TL;DR:

  • ShinyHunters dumped 2.2 million records from Harvard and UPenn after both universities refused to pay ransom: emails, phone numbers, donation histories, alumni bios all exposed
  • Milwaukee votes TODAY on whether police can trade 2.5 million mugshots for "free" access to Biometrica's facial recognition system
  • ICE and FBI are using facial recognition to monitor protesters: documented in Minneapolis raids, backed by ACLU lawsuit alleging unprecedented domestic surveillance
  • GEO Group pivots from prisons to surveillance: $121 million ICE contract for skip-tracing immigrants, plus ankle monitors, smartwatches, and tracking apps
  • ShinyHunters also hit Match Group: 10 million records from Hinge, OkCupid, and Match.com leaked including phone numbers and emails

ShinyHunters Dumps 2 Million Ivy League Records

Harvard and UPenn refused to pay. Now 2.2 million people are paying the price.

On February 4, the ShinyHunters extortion group published stolen data from both universities on their leak site. Harvard's dump: 1.1GB covering roughly 1.1 million records. UPenn: 483MB with another million-plus. The data includes email addresses, phone numbers, home addresses, business addresses, event attendance records, donation histories, and detailed alumni biographical information.

Harvard confirmed in December 2025 that attackers accessed their alumni affairs systems. The attack vector? Voice phishing. Someone called administrative staff, talked their way in, and walked out with alumni data going back years. The stolen records include a list of "top donors": names, contact info, and giving histories of the university's biggest financial supporters.

UPenn's breach followed the same playbook. ShinyHunters also grabbed admissions data and information about prospective students and their parents.

This is the same group that hit over 100 companies through Okta SSO attacks earlier this year. They've been busy: SoundCloud (29.8 million records), Panera Bread (5.1 million), and now two of America's most prestigious universities.

If you're a Harvard or UPenn alum, donor, prospective student, or family member of any of the above, assume your information is now public. The data is already circulating.

Sources: TechCrunch, Bank Info Security, InfoStealers

Milwaukee Votes Today: 2.5 Million Mugshots for "Free" Facial Recognition

The Milwaukee Fire and Police Commission meets today to decide whether the city's police can trade their mugshot database for access to Biometrica's facial recognition technology.

The deal: MPD hands over 2.5 million mugshots collected over decades. In exchange, they get "free" access to Biometrica's face-matching system. The company gets to add Milwaukee's mugshots to its database, and it can then sell access to that database to other departments.

In May 2025, 11 of Milwaukee's 15 council members signed a letter urging the police chief to reject facial recognition expansion. They cited misidentification risks (which hit women and people of color hardest) and erosion of public trust. Alderman Marina Dimitrijevic says opposition has only grown since then.

The Wisconsin Bail Out the People Movement organized community opposition. The League of Women Voters of Milwaukee County raised concerns. The ACLU of Wisconsin called on the Milwaukee County Sheriff to decline the technology entirely.

MPD's argument: facial recognition has helped generate leads in homicides. The department says it would use the technology "carefully" as one tool among many.

We've covered Milwaukee's facial recognition fight before. Today's vote determines whether the city's mugshot archive becomes fuel for a commercial surveillance database.

Sources: Wisconsin Bail Out the People Movement, Milwaukee NNS, ACLU of Wisconsin

ICE and FBI Are Using Facial Recognition to Monitor Protesters

Federal agents aren't just using facial recognition to find undocumented immigrants. They're using it to track U.S. citizens who show up to protest.

Biometric Update reported in early February that ICE and FBI have expanded facial recognition deployment to anti-ICE protest investigations. The ACLU's response: a report titled "Face Recognition and the Trump Terror: A Marriage Made in Hell."

During the Minneapolis ICE raids in January, agents deployed what the ACLU lawsuit describes as an "unusually dense mix of biometric, social media, and data-analytics tools." Democracy Now documented ICE agents filming protesters and immigrants alike as part of what they called a "massive facial recognition push."

The tools: Mobile Fortify (the DHS app accessing 1.2 billion face images), Palantir's data integration platform, small surveillance drones, and license plate readers. All of it pointed at people exercising their First Amendment rights.

ICE leadership has explicitly asserted the authority to monitor "anti-ICE protester networks" (including citizens with no immigration connection) using "all available tools."

The Washington Post's interactive investigation mapped the surveillance arsenal. The pattern is clear: technology built for immigration enforcement is being deployed against domestic political activity.

Sources: Biometric Update, Washington Post, Democracy Now

GEO Group: From Private Prisons to Surveillance Empire

The private prison company is reinventing itself, and the new business model is tracking immigrants.

Bloomberg reported February 4 that GEO Group has become ICE's largest contractor, winning over $800 million in business in 2025 alone. The growth isn't coming from new prison beds. It's coming from surveillance technology.

Under a two-year, $121 million contract, GEO subsidiary BI Incorporated provides "skip tracing" services to ICE. Corporate investigators use surveillance to track immigrants to their homes and workplaces so federal agents can make arrests. Debt collector methodology applied to human beings.

BI Incorporated also supplies the hardware: GPS ankle monitors, voice recognition check-ins, smartwatch trackers, and mobile apps that turn immigrants' phones into monitoring devices. Industry analysts estimate GEO's surveillance business could generate $700 million through 2026.

The company has evolved from warehousing people to hunting them. Same customers, different product line.

Sources: Bloomberg, Jersey Vindicator, The Intercept

ShinyHunters Hit Dating Apps: 10 Million Hinge, OkCupid, Match Records

Your dating profile might be public now.

ShinyHunters claimed a breach of Match Group, the company that owns Tinder, Hinge, OkCupid, and Match.com. The stolen data: 1.7GB of compressed files allegedly containing 10 million records plus internal company documents.

The attack method: a compromised Okta SSO account that gave access to Match Group's AppsFlyer marketing analytics and cloud storage. The exposed data includes phone numbers, email addresses, user IDs, and IP addresses from Hinge, Match, and OkCupid users.

Match Group says login credentials, financial information, and private messages weren't accessed. Cold comfort if your dating profile data is now linked to your real identity.

ShinyHunters used the same Okta SSO attack pattern they deployed against over 100 companies earlier this year. They're not breaking sophisticated security. They're social engineering their way through identity providers.

Sources: Bleeping Computer, The Register, Malwarebytes

Regulators Actually Doing Something

GM/OnStar settlement finalized: The FTC finalized its order on January 14. GM can't sell geolocation or driving behavior data to consumer reporting agencies for five years. They must get explicit consent before collecting vehicle data, give consumers data access and deletion rights, and let people disable location tracking. The settlement came after the New York Times exposed GM selling driver data to LexisNexis and Verisk, which then used it to hike insurance rates.

Kaiser Permanente $46 million settlement: Claims are now open if you're a Kaiser member in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, or DC who used their websites or apps between November 2017 and May 2024. Kaiser's sites used tracking code from Google, Meta, Microsoft, and Twitter that transmitted health information without consent. File by March 12 at kaiserprivacysettlement.com. Payouts estimated at $20-40 per person.

Sources: FTC - GM Settlement, CBS News - Kaiser Settlement

TikTok Privacy Policy Backlash Intensifies

TikTok's new American owners updated the privacy policy. Users actually read it. They're deleting the app in record numbers.

Sensor Tower data shows daily U.S. uninstalls surged to nearly 2.5 times the average over the previous three months. The trigger: TikTok's January 2026 policy update explicitly states the app may now collect "precise location" data if you have location services enabled. The previous policy said it didn't collect GPS data from U.S. users.

The policy also lists what TikTok might collect: racial or ethnic origin, religious beliefs, health diagnoses (mental and physical), sexual orientation, gender identity, citizenship status, immigration status, financial information, and government IDs.

We covered the immigration status angle when the policy first dropped. The backlash has only grown as more users encounter the mandatory acceptance prompt.

Sources: CBS News, Biometric Update, Storyboard18

What to Watch

  • Milwaukee FRT vote: Results expected this evening. We'll have an update.
  • FISA Section 702: 59 days until the warrantless surveillance authority sunsets on April 5. Reauthorization fight heating up.
  • UK facial recognition consultation: Ends February 12. The government wants 50 live FRT vans deployed nationwide.
  • Google Dark Web Report shutdown: February 16. Set up alternative monitoring now.
  • Kaiser settlement deadline: March 12 to file a claim.
  • TSA facial recognition expansion: 65 airports by spring. You can opt out. Know your rights.

What You Can Do Today

  • Harvard/UPenn alumni: Assume your data is exposed. Monitor your credit and change passwords on any accounts using university email addresses.
  • Milwaukee residents: The Fire and Police Commission meets at City Hall today. Public comment matters.
  • Dating app users: Check if your Hinge/OkCupid/Match email is in the breach at Have I Been Pwned
  • Kaiser members: File your settlement claim at kaiserprivacysettlement.com before March 12
  • GM/OnStar users: Request your data and exercise your new deletion rights
  • TikTok users: Review what permissions you've granted in app settings. Consider whether the tradeoff is worth it.