Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Privacy. Show all posts
Privacy Lawsuit
Alexa Amazon Customer Data Data collection Data Privacy Data Privacy Laws Data Safety User Data Personal Data Privacy privacy laws Privacy Lawsuit

Federal Judge Allows Amazon Alexa Users’ Privacy Lawsuit to Proceed Nationwide

 

A federal judge in Seattle has ruled that Amazon must face a nationwide lawsuit involving tens of millions of Alexa users. The case alleges that the company improperly recorded and stored private conversations without user consent. U.S. District Judge Robert Lasnik determined that Alexa owners met the legal requirements to pursue collective legal action for damages and an injunction to halt the alleged practices. 

The lawsuit claims Amazon violated Washington state law by failing to disclose that it retained and potentially used voice recordings for commercial purposes. Plaintiffs argue that Alexa was intentionally designed to secretly capture billions of private conversations, not just the voice commands directed at the device. According to their claim, these recordings may have been stored and repurposed without permission, raising serious privacy concerns. Amazon strongly disputes the allegations. 

The company insists that Alexa includes multiple safeguards to prevent accidental activation and denies evidence exists showing it recorded conversations belonging to any of the plaintiffs. Despite Amazon’s defense, Judge Lasnik stated that millions of users may have been impacted in a similar manner, allowing the case to move forward. Plaintiffs are also seeking an order requiring Amazon to delete any recordings and related data it may still hold. The broader issue at stake in this case centers on privacy rights within the home.

If proven, the claims suggest that sensitive conversations could have been intercepted and stored without explicit approval from users. Privacy experts caution that voice data, if mishandled or exposed, can lead to identity risks, unauthorized information sharing, and long-term security threats. Critics further argue that the lawsuit highlights the growing power imbalance between consumers and large technology companies. Amazon has previously faced scrutiny over its corporate practices, including its environmental footprint. 

A 2023 report revealed that the company’s expanding data centers in Virginia would consume more energy than the entire city of Seattle, fueling additional criticism about the company’s long-term sustainability and accountability. The case against Amazon underscores the increasing tension between technological convenience and personal privacy. 

As voice-activated assistants become commonplace in homes, courts will likely play a decisive role in determining the boundaries of data collection and consumer protection. The outcome of this lawsuit could set a precedent for how tech companies handle user data and whether customers can trust that private conversations remain private.
Read more »
Privacy
AI Chatbot AI Platform AI Privacy AI technology Chatbots ChatGPT ChatGPT risks Data Privacy data security Privacy

Think Twice Before Uploading Personal Photos to AI Chatbots

 

Artificial intelligence chatbots are increasingly being used for fun, from generating quirky captions to transforming personal photos into cartoon characters. While the appeal of uploading images to see creative outputs is undeniable, the risks tied to sharing private photos with AI platforms are often overlooked. A recent incident at a family gathering highlighted just how easy it is for these photos to be exposed without much thought. What might seem like harmless fun could actually open the door to serious privacy concerns. 

The central issue is unawareness. Most users do not stop to consider where their photos are going once uploaded to a chatbot, whether those images could be stored for AI training, or if they contain personal details such as house numbers, street signs, or other identifying information. Even more concerning is the lack of consent—especially when it comes to children. Uploading photos of kids to chatbots, without their ability to approve or refuse, creates ethical and security challenges that should not be ignored.  

Photos contain far more than just the visible image. Hidden metadata, including timestamps, location details, and device information, can be embedded within every upload. This information, if mishandled, could become a goldmine for malicious actors. Worse still, once a photo is uploaded, users lose control over its journey. It may be stored on servers, used for moderation, or even retained for training AI models without the user’s explicit knowledge. Just because an image disappears from the chat interface does not mean it is gone from the system.  

One of the most troubling risks is the possibility of misuse, including deepfakes. A simple selfie, once in the wrong hands, can be manipulated to create highly convincing fake content, which could lead to reputational damage or exploitation. 

There are steps individuals can take to minimize exposure. Reviewing a platform’s privacy policy is a strong starting point, as it provides clarity on how data is collected, stored, and used. Some platforms, including OpenAI, allow users to disable chat history to limit training data collection. Additionally, photos can be stripped of metadata using tools like ExifTool or by taking a screenshot before uploading. 

Consent should also remain central to responsible AI use. Children cannot give informed permission, making it inappropriate to share their images. Beyond privacy, AI-altered photos can distort self-image, particularly among younger users, leading to long-term effects on confidence and mental health. 

Safer alternatives include experimenting with stock images or synthetic faces generated by tools like This Person Does Not Exist. These provide the creative fun of AI tools without compromising personal data. 

Ultimately, while AI chatbots can be entertaining and useful, users must remain cautious. They are not friends, and their cheerful tone should not distract from the risks. Practicing restraint, verifying privacy settings, and thinking critically before uploading personal photos is essential for protecting both privacy and security in the digital age.
Read more »
User Security
Data Privacy Facial Recognition System Regulation Bill Technology User Security

Facial Recognition's False Promise: More Sham Than Security

 

Despite the rapid integration of facial recognition technology (FRT) into daily life, its effectiveness is often overstated, creating a misleading picture of its true capabilities. While developers frequently tout accuracy rates as high as 99.95%, these figures are typically achieved in controlled laboratory settings and fail to reflect the system's performance in the real world.

The discrepancy between lab testing and practical application has led to significant failures with severe consequences. A prominent example is the wrongful arrest of Robert Williams, a Black man from Detroit who was misidentified by police facial recognition software based on a low-quality image.

This is not an isolated incident; there have been at least seven confirmed cases of misidentification from FRT, six of which involved Black individuals. Similarly, an independent review of the London Metropolitan Police's use of live facial recognition found that out of 42 matches, only eight were definitively accurate.

These real-world failures stem from flawed evaluation methods. The benchmarks used to legitimize the technology, such as the US National Institute of Standards and Technology's (NIST) Facial Recognition Technology Evaluation (FRTE), do not adequately account for real-world conditions like blurred images, poor lighting, or varied camera angles. Furthermore, the datasets used for training these systems are often not representative of diverse demographics, which leads to significant biases .

The inaccuracies of FRT are not evenly distributed across the population. Research consistently shows that the technology has higher error rates for people of color, women, and individuals with disabilities. For example, one of Microsoft’s early models had a 20.8% error rate for dark-skinned women but a 0% error rate for light-skinned men . This systemic bias means the technology is most likely to fail the very communities that are already vulnerable to over-policing and surveillance.

Despite these well-documented issues, FRT is being widely deployed in sensitive areas such as law enforcement, airports, and retail stores. This raises profound ethical concerns about privacy, civil rights, and due process, prompting companies like IBM, Amazon, and Microsoft to restrict or halt the sale of their facial recognition systems to police departments. The continued rollout of this flawed technology suggests that its use is more of a "sham" than a reliable security solution, creating a false sense of safety while perpetuating harmful biases.
Read more »
Ransomware
Data Breach Data Privacy Digital Personal Double extortion Healthcare cybersecurity Misconfiguration Patient Ransomware

Over a Million Healthcare Devices Hit by Cyberattack

 


Despite the swell of cyberattacks changing the global threat landscape, Indian healthcare has become one of the most vulnerable targets as a result of these cyberattacks. There are currently 8,614 cyberattacks per week on healthcare institutions in the country, a figure that is more than four times the global average and nearly twice that of any other industry in the country. 

In addition to the immense value that patient data possesses and the difficulties in safeguarding sprawling healthcare networks, the relentless targeting of patients reflects the challenges that healthcare providers continue to face healthcare providers. With the emergence of sophisticated hacktivist operations, ransomware, hacking attacks, and large-scale data theft, these breaches are becoming more sophisticated and are not simply disruptions. 

The cybercriminal business is rapidly moving from traditional encryption-based extortion to aggressive methods of "double extortion" that involve stealing and then encrypting data, or in some cases abandoning encryption altogether in order to concentrate exclusively on exfiltrating data. This evolution can be seen in groups like Hunters International, recently rebranded as World Leaks, that are exploiting a declining ransom payment system and thriving underground market for stolen data to exploit its gains. 

A breach in the Healthcare Delivery Organisations' system risks exposing vast amounts of personal and medical information, which underscores why the sector remains a target for hackers today, as it is one of the most attractive sectors for attackers, and is also continually targeted by them. Modat, a cybersecurity firm that uncovered 1.2 million internet-connected medical systems that are misconfigured and exposed online in August 2025, is a separate revelation that emphasises the sector's vulnerabilities. 

Several critical devices in the system were available, including imaging scanners, X-ray machines, DICOM viewers, laboratory testing platforms, and hospital management systems, all of which could be accessed by an attacker. Experts warned that the exposure posed a direct threat to patient safety, in addition to posing a direct threat to privacy. 

In Modat's investigation, sensitive data categories, including highly detailed medical imaging, such as brain scans, lung MRIs, and dental X-rays, were uncovered, along with clinical documentation, complete medical histories and complete medical records. Personal information, including names, addresses and contact details, as well as blood test results, biometrics, and treatment records, all of which can be used to identify the individual.

A significant amount of information was exposed in an era of intensifying cyber threats, which highlights the profound consequences of poorly configured healthcare infrastructure. There has been an increasing number of breaches that illustrate the magnitude of the problem. BlackCat/ALPHV ransomware group has claimed responsibility for a devastating attack on Change Healthcare, where Optum, the parent company of UnitedHealth Group, has reportedly paid $22 million in ransom in exchange for the promise of deleting stolen data.

There was a twist in the crime ecosystem when BlackCat abruptly shut down, retaining none of the payments, but sending the data to an affiliate of the RansomHub ransomware group, which demanded a second ransom for the data in an attempt to secure payment. No second payment was received, and the breach grew in magnitude as each disclosure was made. Initially logged with the U.S. Health and Human Services (HHS) officials had initially estimated that the infection affected 500 people, but by July 2025, it had reached 100 million, then 190 million, and finally 192.7 million individuals.

These staggering figures highlight why healthcare remains a prime target for ransomware operators: if critical hospital systems fail to function correctly, downtime threatens not only revenue and reputations, but the lives of patients as well. Several other vulnerabilities compound the risk, including ransomware, since medical IoT devices are already vulnerable to compromise, which poses a threat to life-sustaining systems like heart monitors and infusion pumps. 

Telehealth platforms, on the other hand, extend the attack surface by routing sensitive consultations over the internet, thereby increasing the scope of potential attacks. In India, these global pressures are matched by local challenges, including outdated legacy systems, a lack of cybersecurity expertise, and a still-developing regulatory framework. 

Healthcare providers rely on a patchwork of frameworks in order to protect themselves from cybersecurity threats since there is no unified national healthcare cybersecurity law, including the Information Technology Act, SPDI Rules, and the Digital Personal Data Protection Act, which has not been enforced yet.

In their view, this lack of cohesion leaves organisations ill-equipped for future threats, particularly smaller companies with limited budgets and under-resourced security departments. In order to address these gaps, there is a partnership between the Data Security Council of India and the Healthcare Information and Management Systems Society (HIMSS) that aims to conduct a national cybersecurity assessment. As a result of the number of potentially exposed pieces of information that were uncovered as a result of the Serviceaide breach, it was particularly troubling. 

Depending on the individual, the data could include information such as their name, Social Security number, birth date, medical records, insurance details, prescription and treatment information, clinical notes, provider identifications, email usernames, and passwords. This information would vary by individual. As a response, Serviceaide announced that it had strengthened its security controls and was offering 12 months of complimentary credit and identity monitoring to affected individuals. 

There was an incident at Catholic Health that resulted in the disclosure that limited patient data was exposed by one of its vendors. According to the organisation's website, a formal notification letter is now being sent to potentially affected patients, and a link to the Serviceaide notice can be found on the website. No response has been received from either organisation regarding further information. 

While regulatory authorities and courts have shown little leniency in similar cases, in 2019, Puerto Rico-based Inmediata Health Group was fined $250,000 by the HHS' Office for Civil Rights (OCR) and later settled a lawsuit for more than $2.5 million with the state attorneys general and class actions plaintiffs after a misconfiguration resulted in 1.6 million patient records being exposed. As recently as last week, OCR penalised Vision Upright MRI, a small California imaging provider, for leaving medical images, including X-rays, CT scans, and MRIs, available online through an unsecured PACS server. 

A $5,000 fine and an action plan were awarded in this case, making the agency's 14th HIPAA enforcement action in 2025. The cumulative effect of these precedents illustrates that failing to secure patient information can lead to significant financial, regulatory, and reputational consequences for healthcare organisations. It has become increasingly evident that the regulatory consequences of failing to safeguard patient data are increasing as time goes on. 

Specifically, under the Health Insurance Portability and Accountability Act (HIPAA), fines can rise to millions of dollars for prolonged violations of the law, and systemic non-compliance with the law can result. For healthcare organisations, adhering to the regulations is both a financial and ethical imperative. 

Data from the U.S. As shown by the Department of Health and Human Services' Office for Civil Rights (OCR), enforcement activity has been steadily increasing over the past decade, with the year 2022 marking a record number of penalties imposed. OCR's Right of Access Initiative, launched in 2019, aims to curb providers who fail to provide patients with timely access to their medical records in a timely manner. 

It has contributed a great deal to the increase in penalties. There were 46 penalties issued for such violations between September 2019 and December 2023 as a result of enforcement activity. Enforcement activity continued high in 2024, as OCR closed 22 investigations with fines, even though only 16 of those were formally announced during that year. The momentum continues into 2025, bolstered by an increased enforcement focus on the HIPAA Security Rule's risk analysis provision, traditionally the most common cause of noncompliance. 

 Almost ten investigations have already been closed by OCR with financial penalties due to risk analysis failures as of May 31, 2025, indicating the agency's sharpened effort to reduce the backlog of data breach cases while holding covered entities accountable for their failures. It is a stark reminder that the healthcare sector stands at a crossroads between technology, patient care, and national security right now as a result of the increasing wave of cyberattacks that have been perpetrated against healthcare organisations. 

 Hospitals and medical networks are increasingly becoming increasingly dependent on the use of digital technologies, which means every exposed database, misconfigured system, or compromised vendor creates a greater opportunity for adversaries with ever greater resources, organisation, and determination to attack them. In the absence of decisive investments in cybersecurity infrastructure, workforce training, and stronger regulatory frameworks, experts warn that breaches will not only persist but will intensify in the future. 

A growing digitisation of healthcare in India makes the stakes even higher: the ability to preserve patient trust, ensure continuity of care, and safeguard sensitive health data is what will determine if digital innovation becomes a valuable asset or a liability, particularly in this country. In the big picture, it is also obvious that cybersecurity is no longer a technical afterthought but has evolved into a pillar of healthcare resilience, where failure has a cost that goes far beyond fines and penalties, and concerns involving patient safety as well as the lives of people involved.
Read more »
WhatsApp Web
Data Privacy Indian Government Mobile Security User Security WhatsApp Web

Indian Government Flag Security Concerns with WhatsApp Web on Work PCs

 

The Indian government has issued a significant cybersecurity advisory urging citizens to avoid using WhatsApp Web on office computers and laptops, highlighting serious privacy and security risks that could expose personal information to employers and cybercriminals. 

The Ministry of Electronics and Information Technology (MeitY) released this public advisory through its Information Security Awareness (ISEA) team, warning that while accessing WhatsApp Web on office devices may seem convenient, it creates substantial cybersecurity vulnerabilities. The government describes the practice as a "major cybersecurity mistake" that could lead to unauthorized access to personal conversations, files, and login credentials. 

According to the advisory, IT administrators and company systems can gain access to private WhatsApp conversations through multiple pathways, including screen-monitoring software, malware infections, and browser hijacking tools. The government warns that many organizations now view WhatsApp Web as a potential security risk that could serve as a gateway for malware and phishing attacks, potentially compromising entire corporate networks. 

Specific privacy risks identified 

The advisory outlines several "horrors" of using WhatsApp on work-issued devices. Data breaches represent a primary concern, as compromised office laptops could expose confidential WhatsApp conversations containing sensitive personal information. Additionally, using WhatsApp Web on unsecured office Wi-Fi networks creates opportunities for malicious actors to intercept private data.

Perhaps most concerning, the government notes that even using office Wi-Fi to access WhatsApp on personal phones could grant companies some level of access to employees' private devices, further expanding the potential privacy violations. The advisory emphasizes that workplace surveillance capabilities mean employers may monitor browser activity, creating situations where sensitive personal information could be accessed, intercepted, or stored without employees' knowledge. 

Network security implication

Organizations increasingly implement comprehensive monitoring systems on corporate devices, making WhatsApp Web usage particularly risky. The government highlights that corporate networks face elevated vulnerability to phishing attacks and malware distribution through messaging applications like WhatsApp Web. When employees click malicious links or download suspicious attachments through WhatsApp Web on office systems, they could inadvertently provide hackers with backdoor access to organizational IT infrastructure. 

Recommended safety measures

For employees who must use WhatsApp Web on office devices, the government provides specific precautionary guidelines. Users should immediately log out of WhatsApp Web when stepping away from their desks or finishing work sessions. The advisory strongly recommends exercising caution when clicking links or opening attachments from unknown contacts, as these could contain malware designed to exploit corporate networks. 

Additionally, employees should familiarize themselves with their company's IT policies regarding personal application usage and data privacy on work devices. The government emphasizes that understanding organizational policies helps employees make informed decisions about personal technology use in professional environments. 

This advisory represents part of broader cybersecurity awareness efforts as workplace digital threats continue evolving, with the government positioning employee education as crucial for maintaining both personal privacy and corporate network security.
Read more »
Personal Information
Cyber Security Data Privacy Data protection data security Data Surveillance Personal Data Personal Information

New York Lawmaker Proposes Bill to Regulate Gait Recognition Surveillance

 

New York City’s streets are often packed with people rushing to work, running errands, or simply enjoying the day. For many residents, walking is faster than taking the subway or catching a taxi. However, a growing concern is emerging — the way someone walks could now be tracked, analyzed, and used to identify them. 

City Councilmember Jennifer Gutierrez is seeking to address this through new legislation aimed at regulating gait recognition technology. This surveillance method can identify people based on the way they move, including their walking style, stride length, and posture. In some cases, it even factors in other unique patterns, such as vocal cadence. 

Gutierrez’s proposal would classify a person’s gait as “personal identifying information,” giving it the same protection as highly sensitive data, including tax or medical records. Her bill also requires that individuals be notified if city agencies are collecting this type of information. She emphasized that most residents are unaware their movements could be monitored, let alone stored for future analysis. 

According to experts, gait recognition technology can identify a person from as far as 165 feet away, even if they are walking away from the camera. This capability makes it an appealing tool for law enforcement but raises significant privacy questions. While Gutierrez acknowledges its potential in solving crimes, she stresses that everyday New Yorkers should not have their personal characteristics tracked without consent. 

Public opinion is divided. Privacy advocates argue the technology poses a serious risk of misuse, such as mass tracking without warrants or transparency. Supporters of its use believe it can be vital for security and public safety when handled with proper oversight. 

Globally, some governments have already taken steps to regulate similar surveillance tools. The European Union enforces strict rules on biometric data collection, and certain U.S. states have introduced laws to address privacy risks. However, experts warn that advancements in technology often move faster than legislation, making it difficult to implement timely safeguards. 

The New York City administration is reviewing Gutierrez’s bill, while the NYPD’s use of gait recognition for criminal investigations would remain exempt under the proposed law. The debate continues over whether this technology’s benefits outweigh the potential erosion of personal privacy in one of the world’s busiest cities.
Read more »
Personal Data
Advanced Social Engineering Customer Data Customer Data Exposed Data Breach Data Leak Data Privacy data security Malware. Scattered Spider Personal Data

Allianz Life Data Breach Exposes Personal Information of 1.4 Million Customers

 

Allianz Life Insurance has disclosed a major cybersecurity breach that exposed the personal details of approximately 1.4 million individuals. The breach was detected on July 16, 2025, and the company reported the incident to the Maine Attorney General’s office the following day. Initial findings suggest that the majority of Allianz Life’s customer base may have been impacted by the incident. 

According to Allianz Life, the attackers did not rely on exploiting technical weaknesses but instead used advanced social engineering strategies to deceive company employees. This approach bypasses system-level defenses by manipulating human behavior and trust. The cybercriminal group believed to be responsible is Scattered Spider, a collective that recently orchestrated a damaging attack on UK retailer Marks & Spencer, leading to substantial financial disruption. 

In this case, the attackers allegedly gained access to a third-party customer relationship management (CRM) platform used by Allianz Life. The company noted that there is no indication that its core systems were affected. However, the stolen data reportedly includes personally identifiable information (PII) of customers, financial advisors, and certain employees. Allianz SE, the parent company, confirmed that the information was exfiltrated using social engineering techniques that exploited human error rather than digital vulnerabilities. 

Social engineering attacks often involve tactics such as impersonating internal staff or calling IT help desks to request password resets. Scattered Spider has been known to use these methods in past campaigns, including those that targeted MGM Resorts and Caesar’s Palace. Their operations typically focus on high-profile organizations and are designed to extract valuable data with minimal use of traditional hacking methods. 

The breach at Allianz is part of a larger trend of rising cyberattacks on the insurance industry. Other firms like Aflac, Erie Insurance, and Philadelphia Insurance have also suffered similar incidents in recent months, raising alarms about the sector’s cybersecurity readiness.  

Industry experts emphasize the growing need for businesses to bolster their cybersecurity defenses—not just by investing in better tools but also by educating their workforce. A recent Experis report identified cybersecurity as the top concern for technology firms in 2025. Alarmingly, Tech.co research shows that nearly 98% of senior leaders still struggle to recognize phishing attempts, which are a common entry point for such breaches. 

The Allianz Life breach highlights the urgent need for organizations to treat cybersecurity as a shared responsibility, ensuring that every employee is trained to identify and respond to suspicious activities. Without such collective vigilance, the threat landscape will continue to grow more dangerous.
Read more »
data security
customer privacy Customer Trust Cyber Community Cyber Security Data Privacy Data Safety User Data data security

Why Web3 Exchanges Must Prioritize Security, Privacy, and Fairness to Retain Users

 

In the evolving Web3 landscape, a platform’s survival hinges on its ability to meet community expectations. If users perceive an exchange as unfair, insecure, or intrusive, they’ll swiftly move on. This includes any doubts about the platform’s transparency, ability to safeguard user data, or deliver features that users value.  

The challenge lies in balancing ideal user experience with realistic limitations. While complete invulnerability isn’t feasible, exchanges must adopt rigorous security protocols that align with industry best practices. Beyond technical defenses, they must also enforce strict data privacy policies and ensure customer funds remain entirely under user control. 

So, how can an exchange rise to these expectations without compromising service quality? The key lies in maintaining equilibrium between protection and functionality. A robust exchange must operate with enterprise-level security, including encryption at a high standard. Since smart contract flaws can remain hidden for long periods, it’s essential that platforms perform internal and third-party audits. 

Security firms and penetration testers, like red teams, simulate cyberattacks to expose and address weaknesses before attackers can exploit them. Users evaluating exchanges should consider not just the presence of encryption but also whether the platform uses external experts to continuously test its defenses. In handling funds, exchanges must mitigate risks such as consensus failures and ensure their infrastructure can validate and process inter-chain transactions securely. 

However, these protective measures shouldn’t come at the cost of speed or efficiency. Metrics such as transactions per second (TPS), consensus time, and finality should remain optimized for a seamless experience. Equally important is protecting user privacy. Web3 users face threats ranging from data leaks and surveillance to the misuse of trading data by advanced bots. 

These issues demand concrete actions—not vague assurances. Transparent privacy policies and secure data practices are essential. Enclave Markets has set an example in privacy-focused trading. Their off-chain enclave prevents malicious actors from seeing trade activity, effectively eliminating front-running and ensuring fair execution with zero spread and no slippage.  

Another often overlooked area is fairness in reward programs. Many exchanges structure incentives in ways that disproportionately benefit bots or large-scale traders. Enclave Markets addresses this with a more balanced rewards system that favors genuine users over manipulators. Their recently introduced EdgeBot allows users to track and trade tokens directly within Telegram, minimizing friction and response time. 

This type of intuitive innovation reflects a deep understanding of user needs. Ultimately, users must take responsibility to verify if a platform truly upholds the principles of fairness, security, and privacy. These aren’t optional features—they’re the foundation of any trustworthy Web3 exchange.
Read more »
Personal Information
customer data compromise customer data leak customer data privacy Data Breach Data Leak Data Privacy data security Database Leaked Fashion Retailer Personal Information

SABO Fashion Brand Exposes 3.5 Million Customer Records in Major Data Leak

 

Australian fashion retailer SABO recently faced a significant data breach that exposed sensitive personal information of millions of customers. The incident came to light when cybersecurity researcher Jeremiah Fowler discovered an unsecured database containing over 3.5 million PDF documents, totaling 292 GB in size. The database, which had no password protection or encryption, was publicly accessible online to anyone who knew where to look. 

The leaked records included a vast amount of personally identifiable information (PII), such as names, physical addresses, phone numbers, email addresses, and other order-related data of both retail and business clients. According to Fowler, the actual number of affected individuals could be substantially higher than the number of files. He observed that a single PDF file sometimes contained details from up to 50 separate orders, suggesting that the total number of exposed customer profiles might exceed 3.5 million. 

The information was derived from SABO’s internal document management system used for handling sales, returns, and shipping data—both within Australia and internationally. The files dated back to 2015 and stretched through to 2025, indicating a mix of outdated and still-relevant information that could pose risks if misused. Upon discovering the open database, Fowler immediately notified the company. SABO responded by securing the exposed data within a few hours. 

However, the brand did not reply to the researcher’s inquiries, leaving critical questions unanswered—such as how long the data remained vulnerable, who was responsible for managing the server, and whether malicious actors accessed the database before it was locked. SABO, known for its stylish collections of clothing, swimwear, footwear, and formalwear, operates three physical stores in Australia and also ships products globally through its online platform. 

In 2024, the brand reported annual revenue of approximately $18 million, underscoring its scale and reach in the retail space. While SABO has taken action to secure the exposed data, the breach underscores ongoing challenges in cybersecurity, especially among mid-sized e-commerce businesses. Data left unprotected on the internet can be quickly exploited, and even short windows of exposure can have lasting consequences for customers. 

The lack of transparency following the discovery only adds to growing concerns about how companies handle consumer data and whether they are adequately prepared to respond to digital threats.
Read more »
Workplace Security
AI Chatbots ChatGPT safety cybersecurity risks Data Privacy Sensitive Information Technology Workplace Security

Britons Risk Privacy by Sharing Sensitive Data with AI Chatbots Despite Security Concerns

 

Nearly one in three individuals in the UK admits to sharing confidential personal details with AI chatbots, such as OpenAI’s ChatGPT, according to new research by cybersecurity firm NymVPN. The study reveals that 30% of Britons have disclosed sensitive data—including banking information and health records—to AI tools, potentially endangering their own privacy and that of others.

Despite 48% of respondents expressing concerns over the safety of AI chatbots, many continue to reveal private details. This habit extends to professional settings, where employees are reportedly sharing internal company and customer information with these platforms.

The findings come amid a wave of high-profile cyberattacks, including the recent breach at Marks & Spencer, which underscores how easily confidential data can be compromised. NymVPN reports that 26% of survey participants have entered financial details related to salaries, mortgages, and investments, while 18% have exposed credit card or bank account numbers. Additionally, 24% acknowledged sharing customer data—such as names and email addresses—and 16% uploaded company financial records and contracts.

“AI tools have rapidly become part of how people work, but we’re seeing a worrying trend where convenience is being prioritized over security,” said Harry Halpin, CEO of NymVPN.

Organizations such as M&S, Co-op, and Adidas have already made headlines for data breaches. “High-profile breaches show how vulnerable even major organizations can be, and the more personal and corporate data that is fed into AI, the bigger the target becomes for cybercriminals,” Halpin added.

With nearly a quarter of people admitting to sharing customer data with AI tools, experts emphasize the urgent need for businesses to establish strict policies governing AI usage at work.

“Employees and businesses urgently need to think about how they’re protecting both personal privacy and company data when using AI tools,” Halpin warned.

Completely avoiding AI chatbots might be the safest option, but it’s not always realistic. Users are advised to refrain from entering sensitive information, adjust privacy settings by disabling chat history, or opt out of model training.

Using a VPN can provide an additional layer of online privacy by encrypting internet traffic and masking IP addresses when accessing AI chatbots like ChatGPT. However, even with a VPN, risks remain if individuals continue to input confidential data.
Read more »
Patient Data
Data Analytics Agency Data Breach Data Leak Data Privacy data security Data Theft Healthcare Healthcare Data Healthcare Security Patient Data

Episource Healthcare Data Breach Exposes Personal Data of 5.4 Million Americans

 

In early 2025, a cyberattack targeting healthcare technology provider Episource compromised the personal and medical data of over 5.4 million individuals in the United States. Though not widely known to the public, Episource plays a critical role in the healthcare ecosystem by offering medical coding, risk adjustment, and data analytics services to major providers. This makes it a lucrative target for hackers seeking access to vast troves of sensitive information. 

The breach took place between January 27 and February 6. During this time, attackers infiltrated the company’s systems and extracted confidential data, including names, addresses, contact details, Social Security numbers, insurance information, Medicaid IDs, and medical records. Fortunately, no banking or payment card information was exposed in the incident. The U.S. Department of Health and Human Services reported the breach’s impact affected over 5.4 million people. 

What makes this breach particularly concerning is that many of those affected likely had no direct relationship with Episource, as the company operates in the background of the healthcare system. Its partnerships with insurers and providers mean it routinely processes massive volumes of personal data, leaving millions exposed when its security infrastructure fails. 

Episource responded to the breach by notifying law enforcement, launching an internal investigation, and hiring third-party cybersecurity experts. In April, the company began sending out physical letters to affected individuals explaining what data may have been exposed and offering free credit monitoring and identity restoration services through IDX. These notifications are being issued by traditional mail rather than email, in keeping with standard procedures for health-related data breaches. 

The long-term implications of this incident go beyond individual identity theft. The nature of the data stolen — particularly medical and insurance records combined with Social Security numbers — makes those affected highly vulnerable to fraud and phishing schemes. With full profiles of patients in hand, cybercriminals can carry out advanced impersonation attacks, file false insurance claims, or apply for loans in someone else’s name. 

This breach underscores the growing need for stronger cybersecurity across the healthcare industry, especially among third-party service providers. While Episource is offering identity protection to affected users, individuals must remain cautious by monitoring accounts, being wary of unknown communications, and considering a credit freeze as a precaution. As attacks on healthcare entities become more frequent, robust data security is no longer optional — it’s essential for maintaining public trust and protecting sensitive personal information.
Read more »
employee productivity
Accountability Cyber Security Data Privacy Data security software Data tracking Employee employee cybersecurity Employee Data employee productivity

Balancing Accountability and Privacy in the Age of Work Tracking Software

 

As businesses adopt employee monitoring tools to improve output and align team goals, they must also consider the implications for privacy. The success of these systems doesn’t rest solely on data collection, but on how transparently and respectfully they are implemented. When done right, work tracking software can enhance productivity while preserving employee dignity and fostering a culture of trust. 

One of the strongest arguments for using tracking software lies in the visibility it offers. In hybrid and remote work settings, where face-to-face supervision is limited, these tools offer leaders critical insights into workflows, project progress, and resource allocation. They enable more informed decisions and help identify process inefficiencies that could otherwise remain hidden. At the same time, they give employees the opportunity to highlight their own efforts, especially in collaborative environments where individual contributions can easily go unnoticed. 

For workers, having access to objective performance data ensures that their time and effort are acknowledged. Instead of constant managerial oversight, employees can benefit from automated insights that help them manage their time more effectively. This reduces the need for frequent check-ins and allows greater autonomy in daily schedules, ultimately leading to better focus and outcomes. 

However, the ethical use of these tools requires more than functionality—it demands transparency. Companies must clearly communicate what is being monitored, why it’s necessary, and how the collected data will be used. Monitoring practices should be limited to work-related metrics like app usage or project activity and should avoid invasive methods such as covert screen recording or keystroke logging. When employees are informed and involved from the start, they are more likely to accept the tools as supportive rather than punitive. 

Modern tracking platforms often go beyond timekeeping. Many offer dashboards that enable employees to view their own productivity patterns, identify distractions, and make self-directed improvements. This shift from oversight to insight empowers workers and contributes to their personal and professional development. At the organizational level, this data can guide strategy, uncover training needs, and drive better resource distribution—without compromising individual privacy. 

Ultimately, integrating work tracking tools responsibly is less about trade-offs and more about fostering mutual respect. The most successful implementations are those that treat transparency as a priority, not an afterthought. By framing these tools as resources for growth rather than surveillance, organizations can reinforce trust while improving overall performance. 

Used ethically and with clear communication, work tracking software has the potential to unify rather than divide. It supports both the operational needs of businesses and the autonomy of employees, proving that accountability and privacy can, in fact, coexist.
Read more »
Warmwind
Artificial Intelligence Data Privacy operating systems Technology Warmwind

Germany’s Warmwind May Be the First True AI Operating System — But It’s Not What You Expect

 



Artificial intelligence is starting to change how we interact with computers. Since advanced chatbots like ChatGPT gained popularity, the idea of AI systems that can understand natural language and perform tasks for us has been gaining ground. Many have imagined a future where we simply tell our computer what to do, and it just gets done, like the assistants we’ve seen in science fiction movies.

Tech giants like OpenAI, Google, and Apple have already taken early steps. AI tools can now understand voice commands, control some apps, and even help automate tasks. But while these efforts are still in progress, the first real AI operating system appears to be coming from a small German company called Jena, not from Silicon Valley.

Their product is called Warmwind, and it’s currently in beta testing. Though it’s not widely available yet, over 12,000 people have already joined the waitlist to try it.


What exactly is Warmwind?

Warmwind is an AI-powered system designed to work like a “digital employee.” Instead of being a voice assistant or chatbot, Warmwind watches how users perform digital tasks like filling out forms, creating reports, or managing software, and then learns to do those tasks itself. Once trained, it can carry out the same work over and over again without any help.

Unlike traditional operating systems, Warmwind doesn’t run on your computer. It operates remotely through cloud servers based in Germany, following the strict privacy rules under the EU’s GDPR. You access it through your browser, but the system keeps running even if you close the window.

The AI behaves much like a person using a computer. It clicks buttons, types, navigates through screens, and reads information — all without needing special APIs or coding integrations. In short, it automates your digital tasks the same way a human would, but much faster and without tiring.

Warmwind is mainly aimed at businesses that want to reduce time spent on repetitive computer work. While it’s not the futuristic AI companion from the movies, it’s a step in that direction, making software more hands-free and automated.

Technically, Warmwind runs on a customized version of Linux built specifically for automation. It uses remote streaming technology to show you the user interface while the AI works in the background.

Jena, the company behind Warmwind, says calling it an “AI operating system” is symbolic. The name helps people understand the concept quickly, it’s an operating system, not for people, but for digital AI workers.

While it’s still early days for AI OS platforms, Warmwind might be showing us what the future of work could look like, where computers no longer wait for instructions but get things done on their own.

Read more »
LLaMA
AI Chatbots AI Models AI technology Chatbots ChatGPT Cloud Cyber Security Data Privacy data security DeepSeek Gemini AI LLaMA

Why Running AI Locally with an NPU Offers Better Privacy, Speed, and Reliability

 

Running AI applications locally offers a compelling alternative to relying on cloud-based chatbots like ChatGPT, Gemini, or Deepseek, especially for those concerned about data privacy, internet dependency, and speed. Though cloud services promise protections through subscription terms, the reality remains uncertain. In contrast, using AI locally means your data never leaves your device, which is particularly advantageous for professionals handling sensitive customer information or individuals wary of sharing personal data with third parties. 

Local AI eliminates the need for a constant, high-speed internet connection. This reliable offline capability means that even in areas with spotty coverage or during network outages, tools for voice control, image recognition, and text generation remain functional. Lower latency also translates to near-instantaneous responses, unlike cloud AI that may lag due to network round-trip times. 

A powerful hardware component is essential here: the Neural Processing Unit (NPU). Typical CPUs and GPUs can struggle with AI workloads like large language models and image processing, leading to slowdowns, heat, noise, and shortened battery life. NPUs are specifically designed for handling matrix-heavy computations—vital for AI—and they allow these models to run efficiently right on your laptop, without burdening the main processor. 

Currently, consumer devices such as Intel Core Ultra, Qualcomm Snapdragon X Elite, and Apple’s M-series chips (M1–M4) come equipped with NPUs built for this purpose. With one of these devices, you can run open-source AI models like DeepSeek‑R1, Qwen 3, or LLaMA 3.3 using tools such as Ollama, which supports Windows, macOS, and Linux. By pairing Ollama with a user-friendly interface like OpenWeb UI, you can replicate the experience of cloud chatbots entirely offline.  

Other local tools like GPT4All and Jan.ai also provide convenient interfaces for running AI models locally. However, be aware that model files can be quite large (often 20 GB or more), and without NPU support, performance may be sluggish and battery life will suffer.  

Using AI locally comes with several key advantages. You gain full control over your data, knowing it’s never sent to external servers. Offline compatibility ensures uninterrupted use, even in remote or unstable network environments. In terms of responsiveness, local AI often outperforms cloud models due to the absence of network latency. Many tools are open source, making experimentation and customization financially accessible. Lastly, NPUs offer energy-efficient performance, enabling richer AI experiences on everyday devices. 

In summary, if you’re looking for a faster, more private, and reliable AI workflow that doesn’t depend on the internet, equipping your laptop with an NPU and installing tools like Ollama, OpenWeb UI, GPT4All, or Jan.ai is a smart move. Not only will your interactions be quick and seamless, but they’ll also remain securely under your control.
Read more »
Technology
Artificial Intelligence CCPA Compliance Data Management Data Privacy GDPR Technology

Can AI Be Trusted With Sensitive Business Data?

 



As artificial intelligence becomes more common in businesses, from retail to finance to technology— it’s helping teams make faster decisions. But behind these smart predictions is a growing problem: how do you make sure employees only see what they’re allowed to, especially when AI mixes information from many different places?

Take this example: A retail company’s AI tool predicts upcoming sales trends. To do this, it uses both public market data and private customer records. The output looks clean and useful but what if that forecast is shown to someone who isn’t supposed to access sensitive customer details? That’s where access control becomes tricky.


Why Traditional Access Rules Don’t Work for AI

In older systems, access control was straightforward. Each person had certain permissions: developers accessed code, managers viewed reports, and so on. But AI changes the game. These systems pull data from multiple sources, internal files, external APIs, sensor feeds, and combine everything to create insights. That means even if a person only has permission for public data, they might end up seeing results that are based, in part, on private or restricted information.


Why It Matters

Security Concerns: If sensitive data ends up in the wrong hands even indirectly, it can lead to data leaks. A 2025 study showed that over two-thirds of companies had AI-related security issues due to weak access controls.

Legal Risks: Privacy laws like the GDPR require clear separation of data. If a prediction includes restricted inputs and is shown to the wrong person, companies can face heavy fines.

Trust Issues: When employees or clients feel their data isn’t safe, they lose trust in the system, and the business.


What’s Making This So Difficult?

1. AI systems often blend data so deeply that it’s hard to tell what came from where.

2. Access rules are usually fixed, but AI relies on fast-changing data.

3. Companies have many users with different roles and permissions, making enforcement complicated.

4. Permissions are often too broad, for example, someone allowed to "view reports" might accidentally access sensitive content.


How Can Businesses Fix This?

• Track Data Origins: Label data as "public" or "restricted" and monitor where it ends up.

• Flexible Access Rules: Adjust permissions based on user roles and context.

• Filter Outputs: Build AI to hide or mask parts of its response that come from private sources.

• Separate Models: Train different AI models for different user groups, each with its own safe data.

• Monitor Usage: Keep logs of who accessed what, and use alerts to catch suspicious activity.


As AI tools grow more advanced and rely on live data from many sources, managing access will only get harder. Businesses must modernize their security strategies to protect sensitive information without slowing down innovation.

Read more »
Ransomwares
Data Breach Data Privacy data security Data Theft Healthcare Data healthcare data breach Healthcare Industry Personal Information Ransomware attack Ransomwares

Horizon Healthcare RCM Reports Ransomware Breach Impacting Patient Data

 

Horizon Healthcare RCM has confirmed it was the target of a ransomware attack involving the theft of sensitive health information, making it the latest revenue cycle management (RCM) vendor to report such a breach. Based on the company’s breach disclosure, it appears a ransom may have been paid to prevent the public release of stolen data. 

In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.  

However, the scope of the incident may be broader. It remains unclear whether Horizon is notifying patients directly on behalf of these clients or whether each will report the breach independently. 

In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission. 

Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible. The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data. 

In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information. Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident. 

The matter has been reported to federal law enforcement. Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months. 

In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack. 

Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025. Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations. 

Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.  
Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said. 

He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.” 

Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.
Read more »
Generative AI
ai agents AI Assistant AI cybersecurity Ai Data AI DIgital Assistant AI technology Cyber Security Data Privacy Generative AI

Personal AI Agents Could Become Digital Advocates in an AI-Dominated World

 

As generative AI agents proliferate, a new concept is gaining traction: AI entities that act as loyal digital advocates, protecting individuals from overwhelming technological complexity, misinformation, and data exploitation. Experts suggest these personal AI companions could function similarly to service animals—trained not just to assist, but to guard user interests in an AI-saturated world. From scam detection to helping navigate automated marketing and opaque algorithms, these agents would act as user-first shields. 

At a recent Imagination in Action panel, Consumer Reports’ Ginny Fahs explained, “As companies embed AI deeper into commerce, it becomes harder for consumers to identify fair offers or make informed decisions. An AI that prioritizes users’ interests can build trust and help transition toward a more transparent digital economy.” The idea is rooted in giving users agency and control in a system where most AI is built to serve businesses. Panelists—including experts like Dazza Greenwood, Amir Sarhangi, and Tobin South—discussed how loyal, trustworthy AI advocates could reshape personal data rights, online trust, and legal accountability. 

Greenwood drew parallels to early internet-era reforms such as e-signatures and automated contracts, suggesting a similar legal evolution is needed now to govern AI agents. South added that AI agents must be “loyal by design,” ensuring they act within legal frameworks and always prioritize the user. Sarhangi introduced the concept of “Know Your Agent” (KYA), which promotes transparency by tracking the digital footprint of an AI. 

With unique agent wallets and activity histories, bad actors could be identified and held accountable. Fahs described a tool called “Permission Slip,” which automates user requests like data deletion. This form of AI advocacy predates current generative models but shows how user-authorized agents could manage privacy at scale. Agents could also learn from collective behavior. For instance, an AI noting a negative review of a product could share that experience with other agents, building an automated form of word-of-mouth. 

This concept, said panel moderator Sandy Pentland, mirrors how Consumer Reports aggregates user feedback to identify reliable products. South emphasized that cryptographic tools could ensure safe data-sharing without blindly trusting tech giants. He also referenced NANDA, a decentralized protocol from MIT that aims to enable trustworthy AI infrastructure. Still, implementing AI agents raises usability questions. “We want agents to understand nuanced permissions without constantly asking users to approve every action,” Fahs said. 

Getting this right will be crucial to user adoption. Pentland noted that current AI models struggle to align with individual preferences. “An effective agent must represent you—not a demographic group, but your unique values,” he said. Greenwood believes that’s now possible: “We finally have the tools to build AI agents with fiduciary responsibilities.” In closing, South stressed that the real bottleneck isn’t AI capability but structuring and contextualizing information properly. “If you want AI to truly act on your behalf, we must design systems that help it understand you.” 

As AI becomes deeply embedded in daily life, building personalized, privacy-conscious agents may be the key to ensuring technology serves people—not the other way around.
Read more »
User Security
AI tools Cyber Security Data Privacy Generative AI User Security

New Report Ranks Best And Worst Generative AI Tools For Privacy

 

Most generative AI companies use client data to train their chatbots. For this, they may use private or public data. Some services take a more flexible and non-intrusive approach to gathering customer data. Not so much for others. A recent analysis from data removal firm Incogni weighs the benefits and drawbacks of AI in terms of protecting your personal data and privacy.

As part of its "Gen AI and LLM Data Privacy Ranking 2025," Incogni analysed nine well-known generative AI services and evaluated their data privacy policies using 11 distinct factors. The following queries were addressed by the criteria: 

  • What kind of data do the models get trained on? 
  • Is it possible to train the models using user conversations? 
  • Can non-service providers or other appropriate entities receive prompts? 
  • Can the private data from users be erased from the training dataset?
  • How clear is it when training is done via prompts? 
  • How simple is it to locate details about the training process of models? 
  • Does the data collection process have a clear privacy policy?
  • How easy is it to read the privacy statement? 
  • Which resources are used to gather information about users?
  • Are third parties given access to the data? 
  • What information are gathered by the AI apps? 

The research involved Mistral AI's Le Chat, OpenAI's ChatGPT, xAI's Grok, Anthropic's Claude, Inflection AI's Pi, DeekSeek, Microsoft Copilot, Google Gemini, and Meta AI. Each AI performed well on certain questions but not so well on others. 

For instance, Grok performed poorly on the readability of its privacy policy but received a decent rating for how clearly it communicates that prompts are used for training. As another example, the ratings that ChatGPT and Gemini received for gathering data from their mobile apps varied significantly between the iOS and Android versions.

However, Le Chat emerged as the best privacy-friendly AI service overall. It did well in the transparency category, despite losing a few points. Additionally, it only collects a small amount of data and achieves excellent scores for additional privacy concerns unique to AI. 

Second place went to ChatGPT. Researchers at Incogni were a little worried about how user data interacts with the service and how OpenAI trains its models. However, ChatGPT explains the company's privacy standards in detail, lets you know what happens to your data, and gives you explicit instructions on how to restrict how your data is used. Claude and PI came in third and fourth, respectively, after Grok. Each performed reasonably well in terms of protecting user privacy overall, while there were some issues in certain areas. 

"Le Chat by Mistral AI is the least privacy-invasive platform, with ChatGPT and Grok following closely behind," Incogni noted in its report. "These platforms ranked highest when it comes to how transparent they are on how they use and collect data, and how easy it is to opt out of having personal data used to train underlying models. ChatGPT turned out to be the most transparent about whether prompts will be used for model training and had a clear privacy policy.” 

In its investigation, Incogni discovered that AI firms exchange data with a variety of parties, including service providers, law enforcement, members of the same corporate group, research partners, affiliates, and third parties. 

"Microsoft's privacy policy implies that user prompts may be shared with 'third parties that perform online advertising services for Microsoft or that use Microsoft's advertising technologies,'" Incogni added in the report. "DeepSeek's and Meta's privacy policies indicate that prompts can be shared with companies within its corporate group. Meta's and Anthropic's privacy policies can reasonably be understood to indicate that prompts are shared with research collaborators.” 

You can prevent the models from being trained using your prompts with some providers. This is true for Grok, Mistral AI, Copilot, and ChatGPT. However, based on their privacy rules and other resources, it appears that other services do not allow this kind of data collecting to be stopped. Gemini, DeepSeek, Pi AI, and Meta AI are a few of these. In response to this concern, Anthropic stated that it never gathers user input for model training. 

Ultimately, a clear and understandable privacy policy significantly helps in assisting you in determining what information is being gathered and how to opt out.
Read more »
Privacy
Ads Data Privacy data security DPC EU European Cyber Security European Union Legal Action Against Meta Meta Chatbots Meta Data personalized ads Privacy

WhatsApp Ads Delayed in EU as Meta Faces Privacy Concerns

 

Meta recently introduced in-app advertisements within WhatsApp for users across the globe, marking the first time ads have appeared on the messaging platform. However, this change won’t affect users in the European Union just yet. According to the Irish Data Protection Commission (DPC), WhatsApp has informed them that ads will not be launched in the EU until sometime in 2026. 

Previously, Meta had stated that the feature would gradually roll out over several months but did not provide a specific timeline for European users. The newly introduced ads appear within the “Updates” tab on WhatsApp, specifically inside Status posts and the Channels section. Meta has stated that the ad system is designed with privacy in mind, using minimal personal data such as location, language settings, and engagement with content. If a user has linked their WhatsApp with the Meta Accounts Center, their ad preferences across Instagram and Facebook will also inform what ads they see. 

Despite these assurances, the integration of data across platforms has raised red flags among privacy advocates and European regulators. As a result, the DPC plans to review the advertising model thoroughly, working in coordination with other EU privacy authorities before approving a regional release. Des Hogan, Ireland’s Data Protection Commissioner, confirmed that Meta has officially postponed the EU launch and that discussions with the company will continue to assess the new ad approach. 

Dale Sunderland, another commissioner at the DPC, emphasized that the process remains in its early stages and it’s too soon to identify any potential regulatory violations. The commission intends to follow its usual review protocol, which applies to all new features introduced by Meta. This strategic move by Meta comes while the company is involved in a high-profile antitrust case in the United States. The lawsuit seeks to challenge Meta’s ownership of WhatsApp and Instagram and could potentially lead to a forced breakup of the company’s assets. 

Meta’s decision to push forward with deeper cross-platform ad integration may indicate confidence in its legal position. The tech giant continues to argue that its advertising tools are essential for small business growth and that any restrictions on its ad operations could negatively impact entrepreneurs who rely on Meta’s platforms for customer outreach. However, critics claim this level of integration is precisely why Meta should face stricter regulatory oversight—or even be broken up. 

As the U.S. court prepares to issue a ruling, the EU delay illustrates how Meta is navigating regulatory pressures differently across markets. After initial reporting, WhatsApp clarified that the 2025 rollout in the EU was never confirmed, and the current plan reflects ongoing conversations with European regulators.
Read more »
Privacy Issues
AI Chatbots AI technology chatbot security Data Leak Data Privacy data security Meta Meta Chatbots Personal Data Privacy Privacy Issues

Meta.ai Privacy Lapse Exposes User Chats in Public Feed

 

Meta’s new AI-driven chatbot platform, Meta.ai, launched recently with much fanfare, offering features like text and voice chats, image generation, and video restyling. Designed to rival platforms like ChatGPT, the app also includes a Discover feed, a space intended to showcase public content generated by users. However, what Meta failed to communicate effectively was that many users were unintentionally sharing their private conversations in this feed—sometimes with extremely sensitive content attached. 

In May, journalists flagged the issue when they discovered public chats revealing deeply personal user concerns—ranging from financial issues and health anxieties to legal troubles. These weren’t obscure posts either; they appeared in a publicly accessible area of the app, often containing identifying information. Conversations included users seeking help with medical diagnoses, children talking about personal experiences, and even incarcerated individuals discussing legal strategies—none of whom appeared to realize their data was visible to others. 

Despite some recent tweaks to the app’s sharing settings, disturbing content still appears on the Discover feed. Users unknowingly uploaded images and video clips, sometimes including faces, alongside alarming or bizarre prompts. One especially troubling instance featured a photo of a child at school, accompanied by a prompt instructing the AI to “make him cry.” Such posts reflect not only poor design choices but also raise ethical questions about the purpose and moderation of the Discover feed itself. 

The issue evokes memories of other infamous data exposure incidents, such as AOL’s release of anonymized user searches in 2006, which provided unsettling insight into private thoughts and behaviors. While social media platforms are inherently public, users generally view AI chat interactions as private, akin to using a search engine. Meta.ai blurred that boundary—perhaps unintentionally, but with serious consequences. Many users turned to Meta.ai seeking support, companionship, or simple productivity help. Some asked for help with job listings or obituary writing, while others vented emotional distress or sought comfort during panic attacks. 

In some cases, users left chats expressing gratitude—believing the bot had helped. But a growing number of conversations end in frustration or embarrassment when users realize the bot cannot deliver on its promises or that their content was shared publicly. These incidents highlight a disconnect between how users engage with AI tools and how companies design them. Meta’s ambition to merge AI capabilities with social interaction seems to have ignored the emotional and psychological expectations users bring to private-sounding features. 

For those using Meta.ai as a digital confidant, the lack of clarity around privacy settings has turned an experiment in convenience into a public misstep. As AI systems become more integrated into daily life, companies must rethink how they handle user data—especially when users assume privacy. Meta.ai’s rocky launch serves as a cautionary tale about transparency, trust, and design in the age of generative AI.
Read more »
Subscribe to: Posts (Atom)