Carnival Corporation & plc disclosed on May 27-28, 2026 that a cybersecurity incident detected on April 14, 2026 compromised an employee (or third‑party) account via social engineering, allowing an unauthorized actor to access and copy customer files. In a breach notice filed with Maine authorities the company said 5,995,277 people were impacted; outside researchers and the ShinyHunters hacking group have claimed larger exfiltrations (up to 8.7 million records). Exposed data may include names, contact details, dates of birth, loyalty programme information and government‑issued ID numbers such as passports and driver’s licences; some reports say Social Security numbers may be involved in individualized notifications. Carnival said it blocked the unauthorized activity, engaged third‑party forensic experts, began notifying affected individuals from May 27 and is offering eligible U.S. customers two years of free credit monitoring through TransUnion. The company said it has strengthened monitoring and security controls and urged those notified to watch accounts and report suspected identity theft.

California Attorney General Rob Bonta sued Chrome Holding Co. (formerly 23andMe) on May 28, 2026 in San Francisco Superior Court, alleging the company failed to protect sensitive customer genetic and personal data in a prolonged 2023 breach. Prosecutors say the attack began in April 2023, lasted about five months and ultimately exposed information tied to roughly 6.9–7 million U.S. customers, including about 856,000 Californians. The complaint accuses the company of ignoring warning signs, downplaying the severity of the incident and failing to guard against a credential-stuffing attack that initially accessed about 14,000 accounts and then exploited a vulnerability to harvest wider datasets—raw genetic data, health reports, DNA-relatives information, ancestry and birth-year/location details. Bonta is seeking civil penalties under California’s Genetic Information Privacy Act and consumer protection laws. The lawsuit adds to litigation and regulatory fallout following 23andMe’s March 2025 Chapter 11 filing, a federal settlement fund of $30–50 million for U.S. claimants, a £2.31 million UK ICO fine, and last year’s asset purchase by a nonprofit tied to co-founder Anne Wojcicki for $305 million.

Researchers from Graz University of Technology have demonstrated a new browser-based side-channel attack, dubbed FROST (Fingerprinting Remotely using OPFS-based SSD Timing), that can infer which websites and desktop apps are active by observing tiny timing fluctuations on a machine's SSD. The method runs as JavaScript on a webpage and leverages the Origin Private File System (OPFS) to create and repeatedly read a large local file; contention on the SSD produces measurable latency shifts that a trained convolutional neural network can map to specific sites or apps. In lab tests—including a full demonstration on an Apple M2 system—the team reported classification performance near 89% for visited websites and about 96% for certain macOS apps (F1 scores ~88.95% and ~95.83%). The attack works across different browsers and does not require downloads, permissions or elevated privileges, though it needs the malicious tab to remain open and a large OPFS file that may be noticeable. The researchers disclosed findings to Google, Apple and Mozilla; vendors have not committed to immediate fixes. The study is scheduled for presentation at DIMVA in July 2026. No evidence of FROST in the wild has been reported so far.

IBM and its Red Hat unit on May 28 unveiled Project Lightwell, a $5 billion initiative that combines AI tools and a global force of roughly 20,000 engineers to identify, validate and deploy fixes for vulnerabilities in open-source software used by enterprises. Described as an “enterprise clearinghouse,” the service will let firms confidentially report security flaws, receive tested patches backported to exact dependency versions and integrate those fixes into existing software supply chains. IBM said it piloted the model with major financial institutions including Bank of America, JPMorgan Chase, Goldman Sachs, Visa and Mastercard and expects to launch Project Lightwell as a commercial subscription within about 30 days. Initial technical focus will include Java/Maven with plans to expand to PyPI, npm and Go. IBM positions the effort as a response to acceleration in AI-driven vulnerability discovery — citing recent projects that surfaced thousands of high‑severity flaws — and says the clearinghouse will also coordinate upstream disclosure so fixes reach open-source communities.

The UK’s signals intelligence agency, GCHQ, announced plans to build an AI-powered national cyber shield designed to detect and respond to threats across critical national infrastructure, airlines, telecoms and major companies. Director Anne Keast-Butler said the agency has developed a blueprint to hardwire agentic AI into machine-speed cyber defence and aims to have the capability operational within five years. The system would use autonomous AI agents to identify and repair vulnerabilities in energy, water, healthcare, transport and financial services, and to speed foreign-language translation and data analysis. Keast-Butler framed the programme as a response to intensified hybrid operations from Russia and China’s emergence as a tech superpower, warning that frontier AI can both reveal thousands of software vulnerabilities and be used offensively. The Cabinet Office has invited leading AI firms to collaborate and GCHQ stresses responsible, ethical integration and sovereign IT management. Officials cited recent high-cost incidents such as the Jaguar Land Rover outage and urged businesses to adopt quantum-resistant encryption as quantum computing looms.