Key developments
ShinyHunters breach exposes 5.5 million ADT records
BleepingComputer reported that ADT detected unauthorized access to certain cloud-based environments on April 20, and the ShinyHunters extortion group claimed it got in through a vishing attack that compromised an employee Okta SSO account and reached Salesforce data. Have I Been Pwned estimated the breach exposed 5.5 million people. ADT said the data was limited to names, phone numbers and addresses, with a small subset including dates of birth and the last four digits of Social Security or Tax ID numbers, and said payment data and customer security systems were not affected.
Why it matters
A large consumer-data exposure tied to active extortion raises regulatory, litigation and notification risk for a major home-security provider.
Sources & driving stories
BLEEPINGCOMPUTER · Sergiu Gatlan
BleepingComputer coverage
THE REGISTER · Carly Page
The Register coverage
Mercor faces class actions over breach claims
The Jerusalem Post reported that AI startup Mercor is facing several class-action lawsuits after plaintiffs said an early-April breach exposed recorded job interviews, facial biometric data, screenshots from workers' computers and background-check materials. Lapsus$ claimed it stole 4 terabytes of data, including nearly 1 terabyte of source code and 3 terabytes of video and verification data, and Mercor later confirmed it was targeted while denying wrongdoing. Meta has suspended Mercor contracts while the investigation continues.
Why it matters
The case could shape how AI vendors handle biometric, interview and contractor-monitoring data.
Sources & driving stories
THE JERUSALEM POST
The Jerusalem Post coverage
Massachusetts settles Fidelity breach disclosure case
Wealth Management reported that Massachusetts Secretary of the Commonwealth William Galvin agreed to a $1.25 million settlement with Fidelity over a 2024 breach that ran from Aug. 17 to Aug. 19, 2024. The order says hackers made about 23.7 million image calls and accessed roughly 373,000 unique document images containing Social Security, passport, driver's license, financial, insurance, medical and credit-card data, including information tied to beneficiaries and other non-customers. Fidelity said it terminated access, brought in outside experts and saw no evidence of account or funds access, while agreeing to hire an independent cybersecurity consultant, strengthen controls and notify Massachusetts residents who were not previously informed.
Why it matters
It is a fresh regulatory penalty for delayed or incomplete breach notice tied to sensitive financial and identity data.
Sources & driving stories
WEALTH MANAGEMENT · Patrick Donachie
Wealth Management coverage
Worth noting
WORTH NOTING
Washington agencies start ALPR compliance
Bellingham cut private-camera access and Mount Vernon is retraining deputies as Washington's Driver Privacy Act begins limiting ALPR use, retention and warrantless access to private camera data.
WORTH NOTING
Itron reports internal IT intrusion
Security Affairs reported unauthorized access to part of Itron's internal IT systems, but the company says customer-hosted systems were unaffected and no material impact is expected.
Still unclear
OPEN QUESTION
Will ADT's notice scope expand?
The 5.5 million-person estimate and ADT's limited disclosure leave open the final affected count and whether additional data fields were exposed.
OPEN QUESTION
Will Mercor's lawsuits reshape AI contractor data collection?
The allegations involve biometric data, recorded interviews and device monitoring, so the outcome could influence privacy practices across AI hiring and data-labeling services.
