Privacy Roundup #0232 • November 2025
November brought a wave of vendor breaches, fresh fights over surveillance and encryption, and large fines that showed regulators are not slowing down.
1. Coupang says 33.7 million customer accounts were breached
The South Korean retailer admitted that a former employee accessed the personal data of 33.7 million users over several months. Names, addresses, phone numbers and order histories were taken, and the chief executive resigned over the failure.
2. Washington Post confirms data breach linked to Oracle hacks
The newspaper said nearly 10,000 staff and contractors were caught up in the wider attack on Oracle E-Business Suite. The Cl0p group exploited a zero-day flaw and stole records that included bank account numbers.
3. DoorDash confirms data breach affecting users' phone numbers and addresses
A social engineering attack on a staff member let intruders reach customer, driver and merchant records. The exposed data included names, email addresses, phone numbers and physical addresses.
4. OpenAI discloses customer data breach through Mixpanel vendor hack
An SMS phishing attack on the analytics firm Mixpanel exposed names, email addresses and location metadata for some OpenAI API users. OpenAI ended its relationship with the vendor and began a wider review of its suppliers.
5. Salesforce says customer data was accessed after Gainsight breach
Stolen access tokens linked to the Gainsight app let attackers reach data belonging to hundreds of Salesforce customers. The ShinyHunters group claimed it pulled records from close to a thousand organisations.
6. SitusAMC confirms breach of client data after cyberattack
The real-estate finance firm said attackers took accounting records and legal agreements tied to its banking clients. JPMorgan Chase, Citi and Morgan Stanley were among the lenders told that customer data might be exposed.
7. Researchers find a shockingly large amount of satellite traffic is unencrypted
Academics using about 800 dollars of kit intercepted phone calls, texts and military feeds sent in the clear over satellites. Half of the links they observed carried no encryption at all.
8. The UK Has It Wrong on Digital ID. Here's Why.
EFF warned that the planned national digital ID scheme would build a centralised database that hands the state new power over access to everyday services. It cautioned that such systems risk shutting out people without a smartphone, a passport or reliable internet.
9. Police searched plate logs with racist terms against Romani people
EFF found more than 80 agencies ran searches of the Flock network using slurs and stereotypes aimed at Romani people. Many of those searches listed no suspected crime at all.
10. Rights Organizations Demand Halt to Mobile Fortify, ICE's Handheld Face Recognition Program
A coalition of civil liberties groups told the Department of Homeland Security to switch off Mobile Fortify, the handheld app that lets agents scan faces in the field. They also asked the agency to release its privacy analyses and explain its policy on face recognition.
11. ICE gains new tools to track and identify people
Immigration agents now use facial recognition, phone location databases and spyware to find and name people. Civil liberties groups warn that much of this tracking happens without a warrant.
12. Meta hit with 479 million euro fine in Spain over privacy violations
A Madrid court ordered Meta to pay damages to 81 Spanish press publishers over its data practices. The ruling showed how privacy law can underpin large claims beyond the usual regulators.
13. Logitech confirms data breach from a third-party zero-day flaw
The hardware maker told regulators that intruders copied data from its internal systems through a flaw in a supplier's software. The records likely held limited information about employees, customers and suppliers.
14. Google AI can access some content from Gmail and chats. Here's how to opt out
A widely shared video claimed Google had quietly opted everyone into using their email to train Gemini. Google denied training the model on Gmail, though its smart features still read message content.
15. Court ends dragnet electricity surveillance programme in Sacramento
A California court ruled that the utility SMUD broke state privacy law by sifting through residents' smart meter data and passing more than 33,000 tips to police without any suspicion. The judgment found that suspicionless searches of whole postcodes' worth of energy records are not a lawful investigation.
16. Berkeley debates whether to keep its Flock surveillance cameras
The city weighed its contract with Flock Safety as residents pressed it to cut ties over privacy fears. At least 30 places have switched off or cancelled their Flock cameras during the year.
17. Attorney General Bonta Secures $1.4 Million Settlement with Mobile App Gaming Company for Violating California's Nation-Leading Privacy Law
California's attorney general fined the game maker Jam City for failing to offer opt-out controls across its 21 mobile apps. The company had also shared or sold the data of children aged 13 to 16 without the affirmative consent that state law demands.
18. The Legal Case Against Ring's Face Recognition Feature
EFF argued that Amazon Ring's new Familiar Faces tool scans everyone who approaches a camera, including neighbours and passers-by who never agreed to a face scan. Amazon plans to switch the feature off in Illinois and Texas, a sign that it would not survive the biometric privacy laws there.
19. Princeton University discloses data breach affecting donors, alumni
Princeton said attackers reached a fundraising database through a phishing attack on a staff member, exposing names, email addresses, phone numbers and home and business addresses for alumni, donors, students and staff. The records did not hold passwords, financial details or Social Security numbers.
20. Checkout.com snubs hackers after data breach, to donate ransom instead
The payments firm said the ShinyHunters group reached a legacy cloud store that had sat unused since 2020 and held onboarding records for about a quarter of its merchants. Rather than pay the ransom, Checkout.com pledged the sum to security research at Carnegie Mellon and Oxford.