Halfway through 2026, cybersecurity has stopped functioning as a technology beat and started functioning as a geopolitics beat. The same infrastructure that runs power grids, schools, hospitals and identity verification has become the primary theatre where state conflict, ransomware economics and government restructuring now converge.
The Social Security database and the DOGE question
The most consequential breach of the year may be one whose scope is still contested. In a whistleblower complaint, Chuck Borges, then the Social Security Administration’s chief data officer, alleged that operatives from the Department of Government Efficiency uploaded a live copy of the agency’s NUMIDENT database — the identifying records of every American who has ever held a Social Security number — to a cloud server without independent oversight. The agency has said it is not aware of any compromise and that the data remains walled off from the internet.
The framing is what makes it unusual: such an exposure would not be the product of an external adversary but of an internal restructuring effort empowered to move fast across agency firewalls. The risk here is structural, not intrusive — the data was allegedly moved into a weaker environment by people who were authorised to touch it.
Nation-state attacks move from espionage to destruction
The second structural shift is the normalisation of destructive attacks on civilian targets. In March, an Iran-linked group calling itself Handala wiped roughly 80,000 employee devices at the U.S. medical technology firm Stryker, exploiting the company’s own Microsoft Intune management console rather than deploying malware. Security researchers including Palo Alto Networks and Sophos have tied Handala to an arm of Iranian intelligence, and U.S. prosecutors later moved against the actors and seized domains used to leak stolen data.
The operation signalled a tactical shift: an Iran-aligned actor moving from hack-and-leak espionage toward openly destructive retaliation against a healthcare supplier, in the wake of the U.S. and Israeli military campaign against Iran. It also underlined how exposed the water and healthcare sectors remain — among the least defended layers of the critical infrastructure stack.
Canvas, ShinyHunters, and the return of finals-week extortion
The third story unfolded not in a power plant but in a classroom. In May, students logging into the Canvas learning platform were met instead with a ransom message from the extortion crew ShinyHunters, which had defaced hundreds of school login portals after breaching Canvas’s parent company, Instructure. The timing was deliberate: the outage landed during final exams at universities across North America, locking students out mid-assessment and forcing some schools to reschedule or cancel finals.
ShinyHunters claimed to have stolen data tied to hundreds of millions of students and staff across roughly 9,000 institutions, making it one of the largest education-sector breaches on record. Instructure later said it reached an agreement with the actor and that the data had been destroyed — a claim security researchers treat with caution. The pattern is consistent: extortion groups target data-rich platforms, apply maximum public pressure at the worst possible moment, and escalate when victims hesitate.

The supply chain remains the softest layer
Underneath these headline events is the same recurring weakness: the supply chain. A single dormant credential from a years-old integration can cascade through the corporate world, and English-speaking threat actors using voice phishing to impersonate IT support have driven several of the year’s largest record-count breaches across internet providers, cruise lines and educational platforms.
Open-source components have fared no better. Security tooling itself has become a preferred vector, with compromised packages propagating malware into the downstream users who trusted them. The attackers are rarely breaking in through the front door; they are logging in through a partner’s.
The identity-verification paradox
Sitting underneath all of it is a policy contradiction worth naming, and it is the connective tissue the headlines miss. Governments across the U.S., U.K. and Europe are expanding age-verification and know-your-customer mandates that require citizens to hand over passports and driver licences to access more of the internet. In the same six-month window, hotel systems, remittance apps, prison service providers and visa services have exposed identity documents through basic misconfigurations.
The structural incentive is clear: regulators demand more identity data be collected, corporations comply because non-compliance carries fines, and the resulting honeypots become the next breach. Personal data moves through a global supply chain that no single regulator controls. The 2026 breach ledger — a wiped medical firm, a hijacked exam platform, a nation’s Social Security file on a weak server — is what that architecture looks like when it fails at scale.
















