Welcome back to Mailfence’s Privacy and Cybersecurity Newsletter! October 2025 has brought both setbacks and victories for privacy advocates. From data breaches exposing millions to regulatory appointments that raise eyebrows, the tension between surveillance and security has never been more pronounced. Here’s what we’re covering this month:
- Major Data Breaches: October’s Privacy Failures
- Global Spyware Market: US Investment Surges Despite Policy Efforts
- Autonomous AI Hacking: The Cybersecurity Singularity Approaches
- WhiteBridge AI: Your Personal Data for Sale
- EU Chat Control Proposal Halted – A Win for Privacy
- Former Meta Lobbyist Joins Irish Data Protection Commission
- Social Media Surveillance Escalates in US and UK
Major Data Breaches: October’s Privacy Failures
October 2025 witnessed significant data breaches, exposing millions of users’ personal information through third-party compromises and poor security practices. Discord confirmed hackers stole government ID photos of at least 70,000 users through a third-party vendor, with documents published on the dark web. Prosper disclosed a breach affecting 17.6 million users, exposing Social Security numbers, government IDs, and financial data. Qantas saw data from over 5.7 million customers leaked after refusing ransom demands in a Salesforce campaign breach. These represent just a fraction of October’s breaches – dozens more incidents occurred globally, highlighting persistent vulnerabilities in data protection.
To mitigate breach risks, change passwords immediately on affected accounts and enable two-factor authentication. Use password managers for unique credentials, monitor financial accounts regularly, and place credit freezes with major credit agencies. Check Have I Been Pwned to monitor for exposure and remain vigilant against spear-phishing attempts.
Learn more:
Discord warns users after data stolen in third-party breach (Malwarebytes)
Prosper data breach puts 17 million people at risk of identity theft (Malwarebytes)
Qantas Data Breach Exposes Millions, Tied to Wider Salesforce Campaign (Security Boulevard)
Global Spyware Market: US Investment Surges Despite Policy Efforts
The Atlantic Council’s updated “Mythical Beasts” report reveals alarming growth in the global spyware market, now tracking 561 entities across 46 countries. Notably, US-based investment has tripled since 2023, making America the largest investor – despite government sanctions and export controls.
The report adds 130 new entities, including 43 from 2024. US investors fund notorious vendors, such as Israeli companies, whose spyware targets journalists and activists worldwide. NSO Group’s Pegasus was fined $168 million for attacks on WhatsApp, yet American AE Industrial Partners invested in Paragon Solutions, whose Graphite spyware surveilled Italian civil society.
Resellers and brokers play a key role, obscuring supply chains and evading accountability. Ten intermediaries in Mexico alone sold Pegasus via misleading contracts, largely overlooked by regulations.
To limit spyware risks: keep devices updated, use trusted security software, avoid suspicious links, enable multifactor authentication, review app permissions, and consider privacy-focused OSs. At-risk professionals should seek expert security audits and follow best practices from organizations like the Committee to Protect Journalists and Access Now.
Read more:
Mythical Beasts: Diving into the depths of the global spyware market (Atlantic Council)
Autonomous AI Hacking: The Cybersecurity Singularity Approaches
AI agents now autonomously hack computers at machine speed and scale, fundamentally changing cybersecurity. Summer 2025 marked this shift from concept to reality. XBOW submitted over 1,000 vulnerabilities to HackerOne in months, DARPA’s AI Cyber Challenge teams found 54 vulnerabilities in four hours, and Google’s Big Sleep discovered dozens of flaws in open-source projects.
Criminals have operationalised these capabilities. Ukraine’s CERT found Russian malware using AI to automate reconnaissance and data theft. Anthropic disrupted actors using Claude for complete attack chains – from network reconnaissance to ransom demands. Others deployed autonomous ransomware and HexStrike-AI agents that independently scan, exploit, and persist inside networks.
This threatens a cybersecurity singularity where attacks accelerate beyond response capacity. The assumption that defenders have time to patch is collapsing. AI agents turn rare expertise into commodity capabilities, giving average criminals outsized advantages and further tilting the already-imbalanced cyberattack/cyberdefence equation.
To protect yourself: maintain rigorous patch management, implement zero-trust architectures, use AI-enhanced security tools, employ network segmentation, and monitor for anomalous behaviour. Consider managed security services with AI capabilities. Most importantly, recognise traditional reactive security is obsolete – proactive, AI-augmented defence is now essential.
Continue reading:
Autonomous AI Hacking and the Future of Cybersecurity (Schneier on Security)
WhiteBridge AI: Your Personal Data for Sale
Lithuania-based WhiteBridge AI scrapes personal information from social networks and compiles “reputation reports” sold to anyone willing to pay – including the subjects themselves. The service generates AI-powered reports containing personal data, photos, alleged personality traits, background checks, and suggested conversation topics.
Privacy group noyb filed a complaint with Lithuanian authorities, arguing WhiteBridge lacks valid legal basis under GDPR. Most concerning is WhiteBridge’s targeting of affected individuals with slogans like “this is kinda scary,” profiting from anxiety about their own unlawfully collected data. Under Article 15 GDPR, individuals have the right to free data copies, yet WhiteBridge charges for access.
To protect yourself, carefully review and restrict social media privacy settings to limit public visibility. Regularly audit publicly accessible information and remove content where possible. Exercise your GDPR rights by submitting data access and deletion requests. Be cautious about creating extensive digital footprints, and consider pseudonyms for online activities.
Learn more:
Whitebridge.ai: your personal data is for sale to you and anyone (noyb)
Whitebridge AI faces complaint over reputation reports (The Register)
EU Chat Control Proposal Halted – A Win for Privacy
The European Parliament has halted the Chat Control proposal, which would have mandated mass scanning of private messages across encrypted messaging apps. This significant victory was driven by strong opposition from privacy advocates, digital rights organisations, and businesses concerned about the erosion of encryption and secure communication.
Mailfence actively participated in this fight, helping to rally companies to oppose the legislation and defend end-to-end encryption. The proposal would have created surveillance infrastructure, undermining the security architecture protecting billions of users worldwide. Whilst the pause is temporary, it represents a crucial moment for reassessing how to balance child protection objectives with fundamental privacy rights.
To safeguard your communications, continue using services with genuine end-to-end encryption. Stay informed about regulatory developments and support organisations defending digital rights. Privacy is a collective endeavour – the more people use secure communication, the stronger our defence of these rights becomes.
Continue reading:
Chat Control on hold, Europe’s Eastern flank remains passive (Euronews)
Former Meta Lobbyist Joins Irish Data Protection Commission
Niamh Sweeney, a former senior Meta lobbyist, was appointed as commissioner to the Irish Data Protection Commission (DPC) in October 2025, sparking widespread controversy. The DPC serves as the EU’s lead privacy regulator for major US technology companies including Meta, Google, and Microsoft – all headquartered in Ireland.
Sweeney spent over six years at Meta in senior policy roles during major privacy controversies, including Cambridge Analytica. Meta currently has two cases on appeal with the DPC worth €390 million and €1.2 billion. Privacy group noyb sharply criticised the appointment, arguing it undermines the DPC’s independence when public trust is already fragile. The regulator has been notoriously pro-business, collecting only 0.6% of billions in fines issued.
To limit regulatory capture’s impact on your privacy, carefully review privacy settings and opt out of data sharing wherever possible. Support privacy-focused alternatives to Big Tech platforms and encrypted email providers. Engage with digital rights organisations that hold regulators accountable, and make your voice heard through public consultations on privacy matters.
Read more:
Privacy groups criticise appointment of former Meta lobbyist to data protection watchdog (The Irish Times)
Social Media Surveillance Escalates in US and UK
October 2025 saw significant legal challenges to expanding social media surveillance programmes. Three major US labour unions filed a lawsuit against the Trump administration, alleging the use of artificial intelligence to conduct mass surveillance of visa holders’ social media. The Electronic Frontier Foundation represents the unions in this groundbreaking case.
The lawsuit claims the government deploys AI to scan social media at scales impossible with human review, targeting constitutionally protected speech by noncitizens lawfully present in the US. Immigration and Customs Enforcement has reportedly spent over $1.4 billion on surveillance technology, including facial recognition and automated content analysis. The UK also engages in social media monitoring for countering extremism.
To mitigate surveillance risks, carefully consider what you post publicly and adjust privacy settings. Use end-to-end encrypted messaging for sensitive communications rather than public platforms. Support organisations like the EFF that challenge unlawful surveillance. Remember that surveillance programmes often chill free speech, so staying informed about your rights is crucial.
Continue reading:
Labor Unions, EFF Sue Trump Administration to Stop Ideological Surveillance of Free Speech Online (Electronic Frontier Foundation)
The Trump Administration’s Increased Use of Social Media Surveillance (Schneier on Security)
Recommended Reading
- List of Recent Data Breaches in 2025 (bright defense)
- Cybersecurity & Privacy News and Analysis (Law360)
- Secure Email Hosting: Your Guide to Private Email (Mailfence Blog)
- 6 Essential GDPR Compliance Best Practices for Email Security (Mailfence Blog)
- Gmail vs Mailfence: A Full Comparison Guide (Mailfence Blog)
That’s All for This Month’s Newsletter!
Privacy challenges continue to evolve, requiring constant attention and informed action. The events of October 2025 underscore both the vulnerabilities in our current systems and the importance of continued advocacy for robust privacy protections. We hope these insights equip you to better protect your digital life. Stay vigilant, stay informed, and we’ll see you next month with more updates from the privacy and cybersecurity frontline.
Best,
Patrick
Get the latest privacy news in your inbox
Sign up to the Mailfence Newsletter.