United Kingdom
South Gloucestershire Council apologises for data breach exposing residents’ details
- Sensitive personal data of 625 residents who responded to a council consultation was accidentally published online for three days by South Gloucestershire Council.
- The exposed information included names, addresses, phone numbers, and email addresses, which were mistakenly left in a worksheet attached to consultation documents.
- The council removed the data promptly, reported the breach to the Information Commissioner’s Office (ICO), and assessed the incident as posing a low risk to those affected.
- Officials have apologised and pledged to strengthen data protection procedures and follow any further ICO guidance to prevent similar incidents.
UK water systems face growing cyber threat
- Five cyber incidents have targeted UK drinking water systems since January 2024, according to data obtained from the Drinking Water Inspectorate.
- Similar attacks worldwide, including in Ireland, the US, and Canada, have shown hackers can reach systems close to critical operations, raising fears over potential disruption.
- Currently, UK law only requires water utilities to report cyberattacks if they cause disruption, but the proposed Cyber Security and Resilience Bill (2025) would expand mandatory reporting.
- Experts warn that with drought pressures already straining UK water resources, utilities must also strengthen cyber defences to protect critical infrastructure.
United States
US lawmakers target Flock Safety over privacy and security concerns
- US lawmakers are calling for a federal investigation into Flock Safety, alleging poor cybersecurity practices and mishandling of Americans’ personal data collected through its vast license plate reader network.
- Flock’s cameras have allegedly enabled mass surveillance and law enforcement overreach, with reported cases of use in abortion-related investigations and immigration enforcement. The Electronic Frontier Foundation has also documented numerous errors and wrongful detentions caused by misread license plates.
- Growing opposition across seven US states has led communities to remove Flock cameras, warning that the company’s expanding surveillance tech could worsen misuse and data risks.
Pennsylvania University investigates data breach after offensive emails sent to alumni
- The University of Pennsylvania has reported a data breach affecting some of its systems and has called in the FBI to investigate.
- Hackers sent offensive emails to alumni while posing as the university, using insults and derogatory language about staff and students.
- A hacker group claimed the breach exposed data on 1.2 million financial donors to the university, though this has not been independently verified.
- The incident follows a wave of cyberattacks on universities, including recent breaches linked to a Hitler-supporting hacker who targeted other major US institutions like Columbia University.
Europe
Swedish regulator investigates massive Miljödata breach affecting 1.5 million people
- A data breach at Swedish IT firm Miljödata has exposed the personal data of over 1.5 million individuals, with stolen data later published on the Darknet, leading to a major investigation by the Swedish Data Protection Authority (IMY).
- The IMY is conducting GDPR compliance inspections into Miljödata and three public sector clients: the City of Gothenburg, Älmhult Municipality, and Region Västmanland, which relied on Miljödata’s IT systems to process personal data.
- The incident has raised national concern over the cybersecurity resilience of Sweden’s public sector IT systems, with IMY signalling it may expand its inquiry if further risks or affected entities are identified. The IMY is examining whether appropriate safeguards were in place, particularly for children and people with protected identities.
Denmark’s revised “chat control” plan raises privacy and anonymity concerns
- Denmark’s update to the EU’s “chat control” proposal replaces mandatory scanning of private messages with voluntary searches by providers, meaning companies may choose whether to carry them out.
- Former MEP Patrick Breyer cautioned that the plan ignores the European Parliament’s safeguard requiring a court order for access to private communications, weakening key privacy protections.
- The proposal would also ban under-16s from using messaging apps such as WhatsApp or Telegram, and end anonymous communication since users might need to verify their identity.
- Critics argue that the “voluntary” model could become de facto mandatory for platforms, creating pressure to implement mass scanning and eroding privacy, free expression, and secure communication across the EU.
International
Australia’s eSafety Commissioner enforces age limits to strengthen children’s online safety
- In Australia, Facebook, Instagram, TikTok, and other platforms have been formally notified that, from December 2025, they must prevent users under 16 from creating accounts to reduce children’s exposure to online harms.
- Platforms that fail to take reasonable steps to verify users’ ages and comply with the Online Safety Act may face penalties of up to AUD $49.5 million.
- eSafety will continuously review and update which platforms fall under these rules, recognising that new features or changes in data use can alter how services interact with young users’ information.
- Commissioner Julie Inman Grant said the measures form part of a digital safety strategy, giving children time to build resilience and ensuring tech companies design safer, more privacy-conscious online environments.