TL;DR:

  • IRS broke law “approximately 42,695 times” sharing taxpayer data with ICE. Federal judge finds IRS disclosed addresses without proper verification. In thousands of cases, ICE submitted requests with “Failed to Provide” or “NA NA” as addresses.
  • Milwaukee Sheriff negotiating facial recognition deal police just banned. Days after MPD halted its Biometrica contract, the Sheriff’s office signed a letter of intent with the same company. Same county, different rules.
  • Odido hackers publish 680,000 records, demand €1M+ ransom. ShinyHunters releasing Dutch telecom customer data in waves. Threaten 16 more days of leaks if ransom unpaid.
  • FISA 702: 52 days until warrantless surveillance law expires. Clean extension vs. SAFE Act reform showdown approaching. Administration still hasn’t taken a public position.
  • Mississippi hospital ransomware: Day 8. UMMC clinics remain closed. No word on patient data exfiltration.

IRS Violated Law 42,695 Times Sharing Immigrant Data with DHS

A federal judge dropped the number Thursday: 42,695 illegal disclosures of confidential taxpayer information to immigration enforcement.

U.S. District Judge Colleen Kollar-Kotelly found the IRS broke federal law when it shared addresses with ICE last August. The violations? IRS staff didn’t verify that ICE actually provided valid addresses before cross-referencing the data, a requirement under the Treasury-DHS data-sharing agreement signed in April by Secretary Scott Bessent.

How sloppy was ICE’s request data? Court filings reveal addresses submitted as "Failed to Provide," "Unknown Address," or just "NA NA." Thousands of requests lacked street names or numbers entirely.

DHS requested data on 1.2 million individuals. IRS provided information on roughly 47,300. Of those, 42,695 were disclosed without proper verification.

Acting IRS Commissioner Melanie Krause already resigned over this. A Massachusetts federal judge ordered the IRS to stop sharing data with DHS and ICE. The DC Circuit refused to block it. The legal firewall protecting taxpayer confidentiality has collapsed, and now the courts are fighting over the debris.

Sources: Washington Post, PBS, WSLS

Our coverage: IRS-ICE Data Sharing Saga

Milwaukee Sheriff Moves on Facial Recognition Despite Police Ban

Milwaukee Police Department halted facial recognition use in early February after public outcry. The same county’s Sheriff is moving forward anyway.

Milwaukee County Sheriff’s Office signed a letter of intent with Biometrica, the exact company MPD just walked away from. The Sheriff’s office is in “early drafting stage” negotiations to join Biometrica’s UMbRA face biometrics database.

The backstory: MPD was set to trade 2.5 million booking photos in exchange for free Biometrica access. Then the department admitted it had already been using facial recognition without public disclosure. The Fire and Police Commission pushed back. Chief Jeffrey Norman issued a moratorium.

Days later, the Sheriff’s office started negotiations with the same vendor. Any deal needs the Milwaukee County Executive’s approval, so there’s still a checkpoint. But the message is clear: ban it in one department, it routes around to another.

The ACLU of Wisconsin is demanding accountability. Critics point out that facial recognition misidentification rates are highest for people of color, a particular concern in Milwaukee.

Sources: Biometric Update, Urban Milwaukee, ACLU Wisconsin

Dutch Telecom Hackers Release 680K Records, Threaten 16 More Days of Leaks

The ShinyHunters ransom deadline for Odido expired. Now they’re publishing customer data in batches.

The Dutch telecommunications company confirmed 6.2 million accounts were compromised in the February 7 breach. ShinyHunters started with 680,000 records on the dark web this week, demanding over €1 million. Their warning: more data drops over the next 16 days if Odido doesn’t pay.

The exposed data is extensive: names, phone numbers, email addresses, dates of birth, bank account numbers (IBANs), passport numbers, driver’s license details. Internal notes about “financially vulnerable customers” were also leaked.

Scammers are already exploiting the breach. Fake compensation websites targeting Odido customers have appeared. The Dutch Public Prosecution Service opened a criminal investigation, but ShinyHunters operates outside easy jurisdictional reach.

ShinyHunters has been on a tear: Wynn Resorts, CarGurus, Figure Technology, TransUnion. Their technique is consistent: vishing attacks that social-engineer past SSO protections. The Odido breach appears to follow the same playbook.

Sources: NL Times, BleepingComputer, The Record

Related: ShinyHunters’ SSO Campaign | Odido Breach: Initial Coverage

FISA 702: 52 Days to Sunset

Section 702 expires April 20. Congress is nowhere near consensus. The administration hasn’t publicly committed to renewal.

The battle lines are drawn. The SAFE Act (S.3394), introduced by Senators Durbin and Lee, would require a FISA court order before agencies can read Americans’ communications swept up under 702. Ten bipartisan co-sponsors. Civil liberties groups endorsing from all sides.

On the other side: intelligence agencies insisting 702 is critical infrastructure. FBI privately warning against any lapse. The same arguments that narrowly preserved 702 in April 2024 when the warrant requirement lost 212-212.

New wrinkle this time: ICE’s deportation operations. Immigration enforcement’s access to surveillance data has shifted the political calculus. Some members who supported 702 before are asking harder questions now.

Director of National Intelligence Tulsi Gabbard previously said warrants “should generally be required” before reading Americans’ collected data. Whether that position survives administration deliberations remains unclear.

The White House convened top-level meetings February 11. CIA Director Ratcliffe, DNI Gabbard, Joint Chiefs Chairman Caine, and the White House Chief of Staff attended. No public statement followed.

Sources: Nextgov, Brookings, CRS Report

Our coverage: What the SAFE Act Would Change | 702 Countdown

Quick Hits

UMMC ransomware: Day 8. Clinics at Mississippi’s largest hospital system remain closed. Staff on paper documentation. FBI and DHS investigating. No confirmation yet on whether patient data was stolen. Experts say recovery could take “weeks to months.” [Mississippi Today] [Full coverage]

Oklahoma one signature from privacy law #21. SB 546 passed the House 84-4. If Governor Kevin Stitt signs, Oklahoma joins 20 states with comprehensive privacy protections. The bill takes effect January 1, 2027. No universal opt-out signal. No private right of action. But companies will face enforcement for violations. [IAPP]

Meta Name Tag: FTC investigation requested. EPIC sent letters to FTC and state attorneys general requesting investigation into Meta’s planned facial recognition feature for Ray-Ban smart glasses. The feature would identify strangers in real time. During a social media trial, a judge ordered Ray-Ban glasses removed over concerns about jury identification. Meta admits it timed the announcement for a “dynamic political environment.” [Biometric Update]

California surveillance pricing investigation expands. AG Rob Bonta sent inquiry letters to grocers, hotels, and retailers about using personal data to set individualized prices. The FTC found some companies track consumer behavior for targeted pricing. If you’re getting different prices than your neighbor for the same item, that’s surveillance pricing, and California is cracking down. [Troutman Pepper]

NATO advancing “Future Surveillance Capability.” Allies agreed Wednesday to move to the next stage of a multi-domain surveillance project connecting ground, air, maritime, and space assets. The initiative redefines how NATO will “effectively conduct multi-domain surveillance and tactical control” using a “system of systems” architecture. [NATO]

What to Watch

  • March 3 DHS oversight hearing: Senate Judiciary Committee questioning DHS. ICE surveillance, biometrics, border enforcement all likely topics.
  • March 5 Penlink deadline: Congress demanded briefing on ICE’s warrantless phone tracking. Six days left.
  • Oklahoma governor deadline: Stitt must act on SB 546 soon.
  • Odido data releases: ShinyHunters threatening 16 days of leaks. Watch for escalation.
  • UMMC data disclosure: If patient records were exfiltrated, notification letters are coming.
  • Milwaukee County Executive: Will they sign off on Sheriff’s Biometrica deal?

Surveillance Law Countdown

FISA Section 702 expires in 52 days (April 20, 2026). The SAFE Act offers a clean path to reform. Clean extension without warrant requirements means another two years of warrantless American communications collection. Understand what’s at stake.

References

  1. Washington Post - IRS Broke Law 42,695 Times
  2. Biometric Update - Milwaukee Sheriff Biometrica
  3. NL Times - Odido Ransom Demand
  4. Nextgov - FISA 702 White House Meeting
  5. Mississippi Today - UMMC Recovery Timeline
  6. IAPP - Oklahoma Privacy Bill
  7. NATO - Future Surveillance Capability