Data Breach Roundup (Mar 27 - Apr 2, 2026)

Dutch Police discloses security breach after phishing attack

There's no details at all at this time, but the Dutch National Police (Politie) are claiming that the breach was extremely limited and hasn't affected any citizen data. It's unclear if any employee data was impacted.

Iranian hackers claim breach of FBI director Kash Patel’s personal email account

TechCrunch confirmed that at least some of the emails leaked by Handala were from Patel’s alleged Gmail account by verifying information contained within the message headers. The emails seem to span from 2010-2019. Neither TechCrunch nor Reuters (who originally reported the story) commented on the contents.

Healthcare tech firm CareCloud says hackers stole patient data

At this time the company is still determining exactly how many patients and what data was impacted, but it does seem that the measures they had in place were helpful. It says that only one of six environments was compromised and only for about 8 hours. Obviously this is still bad, but it's good to see that they had systems in place to mitigate the damage, and they're being very quick with the disclosure (the event occurred March 16).

Money transfer app Duc exposed thousands of driver’s licenses and passports to the open web

Duc is a Toronto-based app that claims to offer money transfer services, even to overseas countries like Cuba. It has at least 100,000 downloads according to the Play store. This breach was the result of an exposed Amazon server, revealing hundreds of thousands of files going back to 2020 including government-issued IDs (such as driver's license or passport), selfies (for know-your-customer verification), and spreadsheets with names, addresses, and transaction details.

Telehealth giant Hims & Hers says its customer support system was hacked

Hims & Hers sells weight loss dugs and "sexual health prescriptions." According to a spokesperson, attackers used social engineering to gain access to the stolen data. The company confirmed only that names and contact information were stolen, along with "other unspecified personal data" in the support tickets, but said only that health records were unaffected. The number of victims is also unknown, but California law requires disclosure if it's more than 500, so we know it has to be at least that many.

CERT-EU: European Commission hack exposes data of 30 EU entities

This breach took place March 19 as part of the Trivy supply chain attack, and was discovered March 24. We are now learning the scope and scale of the breach. About 340 GB of data was stolen including names, email addresses, email content, usernames, personal information, and more. It may affect as many as 42 internal EU clients and 29 other EU entities using the "europa.eu" web hosting service.