Privacy Roundup #0231 • October 2025
October 2025 brought a wave of supply chain extortion, fresh attacks on encryption, and a hard look at the surveillance camera networks now woven through everyday life.
1. Surveillance Secrets exposes First Wap's global phone tracking
A reporting team traced a hidden archive of more than a million tracking attempts to First Wap, a firm that locates phones worldwide through the ageing SS7 telecom protocol. The records showed journalists, dissidents, and business figures tracked in over 160 countries without their knowledge.
2. SimonMed says 1.2 million patients hit in data breach
The imaging provider told more than 1.2 million people that intruders had reached their records earlier in the year. The Medusa gang claimed it took 212GB of files, including identity scans, payment details, and medical reports.
3. Hackers steal 70,000 ID photos from Discord support system
Attackers broke into a third party support provider and took around 70,000 images of government identity documents that users had handed over for age checks. The theft showed how age verification rules force people to surrender the very data that most needs protecting.
4. Red Hat consulting repositories breached by Crimson Collective
A group calling itself Crimson Collective claimed it took 570GB of data from a Red Hat consulting GitLab server covering around 28,000 repositories. The files reportedly held engagement reports for customers including the US Navy and Congress.
5. Italy orders the Clothoff deepfake app to stop
Italy's data protection authority ordered the deepfake nudity app Clothoff to stop processing the data of Italian users. The regulator opened a wider inquiry into apps that strip people in images without consent.
6. Hacking group claims theft of 1 billion records from Salesforce customer databases
A group calling itself Scattered Lapsus$ Hunters opened a dark web leak site listing dozens of companies whose Salesforce data had been stolen through compromised Salesloft Drift tokens. The attackers threatened to publish around a billion records, and Salesforce told customers it would not pay any ransom.
7. Flock's gunshot microphones will start listening for human voices
Flock revealed that its acoustic sensors would expand from gunfire to detect sounds of human distress such as screaming. EFF warned that always listening microphones over public streets raise serious questions under state eavesdropping laws.
8. SonicWall says every cloud backup was exposed
SonicWall admitted that an attacker reached the firewall configuration backups of all customers who used its cloud backup service. Those files reveal network layouts, access rules, and credentials that help attackers plan further intrusions.
9. California signs the Defending Californians' Data Act
Governor Newsom signed SB 361, which forces data brokers to disclose whether they sell information to foreign actors, government bodies, or AI developers. The law also doubles the daily fine for brokers that ignore deletion requests.
10. Virginia police tap surveillance cameras for immigration cases
Reporting found that Virginia's Flock camera network was searched nearly 3,000 times for immigration enforcement over a year. Local cameras sold to fight car theft were feeding a federal deportation effort.
11. EU pulls the Chat Control vote after Germany objects
The EU Council shelved its planned vote on the message scanning rule once Germany joined the opposition and formed a blocking minority. The proposal that would have forced scanning of private messages was held back yet again.
12. California requires device level age signals
Governor Newsom signed AB 1043, which makes operating system makers pass an age bracket signal to apps at account setup. Supporters say it avoids identity uploads, while critics warn it pushes age checks onto every device and platform.
13. Capita fined £14m over its 2023 ransomware breach
The UK Information Commissioner fined the outsourcing firm Capita £14m after a breach exposed data on more than six million people. Investigators found the company took 58 hours to isolate an infected device despite an early alert.
14. F5 says nation state hackers stole BIG-IP source code
F5 disclosed that attackers held long term access to its development systems and took source code and details of undisclosed flaws in its BIG-IP products. US authorities ordered federal agencies to patch at once given how widely the products are deployed.
15. Ring agrees to share doorbell footage with Flock
Amazon's Ring announced a deal letting police using Flock request video from home doorbells. On the same day reporting showed that immigration agents, the Secret Service, and the Navy could already search Flock's network.
16. Qantas data appears on the dark web
Hackers published the records of more than five million Qantas customers after the airline declined to pay a ransom. The leaked files held names, email addresses, phone numbers, and dates of birth.
17. EC finds Meta and TikTok breached transparency rules under DSA
The European Commission found that Meta and TikTok had failed to give researchers adequate access to public data as the Digital Services Act requires. It also said Meta did not offer users on Instagram and Facebook a simple way to report illegal content, with possible fines of up to six per cent of global revenue.
18. Judge bars NSO from targeting WhatsApp users with spyware, reduces damages in landmark case
A US federal judge ordered the spyware maker NSO Group to stop targeting WhatsApp with its Pegasus tool, ruling that the conduct caused irreparable harm. The court let the injunction stand but cut the earlier jury award from 168 million dollars to 4 million dollars.
19. Conduent data breach impacts over 10.5 million individuals
The business services firm Conduent told regulators that a ransomware attack exposed the data of more than 10.5 million people across the United States. The stolen files held names, Social Security numbers, dates of birth, and medical and health insurance details.
→ www.infosecurity-magazine.com
20. DraftKings warns of account takeovers from reused passwords
DraftKings told customers that attackers had broken into accounts using passwords stolen from other sites. The exposed details included names, addresses, phone numbers, and the last digits of payment cards.
Enjoyed this post?
Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.
Tags
Category:
Year: