Data Protection News Update 22 September 2025

United Kingdom

Reports warn that over half of insider cyberattacks on UK schools come directly from students

  • The Information Commissioner’s Office’s (ICO) recent analysis of 215 personal data breach reports from 2022 to 2024 found that students were behind 57% of insider cyber incidents in UK schools. Many exploited weak or shared login details: 97% of the stolen-credential cases were linked to pupils.
  • Easy access to systems, poor password practices, and unsupervised devices create openings for “teen hackers”. Motivations include dares, revenge, financial gain, and notoriety, echoing National Crime Agency findings that 1 in 5 children aged 10 to 16 try illegal online activities.
  • Incidents ranged from viewing or altering personal data to using tools from hacker forums to bypass school security. One breach affected 1,400 students via an information-management system; another exposed 9,000 records including health and safeguarding data.

The ICO issues practical cybersecurity tips for small businesses

  • UK government data estimates 7.7 million cybercrimes against businesses in the past year, and the ICO warns that many small firms still neglect basic protections, even as attacks become more sophisticated.
  • The ICO urges businesses to adopt essential measures: regular data backups, stored separately and encrypted; strong, unique passwords and multi-factor authentication for accounts and devices; up-to-date anti-malware software; and secure Wi-Fi, with a VPN when connecting over public networks.
  • In the workplace, employees should lock screens when away and check what is visible before sharing a screen, while companies are encouraged to limit access to staff who need it and teach teams how to spot phishing and other suspicious emails. The ICO also reminds businesses that personal data should only be kept for as long as necessary and that old records must be securely disposed of.
  • Under UK GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the business becoming aware of it.

United States

DiDi to settle $740M U.S. investor lawsuit over IPO and cybersecurity disclosures

  • DiDi Global has agreed in principle to pay $740 million to resolve a US class action alleging it misled investors about Chinese regulatory concerns before its June 2021 Initial Public Offering (IPO). The deal is expected to be submitted to a Manhattan federal judge for approval in mid-October 2025.
  • Investors claimed DiDi hid a directive from China’s Cyberspace Administration (CAC) to postpone its IPO until data-security and privacy issues around cross-border transfers were resolved, raising $4.4 billion despite unresolved compliance questions.
  • Soon after the IPO, the CAC banned DiDi from registering new users and ordered its app removed from stores, causing shares to plunge; in 2022, CAC imposed a $1.2 billion fine over data-handling violations.

Maryland’s MODPA introduces “strictly necessary” standard for sensitive personal information

  • The Maryland Online Data Privacy Act (MODPA) is set to take effect on 1 October 2025. It establishes strict limits on the handling of sensitive personal information such as health data, racial or ethnic origin, precise geolocation, genetic/biometric data, religious beliefs, and information about children.
  • Unlike most US state privacy laws, which allow sensitive data to be processed with the consumer’s consent, MODPA does not treat consent as sufficient: sensitive data may be collected, processed, or shared only when doing so is “strictly necessary” to provide or maintain a product or service the consumer has requested.
  • Organisations must map and review all sensitive personal information processing activities, document necessity assessments, and decide whether to implement MODPA requirements company-wide or only for Maryland residents before 1 October, balancing risk, resources, and technology.

Europe

Kering data breach exposes millions of luxury brand customer records

  • French luxury group Kering has confirmed that an unauthorised party accessed its internal systems in June 2025, exposing customer data across several of its brands, including Gucci, Balenciaga, and Alexander McQueen.
  • The leaked personal information includes names, email addresses, phone numbers, home addresses, and total in-store purchase amounts. According to the company, no financial data such as card numbers or bank account details was affected.
  • The cybercriminal group ShinyHunters claims responsibility and has reportedly obtained 7.4 million unique email addresses.
  • Kering has notified relevant authorities and contacted impacted customers in accordance with applicable privacy laws, though it has not yet specified which countries or regions are affected.

Experts rally against EU “Chat Control” proposal over encryption, accuracy and privacy risks

  • A group of more than 600 AI experts, cryptographers, and security researchers has signed an open letter warning that the proposed EU Regulation to Prevent and Combat Child Sexual Abuse (CSAR), known as “Chat Control,” severely threatens privacy, security, and free speech.
  • The proposal would require platforms to scan end-to-end encrypted communications for child abuse material. Critics argue that any such scanning, whether by weakening the encryption itself or by inspecting messages on the device before they are encrypted, defeats the core guarantee of end-to-end encryption: that only the sender and the intended recipient can read the content.
  • Experts also highlight that detection technologies, especially those using AI, are not reliable enough: they point to high rates of false positives (innocent content flagged mistakenly) and false negatives (illicit content evading detection), creating both risks for individuals and burdens for authorities.
  • The regulation is politically divisive: around 15 EU Member States support the measure, 6 are explicitly opposed, and another 6 are undecided. Germany is widely seen as the key swing vote whose stance may be decisive. A vote is expected by 14 October 2025.

International

Canada’s halted asylum system upgrade left refugee data at risk

  • Canada launched a $68M “asylum interoperability” project in 2019 to digitise refugee claims and improve data sharing between Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA), and the Immigration and Refugee Board (IRB). The initiative was, however, shut down in 2024 after reaching only 64% completion.
  • None of the three agencies finalised required Privacy Impact Assessments (PIAs) while rolling out new data-collection tools and real-time information exchanges. Documents show confusion over who was responsible, with departments “playing hot potato” over PIAs instead of treating them as a prerequisite. IRCC now says its PIA will not be finished until late 2025; CBSA has dropped its own assessment.
  • Lawyers warn that implementing digital tools without privacy testing exposes highly sensitive refugee data, including personal histories and contact information, to leaks or misuse. Past email errors have already exposed claimants’ information to third parties, including people they were fleeing.
  • Treasury Board rules require PIAs before launching or altering any system handling personal data, with a compliance deadline of mid-October 2025 for legacy programs. Critics say the government’s “move fast” approach undermined public trust and placed vulnerable people at greater risk, urging stronger accountability for privacy in digital government projects.
