Key developments
Eurail breach data offered for sale
Eurail said data stolen in a Dec. 26, 2025 incident is now being offered for sale on the dark web, with a sample posted on Telegram. The exposed records affect 308,777 people and include passport numbers, passport expiry dates, full names, home addresses, email addresses, phone numbers, and dates of birth; DiscoverEU users also had passport photocopies, bank account details, and some health data exposed. A hacker claimed roughly 1.3 terabytes was stolen from AWS S3, Zendesk, and GitLab systems, and Eurail began notifying affected people on March 27.
Why it matters
The breach combines passport, banking, and health data, creating broad identity-theft and fraud risk for a large set of travelers.
Sources & driving stories
RECLAIM THE NET · Ken Macon
Reclaim The Net coverageDisneyland rolls out facial recognition at entrances
Disneyland Resort has started using facial recognition at park entrances. The system captures a guest face image and compares it with the image tied to the ticket or pass, then converts both images into numerical values that are deleted within 30 days unless retention is needed for legal or fraud-prevention purposes. Guests can opt out by using traditional manual-validation lanes along the Esplanade.
Why it matters
It is a large-scale consumer biometric deployment, making retention rules and the practical meaning of opt-out central privacy issues.
Sources & driving stories
THE HILL
The Hill coverageTWU Local 100 discloses worker data breach
TWU Local 100 disclosed a breach to Massachusetts regulators on April 24, saying unauthorized access to its systems may have run from Jan. 29 to Feb. 3, 2026. The union said it later determined files containing names, dates of birth, Social Security numbers, and health insurance subscriber identification numbers were accessible, affecting about 44,000 New York City transit workers. A Qilin ransomware claim had already appeared on the dark web on Feb. 23.
Why it matters
The disclosure puts sensitive worker and health information at risk of identity theft, medical fraud, and follow-on phishing.
Sources & driving stories
CLAIM DEPOT
Claim Depot coverageWorth noting
WORTH NOTING
Breached forum user dump offered
If genuine, the alleged 3.3 GB database and source code sale could expose forum members through emails, password hashes, session tokens, and IP data.
WORTH NOTING
Chatrie geofence case heads upward
The pending Supreme Court review could set the constitutional boundary for geofence warrants and broader location-data collection.
Still unclear
OPEN QUESTION
Will courts treat geofencing as a search?
The answer could determine whether police need warrants and probable cause before collecting location data from everyone near a scene.
OPEN QUESTION
Can Disneyland's biometric deletion be verified?
The privacy impact depends on whether the 30-day deletion rule and opt-out lanes work as described in practice.