March 2026 proved to be a challenging month for data privacy and security professionals. The landscape was marked by a diverse array of threats ranging from targeted ransomware attacks on municipal infrastructure to the commercial exploitation of sensitive healthcare information. As organizations grapple with evolving threat vectors, the events of the past month underscore the critical need for robust configuration management and transparent data handling practices.

Infrastructure and Government Security Challenges

Public sector entities faced significant scrutiny and operational disruptions in March. On March 19, Foster City, California, was forced to declare a state of emergency following a ransomware attack that crippled nearly all municipal services. While officials are still determining if citizen data was compromised, the scale of the outage highlights the vulnerability of local government systems. Concurrently, the federal landscape saw its own share of controversy when FBI Director Kash Patel confirmed that the bureau has been purchasing commercially available location data to track individuals’ movements. This revelation has reignited debates regarding the Electronic Communications Privacy Act and the ethical boundaries of data acquisition.

Retail and Platform Vulnerabilities

The commercial sector saw massive data exposures, particularly within retail and digital platforms. Russell Cellular, an authorized Verizon retailer, reportedly suffered a breach affecting over 6.3 million customers, with personal details appearing on hacker forums. Meanwhile, streaming service Crunchyroll reported the exfiltration of 100GB of user data, including credit card details and IP addresses. Salesforce also issued a critical warning on March 7, noting a spike in threat actor activity targeting misconfigured sites. This trend suggests that even robust platform ecosystems remain vulnerable if individual implementations are not properly secured.

Critical Data Exposures Across Diverse Industries

The variety of information exposed this month highlights the broad targets of malicious actors and the risks of poor data hygiene. Key incidents included:

• Healthcare Exploitation: GuardDog Telehealth was found to be requesting patient records under the guise of treatment, only to sell that information to attorneys.
• Biotech Phishing: Intuitive suffered a targeted phishing attack that allowed unauthorized access to internal networks, exposing corporate and customer business data.
• Academic Research Breach: The University of Hawaiʻii Cancer Center’s Epidemiology Division reported the exfiltration of files containing Social Security numbers and voter registration records.
• Unsecured Databases: Over 3.7 million records, including audio recordings and chat transcriptions, were found in three publicly exposed databases.

Conclusion

The data security events of March 2026 serve as a reminder that threats are not limited to traditional hacking. Between the legal purchase of tracking data, the unethical sale of medical records, and the persistent threat of ransomware, the definition of a “data incident” continues to expand. Moving forward, organizations must prioritize not only their technical defenses but also their data governance policies to protect sensitive information from both malicious actors and deceptive internal practices.