Privacy Roundup #0224 • March 2025
March 2025 was dominated by encryption fights, a wave of breach disclosures and a sharp rise in government and corporate data grabs.
1. Mozilla rewrites Firefox's terms of use after a user backlash
Mozilla revised the new Firefox Terms of Use within days of publishing them, after the original wording appeared to grant the company a broad licence over anything users typed or uploaded. It also quietly dropped its longstanding promise never to sell personal data, citing the shifting legal definition of a sale.
2. Apple takes the UK government to a secret surveillance tribunal
Apple lodged a complaint with the Investigatory Powers Tribunal over a Technical Capability Notice that orders it to break the encryption protecting iCloud data. The case is the first of its kind brought before the tribunal, and followed Apple withdrawing Advanced Data Protection from British users.
3. Age verification bills spread from pornography to skin cream
The Electronic Frontier Foundation warned that age verification mandates have spread far beyond adult websites to cover skincare products, dating apps and diet pills. It argued that no method of age checking is both accurate and private, and that each one forces everyone to hand over sensitive data.
4. Lawsuit details how DOGE pushed into Social Security systems
A lawsuit brought by unions and advocacy groups set out how the Department of Government Efficiency pressed Social Security officials to grant sweeping access to sensitive systems. A sworn declaration described staff being told to admit DOGE personnel before background checks were complete, in apparent breach of the Privacy Act.
5. X suffers a major outage and disputes who was behind it
X was knocked offline by a distributed denial of service attack, with a group calling itself Dark Storm claiming responsibility. Elon Musk blamed addresses linked to Ukraine, but security researchers could not verify the claim and said most traffic came from elsewhere.
6. Western Alliance Bank discloses breach linked to Cleo hack
Western Alliance Bank told nearly 22,000 customers that their data had been stolen through a vulnerability in the Cleo file transfer tool. The exposed records included names, Social Security numbers, dates of birth, passport details and financial account numbers.
7. Amazon ends local voice processing on Echo devices
Amazon told Echo owners that its "Do Not Send Voice Recordings" option would stop working, so that every recording would be sent to its cloud for processing. The company said its new generative features required the change, which removed the only setting that had kept some voice data off its servers on the few Echo models that supported on-device processing.
8. SpyX stalkerware breach exposes nearly two million people
A breach at the stalkerware operation SpyX exposed records on close to two million people, including thousands of Apple users. Among the leaked data were around 17,000 iCloud usernames and passwords stored in plain text, alongside victims' device and location details.
9. HellCat hackers run a worldwide Jira hacking spree
The HellCat group worked through a string of large companies, including Jaguar Land Rover, by abusing Jira credentials harvested by infostealer malware. Stolen development logs, source code and employee data were leaked, with many credentials still valid years after they were taken.
10. Clearview AI settles biometric case with an equity stake
A judge approved Clearview AI's settlement of an Illinois biometric privacy class action, valued at roughly 51 million dollars. Rather than cash, members of the class were granted a stake in the facial recognition company, an arrangement that twenty-two state attorneys general opposed.
11. US Treasury lifts sanctions on Tornado Cash
The Treasury removed the cryptocurrency mixer Tornado Cash from its sanctions list, reversing a designation it had imposed in 2022. The move followed a federal appeals court ruling that immutable smart contracts were not property that the government could sanction.
12. Hacker defaces NYU website and exposes admissions data
A hacker took over New York University's website and posted data drawn from decades of admissions records. More than a million people had information exposed, including names, addresses, test scores and grade point averages, and the attacker framed the breach around the university's admissions practices.
13. 23andMe files for bankruptcy and its DNA data hangs in the balance
The genetic testing firm 23andMe filed for bankruptcy protection and its chief executive resigned, raising alarm about the fate of DNA data held on roughly fifteen million customers. Privacy advocates and state attorneys general warned that the sensitive genetic archive could be sold through the court process.
14. Virginia governor vetoes high-risk AI bill
Governor Glenn Youngkin vetoed House Bill 2094, which would have regulated high-risk artificial intelligence systems used in decisions about jobs, credit and healthcare. The veto stopped Virginia from becoming the second state, after Colorado, to adopt a broad AI governance law.
15. Security expert Troy Hunt is caught by a Mailchimp phish
Troy Hunt, who runs the Have I Been Pwned breach service, fell for a phishing email that captured his Mailchimp credentials. Attackers exported his newsletter list of around 16,000 subscribers, along with the IP addresses and approximate locations Mailchimp had collected.
16. The Atlantic publishes the full Signal war plans thread
After officials insisted no classified material had been shared, The Atlantic published the full Signal exchange in which senior national security officials, including the defence secretary, discussed strikes on Yemen. The messages, sent to a group chat that had accidentally included the magazine's editor-in-chief, contained aircraft types, weapons and attack timings.
17. StreamElements discloses a third-party data breach
The streaming services firm StreamElements confirmed a breach at a former third-party provider after a hacker began leaking customer records. The stolen data covered roughly 210,000 customers and included names, addresses, phone numbers and email addresses.
18. Utah makes app stores responsible for age verification
Utah became the first state to enact an App Store Accountability Act, shifting the duty to verify ages onto Apple and Google rather than individual apps. The law requires parental consent before minors can download apps, drawing fresh privacy concerns about centralised identity checks.
19. EFF argues online tracking is out of control
The Electronic Frontier Foundation set out how invisible tracking code on most websites lets companies, including data brokers, collect and sell information about people's browsing. It pointed to an updated version of its Privacy Badger tool that strips tracking added to links across Google and Facebook services.
20. Oracle faces criticism over its handling of two breaches
Oracle came under fire for its response to two separate security incidents, one involving Oracle Health patient records and another involving claims of stolen Oracle Cloud credentials. The company flatly denied any cloud breach even as customers said leaked samples appeared genuine, and researchers accused it of careful wordsmithing.