As we dive into Data Privacy Week 2026 (January 26–30), it’s worth looking back at the year we left behind. 2025 was a wake-up call, with a steady stream of data breaches exposing just how fragile digital trust can be and how often privacy is treated as an afterthought.
This year’s theme, “Prioritize Privacy by Design,” is a timely reminder that many of last year’s breaches were not caused by sophisticated attacks, but by broader gaps in security and privacy practices.
Here is a look at some of the most notable data breaches from 2025, showing how attackers exploited weaknesses and the lessons these incidents offer for shaping privacy and security priorities in 2026.
January: ICAO – International Aviation Organization
The International Civil Aviation Organization (ICAO) disclosed an information security incident linked to a threat actor targeting international organizations. The breach affected 11,929 individuals and involved unauthorized access to recruitment application data. The compromised information included names, email addresses, dates of birth, and employment history. ICAO confirmed the incident was limited to its recruitment database and did not impact aviation safety or security systems.
February: PowerSchool – Education Technology
In February, PowerSchool, a widely used student information system, disclosed a massive data breach affecting tens of millions of students. Exposed records included names, academic data, Social Security numbers, and medical information. The scale of the incident highlighted the risks associated with centralized education platforms that serve thousands of institutions globally.
March: Yale New Haven Health System (YNHHS) – Healthcare
Yale New Haven Health System (YNHHS) identified unauthorized access to its network following unusual system activity. The incident involved the copying of certain patient data, including demographic information, Social Security numbers, and medical record identifiers, though its electronic medical record system was not accessed. Patient care was not disrupted, and the organization notified affected individuals, offered credit monitoring services, and engaged law enforcement, highlighting ongoing cybersecurity challenges within the healthcare sector.
April: MTN Group – Telecommunications
MTN Group reported a cybersecurity incident involving unauthorized access to personal information of some customers in select markets. Core network, billing, and financial systems were unaffected, and there was no evidence of direct compromise of customer accounts or wallets. MTN activated its cybersecurity response, notified law enforcement and relevant authorities, and began notifying affected customers, underscoring the importance of vigilance and strong security practices in the telecom sector.
May: Coinbase – Cryptocurrency and Financial Services
Coinbase, one of the world’s largest cryptocurrency platforms, confirmed a data breach involving unauthorized access by overseas customer support contractors. While no crypto assets were stolen, sensitive customer information, including identity data, was compromised. The breach highlighted insider risk and the challenges of managing access in global fintech operations.
June: Zoomcar – Mobility and Transportation
Zoomcar Holdings disclosed a cybersecurity incident involving unauthorized access to its information systems. The breach affected a subset of approximately 8.4 million users, exposing names, phone numbers, car registration numbers, addresses, and email addresses. Financial information and passwords were not compromised. The company activated its incident response plan, engaged cybersecurity experts, enhanced security measures, and notified authorities, highlighting ongoing privacy risks in the mobility sector.
July: City of Saint Paul – Government and Public Services
The City of Saint Paul experienced a significant cyberattack that exceeded local response capacity. The Minnesota National Guard was deployed to assist with cybersecurity efforts, working alongside city, state, and federal officials to restore systems and protect vital services. The incident highlighted the growing cybersecurity challenges faced by municipal governments and the importance of rapid, coordinated response capabilities.
August: Inotiv – Scientific and Pharmaceutical Services
Inotiv disclosed a cybersecurity incident in which a threat actor gained unauthorized access to and encrypted portions of its systems. The attack disrupted access to internal data storage and business applications, temporarily impacting operations. The company initiated incident response measures, engaged external cybersecurity experts, notified law enforcement, and activated business continuity plans while recovery efforts continued. The full scope and impact of the incident remained under investigation.
September: Volvo Group – Automotive and Manufacturing
Volvo Group reported that a ransomware attack on its HR software supplier, Miljödata, may have exposed personal information, including names and Social Security numbers, of certain employees. Volvo’s systems were not compromised. The supplier promptly investigated the incident, implemented enhanced security measures, and Volvo offered affected individuals 18 months of credit monitoring and identity protection services. The incident highlighted the risks posed by third-party vendors in complex supply chains.
October: Conduent – Government and Healthcare Services
Conduent Business Services disclosed a data breach affecting more than 10.5 million individuals connected to its government and healthcare clients. The incident stemmed from unauthorized access to Conduent’s network that began in late 2024 and went undetected for several months. Compromised data included names, dates of birth, Social Security numbers, and healthcare and claims information. Delayed notifications to affected individuals raised concerns around regulatory compliance and incident response practices in organizations handling highly sensitive public-sector data.
November: SitusAMC – Financial Services and Real Estate Advisory
SitusAMC reported a cybersecurity incident that resulted in the compromise of certain corporate data related to client relationships, including accounting records and legal agreements. Some client customer data may also have been affected. The company contained the incident, engaged third-party experts, and notified federal law enforcement. Services were fully restored, and the investigation into the scope and impact of the breach remained ongoing.
December: Manage My Health – Healthcare and Digital Services
Manage My Health reported a cybersecurity incident affecting its New Zealand application, potentially impacting 6–7% of its 1.8 million users. The company engaged forensic experts, notified the Office of the Privacy Commissioner and New Zealand Police, and began identifying affected users. The incident highlighted the sensitivity of health data and the importance of rapid, transparent response to maintain trust in digital healthcare systems. (Manage My Health Update On Cyber Security Incident | Manage My Health)
Turning Lessons into Action
The data breaches of 2025 serve as a stark reminder that digital risk is not hypothetical. Each incident shows how lapses in security and privacy can have far-reaching consequences for organizations and the individuals they serve. As we move into 2026, the responsibility falls on businesses, governments, and individuals to treat privacy and security as fundamental principles. By learning from the past, prioritizing proactive measures, and embedding privacy by design into every system and process, we can turn these lessons into lasting action because safeguarding data is essential for trust, resilience, and the future of the digital world.
