Notable events —data breaches
The EU AI Act's obligations for General-Purpose AI model providers become fully applicable, with GPAI providers required to maintain technical documentation, comply with EU copyright law, publish summaries of training data, and implement systemic-risk mitigation measures for the most capable models. The EU AI Office begins formal oversight of GPAI compliance across all member states.
Microsoft's Digital Crimes Unit and the US Department of Justice, in coordination with Europol and international law enforcement, seized infrastructure supporting the Lumma Stealer malware-as-a-service operation. Lumma had infected hundreds of thousands of devices globally to steal credentials, cryptocurrency wallets, and sensitive files. The operation dismantled over 2,300 malicious domains used by the threat actor.
The Trump White House releases an updated National AI Strategy emphasising US AI dominance, removing regulatory barriers to AI deployment, and prioritising AI applications for economic competitiveness and national security. The strategy includes a National AI Infrastructure Initiative to build sovereign US AI compute capacity and directs agencies to accelerate AI procurement.
ThreeAM ransomware listed Wyoming County, New York — a county government providing job opportunities, economic development, and community services in western New York State — on its extortion site in May 2026. ThreeAM is a known ransomware operation associated with former Conti/Ryuk infrastructure, targeting primarily US government and business entities.
Interlock ransomware listed Winona County, Minnesota — located in the Mississippi River blufflands of south-eastern Minnesota — on its leak site in May 2026, claiming to have exfiltrated confidential data held by the county. Interlock has maintained consistent targeting of US county and municipal governments throughout 2025–2026. The listing appeared on 1 May 2026.
With the EU AI Act's high-risk AI system obligations set to apply from 2 August 2026, the EU AI Office and national market surveillance authorities intensified compliance readiness activities in April 2026. Providers of high-risk AI systems in areas including employment screening, credit scoring, biometric identification, and critical infrastructure management began conformity assessment procedures.
NIST released version 3.0 of the Cybersecurity Framework (CSF), significantly expanding the Govern function, incorporating AI and supply chain security considerations, and adding new implementation tiers reflecting the increasing maturity of organisational cybersecurity practices. The updated framework included sector-specific profiles for healthcare, financial services, and critical manufacturing.
The EU AI Office releases preparatory guidance for AI systems used in employment contexts (recruitment, performance monitoring, task allocation), which will be regulated as high-risk systems from August 2026. Guidance covers worker information rights, algorithmic management transparency, and workers' representative consultation requirements. Several trade unions file formal complaints regarding existing AI-enabled workforce monitoring systems.
Bayou Title, Inc., the largest title insurance agent and closing/settlement services provider in Louisiana with 19 full-service locations statewide, was claimed by the Aurora ransomware group.
The UK government introduces the AI Regulation Bill to Parliament, establishing a statutory framework for AI oversight that empowers existing sector regulators (FCA, ICO, CMA, MHRA) to apply AI-specific requirements within their domains. The bill establishes a cross-sectoral AI Authority with coordinating and standards-setting powers.
Spain's Agencia Española de Protección de Datos fined Meta €2.5 million for sharing WhatsApp user data with Facebook for advertising personalisation without adequately informing Spanish users or obtaining valid consent.
The European Parliament voted down a proposal from several member states to create an exemption allowing broader use of real-time AI facial recognition by law enforcement in counterterrorism operations, beyond the narrow exceptions permitted under the EU AI Act.
Payload ransomware listed the Rural Municipality of Gimli, Manitoba, Canada — a local government district on the western shore of Lake Winnipeg known for its Icelandic heritage and recreational tourism — on its extortion site in April 2026. The municipality administers residential and lakefront communities and holds resident and administrative data.
A series of AI-generated deepfake videos targeting candidates in the 2026 US midterm elections prompt the FEC to issue emergency guidance and Congressional hearings on AI in political advertising. Multiple states introduce or accelerate legislation requiring disclosure of AI-generated political content.
The NSA and CISA issued a classified advisory (later declassified in summary form) revealing that Volt Typhoon had maintained persistent access to US military-adjacent telecommunications and logistics infrastructure in Guam. The disclosure intensified congressional debate over the security of US military assets in the Indo-Pacific region and accelerated defensive cyber operations targeting Volt Typhoon infrastructure.
Ireland's Data Protection Commission fined Google €350 million for GDPR violations in its real-time bidding (RTB) online advertising system, finding that Google's Authorised Buyers programme broadcast detailed personal profiles of EU internet users to hundreds of advertising partners without adequate safeguards or data processing agreements.
Baidu releases ERNIE 5.0, its latest flagship large language model with enhanced multimodal capabilities in Chinese and English. The model shows improved performance on Chinese-language benchmarks and is integrated into Baidu's search engine, enterprise platform, and autonomous driving stack. Baidu positions ERNIE 5.0 as competitive with international frontier models for Chinese enterprise customers.
Ireland's Data Protection Commission fined eBay €30 million for failing to provide adequate privacy information to users regarding data processing activities and for unlawful retention of user data beyond stated retention periods. The fine followed a complaint-based investigation and required eBay to undertake compliance measures within six months.
Ireland's Data Protection Commission fined eBay €27 million for GDPR violations related to its behavioural profiling of users for targeted advertising without adequate legal bases, and for providing insufficient transparency about how eBay profiles users across its marketplace and advertising ecosystem.
Commonwealth Fusion Systems announced successful operation of its SPARC high-temperature superconducting magnet technology at full design parameters in a prototype configuration, a key milestone toward its planned SPARC fusion reactor.
Security researchers identified a large-scale Magecart digital skimming campaign targeting e-commerce websites running WooCommerce and Magento platforms. The skimmer used advanced obfuscation and injected into third-party payment widgets to avoid detection. Hundreds of online retailers were compromised, with payment card data for over 200,000 customers exfiltrated to attacker-controlled servers.
Frost Bank, a major Texas-based financial institution and subsidiary of Cullen/Frost Bankers, Inc. founded in 1868 and headquartered in San Antonio, was listed by the Everest ransomware group. Frost Bank operates across major Texas cities offering personal and commercial banking, wealth management, insurance, and investment services to a large customer base.
Citizens Bank, a major American retail and commercial bank headquartered in Providence, Rhode Island, was listed by the Everest ransomware group. Citizens Financial Group is one of the largest bank holding companies in the United States, serving millions of personal and business banking customers. The Everest group threatened publication of corporate and customer financial data.
European election monitoring bodies documented a significant surge in AI-generated disinformation content including synthetic candidate videos, fabricated audio clips, and coordinated inauthentic social media campaigns ahead of multiple national elections in 2026.
The EU AI Office imposed the first fine under the EU Artificial Intelligence Act, fining a large GPAI model provider approximately €10 million for failing to publish required technical documentation and capability evaluation results within the deadlines set under the GPAI transparency obligations that entered force in August 2025.
The G7, meeting under Canada's 2026 presidency, issues a joint communique on AI governance endorsing the Hiroshima AI Process principles and committing member states to mutual recognition of AI safety evaluation results.
Multiple Pakistani government websites were defaced and temporarily taken offline following an escalation of India-Pakistan regional tensions. Indian hacktivist groups claimed responsibility for the disruptions, while Pakistani state-linked threat actors reportedly conducted retaliatory intrusion attempts against Indian government and financial sector targets. Both governments denied state involvement in the attacks.
The European Parliament formally adopts the AI Liability Directive, which harmonises national tort law rules for AI-related damage claims across the EU. The directive introduces a rebuttable presumption of causality for high-risk AI systems and requires that providers disclose evidence about AI systems involved in harm claims.
The Securities and Exchange Commission charged four publicly traded companies for failing to timely disclose material cybersecurity incidents under the SEC's 2023 cybersecurity disclosure rules. The companies failed to report significant breaches within the required four-business-day window and provided misleading characterisations of incident severity. Fines totalling $18 million were assessed.
Apple previewed the iPhone 17 lineup at a spring event, highlighting significant improvements to Apple Intelligence including a fully redesigned Siri with multi-app reasoning, personalised on-device AI models, and enhanced Private Cloud Compute capabilities. The devices featured Apple's A19 chip with substantially increased Neural Engine performance.
