Shaarli Daily

All the links from one day on a single page.

March 21, 2026

Confidential health records from UK BioBank project exposed online | Genetics | The Guardian

theguardian.com
Hannah Devlin and Tom Burgis
Sat 14 Mar 2026 07.00 CET

Exclusive: Guardian investigation finds data from flagship medical research leaked dozens of times

Confidential health data has been exposed online on dozens of occasions, a Guardian investigation can reveal, raising questions about the safeguarding of patient records by one of the UK’s flagship medical research projects.

UK Biobank, which holds the medical records of 500,000 British volunteers, is one of the world’s most comprehensive stores of health information and is credited with driving breakthroughs in cancer, dementia and diabetes research. But scientists approved to access Biobank’s sensitive data appear to have sometimes been cavalier about its security.

The files, which seem to have been inadvertently posted online by researchers using the data, do not include names or addresses, but they may still pose privacy concerns. One dataset found by the Guardian contained millions of hospital diagnoses and associated dates for more than 400,000 participants.

With the consent of a Biobank volunteer, the Guardian was able to pinpoint what appeared to be extensive hospital diagnosis records for the volunteer, using only their month and year of birth and details of a major surgery they had undergone.

“The file was very detailed and it felt like a gross invasion of privacy even to glance at” (data expert)

One data expert said the scale and persistence of the problem was “shocking” at a time when AI and social media were making it ever easier to cross-reference information online.

UK Biobank rejected the concerns, saying that no identifying data, such as names and addresses, were provided to researchers.

In a statement, Prof Sir Rory Collins, the chief executive of UK Biobank, said: “We have never seen any evidence of any UK Biobank participant being re-identified by others.”

‘They said they would hold our data securely’

Founded in 2003 by the Department of Health and medical research charities, UK Biobank holds genome sequences, scans, blood samples and lifestyle information of 500,000 volunteers. Last month, the government extended Biobank’s access to volunteers’ GP records.

Scientists at universities and private companies across the world apply for access and, until late 2024, were free to download data directly on to their own computer systems.

Before this point, data had been inadvertently published online and Biobank appears to still be grappling with the problem.

The issue emerged because journals and funders increasingly require researchers to publish the code they have used to analyse large datasets. When intending to upload code, some researchers have also accidentally published partial or entire Biobank datasets to GitHub, a popular online code-sharing platform. UK Biobank prohibits researchers from sharing data outside their systems and says it has introduced further training for all researchers.

In the past year, the data leaks appear to have become a more urgent concern to UK Biobank. Between July and December 2025, it issued 80 legal notices to GitHub, which has complied with requests to remove data from the internet. Yet much still remains available.

Some of the data files contain just patient IDs, or test results for small numbers; others are more extensive. One dataset found online by the Guardian in January contained hospital diagnoses and associated diagnosis dates for about 413,000 participants, along with their sex and month and year of birth.

A data expert who reviewed the file said: “It sent shivers down my spine to even open. I deleted the file immediately. It was very detailed and felt like a gross invasion of privacy even to glance at.”

To test the risk of re-identification, the Guardian approached several Biobank volunteers, two of whom had undergone medical procedures in the timeframe within the data and agreed to share these details with an external data scientist.

One volunteer, who provided treatment dates for a fracture and seizure, could not be located in the dataset. A second volunteer, a woman in her 70s, shared her month and year of birth and the month and year she had a hysterectomy. Only one person in the dataset matched these details. The apparent match was corroborated by five other diagnoses from the records that the volunteer had not initially disclosed.

“Effectively you were rehearsing the main parts of my medical history to me without me having given you any information at all. I didn’t expect that,” the volunteer said.

The woman said she was not too concerned about her own data being exposed and intended to remain a participant, saying that she viewed UK Biobank’s work as “extremely important”. But, she added: “I’m more concerned about whether Biobank has broken its agreement with people. They said they would hold our data securely … I just feel as though that has to come into the equation.”

UK Biobank said the re-identification scenario tested by the Guardian did not highlight a privacy risk because without additional information it would be impossible to identify individuals.

A Biobank spokesperson said: “As we have communicated to our participants, including on our website: ‘If a participant puts information that reveals something about their health and identity, such as genealogy data, on a public website, this could make it possible for their identity to be discovered by cross-referencing UK Biobank research data.’

“You have simply demonstrated why we tell participants not to do this.”

The spokesperson added that Biobank had taken extensive measures to protect participants’ privacy, including proactively searching GitHub, contacting researchers directly and issuing legal takedown notices, actions which they said had led to about 500 repositories being removed. Many of these, it said, contained only patient IDs, not health data.

“The idea they can rely on volunteers never putting any other information out about themselves is entirely unreasonable” (Prof Felix Ritchie)

‘There are tensions between driving research with data and protecting privacy’

Privacy experts said UK Biobank’s approach appeared at odds with the reality that many people, reasonably, shared some health information online and that in an age of AI this could readily be identified and cross-referenced.

“Are these people aware that the internet exists?” asked Prof Felix Ritchie, an economist at the University of the West of England. “The idea that they can rely on their volunteers never putting any other information out there about themselves is an entirely unreasonable thing to expect.”

Dr Luc Rocher, associate professor at the Oxford Internet Institute, who reviewed several Biobank datasets found online, said that removing identifiers often did not guarantee anonymity and that simply knowing a person’s birthday and, say, the date they broke a leg might be enough to pinpoint their record with high confidence.

“Once identified, that record could reveal sensitive information such as a psychiatric diagnosis, an HIV test result, or a history of drug abuse,” they said.

Prof Niels Peek, professor of data science and healthcare improvement at the University of Cambridge, said the scale of the problem was “shocking”. “If it had happened once or 10 times I’d probably say: ‘It’s not great that it’s happened but at the same time zero risk is impossible,’” he said. “Hundreds. That’s a little bit too much.”

In Peek’s view, Biobank’s actions show it has taken the issue seriously and “done everything that one can reasonably expect”. But, he added: “The scale and persistence with which this has happened demonstrates that there are huge tensions between the ambition to drive health research with data at scale and the legal and ethical imperative to protect people’s privacy.”

Experts questioned whether Biobank will be able to fully regain control of the data released online. Despite researchers and GitHub having taken down most of the offending repositories in response to Biobank’s requests, many of the relevant files remained available on a code archive website until shortly before publication.

Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact

securityweek.com
By Eduard Kovacs | March 16, 2026 (11:44 AM ET)

Several global giants listed as victims of the recent hacking campaign targeting Oracle E-Business Suite (EBS) customers have remained mum on the impact of the cybersecurity incident.

The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved exploiting zero-day vulnerabilities to access data stored by organizations in Oracle’s enterprise management software. The compromised data was then leveraged for extortion.

While Cl0p serves as the public-facing extortion brand for the campaign, the cybersecurity community believes the operation may have been driven by a cluster of threat actors, most notably FIN11.

The hackers have listed more than 100 alleged victims of the Oracle EBS campaign on the Cl0p leak website, including organizations in sectors such as technology, telecommunications, software, heavy industry, manufacturing, engineering, retail, consumer goods, energy, utilities, media, finance, and entertainment.

For most of the victims, the cybercriminals published torrent files pointing to information allegedly stolen from their systems. This indicates that these victims have refused to pay a ransom.

A majority of the large organizations targeted in the campaign have issued a public statement confirming a data breach. Many claimed that the impact of the incident is limited, but still notified affected individuals about the potential risks.

However, a handful of very large companies do not appear to have issued any public statements on the matter, neither to confirm nor deny being hit, nor even to say that an investigation is being conducted.

This includes semiconductor and infrastructure software company Broadcom, engineering and construction firm Bechtel, cosmetics group Estée Lauder Companies, and medical devices and healthcare solutions provider Abbott Laboratories.

They were all listed on the Cl0p website on or around November 20, 2025.

It may take several months and even as much as a year for companies to investigate data breaches and determine their full extent. However, major companies typically acknowledge at least that an investigation is ongoing.

Broadcom, Bechtel, Estée Lauder, and Abbott have not responded to repeated requests for comment.

Data leaked by hackers

SecurityWeek has not downloaded any of the leaked data, but has conducted a brief metadata and file-tree analysis of data allegedly obtained from some of the larger companies named on the Cl0p website and found that the files indeed originate from an Oracle EBS environment.

In the case of Broadcom, the cybercriminals made public more than 2TB of archives allegedly storing files stolen from the company. The Estée Lauder torrent file points to 870GB of archive files.

At the time of writing, the torrents pointing to Bechtel and Abbott files are still available, but no data could be retrieved for analysis. However, that does not mean the files are no longer accessible to cybercriminals, as they may also be circulated privately on underground forums.

On the one hand, cybercrime groups like Cl0p frequently exaggerate the scope of their breaches, prompting many companies to quickly issue statements denying or downplaying the allegations to reassure customers and stakeholders that any impact was limited.

Moreover, if no regulated data (such as health information, Social Security numbers, or payment details) was compromised, companies face no legal obligation to disclose the incident publicly. If the breach did not qualify as material, there is also no requirement under SEC rules to report it to investors.

On the other hand, some organizations may deliberately maintain silence for strategic, PR, and legal reasons. Even acknowledging an ongoing investigation could invite lawsuits, short-seller pressure, or additional regulatory scrutiny.

Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US | TechCrunch

Zack Whittaker
8:01 AM PDT · March 20, 2026

A cyberattack on a U.S. car breathalyzer company has left drivers across the United States reportedly stranded and unable to start their vehicles.

The company, Intoxalock, says on its website that it is “currently experiencing downtime” after a cyberattack on March 14. Intoxalock sells breathalyzer devices that fit into vehicle ignition switches, which are used by people who are required to provide a negative alcohol breath sample to start their car.

Intoxalock spokesperson Rachael Larson confirmed to TechCrunch that the company had been hit by a cyberattack. Larson said the company took steps to “temporarily pause some of our systems as a precautionary measure.”

These breathalyzer devices need to be calibrated every few months or so, but the cyberattack has left Intoxalock unable to perform these calibrations. The company said customers whose devices require calibration may experience delays starting their vehicles.

Drivers posting on Reddit say that cars are unable to start if they miss a calibration, effectively locking drivers out of their vehicles.

According to local news reports across Maine, drivers are experiencing lockouts and some have been unable to start their vehicles. One auto shop in Middleboro told WCVB 5 in Boston that it has had cars parked in its lot all week due to the cyberattack.

News reports from across the United States show drivers are affected from New York to Minnesota, and drivers have been unable to drive because their vehicle-based breathalyzers cannot be immediately calibrated.

Intoxalock would not say what kind of cyberattack it was experiencing, such as ransomware or if there was a data breach, or whether it had received any communications from the hackers, including any ransom demands. The company’s technology is used in 46 states, its website says, and it claims to provide services to 150,000 drivers every year.

Intoxalock did not provide an estimated timeline for its recovery.

FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps | CyberScoop

cyberscoop.com
By Tim Starks

March 20, 2026

It echoes earlier alerts from the Netherlands and Germany, and is the latest to warn about targeting of Signal users and others.

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting targets to click a link or provide verification codes or their account personal identification number.

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps.

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.