2026 Week 15 Privacy Threat Report
This week (April 6-12, 2026) recorded major security incidents including Microsoft Patch Tuesday addressing 168 vulnerabilities with 2 zero-days, Chrome's 4th zero-day (CVE-2026-5281), European Commission 340GB data breach via Trivy supply chain attack, $285M Drift Protocol DeFi hack attributed to North Korea, LAPD 337K files leak, and Qilin ransomware on German party Die Linke.
Report Period: April 6-12, 2026
Published: April 16, 2026
Executive Summary
Week 15 of 2026 was dominated by supply chain vulnerabilities, active zero-day exploitation, and major financial losses from DeFi hacks. Microsoft released its largest Patch Tuesday of the year, addressing 168 vulnerabilities including two zero-days: one exploited in the wild and one publicly disclosed before the patch. Chrome faced its fourth zero-day of 2026, in Dawn, its WebGPU implementation. A compromised Aqua Security Trivy build led to a 340 GB breach at the European Commission affecting 71 organizations. Meanwhile, Drift Protocol lost $285 million in a governance-layer attack attributed to North Korean threat actors.
Key Statistics:
- 168 vulnerabilities patched by Microsoft (8 critical)
- 2 zero-day vulnerabilities (1 exploited in the wild, 1 publicly disclosed before the patch)
- 340 GB of data exfiltrated from European Commission
- $285M stolen from Drift Protocol DeFi platform
- 337,000 files leaked from LAPD
- 71 organizations affected by Trivy supply chain compromise
Critical Vulnerabilities
Microsoft Patch Tuesday (April 2026)
Microsoft's April 2026 Patch Tuesday addressed 168 vulnerabilities, the highest monthly count this year. Of particular concern are two zero-days, one exploited in the wild and one publicly disclosed before a patch was available:
CVE-2026-32201 - Microsoft SharePoint Server Spoofing Vulnerability
- Severity: Important
- Status: Actively Exploited
- Impact: An improper input validation flaw allows an unauthenticated attacker to perform spoofing over the network
- CISA Action: Added to Known Exploited Vulnerabilities Catalog, patches required by April 28, 2026
CVE-2026-33825 - Microsoft Defender Elevation of Privilege
- Severity: Important
- Status: Publicly Disclosed
- Impact: Insufficient access control granularity allows authenticated attackers to elevate local privileges
Additionally, seven critical Remote Code Execution (RCE) vulnerabilities were patched, affecting:
- Remote Desktop Client (CVE-2026-32157)
- Windows Active Directory (CVE-2026-33826)
- Microsoft Office/Word (CVE-2026-32190, CVE-2026-33114, CVE-2026-33115)
- Windows TCP/IP (CVE-2026-33827)
- Windows IKE Service (CVE-2026-33824)
Chrome WebGPU Zero-Day (CVE-2026-5281)
Google patched CVE-2026-5281, the fourth actively exploited Chrome zero-day of 2026. This use-after-free vulnerability exists in Dawn, Chromium's WebGPU implementation, allowing remote attackers to execute arbitrary code.
Impact: Dawn runs in Chrome's GPU process, so a memory-safety bug in it serves as a sandbox-escape primitive once chained with a renderer exploit; this is the kind of bug commercial spyware vendors use to compromise devices. All Chrome users should update immediately to the latest version.
Disclosure Timeline:
- Vulnerability discovered and actively exploited
- Google released emergency patch
- CISA added to catalog following active exploitation in the wild
Major Data Breaches
European Commission Cloud Breach (Trivy Supply Chain)
Attackers leveraged a compromised build of Aqua Security's Trivy scanner to breach the European Commission's Europa.eu AWS environment. The attack resulted in:
- 340 GB of data exfiltrated (91.7 GB compressed)
- 71 organizations affected, including:
- 42 European Commission clients
- 29 other EU entities
- Data types: Personal information, email content and metadata, internal documents
The threat actor (associated with TeamPCP campaign) captured an AWS API key with significant permissions, used it to create new access keys, conduct cloud reconnaissance, and exfiltrate data. ShinyHunters later published the archive on its leak site, converting a tooling compromise into a multi-institution breach.
Affected Organizations Should:
- Review cloud access logs for unusual API activity
- Rotate any credentials that may have been exposed
- Monitor for data exposure on leak sites
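The chain described above (a captured key that mints new keys, enumerates the account, then reads in bulk) is what the log review in the first recommendation should look for. The script below is an added example, not the Commission's, Aqua's or AWS's tooling: it runs a lineage-aware detection over CloudTrail-shaped records constructed for this example, with an assumed BASELINE_IPS allow-list standing in for a key's real usage history.

```python
"""Flag the credential-abuse chain described above in CloudTrail records.

Added example: not part of the report and not Commission, Aqua or AWS tooling.
The records are constructed for this example; their shape follows CloudTrail's
record format (eventName, sourceIPAddress, userIdentity.accessKeyId,
responseElements). The BASELINE_IPS table is an assumed allow-list.
"""
from collections import defaultdict
import json

# Assumed baseline: origins each CI key is normally used from. In practice this
# would be derived from weeks of prior CloudTrail history for the key.
BASELINE_IPS = {"AKIAEXAMPLECI001": {"10.0.0.5"}}

RECON_EVENTS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
                "DescribeInstances", "ListSecrets"}
PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                      "AttachUserPolicy"}
EXFIL_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}


def _rec(name, key, ip, ts, **extra):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    r = {"eventTime": ts, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    r.update(extra)
    return r


def sample_records():
    """Constructed trail: a scanner's CI key behaves normally, then is abused."""
    recs = [
        _rec("GetAuthorizationToken", "AKIAEXAMPLECI001", "10.0.0.5", "2026-04-07T08:00:00Z"),
        _rec("GetAuthorizationToken", "AKIAEXAMPLECI001", "10.0.0.5", "2026-04-07T09:00:00Z"),
        # Same key from an unknown origin: recon, then it mints a second key.
        _rec("GetCallerIdentity", "AKIAEXAMPLECI001", "198.51.100.7", "2026-04-07T22:01:00Z"),
        _rec("CreateAccessKey", "AKIAEXAMPLECI001", "198.51.100.7", "2026-04-07T22:02:00Z",
             responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLENEW002"}}),
        # The minted key does the bucket enumeration and the bulk reads.
        _rec("ListBuckets", "AKIAEXAMPLENEW002", "198.51.100.7", "2026-04-07T22:05:00Z"),
    ]
    for i in range(80):
        recs.append(_rec("GetObject", "AKIAEXAMPLENEW002", "198.51.100.7",
                         f"2026-04-07T22:{10 + i // 60:02d}:{i % 60:02d}Z",
                         requestParameters={"bucketName": "internal-mail", "key": f"mbox/{i}.eml"}))
    return recs


def profile_keys(records):
    """Per access key: event counts by category, origin IPs, and keys it created."""
    prof = defaultdict(lambda: {"recon": 0, "persistence": 0, "exfil": 0,
                                "ips": set(), "created": []})
    for r in records:
        p = prof[r["userIdentity"].get("accessKeyId", "unknown")]
        name = r["eventName"]
        p["ips"].add(r["sourceIPAddress"])
        p["recon"] += int(name in RECON_EVENTS)
        p["persistence"] += int(name in PERSISTENCE_EVENTS)
        p["exfil"] += int(name in EXFIL_EVENTS)
        if name == "CreateAccessKey":
            new = r.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if new:
                p["created"].append(new)
    return prof


def find_compromised_keys(records, exfil_threshold=50):
    """Keys whose activity matches: unknown origin + persistence, recon, and bulk
    object reads, counting activity of any key they minted as their own."""
    prof = profile_keys(records)
    findings = []
    for key, p in prof.items():
        unknown_ips = p["ips"] - BASELINE_IPS.get(key, set())
        lineage = [key] + [c for c in p["created"] if c in prof]
        recon = sum(prof[k]["recon"] for k in lineage)
        exfil = sum(prof[k]["exfil"] for k in lineage)
        if unknown_ips and p["persistence"] and recon and exfil >= exfil_threshold:
            findings.append({"key": key, "minted_keys": lineage[1:],
                             "unexpected_ips": sorted(unknown_ips),
                             "recon_calls": recon, "object_reads": exfil})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_compromised_keys(sample_records()), indent=2))
```

CreateAccessKey, GetCallerIdentity and ListBuckets are management events and appear in every trail; GetObject is an S3 data event and is only recorded when data-event logging is enabled on the bucket, so without it the read count here stays at zero and the rule never fires. The lineage step matters because a freshly minted key has no history of its own; judged in isolation it looks like a new, busy principal rather than a continuation of the CI key's session.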
LAPD Data Breach (World Leaks)
Hackers breached a digital storage system belonging to the City Attorney's Office and leaked 337,000 files totaling 7.7 TB of sensitive LAPD data, including:
- Police officer personnel files
- Internal affairs investigations
- Discovery documents containing unredacted criminal complaints
- Witness names and medical data
The World Leaks extortion group was reported to be behind the attack. Distributed Denial of Secrets (DDoSecrets) reviewed the data before it was taken down from the original leak site.
Ransomware Attacks
Die Linke (German Political Party) - Qilin Ransomware
The Qilin ransomware group claimed responsibility for a cyberattack against Die Linke, a German democratic socialist political party with 123,000 registered members and 64 Bundestag seats.
Incident Details:
- Party IT infrastructure forced offline
- Membership database reportedly not accessed
- Qilin claims to have stolen employee and party information
- Threatens to publish sensitive data if ransom unpaid
This attack highlights the increasing targeting of political organizations by ransomware groups.
Other Ransomware Activity
The week saw continued ransomware activity including ongoing extortion tied to Nissan dealership data and attacks on healthcare IT vendors. Qilin and DragonForce were identified as the most active ransomware families for April 2026.
DeFi/Cryptocurrency Incidents
Drift Protocol - $285M Governance Hack
Solana-based derivatives exchange Drift Protocol suffered an estimated $280-285 million loss in one of 2026's largest DeFi hacks. Unlike typical smart contract exploits, the attackers abused governance-layer weaknesses and pre-signed durable nonce transactions to seize Security Council privileges and rapidly drain funds. A durable nonce transaction carries a stored nonce in place of a recent blockhash, so unlike a normal Solana transaction it does not expire within minutes; signatures gathered well in advance could be held and submitted at the moment of attack.
Attribution: The attack was attributed with medium-to-high confidence to the North Korean cluster UNC4736 (AppleJeus/Citrine Sleet), following approximately six months of social engineering, conference networking, and "partner" outreach.
Impact:
- Protocol paused key functions
- Token price and TVL sharply reduced
- Law enforcement engaged
- Options for fund recovery being explored
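Why pre-signed durable nonce transactions are dangerous is visible in the wire format. The following is an added example, not code from the report, Drift Protocol or any Solana SDK: it serialises and parses Solana's legacy message layout using constructed placeholder keys, and flags a message whose first instruction is System::AdvanceNonceAccount. Such a message holds a stored nonce where the recent blockhash would be, so a signature collected months earlier stays valid until the nonce is advanced; a governance reviewer who sees this marker on a "routine" signing request should treat it as a blank check.

```python
"""Spot a durable-nonce transaction in a Solana legacy message.

Added example, not from the report, Drift Protocol, or any Solana SDK. The wire
layout (compact-u16 arrays, 3-byte header, account keys, blockhash, instructions,
System program discriminant 4 = AdvanceNonceAccount) is Solana's legacy
transaction format; the keys and nonce value are constructed placeholders.
"""
import hashlib
import struct

SYSTEM_PROGRAM = bytes(32)                    # 11111111111111111111111111111111
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)  # SystemInstruction discriminant
TRANSFER = struct.pack("<I", 2)


def _key(label):
    """Constructed placeholder public key (32 bytes) derived from a label."""
    return hashlib.sha256(label.encode()).digest()


def _compact_u16(n):
    """Solana's compact-u16 length prefix: 7 bits per byte, high bit = more."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _read_compact_u16(buf, pos):
    val = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7


def build_message(accounts, blockhash, instructions, n_signers=1, n_ro_unsigned=0):
    """Serialise a legacy message; instructions are (program_idx, [acct_idx], data)."""
    out = bytearray([n_signers, 0, n_ro_unsigned])   # header
    out += _compact_u16(len(accounts)) + b"".join(accounts) + blockhash
    out += _compact_u16(len(instructions))
    for prog_idx, acct_idxs, data in instructions:
        out.append(prog_idx)
        out += _compact_u16(len(acct_idxs)) + bytes(acct_idxs)
        out += _compact_u16(len(data)) + data
    return bytes(out)


def parse_message(buf):
    """Inverse of build_message: account keys, the blockhash field, and
    instructions resolved to (program_key, [account_keys], data)."""
    pos = 3                                           # skip the header
    n, pos = _read_compact_u16(buf, pos)
    accounts = [buf[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n)]
    pos += 32 * n
    blockhash, pos = buf[pos:pos + 32], pos + 32
    n, pos = _read_compact_u16(buf, pos)
    instrs = []
    for _ in range(n):
        prog = accounts[buf[pos]]
        pos += 1
        k, pos = _read_compact_u16(buf, pos)
        accts = [accounts[i] for i in buf[pos:pos + k]]
        pos += k
        ln, pos = _read_compact_u16(buf, pos)
        instrs.append((prog, accts, buf[pos:pos + ln]))
        pos += ln
    return {"accounts": accounts, "blockhash": blockhash, "instructions": instrs}


def uses_durable_nonce(buf):
    """True when instruction 0 is System::AdvanceNonceAccount: the blockhash
    field then holds a stored nonce and the signature does not expire until
    that nonce is advanced."""
    instrs = parse_message(buf)["instructions"]
    return bool(instrs) and instrs[0][0] == SYSTEM_PROGRAM and instrs[0][2] == ADVANCE_NONCE_ACCOUNT


def sample_messages():
    """Two constructed messages: a durable-nonce governance action and a
    plain transfer bound to a recent blockhash."""
    authority, nonce_acct = _key("council-signer"), _key("nonce-account")
    sysvar_rbh, gov = _key("recent-blockhashes-sysvar"), _key("governance-program")
    nonce_msg = build_message(
        [authority, nonce_acct, sysvar_rbh, SYSTEM_PROGRAM, gov],
        _key("stored-nonce-value"),                    # nonce sits in the blockhash slot
        [(3, [1, 2, 0], ADVANCE_NONCE_ACCOUNT),        # must be instruction 0
         (4, [0], b"\x01")],                           # placeholder governance op
        n_ro_unsigned=3)
    transfer_msg = build_message(
        [authority, _key("recipient"), SYSTEM_PROGRAM],
        _key("recent-blockhash"),
        [(2, [0, 1], TRANSFER + struct.pack("<Q", 1_000_000))],
        n_ro_unsigned=1)
    return nonce_msg, transfer_msg


if __name__ == "__main__":
    for name, msg in zip(("nonce", "transfer"), sample_messages()):
        print(name, "durable nonce" if uses_durable_nonce(msg) else "blockhash-bound")
```

The check is deliberately narrow: the runtime only treats a message as durable when AdvanceNonceAccount is the first instruction, so that position is the only one worth inspecting. For a multisig or council workflow the practical control is to reject signing requests that carry this marker unless the nonce account and its authority are ones the council itself controls and rotates.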
Privacy Regulation Updates
EU Digital Omnibus Regulation 2026
The European Union's proposed Digital Omnibus Regulation continues to progress through the legislative process. This sweeping regulation aims to:
- Simplify the digital regulatory landscape
- Reduce administrative burdens
- Amend GDPR to address abusive Data Subject Access Requests (DSARs)
- Modify AI Act, NIS2, and other digital regulations
The timing is notable as the regulation would take effect in late 2026, potentially changing how organizations handle data subject rights requests.
Key GDPR Amendment Proposal: Organizations could refuse DSARs that abuse GDPR rights for purposes other than protecting personal data.
Recommendations
- Immediate Patching: Prioritize Microsoft SharePoint CVE-2026-32201 and Chrome CVE-2026-5281 patches
- Supply Chain Security: Review third-party tooling security, especially security scanners with cloud access
- DeFi Vigilance: Exercise extreme caution with DeFi platforms; governance mechanisms present unique risks
- Cloud Hardening: Implement AWS API key rotation policies and monitor for unusual access patterns
- Political Organization Security: Enhance security posture given increasing targeting by ransomware groups
Conclusion
Week 15 demonstrated the continued evolution of cyber threats, with supply chain compromises leading to massive data breaches, nation-state actors targeting DeFi platforms for financial gain, and ransomware groups increasingly focusing on high-value targets. Organizations must maintain robust patch management, supply chain security, and incident response capabilities.
Next Week's Outlook: Expect continued exploitation of recently patched vulnerabilities, ongoing fallout from the European Commission breach, and potential follow-on attacks from the Drift Protocol incident.