Data Protection News Update 18 May 2026

United Kingdom

HMRC to deploy AI to detect fraud and tax return mistakes

  • HMRC has entered into a 10-year, £175 million contract with British tech company Quantexa to deploy AI-powered systems.
  • The aim is to boost the tax office’s performance to quickly catch fraud, correct errors, and trace mismatched tax payments.
  • The deal comes amid rising public frustration over HMRC’s performance, largely driven by slow response times.
  • Quantexa emphasised that the AI will support, rather than replace, human staff, ensuring all automated decisions remain transparent, explainable, and checked by people. To protect taxpayer privacy, HMRC data will be strictly isolated and will never leave the government’s secure environment.

South Staffordshire Water fined nearly £1m following major cyber-attack and data breach

  • A phishing email allowed hackers to plant undetected malware in South Staffordshire’s systems for 20 months. The attacker stole and published 4.1 terabytes of data on the dark web before being discovered via IT performance issues and a failed ransom note.
  • The cyber-attack compromised the personal details of approximately 634,000 people, including customers and employees.
  • An ICO investigation revealed severe security lapses, including inadequate network access controls, unpatched critical systems, and the use of obsolete software like Windows Server 2003.
  • South Staffordshire agreed to a voluntary settlement, receiving a 40% reduction for early admission of liability, resulting in a final penalty of £963,900.

MPs warn of dangerous development as Palantir gains access to identifiable NHS patient data

  • MPs and privacy campaigners have warned that NHS England’s (NHSE) decision to grant Palantir staff unlimited access to identifiable patient information is dangerous and risks severely damaging public trust.
  • NHSE allowed this access to Palantir as a data processor in order to speed up work on its Federated Data Platform (FDP).
  • NHSE added that data access is heavily logged, restricted to a small number of engineers, and requires high-level director approval alongside government security clearance.
  • The move has drawn sharp political condemnation as well as wide public concern, with critics calling for the project to be halted and denouncing Palantir’s expanding government footprint.

United States

Netflix sued by Texas over accusations of secretly tracking users

  • The Texas Attorney General has sued Netflix, accusing the company of operating a massive surveillance program that secretly records and monetises billions of user behavioural data points from both adults and children without consent.
  • The complaint attacks manipulative platform design features (specifically autoplay) as intentional dark patterns engineered to eliminate natural stopping points and keep individuals hooked on screens, thereby artificially maximising the data harvest.
  • Texas is seeking substantial civil penalties and asking the court to force Netflix to purge all deceptively gathered data, halt unauthorised targeted advertising, and completely disable autoplay features by default on all children’s profiles.
  • Netflix has firmly rejected the claims, stating the lawsuit lacks merit.

General Motors agrees to $12.75m fine after selling drivers’ location data

  • General Motors (GM) has agreed to a $12.75 million settlement with California’s Attorney General and local district attorneys after allegations that it unlawfully sold the personal information of hundreds of thousands of individuals.
  • GM quietly collected personal details, precise geolocations, and behavioural driving metrics. The company generated an estimated $20 million by selling this data to brokers, directly contradicting its privacy policy.
  • The settlement also imposes strict, legally binding guardrails. GM faces a five-year ban prohibiting the sale of consumer driving information to any data broker, is heavily restricted in its general use of driver data, and must implement strict consumer opt-out protections.

Europe

Cyber-attack on Zara supplier exposes personal data of 197,000 customers

  • Fashion giant Inditex confirmed a breach stemming from unauthorised access to databases managed by a former third-party technology provider.
  • Data verification platform Have I Been Pwned confirmed that 197,000 unique Zara customer email addresses were leaked. The stolen 140 GB dataset also contains specific order identifiers, geographic tracking data, and product codes.
  • The ransomware group ShinyHunters claimed responsibility for the cyber-attack. The breach is part of a massive, coordinated international campaign by the group, which has recently targeted other high-profile entities including the European Commission, Google, Cisco, and Vimeo.

Ireland’s Data Protection Commission fines PTSB €250,000

  • Ireland’s Data Protection Commission (DPC) has fined Permanent TSB (PTSB) a total of €277,500 and issued an official reprimand following an inquiry into a series of personal data breaches at the bank.
  • The DPC ruled that PTSB violated the principle of integrity and confidentiality and failed to implement technical and organisational measures to secure customer data, alongside failing to notify regulators of the breaches within the mandatory 72-hour window.
  • The breaches occurred when malicious actors holding partial customer data called the bank’s Open24 Contact Centre, successfully posed as account holders, and bypassed weak security checkpoints to alter account details and extract further sensitive personal information.
  • Because appropriate security protocols were lacking, the victims were ultimately forced to close their bank accounts entirely, and some suffered direct financial losses.

International

Chinese worker replaced by AI is awarded compensation by court

  • A Chinese court awarded a worker over £28,000 after he was illegally fired for refusing a 40% pay cut when his company replaced his role with AI.
  • The ruling signals a shift in China’s approach, emphasising that while companies can adopt AI, they cannot use technology as a legal loophole to bypass labour protections.
  • As China faces high youth unemployment, the government is moving away from purely optimistic AI messaging toward more active protection of workers displaced by automation.
  • Legal experts note that foreseeable business upgrades through AI do not constitute the significant change in circumstances required for termination.


For the latest updates on major data breaches, HMRC’s AI fraud detection rollout, the NHS Palantir controversy, Netflix’s tracking lawsuit, and global cybersecurity incidents, visit our Data Protection News hub.
