislation & Policy Moves
- United States — SECURE Data Act: House Committee on Energy and Commerce Republicans introduced a draft comprehensive federal consumer privacy bill on April 22, 2026, intended to establish a uniform national standard and preempt the existing patchwork of state privacy laws; the draft covers data minimization, consumer rights, and data broker registration. Status: introduced; no effective date yet, as it remains a discussion draft.
- United States — FTC COPPA Age Verification Policy Statement: The FTC issued a policy statement in February 2026 announcing it will not bring enforcement actions against operators that collect personal information solely to determine user age through age verification technologies, intended to incentivize deployment of such tools to protect children online. Status: signed/effective, February 25, 2026.
Advocacy & Civil Society
No verified fresh advocacy reports (EFF, NOYB, Privacy International, ACCESS NOW) with publication dates confirmed after April 22, 2026 were available in this week's research results. Check eff.org/deeplinks directly for the latest campaign updates.
Industry & Tech Response
- Vercel disclosed a supply-chain OAuth token theft this week via third-party AI analytics provider Context.ai, becoming one of the first major developer-infrastructure platforms to publicly acknowledge AI-tooling vendor risk as a breach vector — a pattern likely to prompt the industry to tighten OAuth scopes for analytics integrations.
- CyberGhost VPN published fresh guidance this week on detecting and responding to data leaks on iPhone — covering how compromised passwords surface through iOS notifications, steps to check via HaveIBeenPwned, and hardening recommendations for iCloud Keychain users.
- ShinyHunters continued to operate as a major threat actor affecting consumer-facing platforms (ADT, Udemy, Zara, 7-Eleven), reinforcing industry conversations about hardening OAuth and cloud-credential management rather than relying on perimeter defenses alone. The group's apparent pivot to Salesforce ecosystem targets is particularly notable for enterprise security teams.
Reader Action Items
- Check if you're affected: If you are an ADT customer, an Amtrak Guest Rewards member, or have accounts with Udemy, Zara, or 7-Eleven loyalty programs, check haveibeenpwned.com with your email address immediately. ADT customers should also monitor account activity for unauthorized address or contact-information changes.
- Settings to review: Audit third-party OAuth app connections in your developer or productivity accounts (GitHub, Vercel, Slack). Remove any integrations with AI analytics vendors you no longer actively use. On your phone, go to Settings → Password & Security (iOS) or Google Account → Security → Third-party apps (Android) to review connected apps.
- Rights you can exercise: EU residents affected by any of this week's breaches can file a GDPR data subject access request (DSAR) with the relevant company to determine exactly what data was held. U.S. residents in California, Virginia, Texas, and other states with active privacy laws can file opt-out-of-sale and deletion requests directly — see the IAPP's state privacy law tracker for your state's specific rights.
What to Watch Next Week
- SECURE Data Act committee hearings: The draft federal privacy bill introduced April 22 will likely face its first committee scrutiny in early May — watch for markup sessions in the House Energy and Commerce Committee and reactions from state AGs who stand to lose preempted authority.
- EDPB coordinated enforcement action rollout: National DPAs are expected to announce their participation schedules and initial inquiry targets under the 2026 CEF on AI transparency — the first formal notices to organizations could arrive as soon as May.
- ShinyHunters attribution and law enforcement response: With ADT, Udemy, Zara, and 7-Eleven all confirmed or claimed in the same week, watch for any U.S. DOJ or Europol response; the group previously faced partial takedowns and may be under active investigation.
Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.