Skip to main content
Emerging ThreatsData Breaches

Multiple Breaches Expose Millions in June

Empty seats and scattered devices in a large public venue's ticketing area.

More than 26 million records were at stake when a threat actor group said it would publish Madison Square Garden data unless a ransom demand was met.

Madison Square Garden and the ShinyHunters ultimatum

According to reporting, the threat actor group ShinyHunters claimed it had hacked data tied to Madison Square Garden and asserted it would expose more than 26 million records if the ransom was unpaid. When the company and the group failed to reach an agreement, the data was exposed. The episode is notable not only for the size of the dataset cited but for the negotiation dynamic described: an explicit demand, a public claim of impending disclosure, and a subsequent release after the parties did not come to terms.

Kodak confirms breach after ShinyHunters claim of 2.2 million records

ShinyHunters also said it had stolen 2.2 million records from Kodak. Kodak confirmed it had been breached. The pair of incidents tied to the same threat actor group — one affecting an entertainment venue operator and the other a manufacturing firm — underscores the breadth of targets the group has identified in recent reports.

Oxford University: career support platform breach

Oxford University experienced a breach of its career support platform that may have exposed certain users' names, emails and encrypted passwords. A third-party provider notified the university of the incident, and on June 1 the university released a statement. The details released by the university, as reported, focus on contact information and encrypted credentials rather than on academic records or financial data.

Novo Nordisk: internal IT systems compromise and deidentified patient data

Danish pharmaceutical organization Novo Nordisk experienced a breach of internal IT systems that compromised patient and healthcare provider (HCP) data. The reporting notes that the patient data was deidentified, but observers cautioned that deidentification is not an absolute safeguard; experts warned that the incident is still “not without risk,” emphasizing the possibility of targeted attacks despite removal of direct identifiers.

Rochester Regional Health: notification letters and the problem of trust

Rochester Regional Health notified 18,600 patients about a breach of data. However, many of those patients reportedly discarded the notification letters because they looked like a scam. That reaction introduces a secondary harm: efforts to alert affected individuals can fail if the notices cannot be distinguished from malicious communications, leaving people uninformed about potential exposures to their personal information.

Texas Parks and Wildlife Department: licenses may be impacted

The Texas Parks and Wildlife Department revealed that hunting and fishing licenses of Texas customers may have been impacted by a data breach. Reports indicate more than 3 million may be impacted. The agency’s disclosure highlights the reach of breaches into state services and routine consumer records that many Americans assume are low-risk.

Across these six incidents, a handful of consistent threads run through the facts as reported: third-party notifications (Oxford), large-scale claims and disclosures by a named threat actor (ShinyHunters), deidentified but potentially vulnerable patient data (Novo Nordisk), and challenges in effective notification when alert letters are dismissed as scams (Rochester Regional Health). Each episode, taken on its own, raises operational and reputational questions; taken together, they sketch a month in which both private and public-sector datasets were contested in public.

The record supplied here leaves several concrete questions in plain view: how many records were actually exposed in each case versus the numbers claimed; what follow-up steps were taken to harden systems after the intrusions; and whether affected organizations changed their notification methods after letters were discarded by recipients. Those are the immediate next facts to watch, because they determine whether an incident remains an abstract number or becomes a continuing harm to the people whose data was entrusted to these organizations.

Original reporting: https://www.securitymagazine.com/articles/102357-6-data-breaches-to-know-about-june-2026