March 2026 marks a turning point in data breach severity, regulatory enforcement, and the growing consequences of ignoring compliance obligations. The month's defining story is Conduent, an obscure but massive government contractor whose systems handle Medicaid, SNAP, and other benefit programs for more than 30 states. After the SafePay ransomware group spent three months inside Conduent's network, they exfiltrated 8.5 terabytes of data affecting over 25 million Americans, including Social Security numbers, medical records, and health insurance details. Oregon (10.5 million) and Texas (15.4 million) alone account for the majority of victims, making this potentially the largest government-related data breach in U.S. history.
On the enforcement front, California delivered the largest CCPA fine ever: a $2.75 million settlement with The Walt Disney Company for systematically failing to honor consumer opt-out requests across its streaming platforms. The case sends a clear message: compliance theater, where companies offer opt-out buttons that don't actually work across devices, will be punished.
Ransomware groups continued their global campaign with Lapsus$ targeting luxury brand Lacoste and the Qilin group claiming Malaysia Airlines passenger and operational data. The VECT ransomware group hit Indian manufacturer USHA International, compromising employee records, CRM data, and SAP databases. The pattern is unmistakable: no industry, no geography, and no size of organization is safe.
Important (breach severity alert): The Conduent breach affects Americans who receive or have received government benefits (Medicaid, SNAP, child support, transit benefits) in over 30 states. If your organization processes government benefit data, handles state agency contracts, or serves as a vendor to government programs, review your security posture immediately. Disney's $2.75M CCPA fine signals that regulators are now testing whether opt-out mechanisms actually function across all platforms and devices. If your website has opt-out toggles or processes Global Privacy Control (GPC) signals, verify they work universally, not just per-device.
Conduent: 25 Million Americans' SSNs Stolen from Government Contractor
Breach at a glance
• Victim: Conduent Business Services, one of the largest government contractors in the United States
• Breach Duration: October 21, 2024 to January 13, 2025 (approximately 3 months of unauthorized access)
• Records Exposed: Over 25 million individuals across 30+ states
• Threat Actor: SafePay ransomware group
• Data Exfiltrated: 8.5 terabytes
• Notifications: Began October 2025, expected to complete by April 15, 2026
Data exposed
• Social Security numbers
• Names and dates of birth
• Addresses
• Medical records and health insurance details
• Treatment information
• Government benefit enrollment data (Medicaid, SNAP)
Conduent services affected
• SNAP (food stamp) benefit disbursement across dozens of states
• Child support payment processing
• Public transit fare systems
• Government payroll and HR systems
State-level impact
• Oregon: 10.5 million records exposed (exceeds the state's entire population of 4.2 million, because the data includes anyone who received Oregon-administered benefits)
• Additional states: Conduent operates in 30+ states; full state-by-state disclosures are still being released
Timeline
• January 2025: Conduent detects and expels attackers (3-month dwell time)
• February 2025: SafePay publicly claims responsibility, threatens to publish 8.5 TB of stolen data
• October 2025: Conduent begins notifying affected individuals (9 months after discovery)
• April 2026: Expected notification completion date (18 months after initial breach)
Regulatory exposure
• State Privacy Laws: Oregon OCPA and Texas TDPSA both apply. Oregon's cure period has expired (no chance to fix before penalties). Texas AG is already investigating.
• FTC Action: Potential Section 5 unfair practices claims for inadequate security of sensitive data
• Class Actions: Multiple lawsuits already filed across affected states
Lessons
• 3-month dwell times are unacceptable: Modern detection tools should identify ransomware activity within days, not months
• Notification delays compound harm: 9 months from discovery to notification means 9 months of unmonitored identity theft risk for 25 million people
Disney's Record $2.75M CCPA Fine: Why Opt-Out Compliance Matters
Case summary
• Company: The Walt Disney Company
• Fine: $2.75 million (largest CCPA settlement to date)
• Announced: February 11, 2026, by California Attorney General Rob Bonta
• Violation: Systematic failure to honor consumer opt-out requests across streaming services and digital platforms
How the opt-out failed
• When consumers clicked an opt-out toggle within a Disney streaming app, the opt-out applied only to that specific service and device
• A consumer who opted out on Disney+ on their phone was still being tracked on Hulu on their TV and ESPN on their laptop
• Consumers had to submit opt-out requests up to 10 separate times across different platforms to achieve a full opt-out
GPC signal handling
• The CCPA requires companies to honor GPC browser signals as valid opt-out requests
• Disney processed GPC signals only at the device level, even when consumers were logged into their Disney account
• A GPC signal on one browser did not carry over to other devices or browsers linked to the same account
Third-party tracking
• Disney's web-based opt-out forms only applied to Disney advertising platforms
• Third-party tracking pixels embedded in Disney properties continued to collect and share user data despite opt-out requests
Settlement terms
• $2.75 million fine
• Disney must update all opt-out mechanisms to work universally across all services linked to a consumer's account
• 60-day compliance check-ins with the California AG until full compliance is verified
Required opt-out behavior
• Honor GPC signals at the account level, not just the device level
• Apply to third-party tracking and data sharing, not just first-party advertising
• Actually stop data collection, not just acknowledge the request
Checklist for your own website
• A functioning "Do Not Sell or Share My Personal Information" link
• GPC signal recognition and honoring
• Verification that opt-out requests actually stop data sharing across all systems
• Documentation of your opt-out processing for regulatory review
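The account-level handling the settlement requires, as an added example that is not Disney's or any vendor's code. It scopes an opt-out (GPC signal or an explicit click on the opt-out link) to the logged-in account so that every device and service on that account is covered, keeps an audit record for regulatory review, and shows the device-only handling described above for contrast. The request shape, store and audit record are assumptions constructed for this example; header names are lower-cased as Node's http module delivers them.

```javascript
// Added example, not Disney's or any vendor's code: opt-out processing scoped
// to the account rather than the device, so one GPC signal or one click of the
// "Do Not Sell or Share" link covers every device and service on that account.
// Request shape, store and audit record are assumptions constructed here;
// header names are lower-cased as Node's http module delivers them.

const optOuts = new Map();   // key: account id or "device:<id>" -> record
const auditLog = [];         // documentation of requests for regulatory review

// Sec-GPC: 1 is the browser's Global Privacy Control signal; the CCPA treats
// it as a valid opt-out, equivalent to an explicit click on the opt-out link.
function isOptOutRequest(req) {
  const gpc = String(req.headers['sec-gpc'] || '').trim() === '1';
  return gpc || req.explicitOptOut === true;
}

// Logged-in user: bind the opt-out to the account (device-agnostic).
// Anonymous visitor: the device identifier is the only handle available.
function processRequest(req) {
  if (!isOptOutRequest(req)) return null;
  const scope = req.accountId ? 'account' : 'device';
  const key = req.accountId || `device:${req.deviceId}`;
  const record = { key, scope, source: req.explicitOptOut ? 'link' : 'gpc' };
  optOuts.set(key, record);
  auditLog.push({ ...record, service: req.service, device: req.deviceId,
                  at: new Date().toISOString() });
  return record;
}

// Every first-party tracker, third-party pixel and data-sharing call must ask
// this before firing; a hit on either the account or the device blocks it.
function maySellOrShare(req) {
  const keys = [req.accountId, `device:${req.deviceId}`].filter(Boolean);
  return !keys.some((k) => optOuts.has(k));
}

// Device-level handling (the pattern the settlement targets): the signal only
// ever binds the device it arrived on, so a second device on the same account
// keeps being tracked. Kept here only to show the contrast.
function maySellOrShareDeviceLevelOnly(req) {
  return !optOuts.has(`device:${req.deviceId}`);
}
```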
Lapsus$ Returns: Lacoste Ransomware & Other March 2026 Breaches
Lacoste (Lapsus$)
• Threat Actor: Lapsus$ ransomware group
• Victim: Lacoste SA (France-based global sportswear and luxury goods company)
• Industry: Consumer Services / Luxury Retail
• Data Compromised: Under investigation; breach scope not yet publicly quantified
• Significance: Lapsus$ was previously known for high-profile attacks on Cisco, Samsung, Nvidia, and Microsoft in 2022-2023. Their reemergence in 2026 signals the group has rebuilt operations after law enforcement disruptions.
Malaysia Airlines (Qilin claim)
• Threat Actor: Qilin ransomware group (same group that hit Romania's Conpet pipeline in February)
• Claimed Data: Passenger booking and contact records, personnel files, vendor contracts, operational documents, internal communications
• Status: Malaysia Airlines has not officially confirmed the breach
• Context: Malaysia Airlines has a history of breaches, including a 9-year breach of its Enrich frequent flyer program discovered in 2021
USHA International (VECT)
• Threat Actor: VECT ransomware group
• Victim: USHA International Limited (Indian appliance manufacturer: fans, sewing machines, water coolers)
• Data Compromised: Employee data, CMS databases, CRM records, SAP systems
• Status: Victim reportedly in ransom negotiation phase
Other regulatory developments
• California DELETE Act: Data broker deletion request platform launched January 2026, creating new compliance obligations
• CCPA automated decision-making regulations: Now applicable as of January 2026, requiring new disclosures about algorithmic profiling
• Connecticut LLM disclosure: Businesses have until July 1, 2026 to disclose whether they use personal data to train large language models
Is Your Website Ready for the 2026 Enforcement Wave?
Disney's $2.75M CCPA fine proves that regulators are testing whether privacy controls actually work, not just whether they exist. Our free privacy scanner checks your cookie consent, opt-out mechanisms, tracker exposure, and GDPR/CCPA compliance indicators in under 60 seconds. Our security scanner tests your SSL configuration, security headers, and common vulnerabilities. Don't wait for an enforcement action to discover your gaps.
Protection Strategies: Lessons from March's Breaches
Vendor management
• Require breach notification SLAs: Contractually mandate that vendors notify you within 48 hours of a breach discovery, not 9 months
• Verify vendor security certifications: SOC 2 Type II, HITRUST, or FedRAMP for government data handlers
• Implement data minimization: Vendors should only retain the minimum data needed for their function
Opt-out compliance
• Honor GPC signals at the account level: A browser GPC signal from a logged-in user must apply to their entire account, not just that browser
• Audit third-party pixels: Verify that opt-out requests actually stop data sharing with advertising partners and analytics providers
• Document everything: Maintain logs of opt-out requests received, processed, and verified for regulatory review
Ransomware resilience
• Implement immutable backups: Air-gapped or WORM (Write Once Read Many) backup storage that ransomware cannot encrypt
• Deploy endpoint detection and response (EDR): Catches ransomware execution before encryption completes
• Practice incident response: Tabletop exercises simulating a ransomware attack, including legal, communications, and technical response
Regulatory changes to track
• Arkansas and Utah: Privacy law amendments take effect
• California CCPA: Automated decision-making technology regulations now enforceable
Security headers to verify
• Strict-Transport-Security: Enforce HTTPS connections for all visitors
• X-Frame-Options: Prevent clickjacking attacks on your opt-out and consent forms
• Permissions-Policy: Control browser access to camera, microphone, and geolocation
• Referrer-Policy: Limit information leakage through HTTP referrer headers
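A check for the four headers listed above, as an added example rather than the page's own scanner: it takes a response header map and reports each header that is missing or set to a weak value. The thresholds (a one-year HSTS max-age, the accepted Referrer-Policy values, and the three features Permissions-Policy must disable) and the sample header set are this example's assumptions.

```javascript
// Added example, not the page's scanner: reports which of the four headers
// discussed above are missing or weak in a response header map.
// Thresholds and the sample headers below are this example's assumptions.

const ONE_YEAR = 31536000;
const CHECKS = {
  // HSTS only protects return visits if browsers cache it for a long period
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= ONE_YEAR;
  },
  // DENY or SAMEORIGIN keeps consent and opt-out forms out of hostile frames
  'x-frame-options': (v) => /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
  // each sensitive feature must be disabled with an empty allowlist "()"
  'permissions-policy': (v) =>
    ['camera', 'microphone', 'geolocation'].every((f) => new RegExp(`${f}=\\(\\)`).test(v)),
  // policies that never send the full URL to a cross-origin destination
  'referrer-policy': (v) =>
    /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i.test(v.trim()),
};

// Returns a list of findings; an empty list means all four headers pass.
function checkHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, passes] of Object.entries(CHECKS)) {
    if (!(name in lower)) findings.push(`${name}: missing`);
    else if (!passes(lower[name])) findings.push(`${name}: weak value "${lower[name]}"`);
  }
  return findings;
}

// Constructed sample of a partially configured site (short HSTS lifetime,
// non-standard frame policy, no Permissions-Policy, leaky referrer policy).
const SAMPLE_WEAK = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOW-FROM https://example.invalid',
  'Referrer-Policy': 'unsafe-url',
};
```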
March 2026 represents a new chapter in the data breach story: the convergence of massive breaches and meaningful enforcement. The Conduent breach, potentially the largest government data breach in U.S. history, exposes a fundamental vulnerability in how America delivers essential services. When a single contractor processes benefits for 100 million people across 30 states, a single breach can compromise an entire nation's safety net. The 25 million Americans whose Social Security numbers were stolen are disproportionately low-income individuals who depend on Medicaid and SNAP, people with the fewest resources to recover from identity theft.
Disney's $2.75 million CCPA fine sends an equally important message: compliance theater is over. Having a privacy policy and opt-out button is no longer sufficient. California is now testing whether those mechanisms actually function across platforms, devices, and third-party integrations. Every website owner with California users should audit their opt-out mechanisms immediately, because Disney's fine proves that regulators are looking beyond the surface.
The continued ransomware campaigns by Lapsus$ (Lacoste), Qilin (Malaysia Airlines, Conpet), SafePay (Conduent), and VECT (USHA International) confirm that ransomware remains the most pervasive threat to organizations of every size and sector. No industry is immune: luxury retail, aviation, government services, manufacturing, and energy infrastructure were all targeted in a single month.
Regulatory momentum is building. Three new state privacy laws went live January 1 (Indiana, Kentucky, Rhode Island). Connecticut's major privacy expansion takes effect July 1, including the first-ever state requirement to disclose LLM training data practices. California's automated decision-making regulations are now enforceable. The cost of non-compliance is rising: from Disney's $2.75M to potential Conduent penalties in the hundreds of millions.
For website owners and compliance officers: scan your web properties for security vulnerabilities, test your opt-out mechanisms end-to-end, audit your vendor relationships, and prepare for the July 2026 compliance wave. The cost of prevention is a few hours of work. The cost of a breach is measured in millions of dollars, regulatory penalties, class-action lawsuits, and the trust of the people you serve.
Run a free privacy scan at scancomply.com/privacy-scan or security scan at scancomply.com/security-scan to identify compliance gaps and vulnerabilities before regulators or attackers find them first.