Data Protection News Update 08 December 2025

United Kingdom

ICO to review how mobile games protect children’s data and online safety

  • The UK Information Commissioner’s Office (ICO) is launching a review of 10 popular mobile games to check whether they protect children’s privacy, notably examining default privacy settings, geolocation controls, and targeted advertising.
  • This is driven by strong parental concern: parents worry about exposure to strangers or harmful content, and about how games collect, share, or use children’s personal data.
  • The ICO’s action builds on its Children’s Code work, which has already forced major platforms to strengthen privacy for millions of children. It now aims to apply the same child-protective data standards to mobile games, where intrusive design and tracking are increasingly common.

Post Office reprimanded by the ICO for preventable data breach

  • The ICO reprimanded the Post Office after it accidentally published an unredacted legal document online, exposing highly sensitive personal data such as names and home addresses of 502 postmasters who were part of the Horizon IT litigation. This could have led to identity theft, harassment, or further harm to already vulnerable data subjects.
  • The investigation found weak data-protection controls, including no proper checks before publishing documents, poor staff training, and no guidance on handling sensitive information.
  • The ICO chose a reprimand instead of a fine, but highlighted that all organisations must build “data protection by design” into everyday operations to prevent similar breaches and protect people’s personal information.

United States

OpenAI API breach highlights risks around third-party data access

  • OpenAI confirmed a breach affecting API users, caused by unauthorised access to its sub-processor Mixpanel’s analytics systems. Although ChatGPT user accounts were not exposed, the incident shows how data shared with external partners can create hidden vulnerabilities.
  • Exposed information included account names, emails, device details, and organisation/user IDs, which can be used for targeted phishing.
  • The breach underscores a broader online-safety principle: whenever businesses connect tools through APIs, data flows multiply, increasing privacy risks if employees use unapproved AI tools.
  • To strengthen protection, users and organisations should apply AI-usage policies, restrict tools to approved platforms, disable optional data-training settings, use MFA, and stay alert to phishing attempts.

Marquis ransomware attack raises major online safety and data protection concerns

  • A ransomware attack on fintech vendor Marquis exploited a vulnerability in its SonicWall firewall, allowing hackers to access files containing highly sensitive personal data that Marquis was storing on behalf of U.S. banks and credit unions.
  • The exposed information includes Social Security numbers, taxpayer IDs, dates of birth, and financial account details, all of which are prime targets for identity theft and fraud.
  • Because Marquis works behind the scenes for many financial institutions, the breach means customers may have their data compromised even if their own bank was not directly attacked.
  • Although there is no evidence of misuse yet, the incident demonstrates how ransomware attacks on financial service vendors can lead to phishing attempts, account-takeover risks, and identity fraud.

Europe

EU investigates Meta’s WhatsApp AI policy over risks to competition, online safety and user control

  • The EU’s antitrust probe focuses on whether Meta’s plan to restrict third-party AI assistants on WhatsApp could limit user choice and create a dominant gateway for AI services, raising concerns about online safety when a single platform controls which digital tools users can access.
  • Regulators are examining whether Meta’s new policy would give its own “Meta AI” preferential access to WhatsApp’s user base, potentially crowding out safer or more privacy-protective AI alternatives, and reducing competition that often drives better data-protection standards.
  • Small AI developers argue that being blocked from WhatsApp would cut off a major discovery channel, which could deny millions of users access to transparent and more privacy-focused AI tools, concentrating the handling of personal data in the hands of one provider.
  • The EU’s action, which could include suspending Meta’s policy or imposing fines, reflects broader efforts to ensure AI services operate under fair competition rules across Europe.

EU and Singapore to strengthen their digital partnership with a focus on online safety, cybersecurity, and trusted data flows

  • The EU-Singapore council reaffirmed joint commitments to stronger cybersecurity, cross-border digital identity systems, and interoperable trust services to protect users and businesses as digital risks grow globally.
  • Both sides described online safety as a priority, agreeing to collaborate on tackling scams, enhancing consumer protection, and exploring safeguards like age-verification tools to reduce harm and protect minors on digital platforms.
  • The partnership’s agenda reflects a joint effort to build secure and trustworthy digital ecosystems amid global technological competition.

International

India’s mandatory government cybersecurity app for new smartphones

  • India has ordered all new smartphones to come pre-loaded with a government cybersecurity app, Sanchar Saathi, that users cannot initially disable, raising concerns that the state is forcing software onto phones that can access calls, messages, photos, files, and the camera.
  • Although the government says the app helps users verify phones and report fraud, experts warn that giving a state-run app such broad access could enable intrusive monitoring or large-scale data collection, creating a risk of government surveillance and weakening user control over their personal information.
  • The government claimed users could delete the app, but did not explain how deletion is possible if the app’s functions “cannot be disabled or restricted,” raising questions about transparency and meaningful consent. 

For the latest updates on the ICO mobile games privacy review, OpenAI API breach, Marquis ransomware attack, EU digital policy actions, and global cybersecurity incidents, visit our Data Protection News hub.
