United Kingdom
The UK withdraws controversial demand to access US Apple users’ data
- The UK has reportedly backed down from requiring Apple to create a back door into encrypted iCloud data of American users, as it would infringe on U.S. citizens’ civil liberties.
- The request, issued in December 2024, stemmed from the UK’s Investigatory Powers Act, which lets ministers issue Technical Capability Notices compelling tech firms to weaken encryption.
- Apple resisted by withdrawing its Advanced Data Protection feature from the UK and challenging the order in court, in addition to US officials pressing London to retreat from its stance.
- The UK’s move seems “hugely welcome,” but given that the legal authority to demand encryption back doors remains under the Act, similar clashes could re-emerge in the future.
UK telecom firm Colt faces $200k ransom threat after cyberattack exposing personal data
- Colt, a UK telecom company connecting 900 datacentres globally, was hit by a cyberattack on 12 August 2025, reportedly a ransomware operation claimed by the Warlock group demanding $200,000.
- The group is offering up to one million documents for sale, ranging from employee data and internal emails to financial records.
- Security experts link the breach to a SharePoint vulnerability (CVE‑2025‑53770), allowing attackers to bypass security patches, execute remote code, and exfiltrate cryptographic keys through an exploit chain known as ToolShell.
- Colt affirms that core network infrastructure remains unaffected and that internal support systems were taken offline as a precaution.
Yemen cyber army hacker jailed for defacements and mass data theft
- 26 year-old Al‑Tahery Al‑Mashriky, from South Yorkshire, was sentenced to 20 months in prison at Sheffield Crown Court after pleading guilty to nine offences under the Computer Misuse Act.
- Tied to extremist groups like Spider Team and the Yemen Cyber Army, he defaced many websites to spread political and religious messaging, including Yemen’s government websites, faith websites and the California State Water Board.
- Forensic analysis of his seized devices revealed personal data from over four million Facebook users, as well as usernames and passwords for services such as Netflix and PayPal.
- Al‑Mashriky claimed on a cybercrime forum to have hacked into 3,000 websites in just three months during 2022, highlighting the extent and scale of his activities before his arrest in August 2022.
United States
Google to settle YouTube children’s privacy suit for $30M
- Google has agreed to pay $30 million to settle a class-action lawsuit alleging that YouTube collected personal information from children under 13 without parental consent and used it for targeted advertising, which violates federal and state privacy laws. The settlement is preliminary and pending court approval.
- The lawsuit was filed by parents of 34 minors and accuses Google of continuing to engage in unlawful data collection practices even after a 2019 settlement with the FTC and New York Attorney General, which required Google to pay $170 million and alter its data practices.
- The class action applies to US children under the age of 13 who watched YouTube between July 1, 2013, and April 1, 2020. Up to 45 million children may be eligible, and if 1–2% file claims, payouts could range from $30 to $60 per claimant, prior to deductions for legal fees.
- Google denies any wrongdoing as part of the settlement. Plaintiffs’ attorneys intend to request up to $9 million in legal fees from the settlement fund.
FTC warns tech companies to not under-protect US users to meet EU/UK rules
- Federal Trade Commission (FTC) Chair Andrew Ferguson has cautioned leading tech companies (Apple, Alphabet, Meta, Microsoft, Amazon, and others) that in complying with foreign laws like the EU Digital Services Act and the UK’s Online Safety Act or Investigatory Powers Act, they must not weaken data privacy or encryption for American users.
- Ferguson stressed that applying broad, global policies to simplify compliance may violate U.S. law, especially if those policies diminish privacy or facilitate surveillance. It could constitute an unfair or deceptive practice under the FTC Act if promises of data protection are broken.
- This warning is part of a broader Trump administration strategy aimed at countering the influence of foreign digital regulation, including pressure against the EU Digital Services Act and supporting UK’s abandonment of a backdoor demand in the Apple case.
Europe
Austrian newspaper Der Standard’s “Pay or OK” consent model violates EU consent rules
- The Austrian Federal Administrative Court has upheld a decision by the national Data Protection Authority that Austrian newspaper Der Standard’s “Pay‑or‑OK” consent model violates EU data protection rules as it forces users into an all-or-nothing choice: pay for privacy or accept tracking.
- The court found that Der Standard’s global consent or pay option failed to allow users to consent to specific data processing purposes.
- Max Schrems, Austrian lawyer and privacy activist at NOYB, and others argue that when asked, only 1 to 7% of users want to be tracked for online advertisement, but almost all users agree to online tracking with the “Pay or OK” model.
Orange Belgium Breach: 850k customer records exposed
- Telecommunications company Orange Belgium has confirmed that it was the target of a cyberattack at the end of July, with a hacker gaining access to around 850,000 customer accounts.
- Exposed information included customers’ surnames, first names, telephone numbers, SIM card numbers, PUK codes, and tariff plans. Orange Belgium emphasised that no critical data such as passwords, email addresses, or banking details was compromised.
- Upon discovering the breach, Orange Belgium blocked system access, enhanced security measures, and notified relevant authorities and affected customers.
International
TPG cyberattack: iiNet data breach affects 280k customers in Australia
- TPG Telecom, the parent company of Australia’s iiNet, reported a cyberattack on its order management system used by iiNet, with a hacker gaining unauthorised access.
- The breach resulted in the theft of approximately 280,000 active email addresses, 20,000 active landline phone numbers, and additional personal details such as usernames, addresses, phone numbers for around 10,000 customers.
- The affected system did not store identity documents or financial information so banking details or other highly sensitive identifiers were not exposed.
- The breach has likely resulted from stolen employee credentials. TPG moved quickly to isolate the system, engaged external cybersecurity experts, and found no signs of impact to its broader infrastructure.
