Wednesday, May 27 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-05-25 00:00 to 2026-05-27 23:59 (UTC)

Snapshot Summary

Sector / Section                 Headline Highlights               Count
Digital Investigations           Law firm breach evidence          2
Cyber Investigations             USB social engineering probes     2
Major Cyber Incidents            Transit and retail leaks          2
Exploits & Threat Intelligence   Zero-days and APT tooling         2
Law Enforcement                  Dutch arrests and Ajax hack       2
Policy & Standards               CERT and CISA priorities          2

Digital Investigations

A class action filed in Washington, D.C. alleged Wiley Rein failed to protect sensitive Microsoft 365 email data after a China-linked intrusion affecting personal, medical, financial and identity records in the United States [AMER]. The pleadings and breach notices give investigators useful chronology, affected account scope, notification timing and control-failure allegations around MFA, staff training and evidential preservation. (Source: Reuters, 26-05-2026)

The FBI warned that Silent Ransom Group operators are impersonating IT support and sending people in person to insert USB drives at law firms in the United States [AMER]. The alert matters because it blends physical access, social engineering and removable-media artefacts, requiring investigators to correlate visitor logs, helpdesk records, endpoint telemetry, USB serial data and mailbox activity. (Source: SecurityWeek, 27-05-2026)
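The correlation step this item describes, as an added example that is not from the magazine or the FBI alert: a Python script that joins constructed visitor-log, helpdesk, USB-insertion and mailbox-audit records (every host, user, serial, company and ticket id below is made up), flags removable-media insertions that coincide with an on-site "IT support" visit lacking an approved ticket, and then lists the affected user's mailbox operations in the hours that follow. The merged timeline at the end goes slightly beyond the item by showing all four sources in one chronology, which is the form such evidence usually takes in a report.

```python
"""Correlate USB-insertion telemetry with visitor-log, helpdesk and mailbox-audit
records for a removable-media / social-engineering investigation.
Added example; every record below is constructed (hosts, users, serials,
companies and ticket ids are made up)."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry: removable-media insertions.
USB_EVENTS = [
    {"ts": "2026-05-26T10:12:00", "host": "WS-LEGAL-07", "user": "jdoe",
     "serial": "4C530001230516112345"},
    {"ts": "2026-05-26T14:40:00", "host": "WS-LEGAL-12", "user": "asmith",
     "serial": "0703AB11"},
    {"ts": "2026-05-25T09:05:00", "host": "WS-FIN-02", "user": "bkim",
     "serial": "AA00BB11CC22"},
]

# Constructed reception sign-in sheet; host_contact is the employee who signed the visitor in.
VISITOR_LOG = [
    {"ts": "2026-05-26T09:55:00", "name": "R. Vance", "company": "Contoso IT Services",
     "purpose": "IT support", "host_contact": "jdoe"},
    {"ts": "2026-05-26T14:30:00", "name": "T. Lee", "company": "Fabrikam Managed IT",
     "purpose": "IT support", "host_contact": "asmith"},
    {"ts": "2026-05-25T11:00:00", "name": "M. Ortiz", "company": "Client",
     "purpose": "meeting", "host_contact": "bkim"},
]

# Constructed helpdesk tickets for approved on-site work.
HELPDESK_TICKETS = [
    {"id": "HD-4411", "requested_by": "asmith", "scheduled": "2026-05-26T14:00:00",
     "status": "approved"},
]

# Constructed mailbox audit records (operation names follow Microsoft 365 audit-log style).
MAILBOX_EVENTS = [
    {"ts": "2026-05-25T08:00:00", "user": "jdoe", "op": "MailItemsAccessed"},
    {"ts": "2026-05-26T10:31:00", "user": "jdoe", "op": "New-InboxRule"},
    {"ts": "2026-05-26T15:10:00", "user": "asmith", "op": "MailItemsAccessed"},
]


def ts(s):
    return datetime.fromisoformat(s)


def correlate_usb_with_visitors(usb_events, visitors, tickets, window=timedelta(hours=2)):
    """Pair each USB insertion with an 'IT support' visitor signed in by the same
    employee within `window` before the insertion, then look for an approved ticket
    that explains the visit. A finding with ticket=None is an unscheduled on-site
    support visit that coincided with removable media being attached."""
    findings = []
    for ev in usb_events:
        ev_time = ts(ev["ts"])
        for v in visitors:
            if "it support" not in v["purpose"].lower():
                continue
            v_time = ts(v["ts"])
            if not (v_time <= ev_time <= v_time + window):
                continue
            if v["host_contact"] != ev["user"]:
                continue
            ticket = next(
                (t for t in tickets
                 if t["requested_by"] == v["host_contact"]
                 and t["status"] == "approved"
                 and abs(ts(t["scheduled"]) - v_time) <= window),
                None,
            )
            findings.append({
                "serial": ev["serial"], "host": ev["host"], "user": ev["user"],
                "usb_ts": ev["ts"], "visitor": v["name"], "visitor_ts": v["ts"],
                "ticket": ticket["id"] if ticket else None,
            })
    return findings


def mailbox_activity_after(findings, mailbox_events, window=timedelta(hours=4)):
    """For each finding, list mailbox operations by the same user within `window`
    after the USB insertion. Result is keyed by USB serial."""
    out = {}
    for f in findings:
        start = ts(f["usb_ts"])
        out[f["serial"]] = [
            m["op"] for m in mailbox_events
            if m["user"] == f["user"] and start <= ts(m["ts"]) <= start + window
        ]
    return out


def merge_timeline(usb_events, visitors, tickets, mailbox_events):
    """One chronologically sorted timeline across all four sources, for the report."""
    rows = []
    rows += [(ts(e["ts"]), "usb", f'{e["host"]} {e["user"]} serial={e["serial"]}') for e in usb_events]
    rows += [(ts(v["ts"]), "visitor", f'{v["name"]} ({v["company"]}) purpose={v["purpose"]}') for v in visitors]
    rows += [(ts(t["scheduled"]), "ticket", f'{t["id"]} {t["requested_by"]} {t["status"]}') for t in tickets]
    rows += [(ts(m["ts"]), "mailbox", f'{m["user"]} {m["op"]}') for m in mailbox_events]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    findings = correlate_usb_with_visitors(USB_EVENTS, VISITOR_LOG, HELPDESK_TICKETS)
    follow_up = mailbox_activity_after(findings, MAILBOX_EVENTS)
    for f in findings:
        status = f'scheduled ({f["ticket"]})' if f["ticket"] else "UNSCHEDULED"
        print(f'{f["usb_ts"]} {f["host"]} serial={f["serial"]} visitor={f["visitor"]} '
              f'{status} mailbox={follow_up[f["serial"]]}')
    for when, source, desc in merge_timeline(USB_EVENTS, VISITOR_LOG, HELPDESK_TICKETS, MAILBOX_EVENTS):
        print(when.isoformat(), source.ljust(8), desc)
```

The join key is deliberately the employee who signed the visitor in, not the workstation: in a walk-in pretext the visitor is escorted to whichever desk the targeted person uses, so the sign-in sheet and the USB event share a person before they share a host. Widen the windows for sites where reception and the floor are far apart, and treat the mailbox follow-up as a prompt to pull the full audit export rather than as the complete picture.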

Cyber Investigations

TechCrunch reported that Iranian hackers were blamed for a breach of the Los Angeles County Metropolitan Transportation Authority that disrupted parts of the transit environment in California [AMER]. The investigation reportedly involved exposed internal data, operational disruption, actor claims and recovery evidence, making network logs, leaked archives and intrusion-path reconstruction central to attribution confidence. (Source: TechCrunch, 27-05-2026)

Security researchers linked the Los Angeles transit intrusion to Iran-aligned Ababil activity, with reporting describing stolen emails, backups and a video showing access inside the target network [AMER]. The case highlights how investigators must compare claimed proofs, data-leak metadata, timeline evidence and infrastructure overlaps before treating geopolitical attribution as more than an adversary-controlled narrative. (Source: Times of India, 27-05-2026)

Major Cyber Incidents

7-Eleven data tied to roughly 185,000 people was reported exposed after material allegedly stolen by ShinyHunters appeared online, including names, addresses, email addresses and dates of birth [AMER]. For investigators, the leak creates identity-fraud risk and requires validation of source systems, duplicate records, Salesforce or franchise-platform exposure, and notification evidence. (Source: SecurityWeek, 27-05-2026)

TechCrunch reported the 7-Eleven breach as a current consumer-data exposure, with affected individuals’ personal information appearing in breach-monitoring and public reporting channels [AMER]. The operational concern is whether leaked identity attributes are sufficient for phishing, account recovery abuse or employment-record fraud, making provenance checks and affected-dataset hashing important before downstream alerts. (Source: TechCrunch, 27-05-2026)

Exploits & Threat Intelligence

CISA urged immediate patching of an exploited LiteSpeed cPanel plugin zero-day after reports that the flaw had been used to execute scripts with root privileges [AMER]. The finding gives threat hunters a narrow evidence window around web-hosting control panels, privilege escalation traces, modified scripts, access logs and persistence created before administrators applied the fix. (Source: SecurityWeek, 27-05-2026)

JPCERT/CC’s weekly report for Japan listed fresh vulnerability intelligence across Twig, PowerDNS, ISC BIND, Splunk, Cisco, Drupal, FreePBX, Mozilla, Atlassian, Chrome, PAN-OS and Trend Micro products [APAC]. The advisory set is useful for evidence-led prioritisation because investigators can map observed exploit attempts to vendor fixes, asset exposure and logs around externally reachable management interfaces. (Source: JPCERT/CC, 27-05-2026)

Law Enforcement

Dutch police arrested a 35-year-old man in Buren suspected of repeatedly hacking professional football club AFC Ajax in the Netherlands [EMEA]. The case gives digital investigators a sports-sector intrusion model involving repeated unauthorised access, likely account or application abuse, and evidential links between suspect devices, access logs and compromised club systems. (Source: BleepingComputer, 27-05-2026)

Authorities in the Netherlands arrested administrators of alleged bulletproof-hosting companies accused of supporting Russian-aligned hacking activity through infrastructure used by threat actors [EMEA]. The law-enforcement action matters because hosting-provider seizures can produce subscriber data, server images, payment trails and routing evidence that help connect malware operations to real-world facilitators. (Source: SecurityWeek, 26-05-2026)

Policy & Standards

CERT-In listed multiple Trend Micro Apex One vulnerabilities affecting management-console, scan-engine and macOS-agent components, warning that exploitation could lead from remote code execution to local privilege escalation [APAC]. The advisory supports governance decisions by connecting patch urgency to endpoint evidence collection, administrator console exposure and audit trails needed when security tooling itself becomes an attack surface. (Source: CERT-In, 27-05-2026)

The CyberWire highlighted an FTC settlement requiring Cox Media Group and two other firms to pay nearly $1 million over allegedly deceptive “active listening” AI-powered marketing claims in the United States [AMER]. The enforcement angle matters for digital investigations because audio, consent, advertising-technology logs and model-governance records may become discoverable evidence in privacy and consumer-protection cases. (Source: The CyberWire, 27-05-2026)

Editorial Perspective

This cycle shows digital investigations increasingly depending on evidence correlation across physical access, cloud identities, leak sites, endpoint controls and third-party infrastructure. Law-firm targeting and USB-based social engineering put visitor records, helpdesk artefacts and removable-media histories on the same evidential footing as mailbox and endpoint logs. Transit, retail and sports-sector cases also underline the need to preserve leaked datasets carefully, verify provenance and distinguish attacker claims from corroborated technical evidence.

Investigative readiness now depends on knowing where critical telemetry lives before an intrusion becomes public or litigated. Organisations should align asset inventories, privileged-access records, SaaS audit logs and vendor evidence-handling clauses so timelines can be reconstructed quickly and defensibly. The strongest attribution work will come from repeatable cross-platform correlation rather than isolated indicators, especially where state-linked claims, criminal infrastructure and regulatory exposure overlap.

Tags

Digital investigations, Evidence preservation, Microsoft 365, USB attacks, ShinyHunters, LiteSpeed, JPCERT, CERT-In, Apex One, Bulletproof hosting, Transit cyberattack, Law firm breach
