Privacy Roundup #0226 • May 2025

May 2025 brought record fines, insider and third-party breaches, a spyware verdict and new surveillance rules, all of which showed how data brokers, Big Tech and encryption sit at the centre of the privacy fight.

1. Ireland fines TikTok 530 million euro for sending EU data to China

The Irish Data Protection Commission imposed a 530 million euro penalty on TikTok for unlawfully transferring European user data to China, where staff could access it remotely, and for failing to tell users where their data went. The regulator also ordered the company to bring its processing into line with the GDPR within six months.

www.cnbc.com

2. TeleMessage, a modified Signal clone used by US officials, is hacked

A hacker breached TeleMessage, the modified Signal app used by former national security adviser Mike Waltz, and extracted archived messages, contact details and login credentials. The breach showed that the archived chats were not end-to-end encrypted, contradicting the company's marketing: an archiving service that can read and store message contents on its own servers necessarily sits outside the end-to-end guarantee, so the archive is only as safe as that server.

techcrunch.com

3. Google agrees to pay Texas 1.375 billion dollars over tracking claims

Google settled two lawsuits brought by the Texas attorney general for 1.375 billion dollars, the largest such state settlement to date. The suits accused the company of tracking users' location, incognito searches and biometric data without consent.

techcrunch.com

4. Coinbase refuses 20 million dollar ransom after insider breach

Coinbase disclosed that bribed overseas support contractors copied the data of nearly 70,000 customers, including names, contact details, masked Social Security and bank account numbers and government ID images. The company refused a 20 million dollar extortion demand and instead offered the same sum as a reward for information leading to the attackers.

www.coinbase.com

5. Marks and Spencer confirms customer data stolen in cyber-attack

Marks and Spencer confirmed that attackers linked to the Scattered Spider group had stolen customer data during an attack that crippled its online operations. The exposed records included names, addresses, dates of birth and order histories, though the retailer said no usable payment details or account passwords were held on its systems.

www.infosecurity-magazine.com

6. Trump signs the TAKE IT DOWN Act into law

President Trump signed the TAKE IT DOWN Act, which criminalises nonconsensual intimate imagery and forces platforms to remove flagged content within 48 hours. Digital rights groups warned that the vague language and tight deadline could pressure providers to over-remove content and weaken end-to-end encryption.

www.cnn.com

7. Regeneron wins bid to buy 23andMe and its DNA trove

Drugmaker Regeneron agreed to buy bankrupt 23andMe for 256 million dollars, gaining access to the genetic data of more than 15 million customers. The sale raised fresh concern about what happens to deeply sensitive DNA records when a company collapses.

www.cnn.com

8. LexisNexis says breach exposed data of 364,000 people

Data broker LexisNexis Risk Solutions disclosed that an attacker had accessed a third-party software development platform (GitHub) used by the company and exposed the records of more than 364,000 individuals. The stolen data included names, dates of birth, addresses, Social Security numbers and driver licence numbers.

techcrunch.com

9. Signal blocks Microsoft Recall from screenshotting chats

Signal added a screen security setting to its Windows desktop app that uses the same digital rights management flag streaming apps use to exclude a window from screen capture, which stops Microsoft Recall from capturing conversations. The company said Recall still placed content from privacy apps at risk despite a year of Microsoft adjustments. The setting is on by default and can be disabled, because the same flag also blocks legitimate screenshots and some accessibility tools.

www.theregister.com

10. Meta begins training AI on public posts from EU users

Meta started using public posts and comments from adult European users to train its AI systems after the Irish regulator allowed the plan to proceed. Privacy advocates in several countries criticised the move and the opt-out mechanism offered to users.

www.theregister.com

11. UK Legal Aid Agency confirms attackers stole applicant data

The UK Legal Aid Agency revealed that attackers had downloaded a large volume of data on people who applied for legal aid between 2007 and May 2025. The exposed records may have included contact details, criminal history, national identity numbers and financial information.

www.gov.uk

12. Ascension notifies 437,000 patients of a third-party breach

Ascension told more than 437,000 patients that their data had likely been stolen through a hacked former business partner. The exposed information included names, Social Security numbers, health insurance details and clinical records.

www.securityweek.com

13. Adidas discloses breach through a customer service provider

Adidas disclosed that an unauthorised party had obtained consumer data through a third-party customer service provider. The affected records included names, email addresses, phone numbers, postal addresses and dates of birth, though no payment data was involved.

www.computerweekly.com

14. Dior discloses cyberattack and warns customers of data breach

Fashion house Dior disclosed that attackers had accessed a database holding customer contact details, postal addresses and purchase histories. The company said no passwords or payment information were exposed and began notifying affected customers in China and South Korea.

www.bleepingcomputer.com

15. KrebsOnSecurity hit with near-record 6.3 terabit DDoS

Security writer Brian Krebs reported that his site had been struck by a 6.3 terabit per second denial-of-service attack, the largest that Google, which shields the site through Project Shield, had ever handled. The traffic came from the Aisuru botnet, which is assembled from compromised home routers and Internet of Things devices.

krebsonsecurity.com

16. xAI developer leaks API key for private SpaceX and Tesla models

An xAI developer exposed a private API key on GitHub that granted access to dozens of large language models fine-tuned on internal data from SpaceX, Tesla and X. The key stayed live for about two months despite an early warning from a third-party secret-scanning researcher, raising fresh concerns about how Musk's companies handle sensitive data.

krebsonsecurity.com
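The xAI leak is the kind that a pre-commit or CI secret scan catches before the push. The following is an added example written for this roundup, not code from xAI, GitHub or the article; it scans only the added lines of a diff, flags tokens that carry a known vendor-style prefix, and uses Shannon entropy to tell a real-looking credential apart from a placeholder assigned to a secret-named variable. The prefix list (including the `xai-` shape) and the sample diff are assumptions constructed for the example; the token in it is a made-up placeholder, not a real key.

```python
import math
import re
from dataclasses import dataclass

# Token shapes that resemble issued credentials. These prefixes are assumed
# vendor formats chosen for illustration; extend the list for your own estate.
PREFIX_PATTERNS = [
    re.compile(r"\b(xai|sk)-[A-Za-z0-9_\-]{20,}\b"),  # assumed LLM-vendor style
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),               # AWS access key ID shape
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),            # GitHub personal token shape
]

# A long opaque value assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)

# Bits per character. Random base62 is about 5.95; "xxxxxxxx" is 0.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int   # 1-based line within the diff text
    kind: str      # "known-prefix" or "high-entropy-assignment"
    token: str     # the suspected secret (redact before logging in real use)


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff for credential-shaped tokens."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, raw in enumerate(diff_text.splitlines(), start=1):
        # Skip context, removals and the '+++ b/path' file header.
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for pat in PREFIX_PATTERNS:
            for m in pat.finditer(line):
                key = (line_no, m.group(0))
                if key not in seen:
                    seen.add(key)
                    findings.append(Finding(line_no, "known-prefix", m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            key = (line_no, value)
            # Entropy gate: a placeholder like "xxxxxxxx" is not reported.
            if key not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(key)
                findings.append(Finding(line_no, "high-entropy-assignment", value))
    return findings


def should_block_commit(diff_text: str) -> bool:
    """Policy hook for a pre-commit or CI gate: any finding blocks the push."""
    return bool(scan_added_lines(diff_text))


# Constructed sample diff, not the real leaked commit. The "xai-..." value is a
# made-up placeholder shaped like a vendor key; the other two lines are benign.
SAMPLE_DIFF = """\
+++ b/scripts/query_model.py
+import requests
+API_KEY = "xai-Qm7vZ2rT9xLp4Ws8Hb1KcN6yJd3FgA0eRu5MtV"
+SESSION_NAME = "default"
+PASSWORD_PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind}: {f.token[:8]}... (redacted)")
    print("block commit:", should_block_commit(SAMPLE_DIFF))
```

Run it as a pre-commit hook over `git diff --cached` output; the entropy gate is what keeps `PASSWORD_PLACEHOLDER = "xxxx..."` from producing a false positive, while the known-prefix match catches the key regardless of the variable it is assigned to.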

17. FTC finalises order against GoDaddy over data security failures

The Federal Trade Commission finalised a consent order requiring GoDaddy to build a proper information security programme after years of weak protections led to several breaches. The order also bars the company from misrepresenting its security to customers.

www.ftc.gov

18. Montana becomes first state to close the data broker loophole

Montana enacted a law that bars law enforcement from buying sensitive personal data, including location and communications records, from data brokers. Police must now obtain a warrant, consent or a subpoena to access the kinds of data they could previously simply purchase.

www.eff.org

19. German court refuses to halt Meta AI training on user data

The Higher Regional Court of Cologne dismissed a consumer group's request for an injunction against Meta over the use of public posts to train its AI models. The court found that Meta's interest in processing the data outweighed the interests of the users affected.

www.taylorwessing.com

20. Jury orders NSO Group to pay 168 million dollars over WhatsApp hacks

A California jury ordered spyware maker NSO Group to pay Meta about 168 million dollars for enabling Pegasus attacks on roughly 1,400 WhatsApp users. The verdict was a rare courtroom defeat for the commercial spyware industry, which has long shielded itself from accountability.

www.theregister.com

