Privacy Roundup #0230 • September 2025
September 2025 brought record privacy fines, a string of supply chain breaches, and fresh fights over surveillance and encryption.
1. Google must pay $425 million in privacy lawsuit, jury rules
A San Francisco jury ordered Google to pay 425.7 million dollars for tracking phone activity after users had switched the setting off. The case covered about 98 million devices, and Google said it would appeal.
2. Cookies placed without consent: SHEIN fined 150 million euros by the CNIL
France's data regulator fined Shein's Irish subsidiary 150 million euros for dropping advertising cookies before users could choose. On the same day the CNIL fined Google 325 million euros for similar consent failures.
3. Jaguar Land Rover extends production delay following cyberattack
A cyberattack forced Jaguar Land Rover to shut down its systems and halt production at its main British plants. Attackers leaked internal data, and the firm confirmed customer information had been taken.
4. Stellantis says a third-party vendor spilled customer data
Stellantis confirmed that attackers reached customer data through a third-party platform serving its North American operations. The carmaker said the exposed records were limited to names and email addresses.
5. The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft
Hackers stole authentication tokens from Salesloft's Drift chatbot and used them to raid hundreds of connected Salesforce accounts. Google's researchers urged firms to revoke every token tied to the integration.
6. Plex urges users to change passwords after data breach
Plex told users to reset their passwords after an intruder reached a database holding emails, usernames, and hashed passwords. The streaming firm forced a reset and advised people to switch on two-factor authentication.
7. Wealthsimple Data Breach Exposes Sensitive Client Information
The Canadian investment platform said a compromised third-party software package exposed data on less than one percent of its clients. The leaked records included contact details, government IDs, account numbers, and social insurance numbers.
8. FTC Launches Inquiry into AI Chatbots Acting as Companions
The Federal Trade Commission ordered seven firms, including OpenAI, Meta, and Google, to explain how their chatbots affect children and teenagers. The agency asked what steps each company takes to limit harm and to warn parents.
9. Mexican Allies Raise Alarms About New Mass Surveillance Laws, Call for International Support
Mexican civil society groups warned that new laws force every person to enrol in a biometric ID system and hand officials wide access to personal data. The digital rights group R3D challenged the measures in court and sought international backing.
10. What WhatsApp's "Advanced Chat Privacy" Really Does
The Electronic Frontier Foundation pushed back on a viral claim that Meta AI reads private chats unless a setting is switched on. It explained that the AI only sees a message when a user invokes it, though WhatsApp still gathers metadata.
11. Tile trackers leak unencrypted Bluetooth data, say boffins
Researchers at Georgia Tech found that Tile trackers broadcast their data without encryption, so anyone with the right gear can follow a tag. The flaw lets both the company and stalkers track a device over time.
12. California Privacy Protection Agency issues record $1.35 million fine against Tractor Supply Company
California's privacy agency reached a 1.35 million dollar settlement with Tractor Supply, its largest penalty so far. Regulators said the retailer failed to honour opt-out requests and lacked proper service provider contracts.
13. California Finalizes Regulations to Strengthen Consumers' Privacy
California finalised rules on automated decision-making, risk assessments, and cybersecurity audits under the state privacy law. The rules take effect in January 2026, with phased deadlines stretching through the decade.
14. ICE to Buy Tool that Tracks Locations of Hundreds of Millions of Phones Every Day
Documents showed that ICE planned to buy a surveillance tool that maps billions of daily location signals from hundreds of millions of phones. An internal legal note said the agency could query the data without a warrant.
15. Volvo NA staff data stolen in third-party ransomware attack
Volvo North America confirmed that a ransomware attack on its software supplier Miljodata exposed staff data, including names and social security numbers. The attack hit much of Sweden's public sector and many large firms.
16. 430k customers affected in Harrods' latest breach
The luxury retailer Harrods said attackers reached around 430,000 customer records through a third-party supplier. The exposed data covered names and contact details, and the firm refused to deal with the attackers.
17. What we know about the cyberattack that hit major European airports
A ransomware attack on Collins Aerospace check-in software disrupted Heathrow, Brussels, and Berlin airports for days. Staff fell back on manual processing, which led to long delays and many cancelled flights.
18. Texas Expands and Modifies Data Broker Registration Law
Amendments to the Texas Data Broker Act took effect on the first of the month, widening the definition of a data broker and changing who must register. The update reflects a broader push by states to track and limit the trade in personal data.
19. Microsoft Patch Tuesday, September 2025 Edition
Microsoft shipped fixes for more than 80 flaws, including several that attackers could use to seize control of a system. Prompt patching matters for privacy, since such bugs often open the door to data theft.
20. Farmers Insurance Data Breach Affects 1.1 Million Customers
Farmers Insurance said attackers reached the records of more than 1.1 million customers through its Salesforce platform rather than its own network. The breach was part of a wider wave of thefts that hit firms using the same cloud service.