Privacy Roundup #0222 • January 2025

January 2025 opened the year with a flood of location data scandals, hard regulatory action against connected cars and data brokers, and a Supreme Court ruling that sealed the fate of TikTok.

1. Apple agrees to pay 95 million dollars to settle Siri privacy lawsuit

Apple agreed to a 95 million dollar settlement over claims that Siri recorded private conversations after unintended activations and passed them to third parties. The plaintiffs said mentions of Air Jordan trainers and Olive Garden triggered matching advertisements, and Apple denied any wrongdoing.

www.npr.org

2. Telegram reports a sharp rise in handing user data to law enforcement

Telegram's transparency figures showed it gave phone numbers and IP addresses to United States authorities on 900 occasions in 2024, affecting 2,253 users. The surge followed the arrest of chief executive Pavel Durov in France and a quiet rewrite of the platform's data sharing policy.

techcrunch.com

3. Justice Department issues final rule curbing bulk data flows to countries of concern

On 8 January the Justice Department published its final rule restricting transfers of bulk sensitive personal data to China, Russia, Iran, North Korea, Cuba and Venezuela. The measure implements an executive order and covers genomic, biometric, geolocation, financial and health information.

www.federalregister.gov

4. Texas sues Allstate and Arity over secret driver tracking

Texas Attorney General Ken Paxton sued Allstate and its subsidiary Arity for collecting and selling the location data of more than 45 million drivers. The state alleged the firms paid app developers to embed a tracking kit in everyday apps, building what they called the world's largest driving behaviour database.

www.texasattorneygeneral.gov

5. A breach of Gravy Analytics threatens the location privacy of millions

Data broker Gravy Analytics confirmed that a hacker had taken files from its cloud environment using a misappropriated key, exposing vast quantities of precise smartphone location data. A threat actor posted samples showing tracked devices across the United States, Russia and Europe and threatened to release more.

techcrunch.com

6. FTC finalises order banning Mobilewalla from selling sensitive location data

The Federal Trade Commission finalised an order barring data broker Mobilewalla from selling location data that could reveal visits to clinics and places of worship. The agency said the firm sold the information without taking reasonable steps to confirm that consumers had consented.

www.ftc.gov

7. FTC takes action against General Motors over secret driver data sales

The Federal Trade Commission alleged that General Motors and OnStar collected precise location and driving behaviour data and sold it to third parties without clear consent. The proposed order imposes a five-year ban on disclosing such data to consumer reporting agencies, which had used it to set insurance rates.

www.ftc.gov

8. FTC finalises new children's privacy rule limiting data monetisation

On 16 January the Federal Trade Commission finalised its first major overhaul of the Children's Online Privacy Protection Rule since 2013. The amendments require parents to opt in to targeted advertising, expand the definition of personal information to include biometric identifiers, and limit how long operators may retain children's data.

www.ftc.gov

9. Biden issues an eleventh-hour cybersecurity executive order

President Biden signed Executive Order 14144 to strengthen the security of federal software supply chains and promote privacy-preserving digital identity. The order also directs agencies towards quantum-resistant cryptography and expands sanctions powers against malicious cyber actors.

www.npr.org

10. Treasury sanctions a China-based hacker over the OFAC breach

On 17 January the Treasury sanctioned Yin Kecheng over the compromise of its own network, including the Office of Foreign Assets Control. The attackers reached unclassified but sensitive documents by exploiting a key stolen from the third-party software provider BeyondTrust.

home.treasury.gov

11. Supreme Court upholds the TikTok sale or ban law

The Supreme Court unanimously upheld the law requiring ByteDance to divest TikTok or face a nationwide ban, rejecting the company's free speech arguments. The government cited the risk of Chinese collection of data from 170 million American users and the potential to manipulate the platform's content.

www.scotusblog.com

12. Hewlett Packard Enterprise probes a hacker's data theft claim

Hewlett Packard Enterprise launched an investigation after the threat actor IntelBroker advertised files it said were stolen from the company's systems. The listing claimed to include source code, private repositories, digital certificates and some personal information, though the firm said it saw no evidence of operational impact.

techcrunch.com

13. Trump fires three members of the federal surveillance watchdog

President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board by a one-sentence email. The removals left the board without a quorum, stripping it of the ability to begin new oversight of government surveillance programmes.

www.lawfaremedia.org

14. Otelier breach exposes reservations for Marriott, Hilton and Hyatt guests

Hotel management platform Otelier suffered a breach after attackers reached its cloud storage using employee credentials that had been taken by information-stealing malware. The stolen records covered millions of guest reservations and personal details across major hotel brands.

www.bleepingcomputer.com

15. Community Health Center breach affects more than a million patients

The Connecticut nonprofit Community Health Center said it detected unauthorised activity on 2 January and that a hacker had exfiltrated data from its network. The exposed records of more than a million people included diagnoses, test results, insurance details and Social Security numbers.

www.hipaajournal.com

16. FTC takes action against GoDaddy over lax data security

The Federal Trade Commission alleged that GoDaddy failed to use basic protections such as multi-factor authentication despite advertising award-winning security. The agency said the lapses led to several breaches that let attackers reach customers' websites and data.

www.ftc.gov

17. PowerSchool begins notifying students and teachers after a mass breach

Education software vendor PowerSchool began notifying individuals affected by a breach of its support portal that was carried out with a single compromised credential. The exposed records relating to families and educators included names, grades, birth dates and Social Security numbers.

techcrunch.com

18. Researchers find an exposed DeepSeek database leaking chat logs

Security firm Wiz reported that the Chinese AI company DeepSeek had left a database open to the internet without authentication. The exposed records included more than a million log lines, user chat histories and secret keys that could have granted control of its systems.

thehackernews.com

19. AT&T and Verizon say they evicted the Salt Typhoon hackers

AT&T and Verizon stated in early January that they had removed the China-linked Salt Typhoon group from their networks. The intrusions had reached systems used for court-ordered wiretaps and exposed the call metadata of large numbers of users.

www.cybersecuritydive.com

20. Conduent cyberattack disrupts government services across several states

Outsourcing provider Conduent discovered a cyber incident on 13 January after attackers had lurked in its systems since October. The intrusion disrupted benefits and payment services for state agencies in Wisconsin, Oklahoma and elsewhere, and the company later confirmed that personal data had been taken.

securityaffairs.com


Enjoyed this post?

Well, you could share the post with others, follow me via RSS feeds and/or send me a comment via email.
