September 2025 Privacy Pulse: Major Consumer Data Breaches

Privacy Failed in September: Data Brokers, Legal Setbacks, and the Breaches No One Stopped

The last five weeks have been marked by some of the most serious breaches and privacy shifts of 2025. Together, they show that the traditional security measures we once relied on—strong passwords, credit freezes, firewalls—are no longer enough. Personal data remains the fuel for cybercrime, and it continues to be exposed at alarming rates.

At mePrism Privacy, we believe individuals and organizations need to take active steps to reduce their online footprint, cut off the flow of data at its source, and lower the attack surface available to threat actors. The events this month make that case clearer than ever.

Major Consumer Data Breaches
(August 25 – September 30, 2025)

TransUnion Breach

• 4.4 million Americans were exposed when hackers infiltrated TransUnion through a compromised Salesforce integration.

• Data included Social Security numbers, names, and dates of birth.

• Attackers tied to the ShinyHunters group exploited weaknesses in third-party tools.

This breach highlights a growing trend: criminals do not always attack the core systems. They target vendors and applications that connect to those systems.

Scattered Spider and Criminal Alliances

• Scattered Spider, working with ShinyHunters, continues to evolve.

• In September, they claimed to be "going dark," but researchers uncovered fresh campaigns against financial and tech services.

• Their tactics rely heavily on data broker information to identify targets, enabling spear phishing and impersonation attacks.

Salesforce Supply Chain Campaign

• Major global firms including Google, Cisco, and Workday were affected.

• Attackers posed as IT staff, calling employees to trick them into installing malicious apps.

• Once installed, the apps provided deep and lasting access to customer records.

Retail and Luxury Sector Breaches

• Harrods: 430,000 customer records stolen.

• Kering (Gucci, Balenciaga): Customer identities, addresses, and purchase details exposed.

• Stellantis: Customer data breached via a third-party platform.

These incidents reinforce a critical truth: no industry is safe. Criminals go where the data and money flows.

Legal and Policy Shifts

Higher Bar for Privacy Lawsuits

The Ninth Circuit's Popa decision (August 26) raised the bar for consumers bringing privacy suits. Courts now require proof of concrete harm, not just statutory violations. This narrows legal recourse for victims.

Consent Strengthened

Courts in multiple states reaffirmed that consent is the strongest defense. If a company shows you agreed to terms of service or a privacy policy, your ability to sue is weakened.

Expanding State Privacy Laws

• Connecticut: Stronger consent requirements for sensitive data sales.

• Virginia: New protections for reproductive health data.

• Colorado: Expanded biometric protections with clear disclosure mandates.

Federal Retreat

The CFPB withdrew its proposed rule to regulate data brokers under the Fair Credit Reporting Act. Despite strong public support, federal oversight remains stalled.

The result: responsibility for protection continues to fall on individuals and organizations.

Why This Matters for You

Third-Party Risk

The TransUnion case proves even the most trusted companies can be breached through vendors. Your data does not just live where you gave it—it spreads across an invisible web of third-party systems.

Social Engineering

Groups like Scattered Spider exploit personal data to impersonate, trick, and defraud. The more they know about you or your employees, the more convincing they become.

Expanding Data Broker Market

The data broker industry is on track to reach $561 billion by 2029. As it grows, the odds that your data is bought, sold, or stolen increase. Manual opt-outs cannot keep pace with this scale.

Shrinking Legal Remedies

With courts tightening requirements and regulators stepping back, individuals have fewer legal protections when their data is misused.

The mePrism Privacy Model

At mePrism, we do not wait for breaches to happen. We reduce the odds of harm by:

• Removing personal data from over 600 data broker sites.

• Continuously scanning for re-emerging records and deleting them again.

• Offering privacy controls for major social media platforms.

• Providing dark web monitoring and breach alerts.

This model cuts off attackers during the intelligence-gathering phase, making phishing, impersonation, and fraud harder to execute.

For organizations, this means protecting employees, reducing liability, and making social engineering attacks less effective.

Spotlight: Healthcare Professionals and Institutions

Healthcare data remains one of the most targeted categories for cybercriminals. Patient records fetch high prices on the dark web, and healthcare professionals themselves are often targeted through personal data exposure.

Why this matters:

• Attackers use home addresses, family info, and contact details from data brokers to craft targeted phishing messages or even physical threats.

• Hospital systems are increasingly attacked through staff members rather than core IT infrastructure.

• Compliance requirements under HIPAA and state laws make reputational and legal consequences especially severe.

mePrism Privacy is proud to serve leading healthcare institutions, including Massachusetts General Brigham Hospital System. MGB uses our services to protect both employees and their families, reducing exposure and ensuring critical staff remain safe from cyber and physical threats.

For healthcare professionals, the stakes are not just financial—they are about patient safety and uninterrupted care.

Closing Thoughts

The events of the past month highlight a stark reality:

• Criminal groups are organized, well-funded, and persistent.

• Data brokers fuel their success.

• Legal protections are shrinking.

mePrism Privacy provides a way forward, helping individuals, employees, and organizations reclaim control over their data and reduce their exposure to threats.

The case is clear. Waiting is no longer an option.

Explore more from Our Team

Browse more posts written by our team to help you stay in control.