Weekly Privacy Roundup: Cross-Border Transfer Risks, AI-Driven Attacks, and Major Corporate Breaches
Stay compliant with our weekly digest of global privacy news, from EU-US transfer threats to autonomous AI cyberattacks and major data breaches.
Welcome to the PrivaScan weekly privacy roundup. This week, we track significant developments in international data transfers, a wave of massive corporate data breaches, emerging artificial intelligence threat vectors, and the rising legal liabilities associated with third-party vendor vulnerabilities. Keeping your website and data infrastructure compliant requires a proactive approach to monitoring where and how user data flows.
Regulatory Developments and Cross-Border Transfer Hurdles
- EU-US Data Transfer Agreement Threatened: A recent Supreme Court decision has cast uncertainty over the stability of the EU-US data transfer agreement. For businesses relying on transatlantic data flows, keeping a close eye on compliance is critical. Utilizing tools like PrivaScan's cross-border detection can help organizations map where their user data is being routed.
- GDPR Public Enforcement Trends: Current developments in the public enforcement of the GDPR highlight ongoing regulatory scrutiny across Europe, emphasizing the necessity of robust data protection frameworks.
- UK Policy Delays and Security Concerns: The launch of the UK's National Cyber Action Plan has been delayed due to the Labour leadership crisis. Meanwhile, critics warn that a new security bill could risk terrorism prosecutions for UK journalists and NGOs, signaling a tense environment for information security and press freedom.
Massive Corporate Data Breaches
- Novo Nordisk Ransomware Claim: Pharmaceutical giant Novo Nordisk has reportedly been targeted in a breach, with attackers claiming a $25 million ransom and the theft of 1.3TB of data.
- Medtronic and Aflac Impact Millions: Medical technology firm Medtronic reported a data breach impacting 3.8 million people, while insurance giant Aflac disclosed a breach affecting millions of individuals.
- Shun Hing Group Attack: In Hong Kong, the Shun Hing Group suffered a cyberattack affecting 920,000 customers, resulting in the encryption of 1.05 million files.
- St. Paul Notifications: Following a cyberattack in July 2025, the city of St. Paul has begun notifying 12,484 residents and employees of potential data exposure.
Legal Consequences and Vendor Risks
- UWM Facing Vendor Breach Lawsuit: United Wholesale Mortgage (UWM) is facing legal action following a data breach tied to a third-party vendor. This underscores the importance of maintaining an up-to-date GDPR Article 30 data inventory to understand third-party exposures.
- Serviceaide Settles Litigation: Serviceaide has agreed to pay $1.8 million to resolve litigation stemming from a past data breach.
- Texas Hearing Institute Legal Risks: Following a reported data breach at the Texas Hearing Institute, class-action litigation is currently anticipated.
The Evolving Threat Landscape: Autonomous AI and Cloud Exploits
- First Autonomous AI Cyberattack: In a landmark security event, an artificial intelligence agent has carried out a cyberattack without any human oversight for the first time.
- AdaptHealth Cloud Breach: Attackers successfully utilized social engineering tactics to infiltrate AdaptHealth's cloud systems, resulting in the theft of sensitive patient data.
- New Gmail Compromise Toolkit: Security experts at Kaspersky Lab have discovered a new attack vector and toolkit designed specifically to compromise corporate Gmail accounts.
- US Lifts AI Export Controls: The US government has lifted export controls on Anthropic's frontier cybersecurity AI models, reflecting the dual-use nature of defensive and offensive AI technologies.
Surveillance, Free Speech, and Cyber Enforcement
- Spyware Found on EP Member's Phone: A European Parliament member actively investigating spyware usage discovered that their own phone had been compromised by spyware.
- Global Schools Holdings Legal Maneuvers: Global Schools Holdings has cited two injunctions in an attempt to restrict reporting on its security posture, drawing criticism from journalists.
- Scattered Spider Extradition: A teenage suspect linked to the high-profile Scattered Spider hacking group has been extradited to the United States to face charges.
What this means for you
The legal and financial risks of data management continue to escalate, especially concerning third-party vendor integrations and cross-border transfers. To protect your organization, ensure you have complete visibility over all active scripts on your website. Implementing pre-consent tracker scanning and maintaining a comprehensive data inventory are practical steps to help mitigate these risks.
Disclaimer: This roundup is provided for informational purposes only and does not constitute legal advice. For specific compliance guidance, please consult a qualified legal professional.
Sources
- AdaptHealth says attackers sweet-talked their way into cloud systems and stole patient data — DataBreaches.net
- Novo Nordisk Breach: $25M Ransom, 1.3TB Claimed [2026] - tech-insider.org — tech-insider.org
- An AI just carried out a cyber attack without any human oversight for the first time — DataBreaches.net
- HK: Shun Hing Group data breach affects 920,000 customers, 1.05m files encrypted in cyber attack — DataBreaches.net
- Medtronic Data Breach Impacts 3.8 Million People - SecurityWeek — SecurityWeek
- Spyware found on phone of European Parliament member probing it — The Record
- Current Developments in Public Enforcement of the GDPR - orrick.com — orrick.com
- Launch of UK's National Cyber Action Plan delayed amid Labour leadership crisis — The Record
- St. Paul data breach: 12,484 residents, employees notified after July 2025 cyberattack - FOX 9 Minneapolis-St. Paul — FOX 9 Minneapolis-St. Paul
- Global Schools Holdings Cites Two Injunctions in a Bid to Chill Our Reporting. It Won’t Work. — DataBreaches.net