Peter's Path - Privacy

Privacy Roundup #0238 • May 2026

hello@peterspath.net (Peter) — Thu, 04 Jun 2026 15:00:00 +0000

May 2026 brought a wave of mass data breaches, fresh fights over encryption backdoors and age checks, and a landmark order against a location data broker.</p>

1. FTC bans Kochava from selling sensitive location data</h3>
The Federal Trade Commission ordered the data broker Kochava to stop selling location data that can trace people to clinics, places of worship and shelters. The firm must also delete the records it gathered without clear consent.</p>
→ www.ftc.gov</a></p>

2. NYC Health and Hospitals breach exposes 1.8 million patients</h3>
A third party vendor was breached, exposing medical records and biometric scans, including fingerprints, for at least 1.8 million people. It is one of the largest health breaches of the year so far.</p>
→ techcrunch.com</a></p>

3. Hotel check-in system left a million passports open to anyone</h3>
An unsecured cloud storage bucket run by the Japanese hotel system Tabiq exposed around a million passports and driving licences. Anyone who found the link could read the documents without any password.</p>
→ techcrunch.com</a></p>

4. Charter confirms breach after ShinyHunters extortion threat</h3>
The cable provider Charter Communications confirmed a breach after the ShinyHunters gang claimed to hold more than 40 million records. The stolen data included customer names, addresses, phone numbers and account details.</p>
→ www.bleepingcomputer.com</a></p>

5. Carnival Cruise breach affects nearly 6 million people</h3>
Carnival Cruise confirmed a breach that exposed the names, birthdays and email addresses of almost 6 million customers. Loyalty programme details were also taken in the incident.</p>
→ www.bleepingcomputer.com</a></p>

6. Instructure confirms Canvas breach claimed by ShinyHunters</h3>
Instructure confirmed a breach of its Canvas learning platform after ShinyHunters claimed to have stolen vast numbers of records. The data spanned thousands of schools and other education providers.</p>
→ www.bleepingcomputer.com</a></p>

7. Age verification is a privacy nightmare, EFF warns</h3>
The Electronic Frontier Foundation argued that online age checks force everyone to hand sensitive identity data to third parties. Storing that data in one place creates a tempting target for thieves and a tool for surveillance.</p>
→ www.eff.org</a></p>

8. Canada's Bill C-22 revives the encryption backdoor fight</h3>
Canada brought back a surveillance bill that would let the government demand backdoors into encrypted services and a year of retained metadata. Both Apple and Meta have come out against the plan.</p>
→ www.eff.org</a></p>

9. The SECURE Data Act is not serious privacy law, says EFF</h3>
The EFF criticised the SECURE Data Act for wiping out stronger state privacy laws while offering little in return. The bill has no private right of action and no real curb on behavioural advertising.</p>
→ www.eff.org</a></p>

10. UK visa portal spilled applicants' passports and selfies online</h3>
A UK visa portal exposed at least 100,000 documents, including passports and applicant photos. The leak remained open when the report was published.</p>
→ techcrunch.com</a></p>

11. Pay Tel prison phone service exposed 300,000 callers' licences</h3>
A misconfigured cloud server at the prison phone firm Pay Tel exposed more than 300,000 driving licences. The same lapse also laid bare recordings of inmate communications.</p>
→ techcrunch.com</a></p>

12. Trump Mobile confirms it exposed customer data</h3>
Trump Mobile admitted it had exposed customer details, including phone numbers and home addresses, through a third party platform. The company had stayed quiet about earlier reports of the leak.</p>
→ techcrunch.com</a></p>

13. 7-Eleven breach exposes data on 185,000 people</h3>
7-Eleven confirmed that the ShinyHunters gang stole personal data on about 185,000 customers. The records included names, birthdays and contact details.</p>
→ www.bleepingcomputer.com</a></p>

14. Vimeo breach exposes data on 119,000 users</h3>
Vimeo disclosed that ShinyHunters had taken personal information belonging to more than 119,000 people. The company said login credentials and financial details were not affected.</p>
→ www.bleepingcomputer.com</a></p>

15. Trellix discloses breach after source code repository hack</h3>
The security firm Trellix said attackers reached part of its source code repository. The company could not yet confirm whether customer data had been taken.</p>
→ www.bleepingcomputer.com</a></p>

16. Hundreds of hotels caught up in booking scams</h3>
WIRED reported that guest data from more than 350 hotels around the world may have been accessed. Criminals used the stolen details to run convincing booking scams against travellers.</p>
→ www.wired.com</a></p>

18. Your privacy should not be a corporate decision, argues EFF</h3>
The EFF warned that firms such as Meta, Google and Palantir keep treating user privacy as a business choice rather than a right. It pointed to face recognition plans and broken promises about disclosing government requests.</p>
→ www.eff.org</a></p>

19. London police deploy live facial recognition at a protest for the first time</h3>
The Metropolitan Police scanned the faces of people near a large central London march against a watch list, the first such use at a protest. The Biometrics and Surveillance Camera Commissioner warned that forces could face court action over the practice.</p>
→ www.biometricupdate.com</a></p>

20. We must not normalise digital surveillance abuses, says EFF</h3>
The EFF published a guide on concrete steps people can take to resist creeping digital surveillance. It urged the public not to accept invasive tools as a normal part of daily life.</p>
→ www.eff.org</a></p>

Privacy Roundup #0237 • April 2026

hello@peterspath.net (Peter) — Thu, 07 May 2026 15:00:00 +0000

April brought a hacked FBI wiretap system, fresh fights over government location buying, and a wave of breaches and fines across Europe and the United States.</p>

1. Suspected Chinese breach of FBI system exposed surveillance targets' phone numbers</h3>
The FBI told Congress that intruders reached an unclassified system holding pen register and wiretap data. The bureau called it a major incident and pointed to a China linked group.</p>
→ www.nextgov.com</a></p>

2. France confirms data breach at government agency that manages citizens' IDs</h3>
France confirmed that hackers broke into ANTS, the agency that issues passports, ID cards and driving licences. A criminal offered millions of records, including names, dates of birth and contact details, for sale.</p>
→ techcrunch.com</a></p>

3. Mercor, a $10 billion AI startup, confirms it was the victim of a major cybersecurity breach</h3>
The AI data firm Mercor said attackers stole information after they poisoned the open source LiteLLM library. Criminals claimed terabytes of source code and internal records, and some contractors later sued over their exposed data.</p>
→ fortune.com</a></p>

4. Hackers steal and leak sensitive LAPD police documents</h3>
A group broke into a file sharing tool at the Los Angeles City Attorney's Office and took hundreds of thousands of files. The leak held witness names, medical details and unredacted complaints tied to police cases.</p>
→ techcrunch.com</a></p>

5. New Mexico's Meta Ruling and Encryption</h3>
Bruce Schneier warned that a New Mexico ruling against Meta treated end to end encryption as a liability. He argued the case could push platforms toward more monitoring and weaker protection for everyone.</p>
→ www.schneier.com</a></p>

6. FISA Section 702: Congress passes short-term surveillance program extension just before deadline</h3>
With the spying power about to lapse, Congress passed short patches to keep Section 702 alive. Lawmakers extended the authority without adding a warrant rule for searches of Americans' data.</p>
→ www.cnbc.com</a></p>

7. Congress Must Reject New Insufficient 702 Reauthorization Bill</h3>
The Electronic Frontier Foundation urged Congress to reject a reauthorisation bill that lacked a real warrant requirement. It said the measure left the FBI free to search Americans' messages without a judge.</p>
→ www.eff.org</a></p>

8. DHS is buying access to real-time location data, the latest expansion of its surveillance technology</h3>
The Department of Homeland Security signed a fresh contract with Penlink for a tool that tracks phones in real time. Civil liberties groups said the deal let agents follow people without a warrant.</p>
→ prismreports.org</a></p>

9. Open Records Laws Reveal ALPRs' Sprawling Surveillance. Now States Want to Block What the Public Sees</h3>
Several states moved to exempt licence plate reader data from public records laws. The EFF warned that the change would hide how police use and share this mass surveillance.</p>
→ www.eff.org</a></p>

10. How Push Notifications Can Betray Your Privacy (and What to Do About It)</h3>
The EFF explained how push notifications leak data to Apple, Google and, through them, to police. It set out practical steps people can take to limit what their phones reveal.</p>
→ www.eff.org</a></p>

11. Apple rolls out iOS 26.4.2 to fix a flaw that allowed the FBI to access push notifications</h3>
Apple shipped an update after reports that deleted notifications stayed in a database police could read. The fix stops the phone from keeping notifications that the user has cleared.</p>
→ www.engadget.com</a></p>

12. Mexican Surveillance Company</h3>
Schneier flagged the spread of Grupo Seguritech, a Mexican surveillance firm now moving into the United States. He used the case to warn that each gain in monitoring power costs civil liberties.</p>
→ www.schneier.com</a></p>

13. Sen. Sanders Talks to Claude About AI and Privacy</h3>
Schneier highlighted a video of Senator Bernie Sanders questioning an AI assistant about privacy and big tech. Readers debated whether the model gave honest answers or simply told the senator what he wanted to hear.</p>
→ www.schneier.com</a></p>

14. Supreme Court finds for TikTok in dispute with Data Protection Commission</h3>
Ireland's Supreme Court backed TikTok in a procedural fight with the data regulator. A stay on the 530 million euro fine and the order to halt China transfers stays in place while the case continues.</p>
→ www.irishtimes.com</a></p>

15. Italy's data protection regulator fined Intesa Sanpaolo €31.8 million over insider data breach</h3>
Italy's Garante fined the bank Intesa Sanpaolo after one worker snooped on thousands of customer accounts. The regulator said weak controls let the abuse run for two years before anyone noticed.</p>
→ databreaches.net</a></p>

16. Russia Hacked Routers to Steal Microsoft Office Tokens</h3>
Krebs reported a Russian campaign that compromised home and office routers to grab Microsoft sign in tokens. The stolen tokens let attackers read email and files without a password.</p>
→ krebsonsecurity.com</a></p>

17. Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab</h3>
German investigators named the alleged leader of the REvil and GandCrab ransomware crews. The gangs stole and leaked vast amounts of personal data during years of attacks.</p>
→ krebsonsecurity.com</a></p>

18. 'Scattered Spider' Member 'Tylerb' Pleads Guilty</h3>
A member of the Scattered Spider crew pleaded guilty over a string of intrusions and extortion plots. The group used phone scams and SIM swaps to break into firms and steal sensitive records.</p>
→ krebsonsecurity.com</a></p>

19. Committees Introduce Pair of Privacy Bills to Establish Comprehensive Data Protections for All Americans</h3>
House Republicans introduced the SECURE Data Act to set a single national privacy standard. The bill would give people rights to access and delete data and to opt out of targeted advertising.</p>
→ energycommerce.house.gov</a></p>

20. Why America's biggest companies gave up the fight against Utah's app store law protecting kids</h3>
A trade group for Apple, Google, Meta and Amazon dropped its lawsuit against Utah's age verification law for app stores. The measure forces stores to check ages and seek parental consent before minors can download apps, and privacy groups warn that such checks push everyone towards handing over identity data.</p>
→ www.deseret.com</a></p>

Privacy Roundup #0236 • March 2026

hello@peterspath.net (Peter) — Thu, 02 Apr 2026 15:00:00 +0000

March brought huge healthcare and supply-chain breaches, a wave of GDPR court rulings, and fresh proof that the government buys location data from the advertising industry.</p>

1. French health software firm Cegedim leaks 15.8 million patient records</h3>
Attackers stole personal details on up to 15.8 million French patients from Cegedim Santé, one of the largest healthcare leaks in European history. The data included names, contact details and sensitive medical notes for some patients, and the regulator CNIL was notified.</p>
→ www.theregister.com</a></p>

2. FBI confirms it buys Americans' location data to track citizens</h3>
Under questioning from Senator Ron Wyden, FBI Director Kash Patel told the Senate that the bureau purchases commercially available location data. It was the first time since 2023 that the FBI admitted buying data that brokers harvest from ordinary phone apps.</p>
→ techcrunch.com</a></p>

3. UK Companies House confirms flaw exposed five million firms' data</h3>
A bug in the WebFiling service let any logged-in user view the dashboard of any of the five million registered companies, exposing directors' home addresses and dates of birth. The flaw had been live since an October 2025 update, and the service was taken offline until a fix was confirmed.</p>
→ www.bleepingcomputer.com</a></p>

6. CBP bought phone location data from the online advertising system</h3>
An internal document obtained by 404 Media shows Customs and Border Protection tracked phones using location data drawn from real-time advertising bids. It is the first time the agency has admitted that the data it buys comes from the same system that serves ordinary online adverts.</p>
→ www.404media.co</a></p>

7. Proton Mail payment data helped the FBI unmask a protester</h3>
Court records show Proton Mail handed Swiss authorities payment data tied to a Stop Cop City email account, which was then shared with the FBI. The email itself stayed encrypted, but the credit card identifier was enough to trace the account holder.</p>
→ www.404media.co</a></p>

9. EFF weighs the SAFE Act as Section 702 nears its deadline</h3>
With the warrantless surveillance power Section 702 due to expire, the EFF examined the bipartisan SAFE Act and called it an imperfect vehicle for real reform. The bill would require a warrant before the FBI reads Americans' messages, but the group warned it still leaves gaps.</p>
→ www.eff.org</a></p>

10. Anthropic and the Pentagon clash over surveillance use</h3>
The military ended a contract after Anthropic refused to let its technology be used for mass surveillance of people in the United States. The EFF welcomed the stance but argued that privacy should rest on law, not on the goodwill of a few company bosses.</p>
→ www.eff.org</a></p>

11. Ameriprise Financial breach exposes data on 48,000 customers</h3>
The wealth manager disclosed a breach that exposed names, addresses, account numbers, dates of birth and Social Security numbers for about 48,000 customers. The firm detected the intrusion in March and offered affected people credit and identity monitoring.</p>
→ cyberguy.com</a></p>

12. Hackers expose millions of anonymous crime and school tips</h3>
A hacker claims to have taken more than eight million records from P3 Global Intel, the platform behind many Crime Stoppers programmes and thousands of US schools. The leaked files held names, addresses and other details, and the data was reportedly stored in plain text despite claims of encryption.</p>
→ www.malwarebytes.com</a></p>

13. Foster City declares emergency after ransomware attack</h3>
Ransomware knocked out nearly all municipal services in Foster City, California, and the council declared a local state of emergency. Emergency lines stayed open, but the attack showed how small towns holding resident data lack the budgets to defend it.</p>
→ www.cbsnews.com</a></p>

14. Judge rules Flock camera images are public records</h3>
A Washington court held that images from Flock automatic licence plate readers are public records that anyone can request. The ruling found the cameras serve a government purpose and are paid for with public money, prompting some cities to pause their systems.</p>
→ www.404media.co</a></p>

15. Marquis ransomware breach hits more than 672,000 people</h3>
The Texas fintech firm Marquis told regulators that a 2025 ransomware attack stole personal and financial data on over 672,000 people. The stolen files included bank account numbers, card details and Social Security numbers, and the attack disrupted dozens of banks.</p>
→ techcrunch.com</a></p>

16. Telus Digital confirms breach after claim of one petabyte theft</h3>
The outsourcing giant Telus Digital confirmed a breach after the ShinyHunters group claimed to have taken close to one petabyte of data. The stolen material reportedly spans customer records, voice recordings and call data across many of the firm's clients.</p>
→ www.bleepingcomputer.com</a></p>

17. European Commission confirms data breach after Europa.eu hack</h3>
The European Commission confirmed that data had been taken from its Europa.eu platform after the ShinyHunters group claimed to have stolen more than 350 gigabytes from a cloud account. The Commission said it was notifying the Union entities that might be affected, while insisting its internal systems stayed intact.</p>
→ www.bleepingcomputer.com</a></p>

18. Jury finds Meta and Google negligent over app design</h3>
A California jury found Meta and Google negligent in the design of their apps and awarded a young plaintiff six million dollars in damages. The verdict was the first to hold the companies to account for the structure of their products rather than for hosted content.</p>
→ www.npr.org</a></p>

19. Meta ordered to pay $375 million in New Mexico child-safety case</h3>
A separate jury found Meta liable for failing to protect children and for misleading users about safety, ordering it to pay 375 million dollars. The two verdicts together may shape thousands of pending lawsuits against social media firms.</p>
→ www.nbcnews.com</a></p>

20. UK regulators promise action on weak age checks</h3>
The ICO and Ofcom said together that they would act against online services that fail to enforce minimum ages with proper age assurance. Critics warned that the checks, which can demand ID or biometric data, raise their own privacy risks if the data is exposed.</p>
→ www.twobirds.com</a></p>

Privacy Roundup #0235 • February 2026

hello@peterspath.net (Peter) — Thu, 05 Mar 2026 15:00:00 +0000

February brought a wave of vishing-driven breaches, fresh fights over police cameras and ICE surveillance, and regulators leaning on data brokers.</p>

1. Hackers publish data stolen from Harvard and UPenn breaches</h3>
The ShinyHunters group leaked about 2.2 million records taken from Harvard and the University of Pennsylvania after both refused to pay a ransom. The files held alumni names, addresses, phone numbers and donation details drawn from fundraising systems.</p>
→ techcrunch.com</a></p>

2. Breach at French bank registry exposes 1.2 million accounts</h3>
An attacker used a civil servant's stolen credentials to reach FICOBA, the national registry of every bank account opened in France. The exposed data included account numbers, holder names, addresses and, in some cases, tax identifiers.</p>
→ www.bleepingcomputer.com</a></p>

3. Odido breach exposes 6.2 million Dutch customers</h3>
The Dutch telecommunications firm Odido confirmed one of the largest European telecom breaches of early 2026. Attackers reached personal details of about 6.2 million customers after the firm detected the intrusion in early February.</p>
→ www.bleepingcomputer.com</a></p>

4. Fintech firm Figure breach affects nearly 1 million accounts</h3>
Blockchain lender Figure Technology Solutions said an employee fell for a social engineering attack that exposed roughly 967,000 user records. The stolen files held names, dates of birth, email addresses, postal addresses and phone numbers.</p>
→ www.bleepingcomputer.com</a></p>

5. Ad tech firm Optimizely confirms breach after vishing attack</h3>
Optimizely said attackers reached internal business systems through a voice phishing call on 11 February. The firm reported no evidence that customer or personal data was taken, but it warned the roughly 10,000 companies that use its tools.</p>
→ www.bleepingcomputer.com</a></p>

6. Coinbase confirms insider breach linked to leaked support tool screenshots</h3>
Coinbase said a contractor had improperly reached the records of about 30 customers after screenshots of an internal support tool surfaced online. The exposed details included names, dates of birth, phone numbers, identity verification data, wallet balances and transaction histories.</p>
→ www.bleepingcomputer.com</a></p>

7. ICO fines Reddit 14.47 million pounds for children's privacy failures</h3>
The Information Commissioner's Office fined Reddit 14.47 million pounds for processing the data of children under 13 without any effective age checks. The regulator warned that relying on users to declare their own age is not enough to protect young people.</p>
→ ico.org.uk</a></p>

8. FTC reminds data brokers of their duties under PADFAA</h3>
The Federal Trade Commission sent letters to 13 data brokers on 9 February warning them not to sell sensitive American data to foreign adversaries. The agency flagged firms that had offered information tied to members of the armed forces.</p>
→ www.alstonprivacy.com</a></p>

9. Data broker Kochava reaches privacy deal with the FTC</h3>
Kochava agreed to settle long-running FTC claims that it sold precise location data revealing visits to clinics and places of worship. The deal would force the firm to block raw location data linked to sensitive sites for at least two years.</p>
→ www.mediapost.com</a></p>

10. Tenth Circuit limits sweeping searches of a protester's devices</h3>
The appeals court ruled that the Fourth Amendment does not support broad warrants to comb through a protester's phone, photos and messages. The judges held that the particularity requirement applies with special force to digital devices.</p>
→ www.eff.org</a></p>

11. California reaches record 2.75 million dollar privacy settlement with Disney</h3>
California Attorney General Rob Bonta announced a 2.75 million dollar settlement with Disney over its failure to honour opt-out requests under the state privacy law. The company let users switch off data sharing on single devices only, while continuing to share information with third-party advertising firms across the rest of an account.</p>
→ oag.ca.gov</a></p>

12. EFF and ACLU tell Big Tech to resist lawless DHS subpoenas</h3>
The two groups urged Amazon, Apple, Google, Meta and others to demand court review before handing over user identities to the Department of Homeland Security. They warned that the agency had used subpoenas to unmask people who documented or criticised ICE.</p>
→ www.eff.org</a></p>

13. DHS watchdog opens inquiry into ICE surveillance tools</h3>
The Inspector General began an audit of whether ICE's surveillance and biometric programmes follow privacy law. Senators Mark Warner and Tim Kaine pushed for the review over contracts with firms such as Palantir, Clearview AI and Flock.</p>
→ www.404media.co</a></p>

14. EFF warns that "free" surveillance tech carries a high cost</h3>
The group described how vendors, federal agencies and wealthy donors give police free surveillance gear that bypasses local oversight. It argued that the hidden price is paid in lost privacy and weaker public control.</p>
→ www.eff.org</a></p>

15. EFF op-ed urges San Jose to drop its Flock system</h3>
The piece argued that automated licence plate readers can be turned against immigrants, dissidents and other targets. It called on local leaders to end the city's contract and protect their communities.</p>
→ www.eff.org</a></p>

16. With Ring, consumers built a surveillance dragnet</h3>
A Ring Super Bowl advert for an AI feature that scans neighbourhood cameras to find a lost dog drew sharp privacy criticism. Reporters and lawmakers warned the same tool could be turned on people deemed suspicious.</p>
→ www.404media.co</a></p>

17. Why some cities are cancelling Flock camera contracts</h3>
NPR reported that a growing number of cities are dropping Flock licence plate readers over fears the data could feed immigration enforcement. Local officials cited the lack of control over who can search the footage.</p>
→ www.npr.org</a></p>

18. WhatsApp encryption, a lawsuit, and a lot of noise</h3>
Cryptographer Matthew Green examined claims that Meta could read end-to-end encrypted WhatsApp messages. He explained that the real risks sit around the protocol, in cloud backups, business messaging and internal access systems.</p>
→ blog.cryptographyengineering.com</a></p>

19. Age verification laws face mixed prospects in 2026</h3>
Experts told Route Fifty that the spread of age verification rules raises real privacy and anonymity concerns. Courts have blocked some measures while others move ahead, leaving a patchwork across the states.</p>
→ www.route-fifty.com</a></p>

20. Ten Dutch municipalities fined over secret probes into Muslim residents</h3>
The Dutch data protection authority fined ten councils a total of 250,000 euros for collecting sensitive files on Muslim residents without their knowledge. The councils logged people's religion and political views and shared the reports with national bodies.</p>
→ nltimes.nl</a></p>

Privacy Roundup #0234 • January 2026

hello@peterspath.net (Peter) — Thu, 05 Feb 2026 15:00:00 +0000

January brought a wave of government surveillance deals, fresh data broker fines, large corporate breaches and a renewed fight over encryption.</p>

1. ICE Is Going on a Surveillance Shopping Spree</h3>
The EFF set out how ICE signed new contracts for phone tracking, social media monitoring, face surveillance and spyware. The agency now spends ten times its old budget on these tools, building one of the largest domestic surveillance systems in history.</p>
→ www.eff.org</a></p>

2. Inside ICE's Tool to Monitor Phones in Entire Neighbourhoods</h3>
404 Media revealed Webloc, a tool that lets ICE watch a city block for phones and trace each device home and to work. The data comes from hundreds of millions of phones and can be queried without a warrant.</p>
→ www.404media.co</a></p>

3. EFF Calls on Tech Companies to Encrypt It Already</h3>
The EFF asked Meta, Apple, Google, Bluesky, Telegram and Amazon Ring to keep their promises on end to end encryption. The campaign wants default encryption for group chats, backups and home cameras.</p>
→ www.eff.org</a></p>

4. CalPrivacy Brings New Enforcement Actions Against Data Brokers</h3>
California fined Datamasters, run by Rickenbacher Data LLC, and S&P Global for failing to register under the Delete Act. Datamasters had resold lists of people grouped by health condition, age and perceived race.</p>
→ privacy.ca.gov</a></p>

5. Worried About Surveillance, States Enact Privacy Laws and Restrict Licence Plate Readers</h3>
States across the political spectrum moved to curb licence plate readers, and several blocked ICE from reaching their driver record databases. Democratic led cities also dropped contracts with Flock Safety, the largest supplier of the cameras, over fears the scans fed federal surveillance.</p>
→ stateline.org</a></p>

6. Crunchbase Confirms Data Breach After Hacking Claims</h3>
Crunchbase confirmed a breach after the group ShinyHunters published stolen records. The attackers used voice phishing to steal an employee single sign on credential and claimed to take more than two million records.</p>
→ www.securityweek.com</a></p>

7. Target's Dev Server Offline After Hackers Claim to Steal Source Code</h3>
Around 860 gigabytes of Target source code and developer documents appeared online, and staff confirmed the files were real. The theft began with an infostealer on an employee workstation that held wide internal access.</p>
→ www.bleepingcomputer.com</a></p>

8. Data Thieves Borrow Nike's 'Just Do It' Mantra, Claim They Ran Off With 1.4TB</h3>
A group calling itself WorldLeaks published what it said was 1.4 terabytes of internal Nike data. The files covered product design, factory training and manufacturing processes, though they did not appear to hold customer records.</p>
→ www.theregister.com</a></p>

9. Blue Shield of California Notifies Members of Potential Privacy Breach</h3>
A record merge fault let some Blue Shield members view another member's details in the portal. The exposed data included names, diagnoses, medications and claims information.</p>
→ news.blueshieldca.com</a></p>

10. Who Operates the Badbox 2.0 Botnet?</h3>
Krebs traced how a disclosed vulnerability was used to build a vast botnet running on cheap Android television boxes. The person in control launched denial of service attacks, doxing and a swatting raid against the researcher and reporter.</p>
→ krebsonsecurity.com</a></p>

11. Patch Tuesday, January 2026 Edition</h3>
Microsoft fixed at least 113 flaws, with eight rated critical and one already under attack. Two Office bugs could run code just from viewing a message in the preview pane.</p>
→ krebsonsecurity.com</a></p>

12. CNIL Fines Free Mobile and Free 42 Million Euros</h3>
The French regulator fined the two telecoms firms over weak security after an attacker reached data on 24 million subscriber contracts. The breach exposed bank account numbers for customers of both companies.</p>
→ www.cnil.fr</a></p>

13. Illinois State Agency Exposed Personal Data of 700,000 People</h3>
The Illinois Department of Human Services revealed that it had posted the records of more than 700,000 residents on public mapping platforms. The data, which included addresses and benefits status, stayed open to view for years before staff took it down.</p>
→ therecord.media</a></p>

14. ICE Takes Aim at Data Held by Advertising and Tech Firms</h3>
ICE published a request for information to learn how ad tech and big data providers could feed its investigations. Privacy experts warned the move could let the agency buy its way around warrant rules.</p>
→ www.theregister.com</a></p>

15. AI and the Rise of Bulk Spying</h3>
Bruce Schneier argued that artificial intelligence lets governments and firms move from targeted watching to mass surveillance. He warned that cheap analysis removes the old limits that once protected privacy.</p>
→ www.schneier.com</a></p>

16. Instagram Denies Breach Amid Claims of 17 Million Account Data Leak</h3>
A dataset said to hold records on more than 17 million Instagram accounts appeared on a hacking forum, listing names, emails, phone numbers and addresses. Meta denied any breach of its systems and said it had fixed a bug that let attackers mass request password reset emails.</p>
→ www.bleepingcomputer.com</a></p>

17. Coalition Urges Congress to Block Funding for ICE Surveillance</h3>
Forty four groups asked lawmakers to cut funding for what they called an ICE surveillance panopticon. They warned that the spending threatened the rights of citizens and immigrants alike.</p>
→ www.commondreams.org</a></p>

18. ICE and Activists Clash Over Doxing and Privacy</h3>
The Washington Post reported on court and street fights as ICE used surveillance tools against protesters. Civil rights groups said the agency was infringing the privacy and speech rights of citizens.</p>
→ www.washingtonpost.com</a></p>

19. France Travail Fined 5 Million Euros Over Job Seeker Data</h3>
The CNIL fined the French employment agency for failing to secure the data of job seekers. The penalty added to a busy month of European enforcement against poor data protection.</p>
→ www.cnil.fr</a></p>

20. Match Group Breach Exposes Data From Hinge, Tinder, OkCupid, and Match</h3>
The group ShinyHunters leaked about 1.7 gigabytes of files said to hold roughly ten million records from the dating apps run by Match Group. The attackers reached the data through a social engineering attack that captured company single sign on credentials.</p>
→ www.bleepingcomputer.com</a></p>

Privacy Roundup #0233 • December 2025

hello@peterspath.net (Peter) — Thu, 01 Jan 2026 15:00:00 +0000

December closed the year with fresh fights over message scanning, the first big fine under the EU platform rules, and a run of large breaches and data broker reckonings.</p>

1. EU Chat Control nears its final hurdle</h3>
The EU Council pushed again to scan private messages, and public pressure forced the Danish presidency to drop the demand to scan encrypted chats. The plan still allows so called voluntary scanning of messages that are not end to end encrypted, so the danger to privacy has not gone away.</p>
→ www.eff.org</a></p>

2. European Commission fines X 120 million euros under the Digital Services Act</h3>
The Commission issued its first non compliance fine under the Digital Services Act, penalising X for a deceptive blue checkmark, a poor advertising archive, and blocking researcher access to public data. X was given strict deadlines to set out how it will fix each failure.</p>
→ digital-strategy.ec.europa.eu</a></p>

3. Top EU court makes marketplaces responsible for users' ads</h3>
The Court of Justice ruled that online marketplace operators count as data controllers for personal data in user posted adverts, even when they did not write the content. Operators must now verify identities and check consent before publishing adverts that contain sensitive data.</p>
→ www.insideprivacy.com</a></p>

4. FTC acts against Illuminate Education over a breach hitting 10 million students</h3>
The FTC required the education technology firm to build a security programme and delete data it no longer needs after a hacker reached the records of more than 10 million students. Regulators said the company stored data in plain text and waited nearly two years to warn some districts.</p>
→ www.ftc.gov</a></p>

5. FTC orders Illusory Systems to repay victims of a 186 million dollar hack</h3>
The maker of the Nomad crypto bridge marketed itself as security first, yet shipped untested code that let thieves drain 186 million dollars. Under the settlement the firm must return recovered money and run an independent security programme.</p>
→ www.ftc.gov</a></p>

6. Prosper breach exposes data on 13.1 million people</h3>
The lending marketplace began telling customers in December that attackers had queried its databases and taken names, Social Security numbers, bank details, and more. The firm said account funds were untouched and offered two years of credit monitoring.</p>
→ therecord.media</a></p>

7. Aflac says hackers stole personal and health data of 22.6 million people</h3>
The insurance giant told state regulators in December that a summer intrusion had reached the records of about 22.65 million people. The haul covered names, dates of birth, addresses, Social Security numbers, government identity numbers, and medical and health insurance details.</p>
→ techcrunch.com</a></p>

8. Flock left its AI cameras open on the internet</h3>
Researchers found at least 60 of Flock's Condor cameras live streaming on the open internet with no password and no encryption, letting anyone watch and download weeks of footage. The cameras filmed children at play, shoppers, and drivers before Flock called it a limited misconfiguration.</p>
→ www.404media.co</a></p>

9. Schneier weighs a new anonymous phone service</h3>
A carrier called Phreeli lets people sign up with nothing but a postcode, which is legal in all fifty states yet offered by none of the big players. Schneier warned that the parent network still holds location data, so the promise of true anonymity is thin.</p>
→ www.schneier.com</a></p>

10. Ring rolls out AI facial recognition to its video doorbells</h3>
Amazon's Ring switched on a feature called Familiar Faces that lets owners catalogue up to fifty people and get named alerts when the doorbell spots them. EFF and Senator Ed Markey urged the firm to drop the tool, warning that a home camera network could become a way to track people across whole neighbourhoods.</p>
→ techcrunch.com</a></p>

11. To Catch a Predator: leak exposes the inner workings of Intellexa's spyware</h3>
Amnesty International verified leaked files showing how the Predator spyware infects phones, including a method that hides the attack inside ordinary mobile adverts. The documents proved the firm kept direct access to live customer systems and tied the tool to fresh abuses against a human rights lawyer in Pakistan.</p>
→ securitylab.amnesty.org</a></p>

12. Freedom Mobile discloses a breach exposing customer data</h3>
Canada's fourth largest carrier said attackers used a subcontractor's account to reach the personal details of a limited number of customers. The exposed records held names, home addresses, dates of birth, phone numbers, and Freedom Mobile account numbers.</p>
→ www.bleepingcomputer.com</a></p>

13. Microsoft fixes a zero-day in its December patch round</h3>
Microsoft shipped fixes for at least 56 flaws, including one already used in attacks and two that had been disclosed in public. The release closed out a year in which the company patched more than 1,100 vulnerabilities.</p>
→ krebsonsecurity.com</a></p>

14. Federal judge blocks the Texas app store age verification law</h3>
A judge granted an injunction against Senate Bill 2420, ruling that forcing age checks to download apps likely breaks the First Amendment. The law had been set to take effect in January 2026.</p>
→ www.jurist.org</a></p>

15. Austria supreme court rules Meta's personalised ads unlawful</h3>
Austria's highest court held that Meta cannot lean on contractual necessity to process user data for targeted advertising without consent, since the adverts are a way to make money rather than a core service. The ruling, enforceable across the EU, also barred Meta from handling sensitive data such as health or political views without an explicit opt in.</p>
→ www.jurist.org</a></p>

16. LastPass hammered with £1.2M fine for 2022 breach fiasco</h3>
The UK Information Commissioner's Office fined LastPass 1.2 million pounds after a 2022 attack reached a backup database holding the data of up to 1.6 million British users. Regulators said the firm let senior staff use the same master password for personal and business accounts, which let one breach feed the next.</p>
→ www.theregister.com</a></p>

17. Hacker claims to leak WIRED database with 2.3 million records</h3>
A thief posted what they said was a Condé Nast database of more than 2.3 million WIRED subscriber records, listing email addresses, names, postal addresses, phone numbers, and birthdays. BleepingComputer checked a sample of the records and confirmed they belonged to genuine subscribers.</p>
→ www.bleepingcomputer.com</a></p>

18. Court approves Disney's 10 million dollar COPPA settlement</h3>
A federal court signed off on an order making Disney pay 10 million dollars to settle FTC claims that it let firms harvest data from children watching its YouTube videos. Disney had set audience labels at the channel level rather than per video, so some child directed clips escaped the made for kids tag and fed targeted advertising.</p>
→ www.ftc.gov</a></p>

19. France's CNIL fines Nexpublica 1.7 million euros over a data leak</h3>
The French regulator penalised the maker of social care software after a flaw let users open other people's documents through its online portal. The CNIL said the firm had ignored basic security practice and left known weaknesses unfixed for years before the breach came to light.</p>
→ thecyberexpress.com</a></p>

20. Ofcom fines an adult site under the Online Safety Act</h3>
The UK regulator issued a 1 million pound fine against AVS Group over age checks it judged were not highly effective across the firm's 18 adult websites. Ofcom added a further 50,000 pound penalty after the company failed to answer its repeated requests for information.</p>
→ www.ofcom.org.uk</a></p>

Privacy Roundup #0232 • November 2025

hello@peterspath.net (Peter) — Thu, 04 Dec 2025 15:00:00 +0000

November brought a wave of vendor breaches, fresh fights over surveillance and encryption, and large fines that showed regulators are not slowing down.</p>

1. Coupang says 33.7 million customer accounts were breached</h3>
The South Korean retailer admitted that a former employee accessed the personal data of 33.7 million users over several months. Names, addresses, phone numbers and order histories were taken, and the chief executive resigned over the failure.</p>
→ www.cnbc.com</a></p>

2. Washington Post confirms data breach linked to Oracle hacks</h3>
The newspaper said nearly 10,000 staff and contractors were caught up in the wider attack on Oracle E-Business Suite. The Cl0p group exploited a zero-day flaw and stole records that included bank account numbers.</p>
→ techcrunch.com</a></p>

3. DoorDash confirms data breach affecting users' phone numbers and addresses</h3>
A social engineering attack on a staff member let intruders reach customer, driver and merchant records. The exposed data included names, email addresses, phone numbers and physical addresses.</p>
→ techcrunch.com</a></p>

4. OpenAI discloses customer data breach through Mixpanel vendor hack</h3>
An SMS phishing attack on the analytics firm Mixpanel exposed names, email addresses and location metadata for some OpenAI API users. OpenAI ended its relationship with the vendor and began a wider review of its suppliers.</p>
→ www.bleepingcomputer.com</a></p>

5. Salesforce says customer data was accessed after Gainsight breach</h3>
Stolen access tokens linked to the Gainsight app let attackers reach data belonging to hundreds of Salesforce customers. The ShinyHunters group claimed it pulled records from close to a thousand organisations.</p>
→ techcrunch.com</a></p>

6. SitusAMC confirms breach of client data after cyberattack</h3>
The real-estate finance firm said attackers took accounting records and legal agreements tied to its banking clients. JPMorgan Chase, Citi and Morgan Stanley were among the lenders told that customer data might be exposed.</p>
→ www.theregister.com</a></p>

7. Researchers find a shockingly large amount of satellite traffic is unencrypted</h3>
Academics using about 800 dollars of kit intercepted phone calls, texts and military feeds sent in the clear over satellites. Half of the links they observed carried no encryption at all.</p>
→ www.npr.org</a></p>

8. The UK Has It Wrong on Digital ID. Here's Why.</h3>
EFF warned that the planned national digital ID scheme would build a centralised database that hands the state new power over access to everyday services. It cautioned that such systems risk shutting out people without a smartphone, a passport or reliable internet.</p>
→ www.eff.org</a></p>

9. Police searched plate logs with racist terms against Romani people</h3>
EFF found more than 80 agencies ran searches of the Flock network using slurs and stereotypes aimed at Romani people. Many of those searches listed no suspected crime at all.</p>
→ www.eff.org</a></p>

10. Rights Organizations Demand Halt to Mobile Fortify, ICE's Handheld Face Recognition Program</h3>
A coalition of civil liberties groups told the Department of Homeland Security to switch off Mobile Fortify, the handheld app that lets agents scan faces in the field. They also asked the agency to release its privacy analyses and explain its policy on face recognition.</p>
→ www.eff.org</a></p>

11. ICE gains new tools to track and identify people</h3>
Immigration agents now use facial recognition, phone location databases and spyware to find and name people. Civil liberties groups warn that much of this tracking happens without a warrant.</p>
→ www.npr.org</a></p>

12. Meta hit with 479 million euro fine in Spain over privacy violations</h3>
A Madrid court ordered Meta to pay damages to 81 Spanish press publishers over its data practices. The ruling showed how privacy law can underpin large claims beyond the usual regulators.</p>
→ euroweeklynews.com</a></p>

13. Logitech confirms data breach from a third-party zero-day flaw</h3>
The hardware maker told regulators that intruders copied data from its internal systems through a flaw in a supplier's software. The records likely held limited information about employees, customers and suppliers.</p>
→ www.sec.gov</a></p>

14. Google AI can access some content from Gmail and chats. Here's how to opt out</h3>
A widely shared video claimed Google had quietly opted everyone into using their email to train Gemini. Google denied training the model on Gmail, though its smart features still read message content.</p>
→ www.snopes.com</a></p>

15. Court ends dragnet electricity surveillance programme in Sacramento</h3>
A California court ruled that the utility SMUD broke state privacy law by sifting through residents' smart meter data and passing more than 33,000 tips to police without any suspicion. The judgment found that suspicionless searches of whole postcodes worth of energy records are not a lawful investigation.</p>
→ www.eff.org</a></p>

16. Berkeley debates whether to keep its Flock surveillance cameras</h3>
The city weighed its contract with Flock Safety as residents pressed it to cut ties over privacy fears. At least 30 places have switched off or cancelled their Flock cameras during the year.</p>
→ www.berkeleyside.org</a></p>

17. Attorney General Bonta Secures $1.4 Million Settlement with Mobile App Gaming Company for Violating California's Nation-Leading Privacy Law</h3>
California's attorney general fined the game maker Jam City for failing to offer opt-out controls across its 21 mobile apps. The company had also shared or sold the data of children aged 13 to 16 without the affirmative consent that state law demands.</p>
→ oag.ca.gov</a></p>

18. The Legal Case Against Ring's Face Recognition Feature</h3>
EFF argued that Amazon Ring's new Familiar Faces tool scans everyone who approaches a camera, including neighbours and passers-by who never agreed to a face scan. Amazon plans to switch the feature off in Illinois and Texas, a sign that it would not survive the biometric privacy laws there.</p>
→ www.eff.org</a></p>

19. Princeton University discloses data breach affecting donors, alumni</h3>
Princeton said attackers reached a fundraising database through a phishing attack on a staff member, exposing names, email addresses, phone numbers and home and business addresses for alumni, donors, students and staff. The records did not hold passwords, financial details or Social Security numbers.</p>
→ www.bleepingcomputer.com</a></p>

20. Checkout.com snubs hackers after data breach, to donate ransom instead</h3>
The payments firm said the ShinyHunters group reached a legacy cloud store that had sat unused since 2020 and held onboarding records for about a quarter of its merchants. Rather than pay the ransom, Checkout.com pledged the sum to security research at Carnegie Mellon and Oxford.</p>
→ www.bleepingcomputer.com</a></p>

Privacy Roundup #0231 • October 2025

hello@peterspath.net (Peter) — Thu, 06 Nov 2025 15:00:00 +0000

October 2025 brought a wave of supply chain extortion, fresh attacks on encryption, and a hard look at the surveillance camera networks now woven through everyday life.</p>

1. Surveillance Secrets exposes First Wap's global phone tracking</h3>
A reporting team traced a hidden archive of more than a million tracking attempts to First Wap, a firm that locates phones worldwide through the ageing SS7 telecom protocol. The records showed journalists, dissidents, and business figures tracked in over 160 countries without their knowledge.</p>
→ www.lighthousereports.com</a></p>

2. SimonMed says 1.2 million patients hit in data breach</h3>
The imaging provider told more than 1.2 million people that intruders had reached their records earlier in the year. The Medusa gang claimed it took 212GB of files, including identity scans, payment details, and medical reports.</p>
→ www.bleepingcomputer.com</a></p>

3. Hackers steal 70,000 ID photos from Discord support system</h3>
Attackers broke into a third party support provider and took around 70,000 images of government identity documents that users had handed over for age checks. The theft showed how age verification rules force people to surrender the very data that most needs protecting.</p>
→ www.nbcnews.com</a></p>

4. Red Hat consulting repositories breached by Crimson Collective</h3>
A group calling itself Crimson Collective claimed it took 570GB of data from a Red Hat consulting GitLab server covering around 28,000 repositories. The files reportedly held engagement reports for customers including the US Navy and Congress.</p>
→ www.404media.co</a></p>

5. Italy orders the Clothoff deepfake app to stop</h3>
Italy's data protection authority ordered the deepfake nudity app Clothoff to stop processing the data of Italian users. The regulator opened a wider inquiry into apps that strip people in images without consent.</p>
→ www.ansa.it</a></p>

6. Hacking group claims theft of 1 billion records from Salesforce customer databases</h3>
A group calling itself Scattered Lapsus$ Hunters opened a dark web leak site listing dozens of companies whose Salesforce data had been stolen through compromised Salesloft Drift tokens. The attackers threatened to publish around a billion records, and Salesforce told customers it would not pay any ransom.</p>
→ techcrunch.com</a></p>

7. Flock's gunshot microphones will start listening for human voices</h3>
Flock revealed that its acoustic sensors would expand from gunfire to detect sounds of human distress such as screaming. EFF warned that always listening microphones over public streets raise serious questions under state eavesdropping laws.</p>
→ www.eff.org</a></p>

8. SonicWall says every cloud backup was exposed</h3>
SonicWall admitted that an attacker reached the firewall configuration backups of all customers who used its cloud backup service. Those files reveal network layouts, access rules, and credentials that help attackers plan further intrusions.</p>
→ cyberscoop.com</a></p>

9. California signs the Defending Californians' Data Act</h3>
Governor Newsom signed SB 361, which forces data brokers to disclose whether they sell information to foreign actors, government bodies, or AI developers. The law also doubles the daily fine for brokers that ignore deletion requests.</p>
→ sd13.senate.ca.gov</a></p>

10. Virginia police tap surveillance cameras for immigration cases</h3>
Reporting found that Virginia's Flock camera network was searched nearly 3,000 times for immigration enforcement over a year. Local cameras sold to fight car theft were feeding a federal deportation effort.</p>
→ www.vpm.org</a></p>

11. EU pulls the Chat Control vote after Germany objects</h3>
The EU Council shelved its planned vote on the message scanning rule once Germany joined the opposition and formed a blocking minority. The proposal that would have forced scanning of private messages was held back yet again.</p>
→ www.govinfosecurity.com</a></p>

12. California requires device level age signals</h3>
Governor Newsom signed AB 1043, which makes operating system makers pass an age bracket signal to apps at account setup. Supporters say it avoids identity uploads, while critics warn it pushes age checks onto every device and platform.</p>
→ www.alstonprivacy.com</a></p>

13. Capita fined £14m over its 2023 ransomware breach</h3>
The UK Information Commissioner fined the outsourcing firm Capita £14m after a breach exposed data on more than six million people. Investigators found the company took 58 hours to isolate an infected device despite an early alert.</p>
→ www.theregister.com</a></p>

14. F5 says nation state hackers stole BIG-IP source code</h3>
F5 disclosed that attackers held long term access to its development systems and took source code and details of undisclosed flaws in its BIG-IP products. US authorities ordered federal agencies to patch at once given how widely the products are deployed.</p>
→ www.helpnetsecurity.com</a></p>

16. Qantas data appears on the dark web</h3>
Hackers published the records of more than five million Qantas customers after the airline declined to pay a ransom. The leaked files held names, email addresses, phone numbers, and dates of birth.</p>
→ www.euronews.com</a></p>

17. EC finds Meta and TikTok breached transparency rules under DSA</h3>
The European Commission found that Meta and TikTok had failed to give researchers adequate access to public data as the Digital Services Act requires. It also said Meta did not offer users on Instagram and Facebook a simple way to report illegal content, with possible fines of up to six per cent of global revenue.</p>
→ techcrunch.com</a></p>

18. Judge bars NSO from targeting WhatsApp users with spyware, reduces damages in landmark case</h3>
A US federal judge ordered the spyware maker NSO Group to stop targeting WhatsApp with its Pegasus tool, ruling that the conduct caused irreparable harm. The court let the injunction stand but cut the earlier jury award from 168 million dollars to 4 million dollars.</p>
→ therecord.media</a></p>

19. Conduent data breach impacts over 10.5 million individuals</h3>
The business services firm Conduent told regulators that a ransomware attack exposed the data of more than 10.5 million people across the United States. The stolen files held names, Social Security numbers, dates of birth, and medical and health insurance details.</p>
→ www.infosecurity-magazine.com</a></p>

20. DraftKings warns of account takeovers from reused passwords</h3>
DraftKings told customers that attackers had broken into accounts using passwords stolen from other sites. The exposed details included names, addresses, phone numbers, and the last digits of payment cards.</p>
→ www.bleepingcomputer.com</a></p>

Privacy Roundup #0230 • September 2025

hello@peterspath.net (Peter) — Thu, 02 Oct 2025 15:00:00 +0000

September 2025 brought record privacy fines, a string of supply chain breaches, and fresh fights over surveillance and encryption.</p>

1. Google must pay $425 million in privacy lawsuit, jury rules</h3>
A San Francisco jury ordered Google to pay 425.7 million dollars for tracking phone activity after users had switched the setting off. The case covered about 98 million devices, and Google said it would appeal.</p>
→ www.cbsnews.com</a></p>

3. Jaguar Land Rover extends production delay following cyberattack</h3>
A cyberattack forced Jaguar Land Rover to shut down its systems and halt production at its main British plants. Attackers leaked internal data, and the firm confirmed customer information had been taken.</p>
→ www.cybersecuritydive.com</a></p>

4. Stellantis says a third-party vendor spilled customer data</h3>
Stellantis confirmed that attackers reached customer data through a third-party platform serving its North American operations. The carmaker said the exposed records were limited to names and email addresses.</p>
→ www.theregister.com</a></p>

5. The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft</h3>
Hackers stole authentication tokens from Salesloft's Drift chatbot and used them to raid hundreds of connected Salesforce accounts. Google's researchers urged firms to revoke every token tied to the integration.</p>
→ krebsonsecurity.com</a></p>

6. Plex urges users to change passwords after data breach</h3>
Plex told users to reset their passwords after an intruder reached a database holding emails, usernames, and hashed passwords. The streaming firm forced a reset and advised people to switch on two-factor authentication.</p>
→ techcrunch.com</a></p>

7. Wealthsimple Data Breach Exposes Sensitive Client Information</h3>
The Canadian investment platform said a compromised third-party software package exposed data on less than one percent of its clients. The leaked records included contact details, government IDs, account numbers, and social insurance numbers.</p>
→ www.crowdfundinsider.com</a></p>

8. FTC Launches Inquiry into AI Chatbots Acting as Companions</h3>
The Federal Trade Commission ordered seven firms, including OpenAI, Meta, and Google, to explain how their chatbots affect children and teenagers. The agency asked what steps each company takes to limit harm and to warn parents.</p>
→ www.ftc.gov</a></p>

9. Mexican Allies Raise Alarms About New Mass Surveillance Laws, Call for International Support</h3>
Mexican civil society groups warned that new laws force every person to enrol in a biometric ID system and hand officials wide access to personal data. The digital rights group R3D challenged the measures in court and sought international backing.</p>
→ www.eff.org</a></p>

10. What WhatsApp's "Advanced Chat Privacy" Really Does</h3>
The Electronic Frontier Foundation pushed back on a viral claim that Meta AI reads private chats unless a setting is switched on. It explained that the AI only sees a message when a user invokes it, though WhatsApp still gathers metadata.</p>
→ www.eff.org</a></p>

11. Tile trackers leak unencrypted Bluetooth data, say boffins</h3>
Researchers at Georgia Tech found that Tile trackers broadcast their data without encryption, so anyone with the right gear can follow a tag. The flaw lets both the company and stalkers track a device over time.</p>
→ www.theregister.com</a></p>

12. California Privacy Protection Agency issues record $1.35 million fine against Tractor Supply Company</h3>
California's privacy agency reached a 1.35 million dollar settlement with Tractor Supply, its largest penalty so far. Regulators said the retailer failed to honour opt-out requests and lacked proper service provider contracts.</p>
→ www.whitecase.com</a></p>

13. California Finalizes Regulations to Strengthen Consumers' Privacy</h3>
California finalised rules on automated decision-making, risk assessments, and cybersecurity audits under the state privacy law. The rules take effect in January 2026, with phased deadlines stretching through the decade.</p>
→ cppa.ca.gov</a></p>

14. ICE to Buy Tool that Tracks Locations of Hundreds of Millions of Phones Every Day</h3>
Documents showed that ICE planned to buy a surveillance tool that maps billions of daily location signals from hundreds of millions of phones. An internal legal note said the agency could query the data without a warrant.</p>
→ www.404media.co</a></p>

15. Volvo NA staff data stolen in third-party ransomware attack</h3>
Volvo North America confirmed that a ransomware attack on its software supplier Miljodata exposed staff data, including names and social security numbers. The attack hit much of Sweden's public sector and many large firms.</p>
→ www.theregister.com</a></p>

16. 430k customers affected in Harrods' latest breach</h3>
The luxury retailer Harrods said attackers reached around 430,000 customer records through a third-party supplier. The exposed data covered names and contact details, and the firm refused to deal with the attackers.</p>
→ www.theregister.com</a></p>

17. What we know about the cyberattack that hit major European airports</h3>
A ransomware attack on Collins Aerospace check-in software disrupted Heathrow, Brussels, and Berlin airports for days. Staff fell back on manual processing, which led to long delays and many cancelled flights.</p>
→ www.cnbc.com</a></p>

18. Texas Expands and Modifies Data Broker Registration Law</h3>
Amendments to the Texas Data Broker Act took effect on the first of the month, widening the definition of a data broker and changing who must register. The update reflects a broader push by states to track and limit the trade in personal data.</p>
→ www.wilmerhale.com</a></p>

19. Microsoft Patch Tuesday, September 2025 Edition</h3>
Microsoft shipped fixes for more than 80 flaws, including several that attackers could use to seize control of a system. Prompt patching matters for privacy, since such bugs often open the door to data theft.</p>
→ krebsonsecurity.com</a></p>

20. Farmers Insurance Data Breach Affects 1.1 Million Customers</h3>
Farmers Insurance said attackers reached the records of more than 1.1 million customers through its Salesforce platform rather than its own network. The breach was part of a wider wave of thefts that hit firms using the same cloud service.</p>
→ scamicide.com</a></p>

Privacy Roundup #0229 • August 2025

hello@peterspath.net (Peter) — Thu, 04 Sep 2025 15:00:00 +0000

August 2025 was dominated by a wave of Salesforce supply chain breaches, fresh fights over encryption and age checks, and court wins against intrusive data collection.</p>

1. Google confirms data theft in Salesforce attacks</h3>
Google said one of its Salesforce systems was breached by the ShinyHunters group, which tricked staff into handing over access. The stolen records held contact details for small and medium business customers.</p>
→ www.bleepingcomputer.com</a></p>

2. TransUnion breach hits 4.4 million people</h3>
The credit reporting firm said hackers took names, addresses, dates of birth and Social Security numbers from its Salesforce account. No credit reports or core credit data were touched.</p>
→ techcrunch.com</a></p>

3. Torture Victim's Landmark Hacking Lawsuit Against Spyware Maker Can Proceed, Judge Rules</h3>
A federal judge in Oregon ruled that a Saudi activist may sue the spyware firm DarkMatter and three former executives for hacking her iPhone. The court let her claims proceed under the Computer Fraud and Abuse Act, the first time such a human rights case has gone this far.</p>
→ www.eff.org</a></p>

4. Workday discloses breach after Salesforce attacks</h3>
The HR software firm said attackers posing as IT staff tricked employees and reached a third party customer system. The thieves took business contact details such as names, email addresses and phone numbers.</p>
→ www.bleepingcomputer.com</a></p>

5. Salesloft Drift breach hits more than 700 firms</h3>
Google warned that stolen tokens for the Salesloft Drift tool let attackers raid Salesforce data at hundreds of organisations. The thieves searched the haul for passwords and cloud keys to reach further systems.</p>
→ thehackernews.com</a></p>

6. Pandora confirms customer data breach</h3>
The jewellery firm said names, dates of birth and email addresses were taken from its Salesforce database. The breach formed part of the same campaign of social engineering against support staff.</p>
→ www.bleepingcomputer.com</a></p>

7. Bouygues Telecom breach exposes 6.4 million</h3>
The French operator said attackers reached the data of 6.4 million accounts, including contact details and bank account numbers. Card numbers and account passwords were not part of the theft.</p>
→ techcrunch.com</a></p>

8. Orange Belgium breach affects 850,000</h3>
The carrier said attackers took names, phone numbers, SIM card numbers and PUK codes from 850,000 customers. The exposed SIM and PUK data raised fears of SIM swap fraud.</p>
→ www.securityweek.com</a></p>

9. Air France and KLM disclose customer breach</h3>
The airlines said attackers reached a third party support platform and took names, contact details and loyalty numbers. Passwords, passports and card data were not affected.</p>
→ www.bleepingcomputer.com</a></p>

10. Farmers Insurance breach impacts 1.1 million</h3>
The insurer began notifying 1.1 million customers after a third party database tied to Salesforce was breached. The stolen data held names, dates of birth, driving licence numbers and partial Social Security numbers.</p>
→ www.bleepingcomputer.com</a></p>

11. Columbia University breach hits 870,000 people</h3>
The university said a politically driven attacker took Social Security numbers, financial aid records and some health data. The breach reached students, applicants, alumni and staff.</p>
→ www.insidehighered.com</a></p>

12. Connex Credit Union breach exposes 172,000</h3>
The Connecticut lender said attackers reached files holding names, account numbers, Social Security numbers and government identity details. Members were told two months after the intrusion.</p>
→ www.infosecurity-magazine.com</a></p>

13. Pennsylvania Attorney General confirms ransomware breach</h3>
The office said a ransomware attack exposed Social Security numbers and medical information. The attack knocked out email, phones and case systems for about three weeks.</p>
→ therecord.media</a></p>

14. Women sue Tea app after data leak</h3>
Users of the women only dating safety app filed class actions after a breach spilled photos, identity documents and private chats. The leaked records led to online harassment of the women involved.</p>
→ www.washingtonpost.com</a></p>

15. Jury finds Meta broke California privacy law over Flo</h3>
A federal jury ruled that Meta unlawfully collected reproductive health data from users of the Flo period tracking app. The jury found Meta had no consent to gather the sensitive information for advertising.</p>
→ techcrunch.com</a></p>

16. UK drops its Apple encryption backdoor demand</h3>
US officials said Britain agreed to abandon its secret order for Apple to provide access to encrypted files. The deal protects American users, though questions remained about UK customers.</p>
→ www.nextgov.com</a></p>

17. FTC warns firms not to weaken encryption for foreign powers</h3>
The FTC chairman wrote to more than a dozen technology firms warning against censoring speech or breaking encryption to satisfy foreign laws. The letters named the UK Online Safety Act and Investigatory Powers Act as risks.</p>
→ www.bleepingcomputer.com</a></p>

18. Security researcher maps hundreds of TeslaMate servers spilling Tesla vehicle data</h3>
A researcher found more than 1,300 self hosted TeslaMate dashboards exposed online without any password. The open servers leaked owners' location histories, charging habits and recent trips for anyone to read.</p>
→ techcrunch.com</a></p>

19. Russian government hackers said to be behind US federal court filing system hack: Report</h3>
Reports said Russian state hackers breached the federal courts PACER and case filing systems and read sealed criminal records. The stolen files may have exposed the identities of confidential informants and other protected documents.</p>
→ techcrunch.com</a></p>

20. EU Chat Control plan heads for a decisive vote</h3>
A Polish compromise to ease the deadlock over the EU message scanning law failed, leaving the proposal heading towards a Council vote. Critics warned that the plan still threatened encryption and mass surveillance.</p>
→ euperspectives.eu</a></p>

Privacy Roundup #0228 • July 2025

hello@peterspath.net (Peter) — Thu, 07 Aug 2025 15:00:00 +0000

July 2025 brought mass breaches, fresh age checks, and a clearer look at how governments and firms hoard our data.</p>

1. Qantas data breach could affect 6 million customers</h3>
Qantas said attackers reached customer records through a third party platform used by one of its call centres. Names, email addresses, phone numbers and frequent flyer numbers were exposed for millions of people.</p>
→ www.helpnetsecurity.com</a></p>

2. Weak passwords expose data on tens of millions of McDonald's job seekers</h3>
Researchers guessed the login for McDonald's hiring chatbot and reached the records of about sixty four million applicants. The maker, Paradox.ai, had left a default username and password of "123456" in place.</p>
→ krebsonsecurity.com</a></p>

3. Women's safety app Tea leaks selfies and ID photos</h3>
A poorly secured store left about seventy two thousand images open, including selfies and government identity documents. The files spread to public forums, putting users at risk of harassment and fraud.</p>
→ chicago.suntimes.com</a></p>

4. UK age checks for adult sites begin under the Online Safety Act</h3>
From 25 July, sites serving adult content in the United Kingdom had to confirm that visitors are over eighteen. Critics warned that credit card and selfie checks force people to hand sensitive data to verification firms.</p>
→ www.thepinknews.com</a></p>

5. Meta board settles Cambridge Analytica claims for 190 million dollars</h3>
Shareholders accused Mark Zuckerberg and other leaders of letting the firm break a privacy order with regulators. The two sides settled on the second day of trial, so the executives avoided giving evidence.</p>
→ www.npr.org</a></p>

6. EFF exposes a power meter mass surveillance scheme in Sacramento</h3>
The local utility searched every customer's energy data and passed more than thirty three thousand tips to police. EFF called the decade long programme an illegal search of private household records.</p>
→ www.eff.org</a></p>

7. Amazon Ring revives direct police requests for home camera footage</h3>
Ring said police could again ask users for video and even request live access to home cameras. EFF warned this undoes earlier reforms and widens a network of private surveillance across neighbourhoods.</p>
→ www.eff.org</a></p>

8. Police arrest the suspected administrator of the XSS cybercrime forum</h3>
Ukrainian and French officers, backed by Europol, detained a man accused of running a forum with more than fifty thousand members. The site sold stolen data, malware and access to hacked systems.</p>
→ www.europol.europa.eu</a></p>

9. Schneier weighs encryption backdoors against the Fourth Amendment</h3>
Bruce Schneier reviewed a paper on the Dual_EC backdoor that the NSA pushed into security products. He asked whether secretly weakening encryption breaks the constitutional rule against unreasonable searches.</p>
→ www.schneier.com</a></p>

10. A DOGE staffer leaks a private xAI key from a sensitive system</h3>
Marko Elez, who held access to Treasury and Social Security data, published a working xAI key on a code site. The slip raised fresh doubts about how DOGE handles the personal records of Americans.</p>
→ krebsonsecurity.com</a></p>

11. EFF urges an appeals court to protect taxpayer privacy</h3>
EFF filed a brief against an arrangement that let the tax agency share protected records with immigration enforcement. It argued the deal breaks long standing limits on the use of tax data.</p>
→ www.eff.org</a></p>

12. EFF vows to fight on against online age mandates</h3>
After the Supreme Court upheld a Texas age check law, EFF set out its plan to resist broader mandates. It warned that such rules strip away the right to read and speak without proving who you are.</p>
→ www.eff.org</a></p>

13. Investigation maps the firm behind the Clothoff nudify app</h3>
A whistleblower told Der Spiegel that Clothoff runs a network of apps that turn ordinary photos into fake nudes. The operators hide their identity, even using AI to fake the face of the company chief.</p>
→ gigazine.net</a></p>

15. UK police charge four over the Scattered Spider ransom group</h3>
British authorities charged four people tied to a crew blamed for attacks on major retailers. The group is known for tricking staff and stealing data to extort large payments.</p>
→ krebsonsecurity.com</a></p>

16. EFF cautions that zero knowledge proofs cannot save digital ID</h3>
The group argued that clever cryptography does not fix the risks built into mandatory digital identity. Age and identity checks still push people to share more data and lose the chance to stay anonymous.</p>
→ www.eff.org</a></p>

18. Phishers target aviation executives to scam their customers</h3>
Krebs reported a scheme that hijacks executive email accounts in the aviation trade. The attackers then use that trust to redirect payments and steal money from suppliers and clients.</p>
→ krebsonsecurity.com</a></p>

19. Microsoft rushes a fix for attacks on a SharePoint zero day</h3>
Microsoft released an emergency patch after attackers exploited a flaw in on premises SharePoint servers. The hole let intruders run code and reach data held inside many organisations.</p>
→ krebsonsecurity.com</a></p>

20. Big Tech gives a mixed response to Treasury sanctions</h3>
The government sanctioned a network that hosted scam and cybercrime operations abroad. Krebs found that major technology firms were slow and uneven in cutting off the named bad actors.</p>
→ krebsonsecurity.com</a></p>

Privacy Roundup #0227 • June 2025

hello@peterspath.net (Peter) — Thu, 03 Jul 2025 15:00:00 +0000

June 2025 brought record credential leaks, fresh spyware findings and a wave of state and court decisions that pushed surveillance deeper into everyday life.</p>

1. Researchers find 16 billion login records exposed online</h3>
Cybernews reported thirty exposed datasets holding about 16 billion username and password pairs, most of them gathered by infostealer malware. The files covered accounts at Apple, Google, Facebook and many government services, though much of the data was recycled from older leaks.</p>
→ cybernews.com</a></p>

2. Meta and Yandex caught tracking Android users through localhost</h3>
Researchers showed that Facebook, Instagram and Yandex apps quietly listened on local ports to link people's web browsing to their real identities. Meta paused the technique within days of the disclosure, even during private browsing.</p>
→ www.theregister.com</a></p>

3. Supreme Court upholds Texas age verification law</h3>
On 27 June the court ruled six to three that Texas may force adult websites to verify the age of every visitor. Critics warned that the decision burdens lawful speech and pushes people to hand over identity documents to access content.</p>
→ www.eff.org</a></p>

4. ICE buys a tool that tracks phones across whole neighbourhoods</h3>
Documents reviewed by 404 Media showed that Immigration and Customs Enforcement bought access to commercial location data drawn from hundreds of millions of phones. An internal legal analysis stated the agency could query the data without a warrant.</p>
→ www.404media.co</a></p>

5. Citizen Lab confirms Paragon spyware on journalists' phones</h3>
Forensic analysis confirmed that Paragon's Graphite spyware infected the iPhones of an Italian reporter and another European journalist through a zero click attack. Apple had patched the flaw, which it tracked as CVE-2025-43200, in iOS 18.3.1.</p>
→ citizenlab.ca</a></p>

6. Court approves sale of 23andMe and its DNA database</h3>
A bankruptcy judge cleared the sale of 23andMe, including the genetic data of more than thirteen million customers, to a nonprofit led by founder Anne Wojcicki. More than two dozen states had sued to block the deal, arguing that genetic data is not ordinary property.</p>
→ www.npr.org</a></p>

7. Cyberattack on UNFI empties Whole Foods shelves</h3>
United Natural Foods, the main distributor for Whole Foods and thousands of grocers, took systems offline after detecting an intrusion on 5 June. The outage disrupted deliveries for days and forced the company to warn of product shortages.</p>
→ techcrunch.com</a></p>

8. Aflac discloses breach in wave of attacks on insurers</h3>
Aflac said on 20 June that intruders had reached its United States network on 12 June and may have taken personal and health data. Investigators tied the social engineering attack to the broader campaign against American insurers.</p>
→ www.bleepingcomputer.com</a></p>

9. EFF warns the EU encryption roadmap makes everyone less safe</h3>
The European Commission set out a plan to give police a way to read encrypted communications by 2030, part of its ProtectEU strategy. More than eighty groups and experts signed a letter saying any backdoor weakens security for all users.</p>
→ www.eff.org</a></p>

10. Germany fines Vodafone 45 million euros over data failings</h3>
The federal data protection regulator imposed two fines on Vodafone on 3 June for poor oversight of sales agents and weak customer verification. The penalties followed fraud cases and security flaws in the company's online portal and hotline.</p>
→ www.bfdi.bund.de</a></p>

11. Predator spyware rebuilds its hidden infrastructure</h3>
Insikt Group reported on 12 June that operators of Predator spyware had expanded their network to five layers to hide its origin. The researchers also found a previously unknown customer in Mozambique, despite earlier sanctions on the makers.</p>
→ therecord.media</a></p>

12. Meta brings targeted advertisements to WhatsApp</h3>
On 16 June Meta said it would place ads in the Updates tab of WhatsApp, using data such as location, language and channels followed. Privacy groups said any advertising built on personal data is a problem, even in an encrypted app.</p>
→ www.washingtonpost.com</a></p>

13. Health firm Episource reports breach affecting 5.4 million</h3>
Episource, which handles medical coding and risk work for health plans, disclosed that intruders took the records of about 5.4 million people. The stolen files included names, Social Security numbers, diagnoses and treatment details.</p>
→ www.securityweek.com</a></p>

14. Zoomcar breach exposes 8.4 million users</h3>
The car sharing firm told the United States Securities and Exchange Commission on 17 June that an intruder had reached the data of about 8.4 million users. The exposed records held names, phone numbers, addresses and car registration details.</p>
→ www.bleepingcomputer.com</a></p>

15. Privacy groups find data brokers skip state registration</h3>
A joint study by EFF and Privacy Rights Clearinghouse found that hundreds of data brokers registered in one state but not in others. The groups urged regulators to check whether the gaps point to widespread non compliance.</p>
→ www.eff.org</a></p>

16. NSO Group appeals the 168 million dollar WhatsApp award</h3>
The spyware maker asked the court to cut the damages or grant a new trial after a jury found it liable for hacking 1,400 WhatsApp users. NSO argued it could not pay the punitive award handed down in May.</p>
→ therecord.media</a></p>

17. EFF says Flock Safety updates cannot make plate readers safe</h3>
Flock Safety promised new privacy controls for its number plate cameras after public pressure. EFF argued that the firm's national, linked surveillance network is the real problem, and no setting can fix it.</p>
→ www.eff.org</a></p>

18. Ransomware attack at McLaren Health Care hits 743,000 people</h3>
The Michigan health system began notifying about 743,000 patients on 20 June about a breach traced to a 2024 ransomware attack. The stolen files held names, Social Security numbers, driving licence numbers and medical details.</p>
→ www.theregister.com</a></p>

19. Android 16 adds an Advanced Protection mode</h3>
Google shipped Android 16 with a single setting that gathers its strongest security and privacy tools in one place. EFF said people at higher risk, such as journalists and activists, should consider turning it on.</p>
→ www.eff.org</a></p>

20. EFF publishes its 2025 Who Has Your Back report</h3>
The annual report graded twenty four companies on how well they tell users about government data requests and disclose retention policies. Nine firms, among them Apple, Adobe and Dropbox, earned a star in every category open to them.</p>
→ www.eff.org</a></p>

Privacy Roundup #0226 • May 2025

hello@peterspath.net (Peter) — Thu, 05 Jun 2025 15:00:00 +0000

May 2025 brought record fines, insider breaches and government surveillance contracts that showed how data brokers, Big Tech and encryption sit at the centre of the privacy fight.</p>

1. Ireland fines TikTok 530 million euro for sending EU data to China</h3>
The Irish Data Protection Commission imposed a 530 million euro penalty on TikTok for unlawfully transferring European user data to servers in China and for failing to tell users where their data went. The regulator also ordered the company to bring its processing into line within six months.</p>
→ www.cnbc.com</a></p>

2. TeleMessage, a modified Signal clone used by US officials, is hacked</h3>
A hacker breached TeleMessage, the modified Signal app used by former national security adviser Mike Waltz, and extracted archived messages, contact details and login credentials. The breach showed that the archived chats were not end-to-end encrypted, contradicting the company's marketing.</p>
→ techcrunch.com</a></p>

3. Google agrees to pay Texas 1.375 billion dollars over tracking claims</h3>
Google settled two lawsuits brought by the Texas attorney general for 1.375 billion dollars, the largest such state settlement to date. The suits accused the company of tracking users' location, incognito searches and biometric data without consent.</p>
→ techcrunch.com</a></p>

4. Coinbase refuses 20 million dollar ransom after insider breach</h3>
Coinbase disclosed that bribed overseas support contractors copied the data of nearly 70,000 customers, including names, contact details and partial identity documents. The company refused a 20 million dollar extortion demand and offered the same sum as a reward for information on the attackers.</p>
→ www.coinbase.com</a></p>

5. Marks and Spencer confirms customer data stolen in cyber-attack</h3>
Marks and Spencer confirmed that attackers, linked to the Scattered Spider group, had stolen customer data during an attack that crippled its online operations. The exposed records included names, addresses, dates of birth and order histories, though the retailer said no usable payment details were held on its systems.</p>
→ www.infosecurity-magazine.com</a></p>

6. Trump signs the TAKE IT DOWN Act into law</h3>
President Trump signed the TAKE IT DOWN Act, which criminalises nonconsensual intimate imagery and forces platforms to remove flagged content within 48 hours. Digital rights groups warned that the vague language and tight deadline could pressure providers to over-remove content and weaken end-to-end encryption.</p>
→ www.cnn.com</a></p>

7. Regeneron wins bid to buy 23andMe and its DNA trove</h3>
Drugmaker Regeneron agreed to buy bankrupt 23andMe for 256 million dollars, gaining access to the genetic data of more than 15 million customers. The sale raised fresh concern about what happens to deeply sensitive DNA records when a company collapses.</p>
→ www.cnn.com</a></p>

8. LexisNexis says breach exposed data of 364,000 people</h3>
Data broker LexisNexis Risk Solutions disclosed that an attacker had accessed a GitHub account and exposed the records of more than 364,000 individuals. The stolen data included names, dates of birth, addresses, Social Security numbers and driver licence numbers.</p>
→ techcrunch.com</a></p>

9. Signal blocks Microsoft Recall from screenshotting chats</h3>
Signal added a screen security setting to its Windows desktop app that uses digital rights management flags to stop Microsoft Recall from capturing conversations. The company said Recall still placed content from privacy apps at risk despite a year of Microsoft adjustments.</p>
→ www.theregister.com</a></p>

10. Meta begins training AI on public posts from EU users</h3>
Meta started using public posts and comments from adult European users to train its AI systems after the Irish regulator allowed the plan to proceed. Privacy advocates in several countries criticised the move and the opt-out mechanism offered to users.</p>
→ www.theregister.com</a></p>

11. UK Legal Aid Agency breach exposes years of applicant data</h3>
The UK Legal Aid Agency revealed that attackers had downloaded a large volume of data on people who applied for legal aid between 2007 and May 2025. The exposed records may have included contact details, criminal history, national identity numbers and financial information.</p>
→ www.gov.uk</a></p>

12. Ascension notifies 437,000 patients of a third-party breach</h3>
Ascension told more than 437,000 patients that their data had likely been stolen through a hacked former business partner. The exposed information included names, Social Security numbers, health insurance details and clinical records.</p>
→ www.securityweek.com</a></p>

13. Adidas discloses breach through a customer service provider</h3>
Adidas disclosed that an unauthorised party had obtained consumer data through a third-party customer service provider. The affected records included names, email addresses, phone numbers, postal addresses and dates of birth, though no payment data was involved.</p>
→ www.computerweekly.com</a></p>

14. Dior discloses cyberattack and warns customers of data breach</h3>
Fashion house Dior disclosed that attackers had accessed a database holding customer contact details, postal addresses and purchase histories. The company said no passwords or payment information were exposed and began notifying affected customers in China and South Korea.</p>
→ www.bleepingcomputer.com</a></p>

15. KrebsOnSecurity hit with near-record 6.3 terabit DDoS</h3>
Security writer Brian Krebs reported that his site had been struck by a 6.3 terabit per second denial-of-service attack, the largest Google had ever handled. The traffic came from the Aisuru botnet, which assembles compromised home and Internet of Things devices.</p>
→ krebsonsecurity.com</a></p>

16. xAI developer leaks API key for private SpaceX and Tesla models</h3>
An xAI developer exposed a private API key on GitHub that granted access to dozens of fine-tuned models trained on internal data from SpaceX, Tesla and X. The key stayed live for about two months despite an early warning, raising fresh concerns about how Musk's companies handle sensitive data.</p>
→ krebsonsecurity.com</a></p>

17. FTC finalises order against GoDaddy over data security failures</h3>
The Federal Trade Commission finalised a consent order requiring GoDaddy to build a proper information security programme after years of weak protections led to several breaches. The order also bars the company from misrepresenting its security to customers.</p>
→ www.ftc.gov</a></p>

18. Montana becomes first state to close the data broker loophole</h3>
Montana enacted a law that bars law enforcement from buying sensitive personal data, including location and communications records, from data brokers. Police must now obtain a warrant, consent or a subpoena to access the kinds of data they could previously simply purchase.</p>
→ www.eff.org</a></p>

19. German court refuses to halt Meta AI training on user data</h3>
The Higher Regional Court of Cologne dismissed a consumer group's request for an injunction against Meta over the use of public posts to train its AI models. The court found that Meta's interest in processing the data outweighed the interests of the users affected.</p>
→ www.taylorwessing.com</a></p>

20. Jury orders NSO Group to pay 168 million dollars over WhatsApp hacks</h3>
A California jury ordered spyware maker NSO Group to pay Meta about 168 million dollars for enabling Pegasus attacks on roughly 1,400 WhatsApp users. The verdict was a rare courtroom defeat for the commercial spyware industry, which has long shielded itself from accountability.</p>
→ www.theregister.com</a></p>

Privacy Roundup #0225 • April 2025

hello@peterspath.net (Peter) — Thu, 01 May 2025 15:00:00 +0000

April 2025 saw Europe land its first Digital Markets Act fines on Apple and Meta, a run of large health and corporate breaches, and fresh fights over encryption, location tracking and government access to data.</p>

1. European Commission fines Apple 500 million euros under the Digital Markets Act</h3>
On 23 April the Commission found that Apple breached its anti-steering obligation by stopping developers from telling users about cheaper offers outside the App Store. It was the first fine ever issued under the Digital Markets Act and gave Apple sixty days to comply.</p>
→ digital-markets-act.ec.europa.eu</a></p>

3. UK tribunal blocks government attempt to keep the Apple encryption case secret</h3>
On 7 April the Investigatory Powers Tribunal refused the Home Office request to hold its case against Apple entirely behind closed doors. The judges called the secrecy bid a fundamental interference with the principle of open justice.</p>
→ www.computerweekly.com</a></p>

4. Blue Shield of California shared the health data of 4.7 million members with Google</h3>
The insurer disclosed that a Google Analytics misconfiguration had leaked member information to Google Ads from April 2021 until January 2024. The exposed details included plan types, doctor searches, postal codes and account identifiers.</p>
→ techcrunch.com</a></p>

5. DaVita confirms a ransomware attack on its dialysis network</h3>
The kidney care provider detected and contained the intrusion on 12 April after attackers encrypted part of its systems and stole data. The breach later turned out to affect about 2.7 million people, including names, Social Security numbers and clinical records.</p>
→ www.healthcare-brew.com</a></p>

6. Hertz discloses a breach tied to flaws in Cleo file transfer software</h3>
On 14 April Hertz began notifying customers across its Hertz, Dollar and Thrifty brands that their data had been taken through vulnerabilities in a vendor platform. Exposed records included names, contact details, driving licences and, for some, Social Security and passport numbers.</p>
→ www.securityweek.com</a></p>

7. 4chan taken offline after a major hack leaks source code and moderator emails</h3>
On 15 April the imageboard went dark after attackers from a rival forum claimed to have lived inside its systems for over a year. The leak exposed the site's PHP source code, internal admin panels and the email addresses of roughly 218 moderators and staff.</p>
→ techcrunch.com</a></p>

8. Whistleblower says DOGE siphoned sensitive case data from the labour board</h3>
A security architect told Congress that he watched gigabytes of data leave the National Labor Relations Board after DOGE staff demanded top-level access. The records can hold confidential information about union organisers and proprietary business data, and the outflows coincided with login attempts from a Russian address.</p>
→ krebsonsecurity.com</a></p>

10. Google abandons its plan to phase out third-party cookies in Chrome</h3>
On 22 April Google said it would not even show users a choice prompt and would keep third-party cookies working as they do now. The reversal ended a five-year effort that had already slipped past several deadlines.</p>
→ www.onetrust.com</a></p>

11. EFF tells Congress what a strong federal privacy law should contain</h3>
Responding to a House working group, the EFF set out priorities including data minimisation, opt-in consent and a ban on behavioural advertising. It put a private right of action at the top of the list, arguing that people must be able to sue companies that abuse their data.</p>
→ www.eff.org</a></p>

12. States move to shield location data from surveillance</h3>
The EFF mapped how California, Massachusetts, Illinois and other states are passing laws to limit tracking of people's movements. The piece highlighted tools such as Locate X that can follow a phone as its owner travels to seek reproductive healthcare.</p>
→ www.eff.org</a></p>

13. CISA warns of credential risk after a legacy Oracle cloud breach</h3>
On 16 April the US cyber agency issued guidance after a hacker stole old login credentials from a legacy Oracle environment. Oracle had publicly played down the incident even as it privately told customers their data was taken.</p>
→ www.cisa.gov</a></p>

14. Texas court dismisses the state privacy case against Allstate and Arity</h3>
On 10 April a judge ruled that Texas lacked jurisdiction over Allstate and its analytics subsidiary Arity. The state had accused them of turning ordinary phone apps into covert trackers that logged the driving routes of millions of people.</p>
→ www.mlex.com</a></p>

15. Marks & Spencer confirms a ransomware attack that stole customer data</h3>
The retailer admitted that attackers had used social engineering against a contractor before launching ransomware that crippled its systems. Stolen information included names, addresses and order histories, and the firm warned the disruption would cost it hundreds of millions of pounds.</p>
→ www.cybersecuritydive.com</a></p>

16. Eight state regulators form a bipartisan privacy enforcement consortium</h3>
On 16 April California's privacy agency and seven state attorneys general announced a memorandum to coordinate investigations and share resources. The Consortium of Privacy Regulators marks a shift towards joined-up enforcement of state privacy laws.</p>
→ www.maynardnexsen.com</a></p>

17. Photo shows a senior official using a modified Signal clone that archives messages</h3>
A Reuters photograph from a 30 April cabinet meeting appeared to show national security adviser Mike Waltz using TeleMessage, an app that clones Signal but stores copies of chats. Security researchers warned that such archiving undermines the very end-to-end encryption Signal provides.</p>
→ www.nbcnews.com</a></p>

18. US rule restricting bulk transfers of sensitive personal data takes effect</h3>
On 8 April the Justice Department's rule under Executive Order 14117 came into force, curbing sales of bulk sensitive American data to countries of concern. The named states include China, Russia, Iran and North Korea.</p>
→ www.reedsmith.com</a></p>

19. Ofcom consults on widening its online safety enforcement codes</h3>
On 24 April the UK regulator opened a consultation on expanding measures such as account blocking and disabling comments. The move came as platforms faced new duties to assess and reduce risks to children.</p>
→ www.ofcom.org.uk</a></p>

20. Yale New Haven Health notifies 5.5 million patients of a data breach</h3>
The Connecticut system disclosed that an intruder had accessed its network in March and exfiltrated files holding patient information. The records could include names, Social Security numbers, dates of birth and medical record numbers, making it the year's largest healthcare breach so far.</p>
→ techcrunch.com</a></p>

Privacy Roundup #0224 • March 2025

hello@peterspath.net (Peter) — Thu, 03 Apr 2025 15:00:00 +0000

March 2025 was dominated by encryption fights, a wave of breach disclosures and a sharp rise in government and corporate data grabs.</p>

1. Mozilla rewrites Firefox's terms of use after a user backlash</h3>
Mozilla revised the new Firefox Terms of Use within days of publishing them, after the original wording appeared to grant the company a broad licence over anything users typed or uploaded. It also quietly dropped its longstanding promise never to sell personal data, citing the shifting legal definition of a sale.</p>
→ techcrunch.com</a></p>

2. Apple takes the UK government to a secret surveillance tribunal</h3>
Apple lodged a complaint with the Investigatory Powers Tribunal over a Technical Capability Notice that orders it to break the encryption protecting iCloud data. The case is the first of its kind brought before the tribunal, and followed Apple withdrawing Advanced Data Protection from British users.</p>
→ www.theregister.com</a></p>

3. Age verification bills spread from pornography to skin cream</h3>
The Electronic Frontier Foundation warned that age verification mandates have spread far beyond adult websites to cover skincare products, dating apps and diet pills. It argued that no method of age checking is both accurate and private, and that each one forces everyone to hand over sensitive data.</p>
→ www.eff.org</a></p>

5. X suffers a major outage and disputes who was behind it</h3>
X was knocked offline by a distributed denial of service attack, with a group calling itself Dark Storm claiming responsibility. Elon Musk blamed addresses linked to Ukraine, but security researchers could not verify the claim and said most traffic came from elsewhere.</p>
→ cyberscoop.com</a></p>

6. Western Alliance Bank discloses breach linked to Cleo hack</h3>
Western Alliance Bank told nearly 22,000 customers that their data had been stolen through a vulnerability in the Cleo file transfer tool. The exposed records included names, Social Security numbers, dates of birth, passport details and financial account numbers.</p>
→ www.securityweek.com</a></p>

7. Amazon ends local voice processing on Echo devices</h3>
Amazon told Echo owners that its "Do Not Send Voice Recordings" option would stop working, sending all recordings to its cloud for processing. The company said its new generative features required the change, removing the only setting that had kept some voice data off its servers.</p>
→ www.malwarebytes.com</a></p>

8. SpyX stalkerware breach exposes nearly two million people</h3>
A breach at the stalkerware operation SpyX exposed records on close to two million people, including thousands of Apple users. Among the leaked data were around 17,000 iCloud usernames and passwords stored in plain text, alongside victims' device and location details.</p>
→ techcrunch.com</a></p>

9. HellCat hackers run a worldwide Jira hacking spree</h3>
The HellCat group worked through a string of large companies, including Jaguar Land Rover, by abusing Jira credentials harvested by infostealer malware. Stolen development logs, source code and employee data were leaked, with many credentials still valid years after they were taken.</p>
→ www.bleepingcomputer.com</a></p>

10. Clearview AI settles biometric case with an equity stake</h3>
A judge approved Clearview AI's settlement of an Illinois biometric privacy class action, valued at roughly 51 million dollars. Rather than cash, members of the class were granted a stake in the facial recognition company, an arrangement that twenty-two state attorneys general opposed.</p>
→ therecord.media</a></p>

11. US Treasury lifts sanctions on Tornado Cash</h3>
The Treasury removed the cryptocurrency mixer Tornado Cash from its sanctions list, reversing a designation it had imposed in 2022. The move followed a federal appeals court ruling that immutable smart contracts were not property that the government could sanction.</p>
→ www.coindesk.com</a></p>

12. Hacker defaces NYU website and exposes admissions data</h3>
A hacker took over New York University's website and posted data drawn from decades of admissions records. More than a million people had information exposed, including names, addresses, test scores and grade point averages, and the attacker framed the breach around the university's admissions practices.</p>
→ therecord.media</a></p>

13. 23andMe files for bankruptcy and its DNA data hangs in the balance</h3>
The genetic testing firm 23andMe filed for bankruptcy protection and its chief executive resigned, raising alarm about the fate of DNA data held on roughly fifteen million customers. Privacy advocates and state attorneys general warned that the sensitive genetic archive could be sold through the court process.</p>
→ techcrunch.com</a></p>

14. Virginia governor vetoes high-risk AI bill</h3>
Governor Glenn Youngkin vetoed House Bill 2094, which would have regulated high-risk artificial intelligence systems used in decisions about jobs, credit and healthcare. The veto stopped Virginia from becoming the second state, after Colorado, to adopt a broad AI governance law.</p>
→ iapp.org</a></p>

15. Security expert Troy Hunt is caught by a Mailchimp phish</h3>
Troy Hunt, who runs the Have I Been Pwned breach service, fell for a phishing email that captured his Mailchimp credentials. Attackers exported his newsletter list of around 16,000 subscribers, along with the IP addresses and approximate locations Mailchimp had collected.</p>
→ www.theregister.com</a></p>

16. The Atlantic publishes the full Signal war plans thread</h3>
After officials insisted no classified material had been shared, The Atlantic published the full Signal exchange in which Pentagon leaders discussed strikes on Yemen. The messages, sent to a group that had accidentally included the magazine's editor, contained aircraft types, weapons and attack timings.</p>
→ www.cnbc.com</a></p>

17. StreamElements discloses a third-party data breach</h3>
The streaming services firm StreamElements confirmed a breach at a former third-party provider after a hacker began leaking customer records. The stolen data covered roughly 210,000 customers and included names, addresses, phone numbers and email addresses.</p>
→ www.bleepingcomputer.com</a></p>

18. Utah makes app stores responsible for age verification</h3>
Utah became the first state to enact an App Store Accountability Act, shifting the duty to verify ages onto Apple and Google rather than individual apps. The law requires parental consent before minors can download apps, drawing fresh privacy concerns about centralised identity checks.</p>
→ techcrunch.com</a></p>

19. EFF argues online tracking is out of control</h3>
The Electronic Frontier Foundation set out how invisible tracking code on most websites lets companies, including data brokers, collect and sell information about people's browsing. It pointed to an updated version of its Privacy Badger tool that strips tracking added to links across Google and Facebook services.</p>
→ www.eff.org</a></p>

20. Oracle faces criticism over its handling of two breaches</h3>
Oracle came under fire for its response to two separate security incidents, one involving Oracle Health patient records and another involving claims of stolen Oracle Cloud credentials. The company flatly denied any cloud breach even as customers said leaked samples appeared genuine, and researchers accused it of careful wordsmithing.</p>
→ techcrunch.com</a></p>

Privacy Roundup #0223 • February 2025

hello@peterspath.net (Peter) — Thu, 06 Mar 2025 15:00:00 +0000

February 2025 was defined by encryption under siege, with Britain and Sweden pressing for backdoors while breaches, AI chatbots, and a new government data grab kept defenders busy.</p>

1. Apple pulls iCloud end-to-end encryption from the United Kingdom</h3>
Apple withdrew its Advanced Data Protection feature for British users on 21 February after the government secretly ordered the company to build a way into encrypted iCloud data. New users can no longer enable the protection, and existing users will eventually have to turn it off.</p>
→ www.bleepingcomputer.com</a></p>

2. Sweden weighs a law to force backdoors into Signal and WhatsApp</h3>
Swedish police and security agencies pushed legislation that would compel encrypted messaging apps to retain messages and hand over suspects' histories. Signal's president said the company would leave the Swedish market rather than break the encryption that underpins its service.</p>
→ therecord.media</a></p>

3. Judge blocks DOGE from accessing Treasury payment systems</h3>
A federal judge restricted the Department of Government Efficiency from reaching Treasury databases holding the payment records of millions of Americans. States had sued to stop the access, arguing that affiliates had been handed sensitive personal information they did not need.</p>
→ www.npr.org</a></p>

4. Musk's DOGE seeks access to sensitive IRS taxpayer records</h3>
DOGE pushed for entry to an IRS system holding Social Security numbers, bank details, and salary data for millions of taxpayers. Lawmakers and privacy advocates warned that giving a political appointee such reach raised grave risks of misuse.</p>
→ www.npr.org</a></p>

5. Experts flag security and privacy risks in the DeepSeek AI app</h3>
Security researchers warned that the Chinese chatbot collected extensive user data and sent it to servers in China, where authorities could compel its disclosure. The findings prompted bans on government devices across several American states and federal agencies.</p>
→ krebsonsecurity.com</a></p>

6. South Korea suspends DeepSeek downloads over privacy violations</h3>
South Korea's data protection regulator found that DeepSeek had transferred personal data, including user prompts, to third parties without proper consent. The company removed its app from South Korean stores on 15 February while the issues were addressed.</p>
→ thehackernews.com</a></p>

7. Mozilla rewrites Firefox terms after a privacy backlash</h3>
Mozilla introduced new Firefox terms granting itself a broad licence over information entered through the browser, alarming users who feared their data would be sold or fed to AI. Facing the outcry, Mozilla revised the language and insisted it was not using people's data to train AI.</p>
→ techcrunch.com</a></p>

8. Grubhub confirms a breach affecting customers and drivers</h3>
Grubhub disclosed on 4 February that an intrusion at a third-party contractor exposed customer and driver contact details, including names, email addresses, and phone numbers. Payment information was not taken, but the data later fed an extortion attempt tied to a wider campaign.</p>
→ techcrunch.com</a></p>

9. Background-check firm DISA reveals a breach affecting 3.3 million people</h3>
Employment screening provider DISA Global Solutions disclosed that hackers had accessed the data of more than 3.3 million people, including Social Security numbers and financial details. The company took roughly ten months after discovering the intrusion to notify those affected.</p>
→ techcrunch.com</a></p>

10. Australian IVF provider Genea confirms hackers accessed patient data</h3>
The fertility giant Genea told patients on 19 February that attackers had reached its systems during a cyberattack claimed by the Termite ransomware group. The stolen records included names, addresses, Medicare numbers, and sensitive medical histories.</p>
→ techcrunch.com</a></p>

11. Hacker leaks 34 million OmniGPT chat messages</h3>
A threat actor claimed to have breached the AI aggregator OmniGPT, exposing the email addresses and phone numbers of 30,000 users along with more than 34 million lines of conversation. The leaked logs reportedly contained credentials, billing details, and API keys.</p>
→ hackread.com</a></p>

12. China's Salt Typhoon keeps breaching telecom firms despite sanctions</h3>
Researchers reported that the Salt Typhoon group continued to compromise telecommunications providers by exploiting old Cisco vulnerabilities. The campaign followed earlier intrusions that reached the lawful intercept systems used for law enforcement wiretaps.</p>
→ techcrunch.com</a></p>

13. Court grants preliminary approval to Apple's $95 million Siri settlement</h3>
A federal judge preliminarily approved a $95 million deal settling claims that Siri recorded private conversations after accidental activations and shared them with third parties. Class members can claim up to $20 per device, and Apple agreed to delete older Siri audio recordings.</p>
→ www.courthousenews.com</a></p>

14. Spain arrests a hacker accused of attacking NATO and the United States Army</h3>
Spanish police arrested a suspect on 5 February over roughly forty cyberattacks that breached systems run by NATO, the United States Army, the United Nations, and Spanish bodies. Investigators said the suspect had leaked and sold stolen data under several aliases.</p>
→ www.bleepingcomputer.com</a></p>

15. Orange Group confirms a breach after a hacker leaks internal documents</h3>
The French telecoms operator Orange confirmed an intrusion at its Romanian operations after a HellCat-linked actor leaked thousands of files. The haul included around 380,000 email addresses, source code, contracts, and employee and customer records.</p>
→ www.bleepingcomputer.com</a></p>

16. Mozilla is still promoting the data removal service Onerep</h3>
Krebs on Security reported that Mozilla continued to recommend the data removal service Onerep almost a year after the founder was tied to people-search sites. The arrangement undercut Mozilla's privacy messaging, since the same person had profited from exposing the very data Onerep promised to scrub.</p>
→ krebsonsecurity.com</a></p>

17. Phished card data is being turned into Apple and Google wallets</h3>
Investigators detailed how Chinese cybercrime groups revived the carding trade by loading stolen card details into mobile wallets. The technique lets criminals spend phished funds online and in shops, bypassing many fraud controls.</p>
→ krebsonsecurity.com</a></p>

18. A notorious malware and spam host shifts onto Kaspersky networks</h3>
One of the most abuse-friendly bulletproof hosting providers for cybercriminals began routing its traffic through networks operated by the Russian security firm Kaspersky Lab. The move raised fresh questions about who is shielding online criminal infrastructure.</p>
→ krebsonsecurity.com</a></p>

19. New administration brings cuts to cyber and consumer protections</h3>
Krebs on Security reported that early moves under the new administration weakened agencies that guard data security and consumer privacy. The cuts threatened oversight of data brokers and the watchdogs that hold breached companies to account.</p>
→ krebsonsecurity.com</a></p>

20. United States soldier charged in the AT&T phone records hack</h3>
A serving soldier charged over the theft of AT&T customer call records had searched online whether hacking could be treason. The case shed light on how stolen telecom data, including the records of public figures, was traded among young criminals.</p>
→ krebsonsecurity.com</a></p>

Privacy Roundup #0222 • January 2025

hello@peterspath.net (Peter) — Thu, 06 Feb 2025 15:00:00 +0000

January 2025 opened the year with a flood of location data scandals, hard regulatory action against connected cars and data brokers, and a Supreme Court ruling that sealed the fate of TikTok.</p>

1. Apple agrees to pay 95 million dollars to settle Siri privacy lawsuit</h3>
Apple agreed to a 95 million dollar settlement over claims that Siri recorded private conversations after unintended activations and passed them to third parties. The plaintiffs said mentions of Air Jordan trainers and Olive Garden triggered matching advertisements, and Apple denied any wrongdoing.</p>
→ www.npr.org</a></p>

2. Telegram reports a sharp rise in handing user data to law enforcement</h3>
Telegram's transparency figures showed it gave phone numbers and IP addresses to United States authorities on 900 occasions in 2024, affecting 2,253 users. The surge followed the arrest of chief executive Pavel Durov in France and a quiet rewrite of the platform's data sharing policy.</p>
→ techcrunch.com</a></p>

3. Justice Department issues final rule curbing bulk data flows to countries of concern</h3>
On 8 January the Justice Department published its final rule restricting transfers of bulk sensitive personal data to China, Russia, Iran, North Korea, Cuba and Venezuela. The measure implements an executive order and covers genomic, biometric, geolocation, financial and health information.</p>
→ www.federalregister.gov</a></p>

4. Texas sues Allstate and Arity over secret driver tracking</h3>
Texas Attorney General Ken Paxton sued Allstate and its subsidiary Arity for collecting and selling the location data of more than 45 million drivers. The state alleged the firms paid app developers to embed a tracking kit in everyday apps, building what they called the world's largest driving behaviour database.</p>
→ www.texasattorneygeneral.gov</a></p>

5. A breach of Gravy Analytics threatens the location privacy of millions</h3>
Data broker Gravy Analytics confirmed that a hacker had taken files from its cloud environment using a misappropriated key, exposing vast quantities of precise smartphone location data. A threat actor posted samples showing tracked devices across the United States, Russia and Europe and threatened to release more.</p>
→ techcrunch.com</a></p>

6. FTC finalises order banning Mobilewalla from selling sensitive location data</h3>
The Federal Trade Commission finalised an order barring data broker Mobilewalla from selling location data that could reveal visits to clinics and places of worship. The agency said the firm sold the information without taking reasonable steps to confirm that consumers had consented.</p>
→ www.ftc.gov</a></p>

7. FTC takes action against General Motors over secret driver data sales</h3>
The Federal Trade Commission alleged that General Motors and OnStar collected precise location and driving behaviour data and sold it to third parties without clear consent. The proposed order imposes a five year ban on disclosing such data to consumer reporting agencies that had used it to set insurance rates.</p>
→ www.ftc.gov</a></p>

8. FTC finalises new children's privacy rule limiting data monetisation</h3>
On 16 January the Federal Trade Commission finalised its first major overhaul of the Children's Online Privacy Protection Rule since 2013. The amendments require parents to opt in to targeted advertising, expand the definition of personal information to include biometric identifiers, and limit how long operators may retain children's data.</p>
→ www.ftc.gov</a></p>

9. Biden issues an eleventh hour cybersecurity executive order</h3>
President Biden signed Executive Order 14144 to strengthen the security of federal software supply chains and promote privacy preserving digital identity. The order also directs agencies towards quantum resistant cryptography and expands sanctions powers against malicious cyber actors.</p>
→ www.npr.org</a></p>

10. Treasury sanctions a China based hacker over the OFAC breach</h3>
On 17 January the Treasury sanctioned Yin Kecheng over the compromise of its own network, including the Office of Foreign Assets Control. The attackers reached unclassified but sensitive documents by exploiting a stolen key from the third party software provider BeyondTrust.</p>
→ home.treasury.gov</a></p>

11. Supreme Court upholds the TikTok sale or ban law</h3>
The Supreme Court unanimously upheld the law requiring ByteDance to divest TikTok or face a nationwide ban, rejecting the company's free speech arguments. The government cited the risk of Chinese collection of data from 170 million American users and the potential to manipulate the platform's content.</p>
→ www.scotusblog.com</a></p>

12. Hewlett Packard Enterprise probes a hacker's data theft claim</h3>
Hewlett Packard Enterprise launched an investigation after the threat actor IntelBroker advertised files it said were stolen from the company's systems. The listing claimed to include source code, private repositories, digital certificates and some personal information, though the firm said it saw no evidence of operational impact.</p>
→ techcrunch.com</a></p>

13. Trump fires three members of the federal surveillance watchdog</h3>
President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board by a one sentence email. The removals left the board without a quorum, stripping it of the ability to begin new oversight of government surveillance programmes.</p>
→ www.lawfaremedia.org</a></p>

14. Otelier breach exposes reservations for Marriott, Hilton and Hyatt guests</h3>
Hotel management platform Otelier suffered a breach after attackers reached its cloud storage using stolen employee credentials. The stolen records covered millions of guest reservations and personal details across major hotel brands, with credentials taken by information stealing malware.</p>
→ www.bleepingcomputer.com</a></p>

15. Community Health Center breach affects more than a million patients</h3>
The Connecticut nonprofit Community Health Center said it detected unauthorised activity on 2 January and that a hacker had exfiltrated data from its network. The exposed records of more than a million people included diagnoses, test results, insurance details and Social Security numbers.</p>
→ www.hipaajournal.com</a></p>

16. FTC takes action against GoDaddy over lax data security</h3>
The Federal Trade Commission alleged that GoDaddy failed to use basic protections such as multi factor authentication despite advertising award winning security. The agency said the lapses led to several breaches that let attackers reach customers' websites and data.</p>
→ www.ftc.gov</a></p>

17. PowerSchool begins notifying students and teachers after a mass breach</h3>
Education software vendor PowerSchool began notifying individuals affected by a breach of its support portal that was carried out with a single compromised credential. The exposed records relating to families and educators included names, grades, birth dates and Social Security numbers.</p>
→ techcrunch.com</a></p>

18. Researchers find an exposed DeepSeek database leaking chat logs</h3>
Security firm Wiz reported that the Chinese AI company DeepSeek had left a database open to the internet without authentication. The exposed records included more than a million log lines, user chat histories and secret keys that could have granted control of its systems.</p>
→ thehackernews.com</a></p>

19. AT&T and Verizon say they evicted the Salt Typhoon hackers</h3>
AT&T and Verizon stated in early January that they had removed the China linked Salt Typhoon group from their networks. The intrusions had reached systems used for court ordered wiretaps and exposed the call metadata of large numbers of users.</p>
→ www.cybersecuritydive.com</a></p>

20. Conduent cyberattack disrupts government services across several states</h3>
Outsourcing provider Conduent discovered a cyber incident on 13 January after attackers had lurked in its systems since October. The intrusion disrupted benefits and payment services for state agencies in Wisconsin, Oklahoma and elsewhere, and the company later confirmed that personal data had been taken.</p>
→ securityaffairs.com</a></p>

Privacy Roundup #0221 • December 2024

hello@peterspath.net (Peter) — Thu, 02 Jan 2025 15:00:00 +0000

December 2024 closed the year with record European fines, fresh data broker crackdowns, and a stark warning that lawful surveillance backdoors had become a national security liability.</p>

1. Irish regulator fines Meta €251 million over 2018 Facebook breach</h3>
The Irish Data Protection Commission fined Meta €251 million on 17 December for a 2018 flaw that let attackers steal access tokens for around 29 million accounts. The regulator found Meta had failed to document the breach properly and had processed more data than it needed.</p>
→ therecord.media</a></p>

2. Italy fines OpenAI €15 million over ChatGPT data collection</h3>
Italy's Garante fined OpenAI €15 million on 20 December, ruling that the company trained ChatGPT on personal data without a proper legal basis and without an adequate age check. The watchdog also ordered OpenAI to run a six month public awareness campaign about how it gathers data.</p>
→ www.euronews.com</a></p>

3. FTC bars Gravy Analytics and Venntel from selling sensitive location data</h3>
On 3 December the Federal Trade Commission announced a proposed order banning Gravy Analytics and its subsidiary Venntel from selling location data that tracks visits to clinics, churches and other sensitive sites. The companies must build a programme to identify and protect such locations.</p>
→ www.ftc.gov</a></p>

5. CISA and FBI urge Americans to use encrypted messaging apps</h3>
After the Salt Typhoon intrusions into US telecoms, officials on 4 December recommended that people move to end to end encrypted apps such as Signal. The advice marked a notable reversal for agencies that had long pressed for lawful access to encrypted communications.</p>
→ techcrunch.com</a></p>

6. Salt Typhoon shows the danger of surveillance backdoors</h3>
Reporting on 11 December argued that the Salt Typhoon breach exposed how the wiretap systems mandated by US law had handed foreign spies a way in. Security experts said the episode proved that no backdoor can be reserved for the good actors alone.</p>
→ theintercept.com</a></p>

7. Watchdog finds US border surveillance failing privacy rules</h3>
A Government Accountability Office assessment published on 20 December found that Customs and Border Protection had met none of six baseline privacy protections for its towers, aerostats and ground sensors. The agency had deployed years of mass surveillance without the required safeguards.</p>
→ www.eff.org</a></p>

8. Volkswagen leak exposes location data of 800,000 electric cars</h3>
A misconfigured cloud store run by Volkswagen's software unit Cariad left the precise location data of about 800,000 electric vehicles open for months. For many of the cars the data was accurate enough to map a driver's daily routine, and it touched politicians and police officers.</p>
→ electrek.co</a></p>

9. EU opens formal proceedings against TikTok over election risks</h3>
On 17 December the European Commission opened formal Digital Services Act proceedings against TikTok over its handling of risks to the annulled Romanian presidential election. Investigators will examine its recommender systems, coordinated inauthentic behaviour and political advertising.</p>
→ www.euronews.com</a></p>

10. Commission orders TikTok to preserve Romanian election data</h3>
Earlier, on 5 December, the Commission issued a retention order requiring TikTok to freeze and keep data tied to systemic risks around elections in the European Union. The order covered national votes between late November 2024 and the end of March 2025.</p>
→ www.jurist.org</a></p>

11. Amnesty exposes Serbian spyware and Cellebrite phone hacking</h3>
Amnesty International reported on 16 December that Serbian police and intelligence used Cellebrite tools and bespoke NoviSpy malware to break into the phones of journalists and activists. Devices were often infected while held during ordinary stops and interviews.</p>
→ www.amnesty.org</a></p>

12. Krispy Kreme discloses cyberattack disrupting online orders</h3>
Krispy Kreme told the Securities and Exchange Commission on 11 December that an intrusion had disrupted online ordering across parts of the United States. The Play ransomware group later claimed the attack, which exposed the personal data of more than 160,000 people.</p>
→ techcrunch.com</a></p>

13. France fines Orange €50 million for ads disguised as emails</h3>
The French regulator CNIL announced on 10 December a €50 million fine against Orange for slipping advertisements into users' inboxes that looked almost identical to real emails. More than 7.8 million people had seen the disguised messages.</p>
→ www.cnil.fr</a></p>

14. Dutch regulator fines Netflix €4.75 million over transparency</h3>
The Dutch Data Protection Authority fined Netflix €4.75 million on 18 December for failing to tell customers clearly what it did with their data between 2018 and 2020. People who asked what information the company held also received insufficient answers.</p>
→ therecord.media</a></p>

15. Apple agrees to $95 million settlement over Siri eavesdropping</h3>
On 31 December Apple settled a long running class action for $95 million over claims that Siri recorded users without the wake phrase. The plaintiffs said captured snippets were shared with third parties without consent.</p>
→ www.cbsnews.com</a></p>

16. Ascension confirms ransomware breach hit 5.6 million patients</h3>
The health system Ascension disclosed on 19 December that a May ransomware attack had exposed the records of nearly 5.6 million people. The stolen data included Social Security numbers, medical details and payment information.</p>
→ www.cybersecuritydive.com</a></p>

17. ConnectOnCall breach exposes data of more than 900,000 patients</h3>
The telehealth provider ConnectOnCall began notifying patients on 11 December after attackers reached its platform for three months earlier in the year. Names, phone numbers, health conditions and some Social Security numbers were taken.</p>
→ www.hipaajournal.com</a></p>

18. US soldier arrested over AT&T and Verizon extortion</h3>
A US Army soldier was arrested on 20 December over the theft and sale of call records from AT&T and Verizon under the alias Kiberphant0m. Investigators linked the case to the wider extortion campaign against Snowflake customers.</p>
→ krebsonsecurity.com</a></p>

19. Bitcoin ATM operator Byte Federal discloses 58,000 person breach</h3>
Byte Federal, one of the largest Bitcoin ATM operators in the United States, told 58,000 users on 12 December that attackers had reached their data through a flaw in GitLab. The exposed records included Social Security numbers, identity documents and user photos.</p>
→ techcrunch.com</a></p>

20. Spain fines Telefónica €1.3 million over 2022 data breach</h3>
Spain's data protection authority fined Telefónica €1.3 million, in a decision reported on 3 December, for weak safeguards behind a 2022 breach affecting more than a million Movistar and O2 customers. The regulator faulted both the inadequate security and the slow notification.</p>
→ www.telecompaper.com</a></p>

Privacy Roundup #0220 • November 2024

hello@peterspath.net (Peter) — Thu, 05 Dec 2024 15:00:00 +0000

November 2024 was dominated by the Salt Typhoon telecom espionage revelations, a wave of breach disclosures, and fresh fines and surveillance fights on both sides of the Atlantic.</p>

1. FBI and CISA confirm China-linked hackers breached multiple US telecoms</h3>
The two agencies acknowledged a broad espionage campaign in which Salt Typhoon stole call records and tapped court-ordered wiretap systems at several carriers. They confirmed that the intruders targeted communications belonging to people involved in government and politics.</p>
→ www.theregister.com</a></p>

2. T-Mobile detects intrusion attempts tied to the telecom spying campaign</h3>
T-Mobile said it spotted hackers probing its network through a connected wireline provider and severed the link before customer data was reached. The company reported the activity to the government while declining to name Salt Typhoon as the culprit.</p>
→ www.theregister.com</a></p>

3. Canadian man arrested over the Snowflake data extortions</h3>
Alexander Moucka, who used aliases including Judische, was held in Ontario on a US warrant tied to the theft of data from more than 160 Snowflake customers. Victims of the campaign included AT&T, Ticketmaster, and Neiman Marcus.</p>
→ krebsonsecurity.com</a></p>

4. Fintech giant Finastra investigates a file-transfer breach</h3>
Finastra, which serves most of the world's largest banks, found that an intruder used stolen credentials to take roughly 400 gigabytes of data from an internal transfer platform. A criminal then advertised the haul for sale on a cybercrime forum.</p>
→ krebsonsecurity.com</a></p>

6. Unsealed documents reveal how much NSO Group controls Pegasus</h3>
Court filings in WhatsApp's lawsuit showed that NSO, not its government clients, ran the data retrieval process behind its spyware. The papers also revealed that the firm cut off ten customers for abusing the tool.</p>
→ techcrunch.com</a></p>

8. EFF warns the national security state will make AI even less accountable</h3>
A White House directive pushed the security apparatus to lead on artificial intelligence, which EFF argued would deepen secrecy around already opaque systems. The group cautioned that classified AI used for consequential decisions would escape public scrutiny.</p>
→ www.eff.org</a></p>

9. Criminals abuse the FBI emergency data request system</h3>
Schneier highlighted how attackers used compromised police accounts to send fake emergency requests and trick companies into handing over user data. Some fraudulent requests cited invented threats such as human trafficking to add urgency.</p>
→ www.schneier.com</a></p>

10. Hot Topic breach exposes the data of 57 million customers</h3>
A breach notification service alerted tens of millions of shoppers that their details had been stolen from the retailer and its sister brands. The exposed records included email addresses, dates of birth, and partial payment card data.</p>
→ techcrunch.com</a></p>

11. Satellite giant Maxar confirms a breach of employee data</h3>
Maxar said a hacker using a Hong Kong address reached files holding staff names, addresses, and Social Security numbers. More than half of the firm's workers hold US security clearances for classified projects.</p>
→ techcrunch.com</a></p>

12. Andrew Tate's online platform is breached and its members exposed</h3>
Intruders copied chat servers and lifted hundreds of thousands of usernames and registered email addresses from the subscription site The Real World. They disrupted a live stream and passed the data to a breach notification service.</p>
→ www.theregister.com</a></p>

13. SelectBlinds discovers payment-skimming malware on its website</h3>
The retailer said malware had sat on its checkout page since early in the year, scraping the details of more than 200,000 customers. The harvested data included names, addresses, and full payment card numbers.</p>
→ therecord.media</a></p>

14. Amazon confirms employee data leaked through a contractor</h3>
Amazon acknowledged that staff records appeared on a crime forum after a breach at a vendor using the MOVEit file transfer tool. The exposed information covered names, work contact details, and office locations across millions of records.</p>
→ www.404media.co</a></p>

15. Senators demand an audit of airport facial recognition</h3>
A bipartisan group of twelve senators pressed the Department of Homeland Security to evaluate the accuracy and privacy effects of facial scanning before it spreads to hundreds of airports. They warned that mandatory scans could build a federal surveillance database without congressional approval.</p>
→ therecord.media</a></p>

16. British software firm Microlise confirms staff data stolen</h3>
Microlise said a cyberattack with the hallmarks of ransomware took some employee data and disrupted tracking systems used by DHL and Serco. The incident temporarily disabled vehicle tracking and panic alarms on prisoner transport vans.</p>
→ www.theregister.com</a></p>

17. Ford investigates breach claims and blames a third-party supplier</h3>
After criminals advertised a database of customer records, Ford said it found no breach of its own systems. The company traced the small exposed batch to publicly available dealer business addresses held by a supplier.</p>
→ www.theregister.com</a></p>

18. Nokia investigates a claimed theft of its source code</h3>
A pair of criminals said they obtained Nokia source code, keys, and credentials through a contractor that worked with the firm. Nokia investigated the claim, which raised questions about why outside contractors could reach such material.</p>
→ www.theregister.com</a></p>

20. Secret Service tracks phone locations without a warrant</h3>
Schneier flagged reporting that the Secret Service used the Locate X tool to follow people through location data harvested from ordinary apps. The agency argued that opaque terms of service mean it does not need a warrant for the practice.</p>
→ www.schneier.com</a></p>

Privacy Roundup #0219 • October 2024

hello@peterspath.net (Peter) — Thu, 07 Nov 2024 15:00:00 +0000

October 2024 brought record fines for Big Tech, a wave of mass breaches, and fresh proof that the state and data brokers keep buying their way around warrants.</p>

1. Ireland fines LinkedIn 310 million euros over behavioural advertising</h3>
The Irish Data Protection Commission fined LinkedIn 310 million euros on 24 October for processing members' data for behavioural analysis and targeted advertising without a valid legal basis. The regulator found the platform breached the fairness, lawfulness and transparency principles of the GDPR and ordered it to bring its advertising into line within three months.</p>
→ www.dataprotection.ie</a></p>

2. Chinese hackers breached the wiretap systems US law mandates</h3>
The Wall Street Journal reported on 5 October that a group known as Salt Typhoon had penetrated the networks of Verizon, AT&T and Lumen and reached the lawful interception systems used to fulfil court ordered wiretaps. The breach exposed exactly the kind of surveillance backdoor that security experts have warned about for decades.</p>
→ www.wsj.com</a></p>

3. Schneier says China is hacking the lawful access backdoor</h3>
Bruce Schneier argued on 8 October that the telecom breach proved a long standing point, that a wiretap capability built for the good guys is a capability anyone can abuse. He wrote that the law mandated backdoors under CALEA cannot tell a friendly agency from a hostile one.</p>
→ www.schneier.com</a></p>

4. FTC orders Marriott to overhaul security after three breaches</h3>
The Federal Trade Commission announced on 9 October that Marriott and its Starwood subsidiary must build a comprehensive security programme to settle charges over breaches that exposed data on more than 344 million guests. Marriott also agreed to pay 52 million dollars to 49 states and to let customers request deletion of their personal information.</p>
→ www.ftc.gov</a></p>

5. Internet Archive breach exposes 31 million accounts</h3>
The Internet Archive disclosed on 9 October that attackers had stolen authentication data for around 31 million registered users, including email addresses, screen names and hashed passwords. Days later the same intruders reached the organisation's Zendesk support system and read sensitive support tickets.</p>
→ www.bleepingcomputer.com</a></p>

6. FTC finalises its click to cancel rule for subscriptions</h3>
The Federal Trade Commission announced its final negative option rule on 16 October, requiring sellers to make cancelling a subscription as easy as signing up. The rule also forces clear disclosures and express consent before a company can enrol someone in a recurring charge.</p>
→ www.ftc.gov</a></p>

7. CFPB open banking rule gives people control of financial data</h3>
The Consumer Financial Protection Bureau finalised its personal financial data rights rule on 22 October, letting consumers move their banking data to another provider for free. The rule limits how authorised third parties may use and retain that data and bars them from exploiting it for unrelated purposes.</p>
→ www.consumerfinance.gov</a></p>

8. EFF tells Massachusetts court to limit reuse of monitoring data</h3>
The Electronic Frontier Foundation filed a brief on 22 October urging the state's highest court to bar police from mining pretrial electronic monitoring data to investigate unrelated crimes. The group argued that location data gathered for one purpose cannot become a general warrant for fishing expeditions.</p>
→ www.eff.org</a></p>

9. Cisco takes DevHub portal offline after data leak</h3>
A threat actor known as IntelBroker claimed on 14 October to have taken source code, certificates, API tokens and customer files from a Cisco environment. Cisco confirmed on 18 October that the data came from a public facing DevHub instance and took the portal offline after the hacker published stolen files.</p>
→ www.bleepingcomputer.com</a></p>

10. Hot Topic breach exposes millions of shopper records</h3>
A hacker using the alias Satanic posted on 21 October claiming to have taken vast amounts of personal data from Hot Topic and its sister brands. The stolen records included names, addresses, phone numbers and partial payment card details, traced to malware on a third party vendor.</p>
→ cyberinsider.com</a></p>

11. California regulator opens data broker registration probe</h3>
The California Privacy Protection Agency announced on 30 October that its enforcement division was reviewing whether data brokers had registered as the Delete Act requires. Brokers that fail to register face penalties of 200 dollars a day ahead of a 2026 platform that will let people delete their data from every broker at once.</p>
→ cppa.ca.gov</a></p>

12. EFF warns age verification laws will harm more than they help</h3>
The Electronic Frontier Foundation filed a brief with the Fifth Circuit on 4 October arguing that Mississippi's age verification law violates the First Amendment. The group said the law burdens adults and minors alike, threatens online anonymity and creates fresh privacy risks without protecting children.</p>
→ www.eff.org</a></p>

13. Fidelity breach exposes data of 77,000 customers</h3>
Fidelity Investments told regulators in early October that an intruder using two newly created customer accounts had accessed the data of more than 77,000 people. The exposed records included Social Security numbers and driver's licence details, though the firm said no customer accounts were touched.</p>
→ techcrunch.com</a></p>

14. Indian court orders Telegram to delete Star Health leak bots</h3>
The Madras High Court ordered on 25 October that Telegram block chatbots used to leak the medical records and policy documents of Star Health customers. The insurer had sued Telegram and Cloudflare after a hacker offered the data of about 31 million policyholders for sale.</p>
→ www.businesstoday.in</a></p>

15. Change Healthcare tells 100 million people their data was stolen</h3>
Change Healthcare began notifying roughly 100 million Americans on 30 October that their medical, financial and personal data had been stolen in a February ransomware attack. The breach exposed health records, billing information and Social Security numbers in the largest healthcare data theft yet recorded.</p>
→ krebsonsecurity.com</a></p>

16. Mobile ad data fuels a global surveillance free for all</h3>
Brian Krebs reported on 23 October that commercial tools such as Babel Street let almost anyone track a person's movements using the advertising identifiers leaking from ordinary phone apps. The investigation showed how police officers, abortion seekers and other vulnerable people can be followed with no warrant and little recourse.</p>
→ krebsonsecurity.com</a></p>

17. EFF warns a sale of 23andMe data would endanger privacy</h3>
The Electronic Frontier Foundation cautioned on 9 October that the company's signal it might sell itself put the genetic data of around 15 million customers at risk. The group set out steps people can take to delete their samples and pressed any buyer to honour strong privacy commitments.</p>
→ www.eff.org</a></p>

18. EFF tells New York that age checks threaten everyone's privacy</h3>
The Electronic Frontier Foundation submitted comments in October on New York's plan to enforce its Stop Addictive Feeds Exploitation Act for minors. The group argued that requiring platforms to verify ages would force every user to surrender identity data and chill protected speech.</p>
→ www.eff.org</a></p>

19. Casio confirms ransomware attack leaked personal data</h3>
Casio confirmed on 14 October that a ransomware attack had exposed the personal data of employees, business partners and some customers, alongside sensitive company files. The Underground gang claimed the intrusion and threatened to publish confidential documents after the firm refused to meet its demands.</p>
→ techcrunch.com</a></p>

20. Brazil arrests hacker linked to the National Public Data breach</h3>
Brazilian police announced on 18 October the arrest of a man suspected of being USDoD, the cybercriminal tied to the National Public Data breach that leaked Social Security numbers for much of the United States. The same figure was blamed for breaching the FBI's InfraGard programme and leaking the contact details of 80,000 members.</p>
→ krebsonsecurity.com</a></p>

Privacy Roundup #0218 • September 2024

hello@peterspath.net (Peter) — Thu, 03 Oct 2024 15:00:00 +0000

September 2024 brought record European fines, fresh breach disclosures and a sharp reminder that surveillance reaches from telecom wiretap systems to children's social accounts.</p>

1. Irish regulator fines Meta 91 million euro over plaintext passwords</h3>
The Irish Data Protection Commission fined Meta 91 million euro on 27 September for storing some Facebook and Instagram passwords in readable plaintext. The regulator found four breaches of the GDPR, including a failure to notify and document the incident promptly.</p>
→ www.dataprotection.ie</a></p>

2. Dutch watchdog fines Clearview AI 30.5 million euro for illegal face database</h3>
The Dutch Data Protection Authority fined Clearview AI 30.5 million euro on 3 September for building a database of more than thirty billion scraped facial images without consent. The regulator added penalties of up to 5.1 million euro if the company does not stop the violations.</p>
→ www.autoriteitpersoonsgegevens.nl</a></p>

4. Telegram agrees to hand user IP addresses and phone numbers to police</h3>
On 23 September, Telegram changed its privacy policy to share IP addresses and phone numbers of suspects with authorities in response to valid legal requests. The shift followed the arrest of founder Pavel Durov in France and widened cooperation far beyond terrorism cases.</p>
→ www.bleepingcomputer.com</a></p>

5. MoneyGram says hackers stole customer personal and transaction data</h3>
MoneyGram disclosed that attackers accessed customer data between 20 and 22 September, prompting a week of service outages. The stolen records included names, addresses, dates of birth, Social Security numbers, bank account numbers and copies of government identification.</p>
→ techcrunch.com</a></p>

7. Instagram makes teenage accounts private by default</h3>
Meta announced Instagram Teen Accounts on 17 September, placing users under sixteen into private profiles with stricter messaging and content settings. Teenagers need a parent's permission to loosen the defaults, and the changes began rolling out in the United States, Canada, the United Kingdom and Australia.</p>
→ about.fb.com</a></p>

8. AT&T agrees to pay 13 million dollars to the FCC over a vendor breach</h3>
The Federal Communications Commission announced a 13 million dollar settlement with AT&T on 17 September over a cloud breach at one of its vendors. The vendor retained the billing data of around nine million customers for years after it should have been destroyed, and attackers exfiltrated it in 2023.</p>
→ broadbandbreakfast.com</a></p>

9. China-linked Salt Typhoon hackers breach US broadband and wiretap systems</h3>
On 25 September it emerged that the Salt Typhoon group had compromised major US broadband providers and the systems used for court-authorised wiretaps. The intrusion raised fears that a foreign government had gained access to sensitive law enforcement surveillance data.</p>
→ www.semafor.com</a></p>

10. Disney to drop Slack after a 1.1 terabyte data leak</h3>
Disney told staff on 20 September that it would stop using Slack following a breach that leaked more than a terabyte of internal messages and files. The leaked trove included unreleased project details, login credentials and crew passport numbers.</p>
→ fortune.com</a></p>

11. 23andMe agrees to a 30 million dollar settlement over genetic data breach</h3>
On 12 September, 23andMe agreed to a 30 million dollar settlement over the 2023 breach that exposed the data of nearly seven million customers. The case alleged the company failed to protect sensitive genetic information and to warn users targeted by ancestry.</p>
→ www.malwarebytes.com</a></p>

12. Apple moves to drop its lawsuit against spyware maker NSO Group</h3>
Apple asked a court on 13 September to dismiss its own case against the Pegasus spyware vendor NSO Group. The company argued that pursuing the suit risked exposing sensitive threat intelligence that could help spyware makers refine their tools.</p>
→ therecord.media</a></p>

13. California signs laws extending privacy rules to artificial intelligence</h3>
Governor Gavin Newsom signed AB 1008 on 28 September, clarifying that personal information under the state privacy law can exist inside artificial intelligence systems. A companion law, AB 2013, requires generative AI developers to disclose details about their training data.</p>
→ www.wsgr.com</a></p>

14. UK regulator reprimands Sky Betting and Gaming over advertising cookies</h3>
The Information Commissioner's Office reprimanded Bonne Terre, trading as Sky Betting and Gaming, for setting advertising cookies before users could refuse them. Personal data was shared with advertising technology firms the moment people opened the site, without prior consent.</p>
→ ico.org.uk</a></p>

15. Medicare contractor breach affects more than three million people</h3>
The Centers for Medicare and Medicaid Services began notifying affected individuals on 6 September after a breach at contractor Wisconsin Physicians Service. The incident stemmed from the MOVEit file transfer flaw and exposed names, Social Security numbers and Medicare identifiers.</p>
→ www.cms.gov</a></p>

16. Dell investigates leak of employee records on a hacking forum</h3>
Dell began investigating a breach after a hacker leaked details of more than ten thousand employees and partners on 19 September. The exposed records included full names, internal identifiers and employment status drawn from the company's systems.</p>
→ www.bleepingcomputer.com</a></p>

17. EFF warns the FTC report shows commercial surveillance is out of control</h3>
The Electronic Frontier Foundation argued on 26 September that the new FTC findings confirmed an unchecked surveillance economy. The group called for comprehensive privacy legislation rather than relying on companies to police their own data practices.</p>
→ www.eff.org</a></p>

18. Slim CD breach exposes credit card data of 1.7 million people</h3>
The payment gateway Slim CD disclosed on 6 September that attackers had access to its systems for almost ten months. The compromised data included names, addresses and credit card numbers and expiry dates of around 1.7 million individuals.</p>
→ www.securityweek.com</a></p>

19. Fortinet confirms customer data stolen from a third-party cloud drive</h3>
Fortinet confirmed on 13 September that a hacker had stolen customer files from a third-party cloud-based shared drive. The attacker claimed to hold 440 gigabytes of data and published it after the company refused to pay a ransom.</p>
→ techcrunch.com</a></p>

20. ESO Solutions ransomware attack compromises data of 2.7 million patients</h3>
The healthcare and emergency services software provider ESO Solutions disclosed a ransomware attack that exposed the records of around 2.7 million patients. Attackers exfiltrated data before encrypting company systems, exposing sensitive medical and personal details.</p>
→ www.bleepingcomputer.com</a></p>

Privacy Roundup #0217 • August 2024

hello@peterspath.net (Peter) — Thu, 05 Sep 2024 15:00:00 +0000

August 2024 brought the arrest of Telegram's founder, a record GDPR fine on Uber, the National Public Data mega-breach and a run of court rulings that reshaped surveillance and Big Tech privacy.</p>

2. Telegram CEO Pavel Durov indicted in France</h3>
French police arrested Telegram co-founder Pavel Durov at a Paris airport on 24 August, and prosecutors indicted him days later on charges tied to crime on the platform. One of the charges, providing cryptology services without a licence, alarmed privacy advocates across the messaging industry.</p>
→ www.npr.org</a></p>

3. Federal court rules Google is an illegal monopoly</h3>
Judge Amit Mehta ruled on 5 August that Google had unlawfully maintained its monopoly over search and search advertising. The decision opened the door to remedies that could reshape how the company collects and exploits user data.</p>
→ www.goodwinlaw.com</a></p>

4. Dutch regulator fines Uber 290 million euros over US data transfers</h3>
The Dutch Data Protection Authority fined Uber 290 million euros for sending European drivers' personal data to the United States without proper safeguards. The penalty ranked among the largest ever imposed under the GDPR.</p>
→ www.autoriteitpersoonsgegevens.nl</a></p>

5. X agrees to suspend use of EU data to train Grok</h3>
Ireland's Data Protection Commission won an undertaking from X to stop processing European users' public posts to train its Grok artificial intelligence tool. It was the first time the regulator had used its urgent High Court powers in this way.</p>
→ www.dataprotection.ie</a></p>

6. Brazil lifts its ban on Meta training AI with user data</h3>
Brazil's data protection authority lifted the suspension that had stopped Meta from using public posts to train its generative models. The regulator allowed processing to resume after Meta improved transparency, while keeping data of under-eighteens off limits.</p>
→ thehackernews.com</a></p>

7. City of Columbus sues researcher who exposed its ransomware leak</h3>
The City of Columbus, Ohio, sued the security researcher who revealed that data stolen in a ransomware attack contained unencrypted personal records of residents. Critics said the lawsuit tried to silence a whistleblower rather than protect the public.</p>
→ www.malwarebytes.com</a></p>

8. Halliburton hit by RansomHub ransomware attack</h3>
Oil services giant Halliburton disclosed in an SEC filing that an unauthorised party had accessed its systems and disrupted operations. Researchers later linked the August intrusion to the RansomHub ransomware gang, and the company reported a 35 million dollar loss.</p>
→ www.bleepingcomputer.com</a></p>

9. Toyota confirms third-party data breach impacting customers</h3>
Toyota confirmed that customer and employee data had been stolen after a hacker leaked 240GB of files on a forum. The carmaker blamed a third-party entity and said its own systems were not breached.</p>
→ www.bleepingcomputer.com</a></p>

10. Microchip Technology discloses cyberattack impacting operations</h3>
Chipmaker Microchip Technology told regulators that an intrusion had disrupted servers and forced factories to run below normal levels. The company later said attackers obtained employee contact details and hashed passwords.</p>
→ www.bleepingcomputer.com</a></p>

11. Enzo Biochem fined 4.5 million dollars over 2023 ransomware breach</h3>
The attorneys general of New York, New Jersey and Connecticut fined biotech firm Enzo Biochem for security failures that exposed health data on 2.4 million people. Investigators found shared logins, no multi-factor authentication and a password left unchanged for a decade.</p>
→ www.theregister.com</a></p>

12. ADT confirms breach exposing customer contact details</h3>
Home security firm ADT disclosed that an attacker had accessed databases holding customer email addresses, phone numbers and postal addresses. The company said it had no reason to believe financial data or home security systems were compromised.</p>
→ www.sec.gov</a></p>

13. Microsoft pushes Recall to October after privacy backlash</h3>
Microsoft said its controversial Recall feature, which captures screenshots of user activity, would reach Windows Insiders in October rather than launch broadly. The delay followed sustained criticism from researchers who showed how easily the snapshots could be extracted.</p>
→ www.malwarebytes.com</a></p>

14. Google says Iranian group targeted Trump and Biden campaign staff</h3>
Google's Threat Analysis Group reported that the Iran-linked group APT42 had run phishing operations against people tied to both presidential campaigns. The disclosure detailed how the attackers compromised the personal accounts of political figures.</p>
→ abcnews.go.com</a></p>

15. Justice Department sues TikTok over children's privacy</h3>
The US Department of Justice sued TikTok and ByteDance, alleging they collected data from millions of children without parental consent in breach of federal law. The complaint sought heavy civil penalties and an order to stop the practice.</p>
→ www.npr.org</a></p>

16. NIST releases first finalised post-quantum encryption standards</h3>
The National Institute of Standards and Technology published three finished standards for encryption designed to resist future quantum computers. The release gave organisations a concrete path to protect long-lived data against a coming threat.</p>
→ www.nist.gov</a></p>

17. Appeals court rules geofence warrants are categorically unconstitutional</h3>
The Fifth Circuit held in United States v. Smith that geofence warrants, which sweep up location data from everyone near a place, violate the Fourth Amendment. Privacy advocates welcomed the ruling as a check on dragnet location surveillance.</p>
→ www.eff.org</a></p>

18. Cyberattack on Mobile Guardian wipes thousands of student devices</h3>
A breach of the school device management platform Mobile Guardian let an intruder remotely wipe iOS and ChromeOS devices around the world. Singapore reported that roughly 13,000 students across 26 schools lost access to their machines.</p>
→ techcrunch.com</a></p>

19. Patelco Credit Union confirms member data exposed in ransomware attack</h3>
Patelco Credit Union acknowledged that a ransomware attack had exposed personal data including Social Security numbers and dates of birth. The breach affected more than a million current and former members and employees.</p>
→ www.cutimes.com</a></p>

20. EFF warns that police drones erode backyard privacy</h3>
The Electronic Frontier Foundation argued that the spread of police drones threatens privacy in spaces that courts once treated as protected. With old aerial surveillance precedents offering little shield, it urged states to require warrants for drone flights.</p>
→ www.eff.org</a></p>

Privacy Roundup #0216 • July 2024

hello@peterspath.net (Peter) — Thu, 01 Aug 2024 15:00:00 +0000

July 2024 was dominated by the fallout from the Snowflake breaches, record-breaking fines and bans, and fresh fights over surveillance and online safety law.</p>

1. AT&T says criminals stole phone records of nearly all customers</h3>
AT&T disclosed on 12 July that attackers had downloaded call and text records covering almost all of its wireless customers from a third-party cloud workspace. The stolen metadata revealed who contacted whom and, for some accounts, cell tower identifiers that could approximate a person's location.</p>
→ techcrunch.com</a></p>

2. Twilio confirms breach after hackers leak 33 million Authy phone numbers</h3>
Twilio confirmed that attackers had abused an unsecured endpoint to harvest the phone numbers of 33 million users of its Authy two-factor authentication app. The exposed numbers gave criminals a ready list of targets for phishing and SIM-swapping attacks.</p>
→ www.securityweek.com</a></p>

3. Evolve Bank says ransomware gang stole data on millions of customers</h3>
Evolve Bank and Trust confirmed that the LockBit ransomware group had stolen the personal information of more than seven million people after the bank refused to pay. The haul included names, Social Security numbers, and bank account details, which the gang then published on its leak site.</p>
→ techcrunch.com</a></p>

4. HealthEquity says data breach affects 4.3 million people</h3>
The health savings account custodian HealthEquity disclosed that a partner's compromised credentials had exposed the protected health information of 4.3 million individuals. The leaked records included names, addresses, Social Security numbers, and employment details.</p>
→ www.bleepingcomputer.com</a></p>

5. Texas wins 1.4 billion dollar biometric settlement against Meta</h3>
Texas secured a record 1.4 billion dollar settlement from Meta over its capture of residents' facial geometry without consent through Facebook's tag suggestions feature. The Electronic Frontier Foundation argued the outcome would have come sooner had individuals been allowed to sue directly.</p>
→ www.eff.org</a></p>

6. US Commerce Department ban forces Kaspersky out of the country</h3>
Kaspersky said it would wind down its United States operations after the Commerce Department barred new sales of its security products from 20 July. Officials warned that the Russian firm could be compelled to gather and weaponise the data of American users.</p>
→ techcrunch.com</a></p>

7. CrowdStrike update bricks Windows machines around the world</h3>
A faulty Falcon Sensor channel file from CrowdStrike crashed roughly 8.5 million Windows machines on 19 July, grounding flights and disrupting hospitals and banks. The episode showed how deeply a single security vendor's code is woven into critical infrastructure.</p>
→ www.theregister.com</a></p>

8. The KOSA internet censorship bill passes the Senate</h3>
The Senate passed the Kids Online Safety Act by 91 votes to 3, advancing a measure that would create a duty of care for online platforms. The Electronic Frontier Foundation warned the bill would chill protected speech and push services towards privacy-invasive age verification.</p>
→ www.eff.org</a></p>

9. RockYou2024 leak compiles nearly 10 billion passwords</h3>
A forum user published a file containing close to 10 billion unique plaintext passwords gathered from thousands of past breaches. Researchers warned the trove could fuel credential-stuffing and brute-force attacks against almost any unprotected system.</p>
→ www.malwarebytes.com</a></p>

11. UN cybercrime draft convention dangerously expands surveillance powers</h3>
The Electronic Frontier Foundation warned that the draft UN Cybercrime Convention would authorise open-ended evidence gathering with weak privacy safeguards. Civil society groups urged delegates to push back before the final negotiating session opened.</p>
→ www.eff.org</a></p>

12. AI mass surveillance at the Olympics is a privacy nightmare</h3>
Techdirt examined France's deployment of algorithmic video surveillance for the Paris Olympics under a law that civil liberties groups say breaches the GDPR. France became the first EU country to legalise such a sweeping AI-powered monitoring system.</p>
→ www.techdirt.com</a></p>

13. Google abandons its plan to drop third-party cookies in Chrome</h3>
Google reversed its long-running pledge to phase out third-party cookies, choosing instead to let users make a browser-wide choice about tracking. Privacy advocates and regulators had spent years scrutinising both the cookies and the Privacy Sandbox meant to replace them.</p>
→ www.theregister.com</a></p>

14. FTC bans NGL Labs from offering its anonymous app to minors</h3>
The Federal Trade Commission and the Los Angeles District Attorney barred the anonymous messaging app NGL from serving anyone under 18 and secured a five million dollar payment. Regulators said the firm sent users fake messages to push paid subscriptions and falsely claimed its AI filtered out bullying.</p>
→ techcrunch.com</a></p>

15. Supreme Court rules platforms have a First Amendment right to curate</h3>
The Supreme Court held in the NetChoice cases that platforms have a constitutional right to decide what speech they carry, free of state mandates. The Electronic Frontier Foundation welcomed the decision while warning that related laws still threaten privacy through age verification.</p>
→ www.eff.org</a></p>

16. Patelco Credit Union shuts down banking systems after ransomware attack</h3>
The California credit union took its online banking, mobile app, and call centre offline after a ransomware attack disrupted its systems at the start of July. The shutdown left more than 400,000 members unable to access many services for days.</p>
→ www.bleepingcomputer.com</a></p>

17. Rite Aid confirms breach exposing data on 2.2 million people</h3>
Rite Aid confirmed that the RansomHub gang had stolen the personal details of 2.2 million customers in a June intrusion that it disclosed in July. The exposed records included names, addresses, dates of birth, and government identification numbers tied to past purchases.</p>
→ www.bleepingcomputer.com</a></p>

18. Weak Squarespace defaults let attackers hijack domains</h3>
Krebs on Security reported that weak authentication defaults in Squarespace's migration of Google Domains let attackers seize at least a dozen organisations' domains. The hijackers exploited accounts that legitimate owners had never claimed, redirecting websites and email to themselves.</p>
→ krebsonsecurity.com</a></p>

19. Email addresses of 15 million Trello users leaked online</h3>
A threat actor published more than 15 million Trello email addresses gathered by abusing an unsecured API that linked addresses to public profiles. The combined data of email addresses and real names handed phishers and stalkers a convenient targeting list.</p>
→ www.bleepingcomputer.com</a></p>

20. ADT confirms breach after customer data leaked on hacking forum</h3>
The home security company ADT confirmed that attackers had stolen customer records and posted them on a hacking forum at the end of July. The exposed data included customer emails, addresses, and details of the products they had bought.</p>
→ www.bleepingcomputer.com</a></p>

Privacy Roundup #0215 • June 2024

hello@peterspath.net (Peter) — Thu, 04 Jul 2024 15:00:00 +0000

June 2024 was dominated by the sprawling Snowflake credential thefts, fresh curbs on Big Tech artificial intelligence and surveillance, and a run of regulators, courts and breach disclosures reshaping data protection.</p>

1. Snowflake breach exposes 165 customer organisations</h3>
Mandiant and Snowflake disclosed in June that a financially motivated group it tracks as UNC5537 had used stolen passwords to raid roughly 165 customer accounts. None of the affected tenants had enforced multi-factor authentication, and many credentials had not been changed for years.</p>
→ thehackernews.com</a></p>

2. Hacker accesses internal Tile tool that hands location data to police</h3>
On 12 June a hacker reached an internal tool at the location tracker maker Tile that processes data requests from law enforcement, using the credentials of a former employee. The intruder scraped customer names, physical addresses, email addresses and phone numbers, then attempted to extort the company.</p>
→ www.404media.co</a></p>

3. Microsoft reverses course and makes Windows Recall opt-in</h3>
After security researchers showed that the Recall feature stored unencrypted screenshots of everything a user did, Microsoft announced in June that it would be turned off by default. The company also required Windows Hello and encryption before the tool could be switched on.</p>
→ therecord.media</a></p>

4. Apple unveils Private Cloud Compute for on-device and cloud artificial intelligence</h3>
At its developer conference on 10 June, Apple announced Private Cloud Compute, a system meant to extend device-level privacy guarantees into the cloud. The company said personal data sent for processing would not be accessible to anyone, including Apple, and pledged to publish the code for public inspection.</p>
→ security.apple.com</a></p>

5. Meta pauses plans to train artificial intelligence on European user data</h3>
On 14 June the Irish Data Protection Commission said Meta had agreed to pause training its models on data from European users. The company had planned to rely on legitimate interests rather than seek explicit consent, prompting regulatory engagement and public criticism.</p>
→ www.dataprotection.ie</a></p>

6. noyb files complaints in eleven countries over Meta artificial intelligence training</h3>
On 6 June the privacy group noyb lodged complaints with eleven European data protection authorities, asking them to halt Meta's planned data use through an urgency procedure. It argued that using years of public and non-public posts to train artificial intelligence without consent breached the data protection rules.</p>
→ noyb.eu</a></p>

7. Truist Bank confirms breach as data appears for sale</h3>
Truist Bank confirmed in June that its systems had been breached after a dark web seller offered stolen records. The post claimed to contain data on tens of thousands of employees along with bank transaction details such as names, account numbers and balances.</p>
→ www.malwarebytes.com</a></p>

8. United States bans Kaspersky software</h3>
On 20 June the Commerce Department issued a first-of-its-kind determination prohibiting the sale of Kaspersky antivirus and security products to people in the United States. Officials said the Russian firm's software could be exploited to gather sensitive data and pass it to the Russian government.</p>
→ www.bis.gov</a></p>

9. Julian Assange pleads guilty and walks free</h3>
The WikiLeaks founder pleaded guilty in June to a single count of conspiring to obtain and disclose classified national defence information. He received a sentence of time served and was freed, ending a long legal battle over the publication of secret documents.</p>
→ www.justice.gov</a></p>

10. Polyfill supply-chain attack hits more than 100,000 websites</h3>
In late June the cdn.polyfill.io domain began injecting malicious code into a widely used JavaScript library, redirecting visitors on more than 100,000 sites to scam pages. Cloudflare responded by automatically rewriting requests to serve a safe mirror of the library instead.</p>
→ blog.cloudflare.com</a></p>

11. EFF opposes the American Privacy Rights Act</h3>
On 24 June the Electronic Frontier Foundation told Congress it opposed the American Privacy Rights Act in its current form. The group warned that the bill would freeze protections in place, override stronger state laws and stop states from passing tougher rules.</p>
→ www.eff.org</a></p>

12. FTC refers TikTok children's privacy complaint to the Justice Department</h3>
On 18 June the Federal Trade Commission announced it had referred a complaint against TikTok and ByteDance to the Justice Department. The regulator said it had reason to believe the companies were violating the children's privacy law after a review of an earlier settlement.</p>
→ www.ftc.gov</a></p>

13. Clearview AI settles biometric privacy case with an equity stake</h3>
In June Clearview AI reached an unusual settlement of biometric privacy claims, granting the class a 23 percent ownership stake in the company rather than a cash payment. The fund was valued at roughly 51.75 million dollars and addressed the firm's scraping of billions of facial images.</p>
→ www.biometricupdate.com</a></p>

14. Detroit settles wrongful facial recognition arrest case</h3>
On 28 June the city of Detroit agreed to pay 300,000 dollars to Robert Williams, who was wrongly arrested after a false facial recognition match. The settlement also imposed strict limits on police use of the technology, barring arrests based on a match alone.</p>
→ fortune.com</a></p>

15. Australian regulator takes Medibank to court over 2022 breach</h3>
On 5 June the Australian Information Commissioner began civil penalty proceedings against the insurer Medibank in the Federal Court. The action alleges that the company failed to take reasonable steps to protect the personal information of 9.7 million people exposed in a 2022 attack.</p>
→ www.oaic.gov.au</a></p>

16. Synnovis ransomware attack disrupts London hospitals and exposes patient data</h3>
A ransomware attack on the pathology provider Synnovis on 3 June forced major London hospitals to cancel thousands of operations and appointments. On 20 June the attackers published stolen data, including patient names, NHS numbers and test results.</p>
→ www.bleepingcomputer.com</a></p>

17. Los Angeles County health agency discloses phishing breach affecting 200,000 people</h3>
In mid-June the Los Angeles County Department of Public Health disclosed a phishing attack that compromised the credentials of dozens of staff. The intrusion exposed sensitive information on more than 200,000 people, including diagnoses, prescriptions and Social Security numbers.</p>
→ www.infosecurity-magazine.com</a></p>

18. Alleged leader of the Scattered Spider hacking group arrested</h3>
On 15 June Krebs on Security reported that police in Spain had arrested a 22-year-old British man accused of leading the Scattered Spider extortion group. The group has been tied to data theft and phishing attacks against numerous large companies.</p>
→ krebsonsecurity.com</a></p>

19. EU vote on message-scanning Chat Control proposal is withdrawn</h3>
A planned Council vote on the child sexual abuse regulation, known to critics as Chat Control, was pulled in late June amid heavy opposition. Campaigners and technical experts warned that the bulk scanning of private messages would undermine encryption for millions of users.</p>
→ www.patrick-breyer.de</a></p>

20. Pure Storage confirms breach of its Snowflake workspace</h3>
On 11 June the storage company Pure Storage confirmed that attackers had accessed a Snowflake workspace containing telemetry information. The exposed data included company names, usernames and email addresses, though the firm said it did not contain credentials for customer systems.</p>
→ www.theregister.com</a></p>

Privacy Roundup #0214 • May 2024

hello@peterspath.net (Peter) — Thu, 06 Jun 2024 15:00:00 +0000

May 2024 was dominated by the Snowflake breach wave and a fierce backlash against artificial intelligence features that quietly harvest personal data.</p>