Privacy Roundup #0233 • December 2025

December closed the year with fresh fights over message scanning, the first big fine under the EU platform rules, and a run of large breaches and data broker reckonings.

1. EU Chat Control nears its final hurdle

The EU Council pushed again to scan private messages, and public pressure forced the Danish presidency to drop the demand to scan encrypted chats. The plan still allows so-called voluntary scanning of messages that are not end-to-end encrypted, so the danger to privacy has not gone away.

www.eff.org

2. European Commission fines X 120 million euros under the Digital Services Act

The Commission issued its first non-compliance fine under the Digital Services Act, penalising X for a deceptive blue checkmark, a poor advertising archive, and blocking researcher access to public data. X was given strict deadlines to set out how it will fix each failure.

digital-strategy.ec.europa.eu

3. Top EU court makes marketplaces responsible for users' ads

The Court of Justice ruled that online marketplace operators count as data controllers for personal data in user posted adverts, even when they did not write the content. Operators must now verify identities and check consent before publishing adverts that contain sensitive data.

www.insideprivacy.com

4. FTC acts against Illuminate Education over a breach hitting 10 million students

The FTC required the education technology firm to build a security programme and delete data it no longer needs after a hacker reached the records of more than 10 million students. Regulators said the company stored data in plain text and waited nearly two years to warn some districts.

www.ftc.gov

5. FTC orders Illusory Systems to repay victims of a 186 million dollar hack

The maker of the Nomad crypto bridge marketed itself as security-first, yet shipped untested code that let thieves drain 186 million dollars. Under the settlement the firm must return recovered money and run an independent security programme.

www.ftc.gov

6. Prosper breach exposes data on 13.1 million people

The lending marketplace began telling customers in December that attackers had queried its databases and taken names, Social Security numbers, bank details, and more. The firm said account funds were untouched and offered two years of credit monitoring.

therecord.media

7. Aflac says hackers stole personal and health data of 22.6 million people

The insurance giant told state regulators in December that a summer intrusion had reached the records of about 22.65 million people. The haul covered names, dates of birth, addresses, Social Security numbers, government identity numbers, and medical and health insurance details.

techcrunch.com

8. Flock left its AI cameras open on the internet

Researchers found at least 60 of Flock's Condor cameras live streaming on the open internet with no password and no encryption, letting anyone watch and download weeks of footage. The cameras filmed children at play, shoppers, and drivers before Flock called it a limited misconfiguration.

www.404media.co

9. Schneier weighs a new anonymous phone service

A carrier called Phreeli lets people sign up with nothing but a postcode, which is legal in all fifty states yet offered by none of the big players. Schneier warned that the parent network still holds location data, so the promise of true anonymity is thin.

www.schneier.com

10. Ring rolls out AI facial recognition to its video doorbells

Amazon's Ring switched on a feature called Familiar Faces that lets owners catalogue up to fifty people and get named alerts when the doorbell spots them. EFF and Senator Ed Markey urged the firm to drop the tool, warning that a home camera network could become a way to track people across whole neighbourhoods.

techcrunch.com

11. To Catch a Predator: leak exposes the inner workings of Intellexa's spyware

Amnesty International verified leaked files showing how the Predator spyware infects phones, including a method that hides the attack inside ordinary mobile adverts. The documents proved the firm kept direct access to live customer systems and tied the tool to fresh abuses against a human rights lawyer in Pakistan.

securitylab.amnesty.org

12. Freedom Mobile discloses a breach exposing customer data

Canada's fourth largest carrier said attackers used a subcontractor's account to reach the personal details of a limited number of customers. The exposed records held names, home addresses, dates of birth, phone numbers, and Freedom Mobile account numbers.

www.bleepingcomputer.com

13. Microsoft fixes a zero-day in its December patch round

Microsoft shipped fixes for at least 56 flaws, including one already used in attacks and two that had been disclosed in public. The release closed out a year in which the company patched more than 1,100 vulnerabilities.

krebsonsecurity.com

14. Federal judge blocks the Texas app store age verification law

A judge granted an injunction against Senate Bill 2420, ruling that forcing age checks to download apps likely breaks the First Amendment. The law had been set to take effect in January 2026.

www.jurist.org

15. Austria supreme court rules Meta's personalised ads unlawful

Austria's highest court held that Meta cannot lean on contractual necessity to process user data for targeted advertising without consent, since the adverts are a way to make money rather than a core service. The ruling, enforceable across the EU, also barred Meta from handling sensitive data such as health or political views without an explicit opt-in.

www.jurist.org

16. LastPass hammered with £1.2M fine for 2022 breach fiasco

The UK Information Commissioner's Office fined LastPass 1.2 million pounds after a 2022 attack reached a backup database holding the data of up to 1.6 million British users. Regulators said the firm let senior staff use the same master password for personal and business accounts, which let one breach feed the next.

www.theregister.com

17. Hacker claims to leak WIRED database with 2.3 million records

A thief posted what they said was a Condé Nast database of more than 2.3 million WIRED subscriber records, listing email addresses, names, postal addresses, phone numbers, and birthdays. BleepingComputer checked a sample of the records and confirmed they belonged to genuine subscribers.

www.bleepingcomputer.com

18. Court approves Disney's 10 million dollar COPPA settlement

A federal court signed off on an order making Disney pay 10 million dollars to settle FTC claims that it let firms harvest data from children watching its YouTube videos. Disney had set audience labels at the channel level rather than per video, so some child-directed clips escaped the made-for-kids tag and fed targeted advertising.

www.ftc.gov

19. France's CNIL fines Nexpublica 1.7 million euros over a data leak

The French regulator penalised the maker of social care software after a flaw let users open other people's documents through its online portal. The CNIL said the firm had ignored basic security practice and left known weaknesses unfixed for years before the breach came to light.

thecyberexpress.com
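The Nexpublica flaw, as described, is the familiar pattern of a portal that fetches a document by a client-supplied id without checking that the caller owns it. The snippet below is an added illustration, not Nexpublica's code and not based on any detail of their portal beyond the summary above: a lookup that trusts the id, beside a version that enforces ownership, plus a small audit helper a team could keep as a regression test. The user ids, document ids and store are constructed sample data.

```python
# Added example (not Nexpublica's code): a document endpoint that trusts a
# client-supplied id without an ownership check, beside a hardened version.
# All ids and records below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample store: two users, one document each.
DOCS = {
    101: Document(101, owner_id=1, body="care plan for user 1"),
    102: Document(102, owner_id=2, body="care plan for user 2"),
}


class Forbidden(Exception):
    """Raised when a caller may not read the requested document."""


def get_document_vulnerable(requesting_user_id: int, doc_id: int) -> str:
    """Looks the document up by id only, so any signed-in user can read
    any document whose id they can guess or enumerate."""
    return DOCS[doc_id].body


def get_document_hardened(requesting_user_id: int, doc_id: int) -> str:
    """Looks the document up by id, then checks it belongs to the caller.
    A missing document and a foreign document raise the same error so the
    response does not reveal whether a given id exists."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner_id != requesting_user_id:
        raise Forbidden(f"user {requesting_user_id} may not read document {doc_id}")
    return doc.body


def audit_cross_user_reads(handler, user_ids, doc_ids) -> int:
    """Count the (user, document) pairs the handler serves where the document
    belongs to someone else. A correctly authorised handler returns 0, which
    makes this a cheap regression test to run against every document route."""
    leaks = 0
    for user_id in user_ids:
        for doc_id in doc_ids:
            try:
                handler(user_id, doc_id)
            except (Forbidden, KeyError):
                continue
            if DOCS[doc_id].owner_id != user_id:
                leaks += 1
    return leaks


if __name__ == "__main__":
    users, docs = [1, 2], [101, 102]
    print("vulnerable handler leaks:", audit_cross_user_reads(get_document_vulnerable, users, docs))
    print("hardened handler leaks:", audit_cross_user_reads(get_document_hardened, users, docs))
```

The audit helper is the part worth keeping: the ownership check itself is a one-liner, but the CNIL's complaint was that the weakness stayed unfixed for years, and a test that fails the moment a route serves another user's record is what stops that from happening silently.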

20. Ofcom fines an adult site under the Online Safety Act

The UK regulator issued a 1 million pound fine against AVS Group over age checks it judged were not highly effective across the firm's 18 adult websites. Ofcom added a further 50,000 pound penalty after the company failed to answer its repeated requests for information.

www.ofcom.org.uk
