Data incidents and vulnerabilities

Several recent incidents underline persistent operational risk: Google agreed to a roughly $134M Android data-transfer settlement, Microsoft disclosed an outdated Android SDK flaw that may have exposed over 50 million users (including reports the bug threatened tens of millions of crypto-wallet installs), and Figure Lending is facing a breach that impacts nearly one million users. Taken together, these cases show old attack surfaces and telemetry practices still creating large legal and reputational exposure. (wpxi.com, techradar.com, coinpedia.org, PR Newswire)

Three separate cases landed within weeks of each other, and none of them involved some futuristic hack. One was background phone traffic, one was an old software kit inside Android apps, and one was a lender’s customer database. (wpxi.com, microsoft.com, prnewswire.com)

Google agreed to a roughly $134 million settlement after Android users said their phones sent data to Google over cellular connections without permission, even when the devices were idle. The case is Taylor v. Google LLC, and WPXI described it as the largest payout in a conversion case. (wpxi.com, courtlistener.com) That case was not about a stranger breaking in. It was about a company allegedly using customers’ paid cellular data in the background for its own data transfers, which turns an ordinary phone bill into part of the dispute. (wpxi.com, topclassactions.com)

The Microsoft case was a different kind of problem: a software development kit, which is a bundle of prebuilt code app makers plug in like a spare part, carried a flaw that could let one app steer another app into exposing data. Microsoft said the vulnerable component was a third-party Android kit called EngageSDK. (microsoft.com, techradar.com) Microsoft said the bug was an intent-redirection flaw, which in Android is like tricking a receptionist into forwarding a private envelope to the wrong desk. The company said the issue put sensitive data at risk across more than 50 million app installs. (microsoft.com, techradar.com)

Crypto wallet apps were a big part of that exposure because many of them relied on the same kit. Microsoft’s post said millions of Android wallet installs were in scope, and Coinpedia reported the total at about 30 million wallet installs. (microsoft.com, coinpedia.org) The key detail is age. Microsoft said the vulnerable version was EngageSDK 4.5.4, which means the danger sat inside apps as a dependency, the same way a bad bolt can sit inside thousands of cars long after the factory stops thinking about it. (microsoft.com)

Then there is Figure Lending, where the issue was not hidden phone traffic or a buggy app component but a breach notice tied to customer records. A PR Newswire release about litigation said the incident affected at least 967,000 users of Figure Lending Corp and related subsidiaries. (prnewswire.com) Figure is not a tiny app nobody has heard of. Its own site says it is the number one non-bank home equity line of credit lender in the United States, so a breach there reaches people applying for loans, sharing identity documents, and linking financial accounts. (figure.com)

Put together, these stories point to the same operational problem: companies keep getting hit by the parts users never see. Background telemetry, old third-party code, and stored financial records all live below the surface, but each one can still produce court cases, security advisories, and breach fallout with eight-figure or million-user consequences. (wpxi.com, microsoft.com, prnewswire.com)
