June 2026 saw a new surge in data breaches that are still developing at the time of this writing, along with a plethora of other cybersecurity news headlines. Between yet another massive campaign by the infamous ShinyHunters hacker collective and significant regulatory movement in the U.S. government, on top of many other cyber incidents, this month provided a whirlwind of emerging developments. SWK Technologies has collected five of the top stories here to help you with the latest security news:
ShinyHunters Hacked Hundreds Leveraging Oracle Bug
The ShinyHunters cybercrime group claimed to have compromised the Oracle PeopleSoft servers of more than 100 organizations, with the bulk of victims identified as colleges and universities. A ShinyHunters member shared a message the group sent to one of the affected schools, in which they claimed to have stolen hundreds of thousands of student records containing names, home addresses, phone numbers, emails, dates of birth, ethnicity, enrollment status, GPAs, majors and student IDs.
Google Threat Intelligence Group and Mandiant attributed the activity to UNC6240, the cluster they associate with ShinyHunters, and dated the campaign between May 27 and June 9, 2026. Researchers notified more than 100 global organizations whose internet-facing endpoints appeared exposed, with 68 percent of them in higher education, and confirmed that data from compromised victims was being published on the ShinyHunters data leak site. The exploitation activity aligned with CVE-2026-35273, a critical remote code execution flaw in the Environment Management component of PeopleSoft Enterprise PeopleTools 8.61 and 8.62 that can be triggered over the internet without authentication.
Oracle published a security advisory on June 10, 2026, the day attacks were publicly reported, urging immediate mitigations and noting that supported versions of PeopleTools were the only ones tested for the flaw – though earlier, unsupported versions were also assumed to be vulnerable. This campaign adds onto a year-long pattern observed from ShinyHunters, in which they have hunted for shared vulnerabilities in widely deployed enterprise software, including previous attacks against customers of Salesforce, Salesloft Drift and Snowflake, as well as the Instructure Canvas breach in May.
US SECURE Data Act Stalled in Congress
A proposed federal data privacy bill is at a standstill in the U.S. House of Representatives after a contentious legislative hearing this month. The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, abbreviated as the SECURE Data Act and tracked as H.R. 8413, was introduced by Rep. John Joyce, R-Pa., on April 22, 2026, as the product of the House Energy and Commerce Committee’s Privacy Working Group. The bill was the subject of a June 3 hearing before the Subcommittee on Commerce, Manufacturing, and Trade, where members split along party lines over its provisions.
If passed, the SECURE Data Act would establish the first comprehensive federal consumer data privacy framework in the U.S., placing it on rough par with regional regulations such as the EU’s GDPR and creating obligations that overlap with several existing federal sectoral laws. Its core provisions cover several areas of business activity:
- Preemption – The bill would preempt state laws that “relate to” its provisions, including all 21 existing state consumer privacy laws, while preserving COPPA, GLBA, HIPAA and FERPA.
- Enforcement – The Federal Trade Commission and state attorneys general would share enforcement authority, and the bill includes no private right of action for consumers.
- Data broker registry – Data brokers earning more than 50 percent of revenue from selling personal data would be required to register annually with a new FTC public database.
- Teen data – Personal data of teens ages 13 through 16 would be classified as sensitive data requiring verifiable parental consent, expanding beyond the current COPPA threshold of under 13.
Critics including the Electronic Privacy Information Center (EPIC) have argued that the bill is weaker than most existing state privacy laws and that its preemption language is unusually broad, while industry groups including the U.S. Chamber of Commerce have voiced support for a single national standard. Bipartisan attempts at federal privacy legislation have stalled repeatedly over the past decade – including the American Privacy Rights Act in 2024 and the American Data Privacy and Protection Act the year prior – and experts say that the SECURE Data Act faces the same fault lines around preemption and private rights of action that derailed those efforts.
ShinyHunters June 2026 Victims Include Kodak, Amazon and MSG
Beyond the PeopleSoft campaign, ShinyHunters claimed several additional high-profile victims in June 2026, with the gang running multiple parallel extortion tracks rather than working sequentially. Eastman Kodak confirmed an unauthorized third party briefly accessed a limited amount of company data after the group listed the company on its leak site on June 15 and threatened to publish more than 2.2 million records of customer personally identifiable information and internal corporate files by a June 18 deadline. The same week, ShinyHunters posted a 45 GB archive of data tied to Madison Square Garden Sports after the company reportedly declined to pay, with the release dropping just days after the Knicks captured the NBA Finals.
The MSG dump included customer correspondence, ticketing data and internal “talent” files that classified high-profile individuals with fields such as address, claim to fame, cost of talent and risk rating, prompting at least one negligence lawsuit in the U.S. District Court for the Southern District of New York. ShinyHunters separately claimed to have stolen 8.8 terabytes of data from Amazon’s One Medical and more than 429,000 documents from the Council of Europe, including payroll, HR and medical files. One Medical acknowledged that an unauthorized person accessed a third-party file-storage system used to retain archived records for One Medical Seniors, the legacy Iora Health business it acquired in 2021.
ShinyHunters has remained one of the most disruptive cybercrime brands of the past two years, surviving arrests, the BreachForums takedown in January 2026 and the conviction of its alleged founder Sébastien Raoult in 2023. The group has been linked to or has claimed responsibility for breaches at AT&T, Banco Santander, Ticketmaster, PowerSchool, Jaguar Land Rover and the University of Nottingham, with researchers describing it as part of a broader cybercrime supergroup whose members overlap with Scattered Spider and LAPSUS$. The FBI also issued a public service announcement on May 15, 2026 warning of follow-on extortion tied to the same actors and reiterating its standing guidance that affected businesses should not pay ransoms.
Trump Releases Executive Order on AI Security
President Donald Trump signed an Executive Order on June 2, 2026, titled “Promoting Advanced Artificial Intelligence Innovation and Security,” directing federal agencies to coordinate on a new framework for evaluating frontier artificial intelligence (AI) models for cybersecurity risk. The EO instructs the Secretary of the Treasury, the Director of the National Security Agency through the Secretary of War, and the Director of CISA through the Secretary of Homeland Security to design a voluntary framework within 60 days through which AI developers can submit advanced models to the federal government up to 30 days before release. It also calls for an AI cybersecurity clearinghouse within 30 days to coordinate vulnerability scanning, validation and patch distribution across the private sector and critical infrastructure operators.
The EO specifically bars its language from being read as a mandatory pre-clearance requirement for AI developers, and David Sacks – former White House advisor and current venture capitalist – posted on X that the voluntary framework would apply only to models representing a meaningful step-change in cyber capabilities rather than incremental version updates. Federal News Network reported that the executive action came in response to advancements in newer AI models, particularly Anthropic’s Claude Mythos preview, which demonstrated the ability to outpace human researchers at identifying and exploiting cyber vulnerabilities. The shift represents a notable departure from the Trump administration’s earlier hands-off posture on AI development, established in January 2025 with EO 14179 and continued through the AI Action Plan released in July 2025.
The relationship between the White House and Anthropic has been a constant background factor in the LLM federal regulation conversation after the administration used export-control authorities to pull a finished commercial model offline earlier in June, ahead of any formal regulatory framework being in place. Politico reported on June 18 that the two sides have since begun drafting a joint risk framework that would guide future intervention, with security researchers and analysts warning that traditional cybersecurity frameworks were built for predictable systems and that AI changes the operational rules.
Nintendo Employee Data Exposed via Third-Party Breach
Nintendo of America confirmed that internal employee survey data was stolen in a cyberattack targeting TinyPulse, a third-party employee engagement platform owned by WebMD Health Services. The company stated that its own systems were not compromised and that no customer or financial data was accessed, characterizing the incident as limited to internal survey content for a small subset of employees, with most of the records dating back several years. The breach was claimed by an extortion-as-a-service group calling itself Shadowbyt3$, which has been active since October 2025 and has a comparatively limited public victim list.
Shadowbyt3$ initially demanded a $2 million ransom from Nintendo on June 12, then shifted its demand directly to TinyPulse on June 14 after Nintendo declined to engage. When the secondary June 16 deadline passed without payment, the group began posting sample files. The claimed dataset reportedly includes employee names, email addresses, analytics and survey records, bank statement PDFs and W-9 tax forms with employee IDs spanning 2016 through early 2026 – categories that, if authentic, carry meaningful identity theft and tax fraud exposure for the named individuals. Nintendo previously disclosed unrelated breaches in 2020 affecting roughly 160,000 player accounts, and was also peripherally exposed in a 2024 leak of internal materials from The Pokémon Company.
The Nintendo incident reflects a growing pattern across many high-profile breaches in recent years – attackers will target many businesses and non-profit organizations through their vendors, particularly through privileged external access or remote connections through the software supply chain. Federal regulators have long flagged third-party access as one of the most consistently exploited paths into otherwise hardened environments, with FINRA highlighting third-party provider risk in its standing cybersecurity advisories and Verizon’s 2026 Data Breach Investigations Report continuing to identify vendor-mediated intrusions as a leading attack pattern. Building vendor management and third-party oversight into your security and compliance program is no longer optional for businesses handling regulated data.
Discover More Cybersecurity News from 2026 with SWK Technologies
These stories represent only a fraction of the cyber incidents and other security developments emerging in June 2026, with multiple events occurring simultaneously and the aftermath of many are still being revealed at the time of this writing. Tracking the steady stream of attacks, vulnerabilities and regulatory shifts is challenging for any internal IT department, but SWK Technologies will help your team stay on top of the latest threats and improve your security posture accordingly.
Contact SWK here to discuss what these developments could mean for your business and your approach to cyber risk in the second half of 2026.