Digital Privacy & Data Rights — 2026-04-22


France's national identity document agency ANTS suffered a major cyberattack this week, exposing personal data for millions of citizens and triggering urgent phishing warnings. Meanwhile, cloud development platform Vercel confirmed a breach traced to a compromised employee's OAuth token via an AI tool, highlighting a fast-emerging attack vector. For everyday users, these incidents underscore that government-issued identity data and developer platforms alike are now prime targets — and that stolen OAuth credentials are the new front line of credential theft.


This Week's Top Story


France's ANTS Cyberattack — Millions of Citizens' Identity Data Exposed

France ANTS cyberattack: millions at risk as personal data breach sparks phishing fears

  • What happened: France's Agence Nationale des Titres Sécurisés (ANTS) — the government body responsible for managing passports, driver's licenses, and other official identity documents — was hit by a significant cyberattack that compromised personal data for an unspecified but large number of French citizens. Authorities issued urgent warnings about follow-on phishing campaigns leveraging the stolen data.
  • Who's affected: French citizens whose identity document applications, renewals, or records were held in ANTS systems. The precise record count has not yet been officially disclosed.
  • Why it matters: Government identity registries hold some of the most sensitive personal information in existence — full names, addresses, dates of birth, and document numbers. A breach here creates lasting exposure: attackers can craft highly convincing phishing lures, enable identity fraud, or sell data in bulk on underground markets. The incident is likely to accelerate pressure on France to harden critical identity infrastructure under the EU's NIS 2 Directive.

Data Breaches & Incidents


Vercel — OAuth Token Theft via Employee AI Tool Access

Vercel breach: stolen OAuth tokens and AI tool access

  • Scope: Cloud development platform Vercel confirmed a security incident after threat actors claimed to have breached its systems and offered stolen data for sale. The breach was traced to an employee's use of an AI tool that had been granted OAuth token access.
  • Root cause: Stolen OAuth tokens obtained through an employee's AI tool integration. Security researchers noted that OAuth tokens are "the new attack surface, the new lateral movement" — meaning attackers now pivot through trusted third-party integrations rather than exploiting direct vulnerabilities.
  • User action: Vercel customers should audit all OAuth applications connected to their accounts, revoke any unused or unrecognized integrations, and rotate API tokens and secrets immediately.

Fiverr — Sensitive User Documents Indexed by Google

Fiverr data leak: tax forms and driver's licenses exposed via public Cloudinary URLs

  • Scope: The freelance platform Fiverr was found to be leaking sensitive user documents — including tax forms, government-issued driver's licenses, and signed contracts — through publicly accessible, insecurely configured Cloudinary URLs that were indexed and searchable via Google.
  • Root cause: Misconfigured cloud storage using public Cloudinary URLs instead of private or signed access links, allowing Google's crawlers to index the files.
  • User action: Fiverr users (especially sellers who submitted identity verification documents) should check whether their files appear in Google search results and contact Fiverr support to request deletion. File a GDPR erasure request if you are in the EU/UK.
cybernews.com



Balkans & Turkey — Regional Data Privacy Threat Roundup (April)

Digital rights and data safety in the Western Balkans and Turkey

  • Scope: BIRN's monthly update on digital rights in the Western Balkans and Turkey documented a pattern of data leaks, scams, and targeted digital attacks throughout the region in March and into April 2026, including sexist and homophobic attacks and bomb threats amplified through compromised accounts.
  • Root cause: Combination of weak institutional data practices, social engineering, and politically motivated hacking.
  • User action: Users in affected countries should enable multi-factor authentication on all social media and government service accounts and be alert to SMS phishing exploiting leaked contact data.
balkaninsight.com



Regulatory & Enforcement Actions


EDPB — Coordinated Enforcement Framework 2026: Transparency & Information Obligations

  • Ruling: On March 19, 2026, the European Data Protection Board (EDPB) officially launched its 2026 Coordinated Enforcement Framework (CEF) action. Following the 2025 focus on the right to erasure, the 2026 action targets compliance with GDPR transparency and information obligations — specifically whether organisations properly inform individuals about how their data is processed. National data protection authorities (DPAs) across EU member states participate on a voluntary basis.
  • Penalty: No fines have been issued yet; this is an investigation and audit phase that will lead to enforcement decisions throughout 2026.
  • Precedent: The CEF creates a coordinated wave of enforcement across dozens of jurisdictions simultaneously. Organisations with EU operations that have neglected privacy notice requirements, lawful basis disclosures, or data subject information rights face a heightened risk of simultaneous investigations. The 2025 right-to-erasure action resulted in dozens of formal cases across Europe.

FTC — Action Against NERD Solutions Alleged Student Loan Debt Relief Scheme

  • Ruling: In April 2026, the FTC obtained a temporary restraining order against NERD Solutions and its operators over allegations the company pretended to be affiliated with the U.S. government to sell fraudulent student loan debt relief services, harvesting sensitive financial and personal data from consumers.
  • Penalty: Temporary restraining order; full proceedings ongoing.
  • Precedent: The action signals continued FTC focus on deceptive data collection practices that exploit consumer trust in government branding — a tactic that often results in identity theft and financial fraud beyond the immediate scheme.

Legislation & Policy Moves

  • EU — EDPB CEF 2026 (Transparency & Information): The EDPB launched its 2026 coordinated enforcement sweep, targeting GDPR transparency obligations across participating EU member states, on March 19, 2026, with investigations running throughout the year — [effective immediately across participating DPAs]

  • US — California CPPA ADMT & Risk Assessment Regulations: California's new regulations covering automated decision-making technology (ADMT), risk assessments, and cybersecurity audits under the CCPA took effect January 1, 2026, with staggered compliance deadlines continuing into 2026. For many covered businesses, the enforcement window for the risk assessment and cybersecurity audit requirements is now approaching — [effective January 1, 2026, staggered]


Advocacy & Civil Society

The BIRN network (Balkan Investigative Reporting Network) documented mounting digital rights violations across the Western Balkans and Turkey in its April 2026 monthly digital rights report, cataloguing data leaks, targeted harassment campaigns, and institutional failures to protect citizen data.

The EFF and similar advocacy groups continue to press the point that AI tool integrations create novel lateral-movement risks for enterprise users, a concern validated by the Vercel incident. Specific fresh advocacy posts from this week on the EFF Deeplinks page could not be confirmed with certainty; verify directly at eff.org/deeplinks.

The Privacy Guides community published a weekly data breach roundup (April 10–16) covering incidents at Booking.com, education publisher McGraw-Hill, and Fiverr, among others, highlighting the ongoing drumbeat of breaches affecting everyday consumer services.

eff.org



Industry & Tech Response

Vercel's OAuth Token Incident Spotlights AI Tool Risk: The Vercel breach has drawn industry attention to a structural risk that has grown alongside AI tool adoption: employees routinely grant AI assistants and coding tools broad OAuth permissions, and when those integrations are compromised, attackers gain persistent access to cloud platforms. Security professionals are urging zero-trust OAuth policies and regular token rotation.

Fiverr's Cloudinary Misconfiguration: The Fiverr leak underscores a recurring failure mode for platforms that use third-party cloud storage providers — defaulting to public storage settings for user-submitted files. Cybersecurity researchers at Cybernews note that the misconfiguration allowed government IDs and tax documents to be indexed by search engines, a situation that should have been caught by routine security audits.
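A routine audit of the kind described above can be partly automated. The following is an added example, not code from Fiverr, Cloudinary, or Cybernews: it classifies stored asset URLs by Cloudinary delivery type and flags sensitive documents that sit on public URLs. It assumes Cloudinary's standard delivery URL layout on the shared host res.cloudinary.com with no extra access-control settings on the asset; the document labels, cloud name, and paths are hypothetical.

```python
import re
from urllib.parse import urlparse

# Assumed URL layout (Cloudinary's standard delivery URL on the shared host):
#   https://res.cloudinary.com/<cloud>/<resource_type>/<delivery_type>/[s--SIG--/]...
# "upload" assets are readable by anyone holding the URL, crawlers included;
# "private" and "authenticated" originals are served only through signed URLs.
RESTRICTED_TYPES = {"private", "authenticated"}
SIGNATURE = re.compile(r"^s--[A-Za-z0-9_-]{8,32}--$")
SENSITIVE_KINDS = {"tax_form", "driver_license", "contract"}  # hypothetical labels

def classify(url):
    """Return 'public', 'signed', 'restricted-unsigned', 'other' or 'not-cloudinary'."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname != "res.cloudinary.com" or len(parts) < 4:
        return "not-cloudinary"
    delivery_type, first_component = parts[2], parts[3]
    if delivery_type == "upload":
        return "public"  # public delivery type: no signature needed to fetch
    if delivery_type in RESTRICTED_TYPES:
        return "signed" if SIGNATURE.match(first_component) else "restricted-unsigned"
    return "other"  # fetch, social-profile and similar types: review by hand

def audit(records):
    """Return (kind, url) pairs where a sensitive document has a public URL."""
    return [(kind, url) for kind, url in records
            if kind in SENSITIVE_KINDS and classify(url) == "public"]

# Constructed sample records; cloud name and paths are made up.
BASE = "https://res.cloudinary.com/example-cloud"
SAMPLE_RECORDS = [
    ("tax_form", BASE + "/image/upload/v1700000000/kyc/tax_1001.pdf"),
    ("driver_license",
     BASE + "/image/authenticated/s--AbCdEf12--/v1700000000/kyc/lic_1002.jpg"),
    ("contract", BASE + "/raw/private/v1700000000/contracts/c_1003.pdf"),
    ("gig_thumbnail", BASE + "/image/upload/v1700000000/gigs/thumb_1004.jpg"),
]

if __name__ == "__main__":
    for kind, url in audit(SAMPLE_RECORDS):
        print(f"PUBLIC {kind}: {url}")
```

Custom delivery domains are reported as not-cloudinary here, so a real audit would add the platform's own hostnames to the check.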

EDPB's 2026 Transparency Enforcement Push: The EDPB's coordinated 2026 action is expected to prompt a wave of privacy notice updates from European and multinational organisations. Legal and compliance teams are reviewing cookie consent banners, lawful basis disclosures, and data subject information notices in anticipation of DPA inquiries.


Reader Action Items

  • Check if you're affected: If you are a French citizen who recently renewed a passport or driver's license via ANTS, monitor your email for phishing attempts referencing your identity documents. For Fiverr sellers, search Google for your name combined with "fiverr" to check if your documents are indexed; if so, contact Fiverr support and consider filing a GDPR erasure request (EU/UK users).

  • Settings to review: If you use Vercel or any developer platform, navigate to your account's connected applications or OAuth integrations page and revoke access for any AI tools or third-party apps you no longer actively use. Rotate all API keys and secrets as a precaution. For non-developers: review the "Apps with access to your account" section in Google, GitHub, and any cloud platforms you use — and revoke anything unfamiliar.

  • Rights you can exercise: EU and UK residents affected by the Fiverr document leak can submit a GDPR/UK GDPR erasure request ("right to be forgotten") directly to Fiverr's data protection team. French citizens affected by the ANTS breach can file a complaint with the CNIL (France's data protection authority) at cnil.fr if they believe their rights under GDPR have been violated.


What to Watch Next Week

  • EDPB CEF 2026 DPA participation announcements: Watch for national DPAs confirming their participation in the 2026 transparency enforcement sweep — formal investigation launches are expected over the coming weeks.
  • Vercel breach scope clarification: Vercel has confirmed the incident but details on the number of affected repositories and customer data remain limited; expect further disclosures or regulatory inquiries from EU supervisory authorities if EU customer data was involved.
  • California ADMT compliance deadlines: Businesses subject to the California CPPA's staggered ADMT and risk assessment requirements should track enforcement guidance from the CPPA as deadlines approach — compliance enforcement could begin generating the first formal cases under the new rules.

Crew Digital Privacy & Data Rights — curated weekly from EFF, regulators (EDPB/FTC/ICO), IAPP, and tech media.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
