The second quarter of 2026 has confirmed a transition that defensive teams have watched build for two years: the dominant extortion model is no longer encryption. It is theft. In May 2026, researchers tracked roughly 95 publicly disclosed ransomware and extortion events across 17 countries, with the United States absorbing the majority at 54 incidents and healthcare the single hardest-hit sector. Qilin led all groups for the month with 11 claimed victims, while ShinyHunters — the most active group in April with 15 attacks — continued an aggressive campaign built almost entirely around stealing data from cloud applications and threatening to leak it.
For compliance teams, the shift from encryption to exfiltration is not a technical footnote. It changes the regulatory calculus of every incident. A pure data-theft event may never trigger an operational outage that forces an organization’s hand, which means the decision to notify regulators and affected individuals rests squarely on legal and compliance judgment rather than on the obvious fact of locked systems. That is a harder decision to make correctly, and a more dangerous one to get wrong.
The Anatomy of the Campaign
The defining characteristic of the 2026 wave is that the initial compromise rarely involves an exotic exploit. It involves a phone call. ShinyHunters’ campaign against Salesforce environments has repeatedly started with voice phishing — a caller impersonating IT support who walks an employee into approving a malicious connected application or surrendering credentials and a multifactor prompt. From there, the attacker pivots into the organization’s SaaS instance and exfiltrates customer records at scale.
This is the same playbook that produced the Charter Communications breach we analyzed earlier this month, in which a voice-phishing attack against an employee’s Microsoft Entra identity opened access to a Salesforce instance and exposed roughly 4.9 million accounts. In Q2 the same method has been claimed against additional large enterprises, including a real-estate services firm where ShinyHunters claimed over 500,000 Salesforce records containing personal and internal corporate data — and where Qilin subsequently added the same victim to its own leak site, a sign of the increasingly overlapping, franchise-like structure of these criminal ecosystems.
Three structural facts make this campaign so effective, and each maps directly to a compliance control that was supposed to prevent it:
- The breach happens in someone else’s cloud. The crown-jewel data sits in a SaaS platform, not on infrastructure the victim directly operates. This is third-party and supply-chain risk in its purest form.
- Identity is the perimeter, and the perimeter is a human. Multifactor authentication is present but defeated socially, through real-time prompt approval rather than technical bypass.
- There is no encryption event to force disclosure. The organization may not feel any operational pain until the extortion demand or the public leak arrives.
The Regulatory Exposure
A data-theft extortion event with no encryption can still be one of the most consequential compliance incidents an organization faces. The obligations layer depending on the data and the sector.
State breach-notification laws. All 50 states require notification when personal information is acquired by an unauthorized party. Exfiltration is acquisition. The “we restored from backup and nothing was encrypted” narrative provides no shelter here — if regulated personal data left the building, the notification clocks are running, several of them on tight statutory deadlines.
HIPAA. With healthcare the hardest-hit sector in May, covered entities and business associates face the Breach Notification Rule’s presumption that an impermissible disclosure of protected health information is a reportable breach unless a documented risk assessment demonstrates a low probability of compromise. A SaaS instance full of patient or member data exfiltrated by a known extortion group is not a close call. The Office for Civil Rights has spent 2026 emphasizing that risk analysis and access controls are the failures it most frequently penalizes, and a socially engineered SaaS compromise implicates both.
SEC cybersecurity disclosure. Public companies must evaluate materiality and, where an incident is material, file an Item 1.05 Form 8-K within four business days of that determination. The absence of an operational outage does not relieve a registrant of the materiality analysis; reputational harm, litigation exposure, and the theft of sensitive customer data can all drive materiality. Boards should expect to document the materiality reasoning either way, because the SEC’s enforcement posture in 2026 has focused on the quality and timeliness of that judgment.
State privacy laws and the FTC. Where the stolen data includes consumer personal information, the same controllers now subject to nineteen-plus comprehensive state privacy laws face reasonable-security obligations, and the FTC continues to treat inadequate security as an unfair practice.
Where the Controls Failed
Because the entry vector is so consistent, the remediation priorities are unusually clear. The 2026 campaign is not defeating defense-in-depth; it is defeating organizations that never built it around their SaaS estate.
- Phishing-resistant authentication. Push-based and one-time-code MFA are precisely what voice-phishing campaigns are engineered to defeat. FIDO2 and hardware-backed, phishing-resistant authenticators remove the human-approval step the attackers depend on. This is the highest-leverage control available.
- Connected-app and OAuth governance. The Salesforce campaign repeatedly abuses malicious connected applications and excessive integration permissions. Organizations need an inventory of authorized connected apps, restrictions on who can approve new ones, and monitoring for anomalous data export.
- SaaS-specific logging and egress monitoring. The exfiltration of hundreds of thousands of records generates a signal — bulk API queries, mass report exports — that is invisible if no one is watching the SaaS platform’s own audit logs. Treat the SaaS estate as in-scope for security monitoring, not as a vendor’s problem.
- Help-desk identity-proofing. Because the attack often runs through IT support, the reciprocal control is hardening the help desk: verified callback procedures and strict identity-proofing before any credential reset or MFA re-enrollment.
- Third-party risk that reaches the data, not just the contract. Vendor questionnaires that confirm a SaaS provider’s certifications do nothing about how your own employees and integrations expose data inside that platform. The risk lives in the configuration and the access, not the vendor’s compliance posters.
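As an added illustration of the connected-app governance and SaaS audit-log monitoring points above (example code written for this article, not any vendor's tooling or a real event schema), the following Python runs two detection rules over a constructed, simplified sample of audit events: flag any connected app outside an approved inventory, and flag any identity whose exported row count crosses a bulk threshold inside a sliding time window. The field names, the app allowlist and the thresholds are assumptions to be replaced with the values from your own platform.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the organisation has approved (constructed allowlist).
APPROVED_APPS = {"internal-bi-sync", "marketing-automation"}
# Constructed thresholds: rows pulled by one identity inside the window.
BULK_ROWS = 100_000
WINDOW = timedelta(hours=1)

# Constructed sample of simplified SaaS audit events. The field names are a
# placeholder schema for this example, not any vendor's real log format.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:02:00", "user": "alice", "type": "ReportExport", "rows": 1_200, "app": "internal-bi-sync"},
    {"ts": "2026-05-04T09:10:00", "user": "bob", "type": "ApiQuery", "rows": 60_000, "app": "my-helper-app"},
    {"ts": "2026-05-04T09:25:00", "user": "bob", "type": "ApiQuery", "rows": 55_000, "app": "my-helper-app"},
    {"ts": "2026-05-04T13:00:00", "user": "alice", "type": "ReportExport", "rows": 90_000, "app": "internal-bi-sync"},
    {"ts": "2026-05-04T13:40:00", "user": "alice", "type": "ReportExport", "rows": 20_000, "app": "internal-bi-sync"},
]


def detect(events, approved=APPROVED_APPS, bulk_rows=BULK_ROWS, window=WINDOW):
    """Return findings as (rule, user, detail) tuples, in event order:
    an unapproved connected app (reported once per user/app pair) and
    any user whose row volume inside a sliding window reaches bulk_rows."""
    findings = []
    seen_apps = set()
    per_user = defaultdict(list)  # user -> [(timestamp, rows), ...] in window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["app"] not in approved and (e["user"], e["app"]) not in seen_apps:
            seen_apps.add((e["user"], e["app"]))
            findings.append(("unapproved_app", e["user"], e["app"]))
        bucket = per_user[e["user"]]
        bucket.append((ts, e["rows"]))
        # Drop entries that fell out of the window, then sum what remains.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        total = sum(rows for _, rows in bucket)
        if total >= bulk_rows:
            findings.append(("bulk_export", e["user"], total))
            bucket.clear()  # alert once per burst, not on every later event
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Note that alice's exports come through an approved app and still trip the volume rule, which is the point of watching the platform's own logs rather than only the app inventory.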
What To Do Now
The Q2 2026 data should reset two assumptions. First, the absence of an encryption event is not the absence of a reportable breach — it is the presence of a harder reporting decision that compliance, not IT, must own. Second, the organization’s most significant data-loss risk increasingly sits in cloud applications reached through social engineering, not in on-premises systems reached through technical exploits.
Concretely: confirm that phishing-resistant MFA covers every identity with access to a data-rich SaaS platform; inventory and govern connected applications; bring SaaS audit logs into your monitoring program with alerting on bulk exports; harden help-desk verification; and pre-stage your breach-notification decision tree for the specific scenario of exfiltration without encryption, including the HIPAA risk-assessment documentation and the SEC materiality memo. The groups driving this wave are not technically sophisticated in the way the term is usually meant. They are operationally relentless, and they win against organizations that left identity and SaaS governance for later.
Later has arrived.
This article is provided for informational purposes only and does not constitute legal advice.