[DigitalToday reporter Jinju Hong] From U.S. Social Security number data to Europe’s power grid, open-source software and large corporate systems. As cyberattacks in 2026 spread across national infrastructure, public data and global companies, warnings are emerging that security threats are entering a new phase.
On June 7 local time, IT outlet TechCrunch analysed major security incidents this year and said personal data leaks, supply-chain hacks and attacks on critical infrastructure are rising at the same time.
One of the biggest controversies is the U.S. Social Security Administration’s (SSA) data handling. Since the Department of Government Efficiency (DOGE) accessed SSA systems, it has not been clearly confirmed how Americans’ sensitive personal information was managed.
A whistleblower claimed DOGE stored a real-time copy of the Social Security database on an unsecured external server. This has raised the possibility that it included Social Security numbers and other personal information of living Americans. Democratic members of the U.S. House of Representatives warned that this "could become the largest data leak in U.S. history."
In Europe, critical infrastructure such as power grids and water treatment facilities has been targeted. Malware aimed at destroying systems infiltrated Poland’s power grid late last year, and a Swedish thermal power plant and a Norwegian dam were also hit. Poland’s water treatment facilities were also reported to have been attacked early this year. With military tensions recently rising among the United States, Israel and Iran, concerns have also been raised that private infrastructure in the United States, such as water supply facilities, could become new targets.
Attacks targeting companies are also becoming more aggressive. U.S. medical technology company Stryker suffered operational disruptions for several days in March after a large-scale cyberattack remotely wiped tens of thousands of employee devices. The U.S. government pointed to a hacking group linked to Iranian intelligence agencies as being behind the attack.
Ransomware groups remain active. English-speaking hacking group ShinyHunters stole internal access credentials through voice phishing and then caused a large-scale leak of personal information. The group attacked education technology company Instructure, and more than 30 million people’s personal information was leaked from its learning management system (LMS), Canvas. When the company refused to pay a ransom, the hackers broke in again and caused system disruptions, and the company was reported to have paid even after advice from the FBI.
Supply-chain attacks targeting the open-source ecosystem are also increasing. Attackers inserted malicious code into software update processes or planted backdoors to steal users’ passwords and authentication tokens. Major technology companies such as OpenAI and Vercel were also reported to have been affected in a chain reaction. The security industry’s analysis is that, as open-source projects have become core infrastructure for the modern software industry, the ripple effects of supply-chain attacks are growing.
Even the FBI was not an exception. After part of its own monitoring system was breached in April, the FBI classified the breach as a "significant cyber incident." Some reports raised the possibility that Chinese hackers may have penetrated an unclassified network.
Large companies’ lack of response capability has also emerged as an issue. Toy company Hasbro remained effectively offline for weeks after discovering a hacker intrusion in its systems in late March. Its website was inaccessible for an extended period and customer service was disrupted. Hasbro said as of mid-May the hackers were no longer inside its systems and recovery was under way, but the fallout was large enough to delay financial disclosures.
In recent months, exposure of identity document data such as scans of passports and driver’s licences has also increased. More than 2 million people’s personal documents were exposed on the web through hotel check-in systems, remittance apps, a prison payphone service provider and a British visa service. Many of the incidents could have been prevented by following basic security practices.
This trend coincides with a time when online services are expanding requirements for identity verification. Closed community apps and websites are strengthening user verification procedures, and some governments are pushing laws requiring age verification even for adult users. But as leaks increase, the effectiveness of ID-based verification systems is bound to weaken. Stolen or leaked passports and driver’s licences can be easily abused. As a result, warnings are also growing that expanding the collection of identity information could lead to more breaches.