Data Breach Roundup (May 15 - 21, 2026)

A hotel check-in system left a million passports and driver’s licenses open for anyone to see

Tabiq is a used in several hotels in Japan and primarily relies on facial recognition and document scanning to check in arriving guests. The data was exposed because the Amazon S3 bucket used by Tabiq was set to public and required no password. It's unclear how that happened since S3 buckets are set to private by default.

A hotel check-in system left a million passports and driver’s licenses open for anyone to see | TechCrunch

The tech company that maintains the hotel check-in system set its cloud storage to public, allowing anyone to access customers’ data without a password.

TechCrunchZack Whittaker

NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people

This breach took place between November 2025 and February 2026 and was the result of an unnamed third-party vendor breach. Exposed data varies by individual but includes patients’ health insurance plan and policy information, medical information (such as diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents including Social Security numbers, passports, and driver’s licenses were also compromised. The notice also said that "precise geolocation data" was taken, but did not elaborate.

NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people | TechCrunch

The New York public healthcare system said hackers stole personal and medical data, and scans of biometrics — including fingerprints — in one of the largest recorded breaches of 2026.

TechCrunchZack Whittaker

7-Eleven confirms data breach claimed by the ShinyHunters gang

7-Eleven, the global convenience store chain, experienced a breach in early April. Unfortunately they haven't disclosed hardly any information such as number of victims or what data was stolen. ShinyHunters claimed the breach and claimed to have 600,000 records from Salesforce, containing "PII and other internal corporate data."

7-Eleven confirms data breach claimed by the ShinyHunters gang

Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month.

BleepingComputerSergiu Gatlan

Customers say Trump Mobile is leaking their personal information

Trump Mobile is Trump's upcoming branded mobile phone and service. Two YouTubers who preordered the devices for review purposes were contacted by a source who claimed to have discovered the leak, and provided their personal information to prove it. The researcher said he saw "mailing address, email address, you know, everything short of credit card number." Trump Mobile has not responded to any communications and the leak remains unfixed.

Customers say Trump Mobile is leaking their personal information | TechCrunch

Trump Mobile is leaking customers’ email and home addresses but has not responded to people alerting the company of the data exposure, according to two YouTubers who said they verified that their leaked data is authentic.

TechCrunchLorenzo Franceschi-Bicchierai