In a recently released report titled Cybersecurity in Global Sport: Threats, Signals, and Strategic Implications for a Digitized Industry, cybersecurity firm Darktrace has outlined “the current challenges the global sporting sector faces and…forward-looking views on future challenges as AI increasingly becomes adopted across the sector.”

The Report’s conclusions draw on a survey of 875 IT cybersecurity professionals at sports organizations located in the U.S., U.K., Australia, and Germany.

Because the global sports industry “has undergone a rapid and continuous digital transformation” (including digital ticketing platforms, broadcasting, mobile applications, and third-party vendor support), and sports organizations are adopting generative AI and agentic AI tools, emerging cybersecurity threats are targeting these organizations.

The Report’s key takeaways include:

  • 84% of professional sports organizations surveyed have experienced at least one cyber incident in the past 12 months, with more than half (57%) hit multiple times. This underscores that cyber risk is already an operational issue for the sector.
  • 34% of respondents cited stadium operations as the most critical function to protect during a live event, reinforcing that cyber resilience in sport is defined by high-visibility moments where downtime is least acceptable.
  • Sports sector customers received 19% more phishing emails than non-sports sector customers, reinforcing that email and identity remain dominant attack vectors for sports organizations.
  • 21% of phishing emails targeting sports sector customers were sent to VIPs, while 37% contained novel social engineering techniques, highlighting how attackers are focusing on high value identities and adapting tactics to exploit urgency, trust, and operational complexity in the sports sector.
  • 47% of respondents cited AI prompt risks and attacks, and AI development and deployment risks, as top concerns for AI use within their organizations.
  • 72% of IT cybersecurity professionals from sports organizations surveyed believe AI will increase cyber risk over the next 12 months as adoption grows in high stakes areas including stadium operations, ticketing and fan engagement, and business operations.

Sports organizations have been victimized by various threats including: “client-side payment skimming, ransomware outbreaks, and compromise of ecommerce infrastructure through third-party scripts. Fan platforms and mobile applications have been accessed via exposed keys and weak API security, placing large user populations at risk.”

Darktrace suggests that organizations treat cyber risk “as an operational and governance challenge” to be resilient against attacks. This includes:

1. Threat modeling for emerging technologies, including AI misuse;
2. Rigorous supply chain governance and vendor access control;
3. Strong segmentation across IT, OT, and fan-facing systems;
4. Identity-centric security with anomaly detection and universal multi-factor authentication (MFA);
5. Phishing resilience across all channels, including QR-based vectors; and
6. Operational playbooks aligned to live event constraints.

The Report is a must-read for those in the sports sector.

Researchers from Mandiant and Google Threat Intelligence Group are warning the higher education sector, including universities, that ShinyHunters has exploited an Oracle PeopleSoft zero-day vulnerability and has “potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.” ShinyHunters has reportedly started publishing the names of the compromised victims and stolen data.

The vulnerability (CVE-2026-35273) “allows unauthorized attackers to execute remote code and takeover affected servers.” Oracle has published mitigation steps, but a patch has not yet been released. According to Mandiant, “This campaign is still active.” Google adds that “most of the potential victim pool is based in the United States and 68% are in the higher education sector.” If you are in the higher education sector, implement Oracle’s mitigation steps as soon as possible, and watch for the release of a patch.

A recent court order from the Northern District of California offers a useful reminder that not every alleged collection of browsing data will support an invasion-of-privacy claim. In Campbell v. Honey Science, LLC (N.D. Cal. June 15, 2026), the plaintiffs alleged that PayPal’s Honey browser extension promised to search for and apply the “best” coupons or discount codes when users shopped online, but sometimes failed to provide the lowest available price. According to the complaint, Honey allegedly did not actually search the internet for discount codes and instead used codes from affiliate networks, a website, or Honey subscribers, while also allegedly maintaining vendor agreements that affected which discounts would be applied. The plaintiffs asserted claims under California’s Unfair Competition Law, unjust enrichment, and invasion of privacy.

On the invasion of privacy front, the plaintiffs alleged that Honey examined users’ visited websites and browser cookies without adequate disclosure or consent. The court assumed, for purposes of the motion, that browsing history could involve a legally protected privacy interest and a reasonable expectation of privacy. However, the court held that this was not enough. To state a California invasion-of-privacy claim, according to the court, the plaintiffs also had to allege conduct that was “highly offensive” and amounted to a serious invasion of privacy.

That element turned on context. The court contrasted Honey with cases involving more surreptitious tracking, including tracking after a user logged out of an account. Honey, by contrast, was a browser extension downloaded for the “express purpose” of monitoring online shopping activity and applying coupon codes at checkout. Therefore, the court held that the alleged collection looked more like “routine commercial behavior” than a highly offensive privacy intrusion.

The court also held that the pleading lacked the details needed to turn tracking into an actionable privacy claim. The plaintiffs did not allege what specific browsing behavior Honey tracked, what information was collected, or why that information was “embarrassing, invasive, or otherwise private” enough to make the collection highly offensive. The court rejected the idea that collection of browsing data, standing alone, was enough “without more detail.”

Browser extensions, plug-ins, apps, shopping tools, and loyalty technologies should still be built around clear disclosures, appropriate consent flows, and data minimization. Still, where data collection aligns with the product’s apparent function, plaintiffs may need specific allegations of sensitive, unexpected, or intrusive tracking to state a privacy claim.

The Federal Communications Commission (FCC) has narrowed its foreign-produced drone restrictions by removing a specific category of “Toy Drones” and “Toy Drones that contain foreign-produced components” from the FCC Covered List. The June 15, 2026, Public Notice follows a June 12, 2026, National Security Determination from the Department of War, which found that this defined class of devices does not pose an unacceptable risk to U.S. national security or to the safety and security of U.S. persons. The update refines the FCC’s broader December 2025 action, which added foreign-produced uncrewed aircraft systems and UAS critical components to the Covered List, subject to later specific determinations that particular systems or components do not present the same level of risk.

The key takeaway is that the exception is narrow. To qualify as a “Toy Drone,” a device must meet a detailed set of technical and marketing criteria, including a maximum take-off weight of 150 grams, line-of-sight operation of 100 meters or less, maximum sustained altitude of 300 feet, no GPS or equivalent navigation system, no internet, mobile app, cellular, or Wi-Fi connectivity, no imaging or sensing capabilities, flight time of 10 minutes or less, and marketing as a toy for recreational use. The Department of War framed the distinction around capability: low-risk toys lack the range, endurance, sensing, payload, connectivity, and data collection or storage features that raise national security concerns in more capable UAS.

For drone manufacturers, importers, retailers, and equipment authorization applicants, the notice offers a clearer view into how federal officials are separating low-risk consumer toy products from higher-risk drone systems. The Covered List now expressly excludes foreign-produced Toy Drones, as defined in the National Security Determination, and Toy Drones that contain foreign-produced components, while leaving the broader restrictions in place for foreign-produced UAS and UAS critical components that do not fit an exception. Companies should treat the update as a targeted compliance opening rather than a general relaxation of the FCC’s drone-related supply chain restrictions.

On June 12, 2026, the U.S. Departments of Justice and Homeland Security announced that deepfake domains CFAKE.com and SOCFAKE.com were seized and taken down using the TAKE IT DOWN Act. The seized domains “were being used to publish thousands of digitally forged images and videos depicting famous women as nude and sometimes engaged in sexual activity, without their consent.” The deepfakes included royalty, journalists, television personalities, athletes, entertainers, and others. According to the press release, “The website allowed people to browse by tags that included topics like ‘rape,’ ‘forced,’ and ‘degradation.’”

U.S. authorities were alerted to the website by Italy’s Polizia di Stato Postal and Cybersecurity Police. After a U.S. investigation, evidence was shared with French authorities, who also investigated and made an arrest in Nice on June 10, 2026. This is a great example of how important international law enforcement cooperation is in prosecuting individuals outside of the U.S. and taking down harmful and illegal domains. This is a big win for law enforcement in the U.S., Italy, and France in combating deepfakes.

For years, companies have treated anonymization as a legal comfort zone. Remove names, emails, phone numbers, and other identifiers, and the remaining dataset was often viewed as safer to share, analyze, monetize, and retain. That assumption is getting harder to defend. Artificial intelligence (AI) has changed the practical re-identification analysis by making it easier to connect patterns across datasets, infer identity from indirect signals, and combine “anonymous” information with public, breached, scraped, or commercially available data. Location trails, purchase histories, voiceprints, facial geometry, writing style, device signals, and other data points may not identify someone on their own, but AI can make those fragments far more revealing when viewed together.

The legal and business takeaway is important: anonymization should no longer be treated as a permanent status. It is better understood as a technical condition that can degrade over time. Regulators are beginning to reflect that reality, including through frameworks that do not automatically exclude anonymized, de-identified, or pseudonymized data when re-identification remains realistic. The question is shifting from “Did we remove direct identifiers?” to “Could a reasonably capable actor re-identify individuals using current tools and available data?” That shift matters for consent strategies, disclosure obligations, litigation exposure, vendor contracting, AI training rights, audit provisions, and liability allocation.

De-identification still matters, but it needs to sit inside a more modern governance model. Companies should evaluate re-identification risk on a recurring basis, account for external data sources, restrict downstream use, prohibit re-identification attempts, and apply technical controls such as differential privacy, synthetic data, aggregation, and formal risk testing where appropriate. The organizations best positioned for this next phase will treat identifiability as a spectrum, not a binary switch. In an AI-driven data ecosystem, “anonymous” is not the end of the privacy analysis. It is the beginning of a continuing risk management obligation.
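The passage above argues that identifiability is a spectrum that should be measured and re-measured against external data. The following added example (not part of the original post and not any vendor's tool) shows one such formal risk test in Python: it computes the k-anonymity of a constructed, hypothetical "de-identified" dataset over its quasi-identifiers, counts how many records a simple join against a constructed auxiliary dataset would single out, and then applies aggregation (coarser ZIP codes and birth-year bands) and re-runs both checks. All records, column names and values are constructed for illustration.

```python
from collections import Counter

# Constructed sample: direct identifiers already removed, but quasi-identifiers
# (zip5, birth_year, sex) remain alongside a sensitive attribute. Hypothetical data.
DEIDENTIFIED = [
    {"zip5": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip5": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "migraine"},
    {"zip5": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "fracture"},
    {"zip5": "02140", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip5": "02140", "birth_year": 1947, "sex": "F", "diagnosis": "arthritis"},
    {"zip5": "02141", "birth_year": 1947, "sex": "F", "diagnosis": "diabetes"},
]

# Constructed auxiliary dataset standing in for public, scraped or commercially
# available data that carries names next to the same quasi-identifiers.
AUXILIARY = [
    {"name": "A. Example", "zip5": "02140", "birth_year": 1947, "sex": "F"},
    {"name": "B. Example", "zip5": "02139", "birth_year": 1961, "sex": "F"},
    {"name": "C. Example", "zip5": "02141", "birth_year": 1947, "sex": "F"},
    {"name": "D. Example", "zip5": "02139", "birth_year": 1985, "sex": "M"},
]

QI = ("zip5", "birth_year", "sex")  # the quasi-identifier columns under review


def qi_key(row, qi=QI):
    """Tuple of a row's quasi-identifier values, used as an equivalence-class key."""
    return tuple(row[c] for c in qi)


def k_anonymity(rows, qi=QI):
    """Return (min_k, per-row k). k = number of rows sharing a row's QI combination.
    A row with k == 1 is unique in the release and is the first thing a risk review flags."""
    counts = Counter(qi_key(r, qi) for r in rows)
    ks = [counts[qi_key(r, qi)] for r in rows]
    return min(ks), ks


def linkage_risk(rows, aux, qi=QI):
    """Count released rows that are unique in the release AND match exactly one
    auxiliary record on the QIs: a plain join re-identifies them, no AI required."""
    aux_counts = Counter(qi_key(a, qi) for a in aux)
    rel_counts = Counter(qi_key(r, qi) for r in rows)
    return sum(
        1 for r in rows
        if rel_counts[qi_key(r, qi)] == 1 and aux_counts[qi_key(r, qi)] == 1
    )


def generalize(rows, zip_digits=3, year_band=10):
    """Aggregation control: truncate ZIP codes and bucket birth years into bands.
    Applied to the auxiliary data as well when re-testing, since an adversary can
    coarsen their own copy to the same granularity."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip5"] = r["zip5"][:zip_digits] + "*" * (5 - zip_digits)   # 02139 -> 021**
        g["birth_year"] = (r["birth_year"] // year_band) * year_band  # 1961 -> 1960
        out.append(g)
    return out


def assess(rows, aux):
    """Recurring risk report: minimum k, number of unique rows, number linkable via aux."""
    min_k, ks = k_anonymity(rows)
    return {
        "min_k": min_k,
        "unique_rows": sum(1 for k in ks if k == 1),
        "linkable_rows": linkage_risk(rows, aux),
    }


if __name__ == "__main__":
    print("as released:", assess(DEIDENTIFIED, AUXILIARY))
    print("generalized:", assess(generalize(DEIDENTIFIED), generalize(AUXILIARY)))
```

On the constructed data the release looks "anonymous" (no names) yet four of six rows are unique on three ordinary attributes and three of them join to exactly one auxiliary record; after ZIP truncation and decade bands every row shares its QI combination with at least one other and nothing is linkable. Two caveats a practitioner would add: a small k still leaks when everyone in an equivalence class shares the same sensitive value, and new external datasets can lower these numbers later, which is why the passage frames this as a recurring obligation; controls such as differential privacy address adversaries this simple join test does not model.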

June 15, 2026, was designated World Elder Abuse Awareness Day. One of the ways seniors are victimized is through financial scams. According to the Federal Trade Commission (FTC), “in 2025, [elderly] people reported losing about $16 billion to scams, compared to $12.8 billion the previous year. And because not everyone who experiences a scam reports it, this likely represents only a fraction of the actual amount lost.”

Imposter scams are one of the most common ways seniors become financial fraud victims. An imposter pretends to be someone else, such as a government agency, bank, law enforcement officer, friend, or family member, and contacts the victim through phone, text, email, or other messaging to obtain information to further financial fraud. Threat actors commonly pose as Internal Revenue Service agents and call the victim to let them know they are behind on their taxes and that if they don’t pay up immediately, something dreadful will happen. They use scare tactics to quickly obtain credit card information, cash, or personal information from the victim.

Awareness of imposter scams can prevent you from becoming a victim. Here are some tips to help you avoid them.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), the Department of Transportation (DOT), and the U.S. Department of Agriculture (USDA) recently issued an alert warning of

malicious cyber activity targeting U.S.-based automatic tank gauge (ATG) systems. ATG systems are widely used throughout the Energy, Chemical, Food and Agriculture, and Transportation Systems Sectors for automated and remote monitoring of storage tank parameters, including fuel and liquid levels, temperature, and possible leak detection. The authoring organizations urge ATG owners and operators to defend against this malicious activity by securing their ATG systems with strong passwords and by removing them from the internet to reduce public exposure.

According to the alert, the recent malicious cyber activity “involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution.”

This means that cyber actors could “disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console.”

This would enable the threat actors to:

  • Alter system(s) attributes, such as network settings, product identifiers, tank volumes, and pump controls;
  • Compound operational malfunctions; components operating incorrectly could create a denial of view condition of tank fill levels, which could cause permanent damage to the tank system’s critical function;
  • Disable system alerts, reducing an operator’s ability to detect and mitigate system issues and increasing the risk of environmental or physical hazards from incidents such as leaks or relay failures.

The alert provides mitigation steps which should be implemented immediately.

On May 5, 2026, the parties in In re Doxim, Inc. Data Security Incident Litigation (E.D. Mich. June 13, 2024), filed a proposed $5.5 million class action settlement arising from a cyber incident involving Doxim, a software provider serving credit unions, wealth management service providers, and banking sectors in the United States and Canada.

Doxim detected suspicious activity on December 30, 2023, in the part of its network supporting credit union services. It later determined that files had been removed from its network and that those files included names, mailing addresses, account numbers, and/or Social Security numbers. Doxim began notifying affected individuals on approximately May 31, 2024.

In the litigation that followed, Plaintiffs alleged that Doxim failed to implement and maintain reasonable safeguards, failed to comply with industry-standard data security practices, failed to properly train employees, failed to timely detect the unauthorized access, and failed to timely notify impacted individuals. The proposed settlement class includes 1,100,911 individuals identified by Doxim’s records.

The case illustrates how a vendor incident can become a customer-data incident. If a service provider processes, stores, or transmits sensitive customer information, a breach at the service provider can still affect the organization’s customers and create risk around whether reasonable safeguards were in place, whether the vendor followed industry-standard security practices, whether employees were properly trained, and whether unauthorized access was timely detected and disclosed. For organizations using vendors to handle sensitive customer data, the diligence question is not only whether the vendor can perform the service, but whether it has appropriate safeguards for the data it receives.

A member of Kaiser Permanente, an integrated managed care consortium headquartered in Oakland, California, has asked a federal judge in Seattle to certify nationwide classes and California subclasses in a privacy lawsuit against Microsoft and Qualtrics over tracking technologies allegedly embedded in Kaiser’s website and patient portal. The plaintiff, identified as Jane Doe, claims that Microsoft’s Universal Event Tracking tool and Qualtrics’ website technologies secretly collected sensitive information from Kaiser members as they scheduled appointments, reviewed test results, searched health topics, and managed care through Kaiser’s online services.

The proposed classes would cover current and former Kaiser members whose health information or other private data was allegedly collected by Microsoft and Qualtrics without their knowledge or consent. The plaintiff is pursuing claims for invasion of privacy and intrusion upon seclusion, along with California-specific claims under the California Invasion of Privacy Act (CIPA) and Unfair Competition Law. In seeking class certification, she argues that the alleged collection practices were common across Kaiser’s website and treated users’ data in the same way, making the case appropriate for class-wide resolution.

The case is another reminder that litigation over pixels, tags, SDKs, and other website tracking tools in healthcare settings remains very active. Although the court previously narrowed the suit by dismissing certain claims, it allowed core privacy theories to proceed. The next major question is whether the plaintiff can show that the alleged data collection practices are sufficiently uniform across Kaiser users to support class treatment. For healthcare organizations and their vendors, the case underscores the importance of understanding exactly what third-party code collects, where that data goes, and whether the organization has a defensible basis for using those tools in patient-facing digital environments.