Privacy Roundup #0225 • April 2025

April 2025 saw Europe land its first Digital Markets Act fines on Apple and Meta, a run of large health and corporate breaches, and fresh fights over encryption, location tracking and government access to data.

1. European Commission fines Apple 500 million euros under the Digital Markets Act

On 23 April the Commission found that Apple breached its anti-steering obligation by stopping developers from telling users about cheaper offers outside the App Store. It was the first fine ever issued under the Digital Markets Act and gave Apple sixty days to comply.

digital-markets-act.ec.europa.eu

2. European Commission finds Meta's "consent or pay" model breaches the Digital Markets Act

The same day, the Commission ruled that Meta's "consent or pay" choice did not give users a genuine option to refuse the combination of their personal data across services. Meta was ordered to change the model or face further penalties of up to five per cent of daily turnover.

www.taylorwessing.com

3. UK tribunal blocks government attempt to keep the Apple encryption case secret

On 7 April the Investigatory Powers Tribunal refused the Home Office request to hold its case against Apple entirely behind closed doors. The judges called the secrecy bid a fundamental interference with the principle of open justice.

www.computerweekly.com

4. Blue Shield of California shared the health data of 4.7 million members with Google

The insurer disclosed that a Google Analytics misconfiguration had leaked member information to Google Ads from April 2021 until January 2024. The exposed details included plan types, doctor searches, postal codes and account identifiers.

techcrunch.com

5. DaVita confirms a ransomware attack on its dialysis network

The kidney care provider detected and contained the intrusion on 12 April after attackers encrypted part of its systems and stole data. The breach later turned out to affect about 2.7 million people, including names, Social Security numbers and clinical records.

www.healthcare-brew.com

6. Hertz discloses a breach tied to flaws in Cleo file transfer software

On 14 April Hertz began notifying customers across its Hertz, Dollar and Thrifty brands that their data had been taken through vulnerabilities in a vendor platform. Exposed records included names, contact details, driving licences and, for some, Social Security and passport numbers.

www.securityweek.com

7. 4chan taken offline after a major hack leaks source code and moderator emails

On 15 April the imageboard went dark after attackers from a rival forum claimed to have lived inside its systems for over a year. The leak exposed the site's PHP source code, internal admin panels and the email addresses of roughly 218 moderators and staff.

techcrunch.com

8. Whistleblower says DOGE siphoned sensitive case data from the labour board

A security architect told Congress that he watched gigabytes of data leave the National Labor Relations Board after DOGE staff demanded top-level access. The records can hold confidential information about union organisers and proprietary business data, and the outflows coincided with login attempts from a Russian address.

krebsonsecurity.com

9. Florida advances a social media bill demanding an encryption backdoor

Florida's SB 868 would force platforms to decrypt minors' messages on receipt of a subpoena, saying the quiet part out loud about breaking end-to-end encryption. The EFF warned that there is no way to build such access without leaving everyone less safe.

www.eff.org

10. Google abandons its plan to phase out third-party cookies in Chrome

On 22 April Google said it would not even show users a choice prompt and would keep third-party cookies working as they do now. The reversal ended a five-year effort that had already slipped past several deadlines.

www.onetrust.com

11. EFF tells Congress what a strong federal privacy law should contain

Responding to a House working group, the EFF set out priorities including data minimisation, opt-in consent and a ban on behavioural advertising. It put a private right of action at the top of the list, arguing that people must be able to sue companies that abuse their data.

www.eff.org

12. States move to shield location data from surveillance

The EFF mapped how California, Massachusetts, Illinois and other states are passing laws to limit tracking of people's movements. The piece highlighted tools such as Locate X that can follow a phone as its owner travels to seek reproductive healthcare.

www.eff.org

13. CISA warns of credential risk after a legacy Oracle cloud breach

On 16 April the US cyber agency issued guidance after a hacker stole old login credentials from a legacy Oracle environment. Oracle had publicly played down the incident even as it privately told customers their data was taken.

www.cisa.gov

14. Texas court dismisses the state privacy case against Allstate and Arity

On 10 April a judge ruled that Texas lacked jurisdiction over Allstate and its analytics subsidiary Arity. The state had accused them of turning ordinary phone apps into covert trackers that logged the driving routes of millions of people.

www.mlex.com

15. Marks & Spencer confirms a ransomware attack that stole customer data

The retailer admitted that attackers had used social engineering against a contractor before launching ransomware that crippled its systems. Stolen information included names, addresses and order histories, and the firm warned the disruption would cost it hundreds of millions of pounds.

www.cybersecuritydive.com

16. Eight state regulators form a bipartisan privacy enforcement consortium

On 16 April California's privacy agency and seven state attorneys general announced a memorandum to coordinate investigations and share resources. The Consortium of Privacy Regulators marks a shift towards joined-up enforcement of state privacy laws.

www.maynardnexsen.com

17. Photo shows a senior official using a modified Signal clone that archives messages

A Reuters photograph from a 30 April cabinet meeting appeared to show national security adviser Mike Waltz using TeleMessage, an app that clones Signal but stores copies of chats. Security researchers warned that such archiving undermines the very end-to-end encryption Signal provides.

www.nbcnews.com

18. US rule restricting bulk transfers of sensitive personal data takes effect

On 8 April the Justice Department's rule under Executive Order 14117 came into force, curbing sales of bulk sensitive American data to countries of concern. The named countries include China, Russia, Iran and North Korea.

www.reedsmith.com

19. Ofcom consults on widening its online safety enforcement codes

On 24 April the UK regulator opened a consultation on expanding measures such as account blocking and disabling comments. The move came as platforms faced new duties to assess and reduce risks to children.

www.ofcom.org.uk

20. Yale New Haven Health notifies 5.5 million patients of a data breach

The Connecticut system disclosed that an intruder had accessed its network in March and exfiltrated files holding patient information. The records could include names, Social Security numbers, dates of birth and medical record numbers, making it the year's largest healthcare breach so far.

techcrunch.com
