Key developments
Million-plus hotel IDs exposed in cloud bucket
Japan-based startup Reqrea exposed more than one million identity documents after leaving an Amazon cloud storage bucket publicly accessible for its Tabiq hotel check-in platform. The files included passports, driving licences and facial verification selfies from guests using the system at several hotels in Japan. Independent researcher Anurag Sen reported the issue and the data was later secured, but the public exposure window remains unknown.
Why it matters
The incident put passport and biometric check-in data at immediate risk of identity theft and fraud.
Sources & driving stories
NDTV
NDTV coverage
Chicago voice lawsuits target tech firms
Nine class-action lawsuits filed in Chicago federal court accuse Google, Amazon, Apple, Microsoft, Meta, Adobe, Samsung, NVIDIA and ElevenLabs of using journalists', podcasters' and voice actors' recordings without permission to train AI systems. The complaints say the companies ingested voices to build foundational voice models without written consent and failed to provide the notice required under Illinois' Biometric Information Privacy Act. Plaintiffs argue voiceprints are permanent biometric identifiers similar to fingerprints.
Why it matters
The cases could force courts to decide whether voice data used for AI training is protected biometric information under Illinois law.
Sources & driving stories
CAPITOL NEWS ILLINOIS · Hannah Meisel
Capitol News Illinois coverage
California Supreme Court lowers CMIA breach bar
In J.M. v. Illuminate Education, Inc., the California Supreme Court held on May 14 that plaintiffs suing under the state's Confidentiality of Medical Information Act do not need to allege actual viewing by unauthorized parties if they can plead a significant risk of unauthorized access. The court also narrowed the statute's reach by finding an education technology platform was not a provider of health care and by limiting claims where the school district, not the student, obtained the services. Law360 reported the decision as one that may let more breach suits survive early dismissal.
Why it matters
The ruling makes some California medical-data breach claims easier to file while preserving defenses for companies outside the statute's core health-care scope.
Sources & driving stories
LAW360 · Allison Grande
Law360 coverage
NIXON PEABODY
Nixon Peabody coverage
Worth noting
WORTH NOTING
US Tiger Securities breach disclosed
The notice says names, Social Security numbers, driver’s license numbers, government IDs, medical information and health insurance data may have been taken, and lawyers are already assessing class-action claims.
WORTH NOTING
Fidelity settles 2024 breach
The $2.5 million settlement covers allegations that a 2024 breach exposed more than 77,000 customers' names, Social Security numbers, financial account details and driver’s license information.
Still unclear
OPEN QUESTION
Will voiceprints qualify as biometrics under BIPA?
That question will largely determine whether the Chicago AI-training lawsuits can survive and how expensive voice-model training becomes for major platforms.
OPEN QUESTION
How far will CMIA's risk standard reach?
The California ruling may expand breach litigation, but the statute's narrowed provider definition leaves open which organizations can still be sued.
