Published
June 19, 2026
Updated
June 20, 2026
Some Numbers Are Hacker Claims · Not All Confirmed
Several figures below come from the attackers' own extortion posts and have not been confirmed by the affected company. Where that is the case, we say so and lead with the company-confirmed count instead. Counts can also mean records, accounts, or households rather than unique people. This page is informational and is not legal advice.
June 2026 was one of the worst months for data security in recent memory — a single threat actor, ShinyHunters, sat behind a string of the largest disclosures, while a missing hard drive in Japan rounded out one of the busiest breach months on record.
Why June 2026 Was Such a Heavy Breach Month
Barely a week went by in June 2026 without a major company confirming that customer or employee data had been stolen. This roundup covers the biggest data breaches newly reported or updated between June 1 and June 19, 2026, ranked by the largest credible victim or record count.A word on the numbers. Several of the headline figures this month come from the attackers' own extortion posts, and a hacker's claim is not the same as a confirmed count — so throughout this roundup we lead with the company-confirmed figure and clearly label anything that is still just an allegation. We also note when a count actually means records, accounts, or households rather than unique individuals, because those are very different things. For the breaches that have already reached a settlement you can act on, see our running list of open data breach class action settlements.
Reporting Window
June 1–19, 2026
Newly reported or newly updated incidents
Dominant Threat Actor
ShinyHunters
Tied to Charter, Carnival, DentaQuest, Kodak, Nottingham & Infinite Campus
Can I Claim?
Usually not yet
Most cases are brand-new; see our open data breach settlements for claimable ones
The Largest June 2026 Data Breaches, Ranked
The incidents below are ordered by the largest credible victim or record count reported through June 19, 2026. Where a case has already reached a payout, we track it on our data breach settlements hub.1. Charter Communications / Spectrum
~4.9M accounts confirmed · up to 42M records (hacker claim)ShinyHunters claimed it stole 40–42 million customer and business records, but that figure exceeds Charter's entire U.S. customer base, so it should be read as an allegation. The company-confirmed and notified figure is roughly 4.9 million accounts. Charter confirmed a cybersecurity incident but disputes that highly sensitive customer data was taken. The attack traces to the voice-phishing of an employee account that enabled a Salesforce data export — the same playbook seen in the Salesforce-customer breach wave. The first proposed class action was filed June 1, 2026, with more pending.
2. Kyushu Electric Power Transmission and Distribution
Up to 10.9M customer records · records, not unique peopleAn unencrypted storage drive holding customer data went missing from a server room — a lost-media incident rather than a hack. The exposed information reportedly included names, service addresses, phone numbers, and electricity-usage data; no bank-account or payment-card data was stored on the drive. Disclosed around June 8, 2026, it may be one of the largest personal-data losses in Japanese history.
3. Carnival Corporation
5,995,277 people confirmedAn employee account was compromised through social engineering, in an attack attributed to ShinyHunters. Exposed data may include names, contact details, dates of birth and, for some passengers, passport or driver's-license information. At nearly 6 million people, this is the largest clearly confirmed U.S. consumer breach announced in the window; the attacker's separate 8.7-million-record claim is unverified.
4. Texas Parks and Wildlife (license-system vendor)
3M+ customers (TPWD figure)Texas Parks and Wildlife (TPWD) said Texas Cyber Command detected a breach at the third-party vendor that runs its hunting and fishing license system, and that an unauthorized person may have obtained data on more than 3 million license customers — driver license information, passport numbers when provided, email addresses, phone numbers, and home addresses. TPWD says Social Security numbers, dates of birth, and financial or credit-card data were not taken, and it has not named the vendor. Affected customers are offered one year of free Kroll credit monitoring, with enrollment open through September 14, 2026. See our full Texas Parks and Wildlife data breach report.
5. DentaQuest
2.6M membersThe dental-benefits administrator, part of Sun Life, confirmed unauthorized network access in early June 2026. The leaked dataset reportedly contains names, addresses, dates of birth, phone numbers, government-issued IDs, and health-insurance information. About 234 GB of data was reportedly published by ShinyHunters after extortion negotiations failed.
6. Kodak
2.2M+ records (hacker claim — unconfirmed)Kodak confirmed that an unauthorized party accessed a limited amount of company data. ShinyHunters claims it stole more than 2.2 million customer records and corporate files, but it has not released proof, and Kodak has not confirmed the count or exactly what personal information was affected. The 2.2-million figure should be treated as an allegation, not a confirmed victim count.
7. UN World Food Programme
~600,000 Gaza households · households, not individualsThe UN agency confirmed exposure of sensitive beneficiary information, including names, ID numbers, mobile numbers and household or location details. The roughly 600,000 figure is largely a researcher and press estimate, and it counts households — so the number of individuals affected could be considerably higher. It may be one of the largest known compromises of humanitarian-aid recipient data.
8. IMA Diligence Services
525,306 people confirmedFiles were reportedly stolen from a legacy server managed by a third party. The exposed data reportedly includes names, addresses, Social Security numbers, government IDs, financial-account information, and some health and insurance data. The incident occurred in December 2025, but notifications went out in the late-May and June 2026 window. The Genesis ransomware group claimed responsibility.
9. University of Nottingham
~454,600 student/alumni records · dataset countThe university confirmed unauthorized access to its student-record system. Reported data includes names, addresses, phone numbers, dates of birth, passport numbers, disability information, and fee-payment details. The breach is tied to the June 2026 wave of attacks exploiting Oracle PeopleSoft environments, again linked to ShinyHunters. The 454,600 figure comes from the attacker-published dataset, in which current and former students may overlap.
10. Lansing Community College
174,307 people confirmedThe college is notifying former and current students and employees. Attackers reportedly entered through compromised credentials in February 2025, and the exposed data can include names, addresses, dates of birth, driver's-license numbers and Social Security numbers. The breach was disclosed publicly on June 5, 2026 — roughly a 16-month gap.
11. Infinite Campus
~137,000 staff email accounts · unique emailsPersonal information belonging mainly to school staff, rather than students, was taken through a Salesforce-related attack — part of the same ShinyHunters extortion campaign. The data centers on email addresses, names, phone numbers, addresses and support-ticket content, and Infinite Campus characterized much of it as directory information. The attack occurred in March 2026, but the roughly 137,000 unique-email count became public in mid-June.
Major June Incidents Without a Reliable Victim Count
Some of the month's most serious incidents have no confirmed headcount yet — either because the company is still investigating or because the only large number on offer is the attacker's.Novo Nordisk
~11,500 trial participants confirmed (pseudonymized) · 1.3TB (hacker claim)An extortion group calling itself "FulcrumSec" claims it took about 1.3 TB across more than 700,000 files, including drug research, employee and physician data, source code, and clinical-trial information. Novo Nordisk confirmed unauthorized access and that data on roughly 11,500 clinical-trial participants was involved — but that data is pseudonymized (trial IDs rather than names), and the company has not verified the attackers' broader claims. It was disclosed June 11, 2026, and a $25 million ransom demand was rejected. A second, unverified claimant should be treated skeptically.
ServiceNow
Count not disclosed · per-customer-instance impactAttackers exploited an unauthenticated API issue to query data from customer instances, potentially exposing IT tickets, employee records, asset inventories, and embedded credentials. The malicious activity occurred June 2–3, 2026, with a fix applied to hosted instances by June 5. The total number of affected organizations or individuals has not been disclosed.
iRhythm
Count not announced · patient health informationThe cardiac-monitoring company confirmed, via an SEC filing, that patient personal and health information was taken from third-party-hosted business applications. No payment-card data was involved, and clinical and medical-device systems and patient safety were reportedly unaffected. It was discovered June 8, 2026, and no total victim count has been announced.
The Through-Line: ShinyHunters
The single biggest factor in June 2026 was the cybercrime group ShinyHunters, which sat behind the Charter, Carnival, DentaQuest, Kodak, University of Nottingham, and Infinite Campus disclosures. The group's two favorite techniques this year have been voice-phishing employees to export Salesforce data and exploiting Oracle PeopleSoft environments. If you received a breach notice this month, there is a good chance the same actor was involved — which is also why so many of these cases share the same exposed-data profile (names, contact details, government IDs, and in several cases Social Security numbers).What Was Exposed — and Why It Matters
Across these incidents, the most commonly exposed data points were names, contact information, dates of birth, government-issued ID numbers, and — in the IMA, Lansing, and several other cases — Social Security numbers. That combination is exactly what enables identity theft, fraudulent account opening, and targeted phishing. For a plain-English breakdown of what counts as sensitive data, see our explainer on personally identifiable information (PII), and browse the data breach class actions where that same kind of data was exposed.What Consumers Can Do Now
If you received a data breach notification letter from any company named above, consider taking the following steps:• Monitor your credit reports: Check all three bureaus (Equifax, Experian, and TransUnion) for unauthorized accounts or inquiries.
• Place a fraud alert or credit freeze: A fraud alert makes lenders verify your identity; a freeze blocks new accounts from being opened.
• Enroll in any free monitoring offered: Several affected companies are providing free credit monitoring and identity protection.
• Watch for phishing: Scammers use stolen details to craft convincing emails, texts, and calls. Be cautious with unsolicited messages asking for personal information.
• Check whether a claim exists: Most June 2026 breaches are in brand-new litigation with nothing to file yet. For the cases where a claim window is actually open, see our list of open data breach settlements.
Stay Updated
Data breaches are being disclosed almost weekly. To keep up with new breaches and the class action settlements you may be eligible for, sign up for the OpenClassActions.com newsletter below.Free settlement alerts
Get notified when new class actions open to claims
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.
For more class actions keep scrolling below.
