The Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, is responsible for cybersecurity and infrastructure security throughout the federal government, to improve cybersecurity protection against private and nation-state hackers.

CISA has been without a director since the beginning of President Trump’s second term, when the then-director resigned. In addition, the Trump administration cut funding to the agency and, through the budget cuts, furloughs, and layoffs, the agency lost about one-third of its workforce. On top of that, in March 2025, Defense Secretary Pete Hegseth ordered U.S. Cyber Command to “halt cyber-offense operations against Russia” and “ordered the unit to stand down planning against Russian cybersecurity threats.”

Russia has always been one of our top cyber adversaries, and there is no indication that offensive planning has taken place in the past year.

With the layoffs, budget cuts, furloughs, and resignations, CISA has struggled to fulfill its mission. The strain became abundantly clear recently when GitGuardian security researcher Guillaume Valadon found “reams of exposed plaintext credentials listed in spreadsheets, which had been made publicly accessible in a GitHub repository by an employee working for a CISA contractor.”

On May 15, 2026, the researcher contacted security reporter Brian Krebs, who reported that the CISA contractor “maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems” which “included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.”

The repository was named “Private-CISA” and included “a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.”

The GitHub account has been taken offline. It was created in September 2018, and the Private-CISA repository was created in November 2025.

It is unknown whether anyone, including a foreign adversary such as Russia, found, accessed or used the credentials. CISA has confirmed that it is aware of the reported exposure and is continuing to investigate the situation. The question is what other lapses will occur as a result of the agency’s decimation.
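The exposure described above (plaintext credentials sitting in spreadsheets inside a public repository) is exactly the kind of defect a pre-commit or pre-publication secret scan exists to catch. The following is an added example, not code from the original page, from GitGuardian, or from CISA or its contractor: a small scanner that walks constructed spreadsheet rows, flags common credential shapes (AWS access key IDs, GitHub-style tokens, private-key headers, `password=` assignments) plus long high-entropy strings, and reports only redacted values so the scan output does not itself become a second leak. The regular expressions, the entropy threshold and every sample value below are assumptions or constructed data; the AWS key ID is the documentation placeholder, not a live key.

```python
import math
import re
from collections import Counter

# Constructed patterns for common credential shapes (assumption: not exhaustive;
# a real deployment would use a maintained ruleset).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Captures the value after password=/password:/password, stopping at a comma or space.
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:,]\s*([^\s,]+)"),
}
# Any run of 32+ token-like characters is examined for randomness.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score well above English text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix/suffix so a finding is recognisable but not reusable."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_line(line: str, lineno: int, entropy_threshold: float = 4.0) -> list:
    findings = []
    covered = []  # spans already explained by a named pattern
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(2) if name == "password_assignment" else m.group(0)
            findings.append({"line": lineno, "kind": name, "value": redact(value)})
            covered.append(m.span())
    # Fall back to an entropy check for secrets with no recognisable prefix.
    for m in LONG_TOKEN.finditer(line):
        if any(start <= m.start() < end for start, end in covered):
            continue
        if shannon_entropy(m.group(0)) >= entropy_threshold:
            findings.append({"line": lineno, "kind": "high_entropy_string",
                             "value": redact(m.group(0))})
    return findings


def scan_text(text: str) -> list:
    """Scan a whole exported spreadsheet (CSV text); returns findings in line order."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(line, lineno))
    return out


# Constructed sample export; none of these values is a real credential.
SAMPLE_CSV = "\n".join([
    "system,username,secret,notes",
    "build-server,svc-deploy,AKIAIOSFODNN7EXAMPLE,AWS documentation example key id",
    "git,ci-bot," + "ghp_" + "a" * 36 + ",constructed token shape",
    "db,app,password=Winter2026!,constructed plaintext password",
    "vault,api,c7Qx9zL2mN4pR8vT1wY5uB3kE6hJ0aS7dF2gH9jK,constructed high-entropy token",
    "docs,none,release notes only,nothing sensitive here",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

Run as a pre-commit hook or in CI over every file in a repository, a scanner like this would have refused the commit before the spreadsheets ever reached a public host; the entropy fallback is what catches vendor tokens that have no well-known prefix, at the cost of some false positives on things like base64-encoded images.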

The Texas Attorney General has filed a new consumer-protection lawsuit against Netflix, alleging that the company misled Texans by marketing itself as an ad-free, kid-friendly alternative to Big Tech while allegedly building a large-scale system for collecting and monetizing user data. The complaint claims that Netflix repeatedly assured consumers that its paid subscription model separated it from advertising-driven platforms, including statements that Netflix did not sell ads, did not sell data, and operated as a “safe respite” from companies that exploit users through advertising. According to the complaint, Netflix later reversed course by launching and expanding an advertising business that allegedly relies on behavioral data, identity matching, third-party data partners, and ad-tech platforms. 

The lawsuit also focuses heavily on children’s use of Netflix, alleging that the company encouraged parents to create kids’ profiles by describing them as kid-friendly spaces while failing to clearly disclose the extent to which Netflix allegedly collects and analyzes children’s behavioral interactions. Texas claims Netflix’s assurances that kids’ profiles are not used for behavioral advertising created a misleading impression because, according to the complaint, Netflix still collects granular data about what children watch, rewatch, abandon, search, and how they interact with the platform. The complaint further alleges that Netflix uses design features such as autoplay to extend viewing sessions, including on kids’ profiles, thereby increasing both screen time and the amount of behavioral data generated. 

Texas brings the action under the state’s Deceptive Trade Practices Act and seeks civil penalties, attorneys’ fees, disgorgement, and temporary and permanent injunctive relief. Among other remedies, the complaint seeks to require Netflix to purge what is alleged to be deceptively collected Texans’ data; obtain express and informed consent before using Texans’ data for targeted advertising; stop collecting children’s behavioral data without parental consent; turn autoplay off by default for kids’ profiles; and restrict clean-room data collaboration involving Texas consumers without adequate disclosure.

Many insurers, and the businesses they cover, are still treating artificial intelligence (AI) risk as if it were cyber risk cloaked in a costume. That instinct is understandable since AI systems process data, rely on vendors, create operational dependencies, and sit inside digital infrastructures. However, early litigation is showing why that framing is likely incomplete. The claims are not only arising from security hacks, ransomware, or data exfiltration, but from ordinary business activity: a customer call, a chatbot exchange, a healthcare consultation, a meeting transcript, or a vendor system setting that was enabled by default long before anyone examined its legal effect.

The real exposure sits in the gap between what the business thinks it is doing with AI and what its AI-enabled systems are actually doing. A notice saying “this call may be recorded” may not answer whether the call is being transcribed in real time, analyzed for content, retained by a third party, or used to improve a vendor’s model. A procurement approval may not show whether customer content was opted into training. A vendor contract may not explain whether the vendor is merely supplying a tool or independently receiving, enriching, and using the data flowing through it. That distinction can affect consent, privacy obligations, regulatory exposure, and even which insurance coverage applies.

The companies that get ahead of these issues will be the ones that stop asking whether AI is secure and start asking how AI changes the legal scope of their relationships with customers, patients, employees, vendors, and regulators. They will document what users were told, what settings were active, what vendor terms applied, and what data was used for which purpose. AI risk is not just a cyber control problem; it is a governance, consent, procurement, evidence, and business conduct problem. The market correction will favor organizations that understand that difference before the claims start arriving.

On May 19, 2026, the Federal Trade Commission (FTC) announced that it will begin enforcing the Take It Down Act (TIDA) immediately. TIDA was made law in May 2025 and requires platforms to remove non-consensual intimate imagery within 48 hours of being notified. It provides criminal penalties for the publication of non-consensual intimate imagery and deepfakes, particularly of minors.

TIDA gave covered platforms until May 2026 “to give people a way to request the removal of intimate photos or videos shared online without their consent and to remove those intimate images, and known identical copies, within 48 hours of a valid request.”

The FTC has provided a clear message that it intends to enforce the law, by:

monitoring compliance, investigating violations, and holding platforms accountable when they fail to protect people—especially children—from this harmful abuse. To assist in investigations and enforcement actions, the agency launched TakeItDown.ftc.gov, where people can tell the FTC about platforms that fail to swiftly take down intimate photos and videos shared without their consent or platforms without a process for requesting removal of these images.

According to the FTC, “Know this: Platforms violating the law may face FTC law enforcement action, including potential civil penalties of $53,088 per violation.” This is a very clear message that enforcement of the TIDA is an FTC top priority.

The FTC has provided guidance for businesses that are subject to TIDA to assist with compliance.

In addition to the TakeItDown.ftc.gov website, the FTC has also published guidance to help consumers who are victims of nonconsensual intimate images posted online, including how consumers can report a platform that does not take down a nonconsensual intimate image within 48 hours of the request. The FTC is urging victims to report incidents, as well as to report “the perpetrator to local criminal law enforcement, as well as the FBI.”

If you are a victim of the posting of nonconsensual intimate images (or a deepfake), take control: request that the platform take the images down, and report it to local law enforcement, the Federal Bureau of Investigation, and the FTC.

Another recent victim of ShinyHunters is Instructure, the supplier of the Canvas learning management system; the attack disrupted the login portals of 330 colleges and universities during the critical college exam schedule.

According to Dataminr, ShinyHunters “claimed to have stolen 3.654TB of data affecting about 275 million individuals and 9,000 institutions worldwide.” The stolen data included names, email addresses, student ID numbers and messages, but not passwords, government IDs, birth dates, or financial data. The company admitted that the threat actors obtained access on April 29, 2026. After remediation and revoking the threat actors’ access, it identified additional unauthorized activity on May 7, 2026. The incident caused Instructure to take Canvas offline, affecting its 8,800 customers during exam season.

This is a repeated attack by ShinyHunters against Instructure. Not only did it maintain persistence in April and May, but ShinyHunters also attacked Instructure by  in September 2025, in a social engineering attack that provided the threat actors with access to its Salesforce instance.

Instructure confirmed on May 11, 2026, that it has “reached an agreement with the unauthorized actor involved in this incident” and had “received digital confirmation of data destruction (shred logs)” and that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” The Cybersecurity & Infrastructure Security Agency issued an alert on the incident, and Congress started an inquiry. In addition, the Federal Trade Commission (FTC) warns consumers to be cautious about texts or emails pretending to be from Canvas “to trick you into giving them your information,” and provides tips about responding to any messages related to the Canvas hack. Importantly, the FTC advises parents to alert children to be cautious about texts and emails. It’s a good reminder to discuss with your children how threat actors launch social engineering campaigns using the data stolen from an incident such as this one.

The spread of AI-generated intimate imagery has turned what was already a serious online safety issue into a fast-moving platform governance problem. The Federal Trade Commission’s (FTC) latest stakeholder letter makes clear that covered platforms will be expected to have systems in place before enforcement begins. This week, the FTC sent a stakeholder letter to covered platforms signaling that the agency expects them to be ready by May 19, 2026, when Section 3 of the TAKE IT DOWN Act (TIDA) becomes enforceable. The letter emphasizes that platforms receiving a valid removal request must remove the reported intimate image or video, along with known identical copies, within 48 hours. The FTC also urges platforms to make requests easy to submit, including for people without platform accounts, and suggests request-level tracking so users, platforms, and law enforcement can identify the same takedown matter. The enforcement message is direct: TIDA violations will be treated as FTC rule violations and may carry civil penalties of up to $53,088 per violation.

TIDA applies to certain websites, online services, apps, and mobile applications that serve the public and primarily provide a forum for user-generated content, or that regularly publish, curate, host, or make available nonconsensual intimate depictions. It covers both authentic intimate visual depictions and “digital forgeries,” including AI-generated or technologically altered intimate images that appear indistinguishable from authentic depictions. Covered platforms must maintain a clear, conspicuous, plain-language notice-and-removal process that allows an identifiable individual, or an authorized representative, to request removal of nonconsensual intimate content.

Once a valid request is received, the platform must, as soon as possible and no later than 48 hours after receipt, remove the content and make reasonable efforts to remove known identical copies. Forty-eight hours is not much time to verify a request, locate reported content, identify known identical copies, coordinate internal teams, and document the response. This means that covered platforms should act now, including mapping where covered content can appear, making reporting channels easy to find and use, assigning clear internal ownership, testing duplicate-detection tools, and deciding how request tracking, records, vendor support, and hashing will work in practice. Before the first 48-hour clock starts, the process should already be built, tested, and ready to run.

TIDA is another example of privacy, safety, and AI governance converging into concrete operational obligations. Companies should not treat this as a narrow content-moderation issue. Compliance may require intake workflows, identity and authorization checks, escalation paths, duplicate-detection capabilities, documentation, and defensible timing controls. Platforms should also assess whether hashing or similar tools can help prevent re-uploads, while accounting for the privacy, security, and retention risks that come with handling highly sensitive images. More broadly, regulators are signaling that user-safety obligations need to be built into product design, not handled only after complaints arrive. For companies in scope, the work now is to understand where this content can surface, align reporting channels, moderation tools, records, and vendor support, and make sure the response process works before the clock is running.
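The two passages above describe an operational loop: log the request with its receipt time, start a 48-hour clock, locate the reported item and its known identical copies, remove them, keep a record, and stop the same content from being re-uploaded. The following is an added example, not code from the original page, from the FTC, or from any platform, of the minimal tracker that loop implies. It hashes reported content with SHA-256 (exact-match only, which is what “known identical copies” means; near-duplicates would need perceptual hashing, which this does not attempt), computes the statutory deadline, flags overdue requests, and retains only digests rather than images once a match is made. The class and field names, the in-memory inventory, and all sample bytes are assumptions or constructed data.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Statutory window from the text: no later than 48 hours after a valid request.
REMOVAL_WINDOW = timedelta(hours=48)


def content_hash(data: bytes) -> str:
    """Exact-match fingerprint; the tracker stores this, never the image bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class TakedownRequest:
    request_id: str            # request-level tracking id shared with the requester
    received_at: datetime      # when the valid request was received (UTC)
    reported_hash: str
    completed_at: Optional[datetime] = None
    removed_items: List[str] = field(default_factory=list)

    @property
    def deadline(self) -> datetime:
        return self.received_at + REMOVAL_WINDOW

    def is_overdue(self, now: datetime) -> bool:
        return self.completed_at is None and now > self.deadline


class TakedownTracker:
    def __init__(self) -> None:
        self.requests: Dict[str, TakedownRequest] = {}
        self.blocklist: set = set()  # digests of removed content, to refuse re-uploads

    def open_request(self, request_id: str, received_at: datetime,
                     reported_bytes: bytes) -> TakedownRequest:
        req = TakedownRequest(request_id, received_at, content_hash(reported_bytes))
        self.requests[request_id] = req
        return req

    def find_identical_copies(self, req: TakedownRequest,
                              inventory: Dict[str, bytes]) -> List[str]:
        """Every hosted item whose bytes hash identically to the reported content."""
        return sorted(item_id for item_id, data in inventory.items()
                      if content_hash(data) == req.reported_hash)

    def complete(self, request_id: str, inventory: Dict[str, bytes],
                 now: datetime) -> TakedownRequest:
        """Remove the reported item and its identical copies, then record the timing."""
        req = self.requests[request_id]
        req.removed_items = self.find_identical_copies(req, inventory)
        for item_id in req.removed_items:
            del inventory[item_id]
        self.blocklist.add(req.reported_hash)
        req.completed_at = now
        return req

    def upload_allowed(self, data: bytes) -> bool:
        """Re-upload check against the digest blocklist, run at ingest time."""
        return content_hash(data) not in self.blocklist

    def overdue(self, now: datetime) -> List[str]:
        """Request ids whose 48-hour clock has expired without completion."""
        return sorted(r.request_id for r in self.requests.values() if r.is_overdue(now))


if __name__ == "__main__":
    # Constructed inventory: two posts carry identical bytes, one does not.
    inventory = {"post-1": b"constructed-image-A",
                 "post-2": b"constructed-image-A",
                 "post-3": b"constructed-image-B"}
    received = datetime(2026, 5, 19, 9, 0, tzinfo=timezone.utc)
    tracker = TakedownTracker()
    req = tracker.open_request("req-001", received, b"constructed-image-A")
    print("deadline:", req.deadline.isoformat())
    done = tracker.complete("req-001", inventory, received + timedelta(hours=5))
    print("removed:", done.removed_items, "remaining:", list(inventory))
    print("re-upload allowed:", tracker.upload_allowed(b"constructed-image-A"))
```

The `overdue` check is the piece worth wiring to an alert: polled periodically, it gives the internal owner a list of matters approaching or past the deadline, and the `completed_at` timestamp on each request is the record a platform would rely on to show its timing was defensible.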

California regulators have announced a major privacy settlement with General Motors (GM) over allegations that the company unlawfully sold the location and driving data of hundreds of thousands of Californians to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The settlement, subject to court approval, requires GM to pay $12.75 million in civil penalties and imposes significant restrictions on how the company may use, retain, and share consumer driving data. According to the complaint, GM collected the data through OnStar and allegedly failed to provide adequate notice to consumers, despite statements suggesting that driving and location data would not be sold or would only be disclosed for insurance purposes at the consumer’s direction.

The settlement highlights the growing privacy risks associated with connected vehicles. As San Francisco District Attorney Brooke Jenkins stated, “Modern cars are rolling data collection machines.” Location data can reveal highly sensitive details about a person’s daily life, including where they live, work, worship, receive medical care, or take their children to school. California officials alleged that GM retained driving and location data longer than necessary and then sold it to data brokers that intended to use it for driver-rating products marketed to auto insurers. Although investigators determined that California drivers were likely not subject to increased premiums because California law restricts the use of driving data for insurance rates, the alleged conduct still raised serious concerns under the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law.

The settlement is especially notable because it is the California Department of Justice’s first enforcement action focused on the CCPA’s data minimization principle. Under the settlement terms, GM must stop selling driving data to consumer reporting agencies for five years, delete retained driving data within 180 days except for limited internal uses or where consumers provide affirmative, express consent, request deletion from LexisNexis and Verisk, and maintain a robust privacy compliance program. For companies collecting connected device data, the message is clear: collect only what is needed, explain data practices clearly, honor consumer rights, and do not repurpose sensitive data without proper notice and consent.

Pennsylvania’s lawsuit against Character Technologies, Inc., is a notable early test of how professional licensing laws may apply to consumer-facing AI chatbots. The Commonwealth, acting through the Department of State and State Board of Medicine, filed a Petition for Review in the Commonwealth Court of Pennsylvania seeking to restrain what it alleges is the unlawful practice of medicine under the state’s Medical Practice Act. The case centers on Character.AI, a website and mobile application that allows users to interact with customizable AI characters powered by a large language model (LLM).

According to the complaint, Character.AI is widely available, has more than 20 million monthly active users worldwide, and hosts more than 18 million unique chatbot characters created by users. The Commonwealth alleges that some of those characters purport to be health care professionals, including a chatbot named “Emilie,” described on the platform as “Doctor of psychiatry. You are her patient.” As of April 17, 2026, “Emilie” allegedly had approximately 45,500 user interactions on the Character.AI platform.

According to the investigation description in the complaint, a Pennsylvania professional conduct investigator created a free Character.AI account while located in Harrisburg, searched the platform for “psychiatry,” and selected “Emilie.” When the investigator said he felt sad, empty, tired, and unmotivated, “Emilie” mentioned depression and asked whether he wanted to book an assessment. The chatbot allegedly said an assessment was within her remit “as a Doctor,” claimed medical training and psychiatric licensure in the United Kingdom, represented that she was licensed in Pennsylvania, and provided a Pennsylvania license number that the complaint says was not valid.

The broader issue is not simply whether a chatbot gave bad advice, but whether an AI character can cross the line from roleplay into conduct regulated as medicine. Pennsylvania argues that Character Technologies engaged in unauthorized practice because the AI system held itself out as a licensed medical doctor and used the title of psychiatrist without a valid Pennsylvania license. If the court accepts that theory, the case could become an important warning to AI platforms: disclaimers may not be enough where a product allows bots to claim professional credentials, offer assessments, or present fake license numbers to users seeking health-related guidance.

According to HaveIBeenPwned, ShinyHunters targeted fashion brand Zara in a cyber-attack and claimed that it had stolen 197,000 unique email addresses, product SKUs, order IDs, and the originating market. The incident involved a former technology provider (AI analytics platform Anodot) for Zara’s parent company, Inditex, and resulted in the exposure of the personal information. ShinyHunters claimed to have leaked 140GB of data, which is reported to have included compromised authentication tokens for Anodot users.

Inditex has confirmed that no customer names, passwords, phone numbers, addresses, or payment information (bank cards) were compromised in the incident. Inditex has also confirmed that its core operations and systems were not impacted.

ShinyHunters continues to wreak havoc in all industries, and its technique of compromising authentication tokens is a warning to organizations to prioritize prevention of authentication token incidents. Obsidian has provided a basic summary of how token-based attacks work, and tips on how to prevent them.