On June 12, 2026, the U.S. Departments of Justice and Homeland Security announced that deepfake domains CFAKE.com and SOCFAKE.com were seized and taken down using the TAKE IT DOWN Act. The seized domains “were being used to publish thousands of digitally forged images and videos depicting famous women as nude and sometimes engaged in sexual activity, without their consent.” The deepfakes included royalty, journalists, television personalities, athletes, entertainers, and others. According to the press release, “The website allowed people to browse by tags that included topics like ‘rape,’ ‘forced,’ and ‘degradation.’”

U.S. authorities were alerted to the website by Italy’s Polizia di Stato Postal and Cybersecurity Police. After a U.S. investigation, evidence was shared with French authorities, who also investigated and made an arrest in Nice on June 10, 2026. This is a great example of how important international law enforcement cooperation is in prosecuting individuals outside of the U.S. and taking down harmful and illegal domains. This is a big win for law enforcement in the U.S., Italy, and France in combating deepfakes.

For years, companies have treated anonymization as a legal comfort zone. Remove names, emails, phone numbers, and other identifiers, and the remaining dataset was often viewed as safer to share, analyze, monetize, and retain. That assumption is getting harder to defend. Artificial intelligence (AI) has changed the practical re-identification analysis by making it easier to connect patterns across datasets, infer identity from indirect signals, and combine “anonymous” information with public, breached, scraped, or commercially available data. Location trails, purchase histories, voiceprints, facial geometry, writing style, device signals, and other data points may not identify someone on their own, but AI can make those fragments far more revealing when viewed together.

The legal and business takeaway is important: anonymization should no longer be treated as a permanent status. It is better understood as a technical condition that can degrade over time. Regulators are beginning to reflect that reality, including through frameworks that do not automatically exclude anonymized, de-identified, or pseudonymized data when re-identification remains realistic. The question is shifting from “Did we remove direct identifiers?” to “Could a reasonably capable actor re-identify individuals using current tools and available data?” That shift matters for consent strategies, disclosure obligations, litigation exposure, vendor contracting, AI training rights, audit provisions, and liability allocation.

De-identification still matters, but it needs to sit inside a more modern governance model. Companies should evaluate re-identification risk on a recurring basis, account for external data sources, restrict downstream use, prohibit re-identification attempts, and apply technical controls such as differential privacy, synthetic data, aggregation, and formal risk testing where appropriate. The organizations best positioned for this next phase will treat identifiability as a spectrum, not a binary switch. In an AI-driven data ecosystem, “anonymous” is not the end of the privacy analysis. It is the beginning of a continuing risk management obligation.
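The “formal risk testing” and aggregation controls mentioned above can be made concrete. The following Python is an added example (not from the original post): it measures how identifiable a de-identified dataset is by its quasi-identifiers (k-anonymity and the share of records that are unique), estimates how many records an external list carrying the same attributes could link to a name, and then repeats the measurement after generalizing the quasi-identifiers. All records, names and the column set are constructed for illustration.

```python
from collections import Counter

# Constructed sample release (not real people): direct identifiers were removed,
# but zip code, birth year and sex remain and act as quasi-identifiers.
RELEASED = [
    {"zip": "02110", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02110", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"zip": "02111", "birth_year": 1979, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02118", "birth_year": 1991, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02119", "birth_year": 1991, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02111", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"zip": "02112", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02118", "birth_year": 1991, "sex": "F", "diagnosis": "flu"},
]

# Constructed stand-in for an external, publicly available list (e.g. a voter roll)
# that carries names next to the same quasi-identifiers.
EXTERNAL = [
    {"name": "Alice", "zip": "02110", "birth_year": 1984, "sex": "F"},
    {"name": "Bob",   "zip": "02111", "birth_year": 1979, "sex": "M"},
    {"name": "Carol", "zip": "02119", "birth_year": 1991, "sex": "F"},
    {"name": "Dave",  "zip": "02111", "birth_year": 1975, "sex": "M"},
    {"name": "Erin",  "zip": "02118", "birth_year": 1991, "sex": "F"},
]

QUASI_IDS = ("zip", "birth_year", "sex")  # assumed quasi-identifier columns


def qid_key(record, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values that an outsider could match on."""
    return tuple(record[q] for q in quasi_ids)


def class_sizes(records, quasi_ids=QUASI_IDS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(qid_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest equivalence class; k == 1 means some record is unique on its quasi-identifiers."""
    return min(class_sizes(records, quasi_ids).values())


def uniqueness_rate(records, quasi_ids=QUASI_IDS):
    """Fraction of records whose quasi-identifier combination appears only once."""
    sizes = class_sizes(records, quasi_ids)
    unique = sum(1 for r in records if sizes[qid_key(r, quasi_ids)] == 1)
    return unique / len(records)


def linkable_count(released, external, quasi_ids=QUASI_IDS):
    """Records that are unique in the release AND match exactly one external record,
    i.e. records an outsider holding the external list could attach a name to."""
    sizes = class_sizes(released, quasi_ids)
    ext_sizes = class_sizes(external, quasi_ids)
    return sum(
        1 for r in released
        if sizes[qid_key(r, quasi_ids)] == 1 and ext_sizes[qid_key(r, quasi_ids)] == 1
    )


def generalize(record):
    """Aggregation control: keep only the 3-digit zip prefix and the birth decade."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def risk_report(released, external):
    """Re-identification metrics before and after generalizing the quasi-identifiers."""
    gen_released = [generalize(r) for r in released]
    gen_external = [generalize(r) for r in external]
    return {
        "raw": {
            "k": k_anonymity(released),
            "unique_rate": uniqueness_rate(released),
            "linkable": linkable_count(released, external),
        },
        "generalized": {
            "k": k_anonymity(gen_released),
            "unique_rate": uniqueness_rate(gen_released),
            "linkable": linkable_count(gen_released, gen_external),
        },
    }


if __name__ == "__main__":
    for label, stats in risk_report(RELEASED, EXTERNAL).items():
        print(f"{label:12s} k={stats['k']} unique_rate={stats['unique_rate']:.2f} "
              f"linkable={stats['linkable']}")
```

On the constructed data the raw release has k = 1, half of its records are unique, and three of eight can be tied to a name with the external list; after generalization k rises to 2 and no record remains linkable. The point for a recurring review is that the “linkable” figure depends on which external lists exist, so the check has to be rerun as new public, breached or commercial datasets appear, not once at release time.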

June 15, 2026, was designated World Elder Abuse Awareness Day. One of the ways seniors are victimized is through financial scams. According to the Federal Trade Commission (FTC), “in 2025, [elderly] people reported losing about $16 billion to scams, compared to $12.8 billion the previous year. And because not everyone who experiences a scam reports it, this likely represents only a fraction of the actual amount lost.”

Imposter scams are one of the most common ways seniors become financial fraud victims. An imposter pretends to be someone else, such as a government agency, a bank, law enforcement, or a friend or family member, and contacts the victim by phone, text, email, or other messaging to obtain information that furthers financial fraud. Threat actors commonly pose as Internal Revenue Service agents and call the victim to say they are behind on their taxes and that if they don’t pay up immediately, something dreadful will happen. They use scare tactics to quickly obtain credit card information, cash, or personal information from the victim.

Awareness of imposter scams can prevent you from becoming a victim. Here are some tips to help you avoid them.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), the Department of Transportation (DOT), and the U.S. Department of Agriculture (USDA) recently issued an alert warning of malicious cyber activity targeting U.S.-based automatic tank gauge (ATG) systems. ATG systems are widely used throughout the Energy, Chemical, Food and Agriculture, and Transportation Systems Sectors for automated and remote monitoring of storage tank parameters, including fuel and liquid levels, temperature, and possible leak detection. The authoring organizations urge ATG owners and operators to defend against this malicious activity by securing their ATG systems with strong passwords and by removing them from the internet to reduce public exposure.

According to the alert, the recent malicious cyber activity “involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution.”

This means that cyber actors could “disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console.”

This would enable the threat actors to:

  • Alter system(s) attributes, such as network settings, product identifiers, tank volumes, and pump controls;
  • Compound operational malfunctions; components operating incorrectly could create a denial of view condition of tank fill levels, which could cause permanent damage to the tank system’s critical function;
  • Disable system alerts, reducing an operator’s ability to detect and mitigate system issues and increasing the risk of environmental or physical hazards from incidents such as leaks or relay failures.

The alert provides mitigation steps which should be implemented immediately.

On May 5, 2026, the parties in In re Doxim, Inc. Data Security Incident Litigation (E.D. Mich. June 13, 2024), filed a proposed $5.5 million class action settlement arising from a cyber incident involving Doxim, a software provider serving credit unions, wealth management service providers, and banking sectors in the United States and Canada.

Doxim detected suspicious activity on December 30, 2023, in the part of its network supporting credit union services. It later determined that files had been removed from its network and that those files included names, mailing addresses, account numbers, and/or Social Security numbers. Doxim began notifying affected individuals on approximately May 31, 2024.

In the litigation that followed, Plaintiffs alleged that Doxim failed to implement and maintain reasonable safeguards, failed to comply with industry-standard data security practices, failed to properly train employees, failed to timely detect the unauthorized access, and failed to timely notify impacted individuals. The proposed settlement class includes 1,100,911 individuals identified by Doxim’s records.

The case illustrates how a vendor incident can become a customer-data incident. If a service provider processes, stores, or transmits sensitive customer information, a breach at the service provider can still affect the organization’s customers and create risk around whether reasonable safeguards were in place, whether the vendor followed industry-standard security practices, whether employees were properly trained, and whether unauthorized access was timely detected and disclosed. For organizations using vendors to handle sensitive customer data, the diligence question is not only whether the vendor can perform the service, but whether it has appropriate safeguards for the data it receives.

A member of Kaiser Permanente, an integrated managed care consortium headquartered in Oakland, California, has asked a federal judge in Seattle to certify nationwide classes and California subclasses in a privacy lawsuit against Microsoft and Qualtrics over tracking technologies allegedly embedded in Kaiser’s website and patient portal. The plaintiff, identified as Jane Doe, claims that Microsoft’s Universal Event Tracking tool and Qualtrics’ website technologies secretly collected sensitive information from Kaiser members as they scheduled appointments, reviewed test results, searched health topics, and managed care through Kaiser’s online services.

The proposed classes would cover current and former Kaiser members whose health information or other private data was allegedly collected by Microsoft and Qualtrics without their knowledge or consent. The plaintiff is pursuing claims for invasion of privacy and intrusion upon seclusion, along with California-specific claims under the California Invasion of Privacy Act (CIPA) and Unfair Competition Law. In seeking class certification, she argues that the alleged collection practices were common across Kaiser’s website and treated users’ data in the same way, making the case appropriate for class-wide resolution.

The case is another reminder that litigation over pixels, tags, SDKs, and other website tracking tools in healthcare settings remains very active. Although the court previously narrowed the suit by dismissing certain claims, it allowed core privacy theories to proceed. The next major question is whether the plaintiff can show that the alleged data collection practices are sufficiently uniform across Kaiser users to support class treatment. For healthcare organizations and their vendors, the case underscores the importance of understanding exactly what third-party code collects, where that data goes, and whether the organization has a defensible basis for using those tools in patient-facing digital environments.

AI giant Anthropic has suggested that the world temporarily “pause” on AI development because of AI tools’ ability for “‘recursive self-improvement’– that is, being able to make better and more powerful versions of itself. Recursive self-improvement is a bugbear of AI safety researchers, viewed as the key step for AI to become superintelligent and therefore unleash widespread consequences on humanity.”

Anthropic’s post cautioned of a “trend” of increasing capability in its product Claude which, “taken far enough and given enough compute … points to an AI system capable of fully autonomously designing and developing its own successor.” As a result, there is a risk of “humans losing control over AI systems.”

Anthropic is proposing that “policymakers, researchers, civil society and other AI companies” collaborate and meet to “help answer some of the questions this piece raises.”

This warning follows on the heels of Anthropic’s previous warning about the capabilities of Mythos, causing it to pull its public release.

When an AI company warns the world that it needs to pay attention to the risk of technology, it is probably worth consideration.

AI governance is often discussed through the lens of policies, frameworks, and responsible AI principles. Those tools matter, but they are not where many of the most important AI decisions are actually being made. In practice, AI governance is increasingly happening in contracts. Vendor agreements now decide who can use data, whether customer inputs may be used for training, what rights exist around outputs, what evidence a vendor must provide, and when a customer can suspend or terminate use. Those are not just legal terms. They are operational controls.

This shift matters because AI contracts are moving from broad, aspirational language to more specific governance mechanisms. The most important example is training rights. Using data to provide a service is very different from using data to improve a model, and both are different from using that data to improve a model offered to other customers. When agreements blur those distinctions, they quietly allocate risk and value in ways that may not be obvious. Clear definitions of inputs, outputs, training, fine-tuning, and permitted use are now central to responsible AI contracting.

The practical takeaway is simple: if you want to understand an organization’s AI governance posture, read its contracts. Strong agreements do more than prohibit risky conduct. They create verifiable controls, event-based audit rights, traceability, escalation paths, and clear permissions. In many cases, better contracts can move deals faster because they give legal, security, procurement, and business teams concrete terms to evaluate. AI governance has not disappeared. It has moved into the agreement, and that is where organizations need to focus their attention.

For organizations of all types and sizes, the next step is to treat AI contract review as a core part of AI governance, not a back-end procurement exercise. Before adopting or renewing an AI tool, make sure the agreement clearly answers the key governance questions: what data can be used, for what purpose, with what limits, and with what accountability if something goes wrong.

I apologize that this post is not light reading. It’s critically important to know what the threats are so you can avoid becoming a victim.

Although disconcerting, it is crucial to know what has happened in the first half of this year. TechCrunch recently issued a report outlining the worst breaches of 2026—so far:

  • DOGE’s massive swipe of Social Security data (I’ve discussed this in numerous posts)
  • Hackers increased targeting of water systems and energy grids (discussed here)
  • Iranian government hackers attacking Stryker with a destructive device hack (ditto)
  • ShinyHunters’ disruptive hacking campaign against Instructure, among other targets (ShinyHunters has been a frequent subject of our posts)
  • The supply chain under attack, targeting open-source projects and big tech companies
  • FBI’s surveillance system breach, sparking a “major cyber incident”
  • Hasbro’s hack leading to weeks of downtime
  • Exposure of millions of passports and driver licenses

What can we learn from these trends?

According to TechCrunch, “the attacks are getting bolder, more destructive, and harder to contain.” The trends confirm that as technology advances, so must defenses. Cybersecurity measures must be sophisticated enough to block attackers so they will move on to the next victim. A mature cybersecurity posture, both personally and professionally, must be a priority to prevent becoming victimized. In a world of geopolitical discontent, cyber attackers serve as warriors for nation states, and at the same time, our own government is failing to protect our data and our warriors’ data. Unfortunately, the Cybersecurity and Infrastructure Security Agency’s funding has been decimated, so we are left to our own devices (pardon the pun).

We need to take greater responsibility for protecting our own information while demanding stronger safeguards from our government, especially for the sensitive data of current and veteran military personnel. Additionally, private companies must also do more to prevent exposure. Robust cybersecurity programs across individuals, government, and the private sector are essential. This is no longer a future concern; it is reality. Without collective action, the second half of 2026 will bring more of the same.

A new report by Wired states that customer data from “more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.” According to the report, travelers’ information and booking data may have been stolen from the hotels and are being used by threat actors to launch socially engineered phishing schemes.

These scams are effective because they exploit trusted brands and impersonate legitimate guest relations professionals. Victims are contacted about travel they have booked—or plan to book—through messages that appear to come from a hotel, reservation platform or guest services team. These messages often include accurate booking details to build credibility and redirect the victim to a fake guest portal or payment verification page. The victim is told there is an issue with payment and that the booking will be cancelled in the next 24-48 hours if it is not resolved. Once redirected to the fake guest portal or payment verification page, the victim is prompted to enter their credit card information which is transmitted directly to the threat actor. In many cases, victims do not realize they have been targeted until weeks or months later.

Here is a great summary of how the scam works if you want more information.

Tips to prevent becoming a victim include:

  • Do not respond directly to unsolicited emails, phone calls, texts, or instant messages. If you’ve received a request for additional payment or payment information, reach out to the company you booked through directly via information on their website or in your booking confirmation.
  • Watch out for pressure tactics. Legitimate businesses do not call or send text messages pressuring you to act immediately. They also will not demand payment with a different payment method from the one you used to book your reservation.
  • Secure your accounts after a breach. If you receive a notice that you were impacted by a data breach, take the time to change your passwords and check for suspicious activity, like unauthorized payments or logins. Setting up two-factor authentication can also help to better protect your accounts.