The State of Identity - January 10, 2025
In case you missed it, here’s a recap of some exciting news and developments this week impacting identity and fraud, cybersecurity, trust and safety, financial crimes compliance, and privacy and consent management.
🪄 Innovation and New Technology Developments
Texas Lottery Implements Mandatory ID Scans for Age Verification at Self-Serve Vending Machines
The Texas Lottery Commission has introduced mandatory age verification for purchasing lottery tickets from self-serve vending machines, requiring buyers to scan a government-issued photo ID. This measure, implemented using the American Association of Motor Vehicle Administrators verification system, ensures compliance with the 18-and-over age requirement. The Commission assures that no data is collected or stored during the process, emphasizing that it is solely for age verification. (Source)
India's Draft Digital Personal Data Protection Rules, 2025: Age Verification, Parental Consent, and Data Oversight Under Scrutiny
India's draft Digital Personal Data Protection Rules, 2025, by MeitY, require age assurance and parental consent for minors under 18 to access social media. Platforms must verify parental identity via government sources like DigiLocker, but the rules lack clarity on age verification methods, excluding tools like biometric facial estimation. The rules mandate data breach notifications and dormancy-based data deletion, and establish a Data Protection Board with penalties up to ₹2.5 billion (~$29.2M). Critics, including the Internet Freedom Foundation, cite transparency issues and limited regional language access. Public comments are invited until February 18, 2025. (Source)
Telegram Introduces Third-Party Verification, NFT Gifts, and Enhanced Search for Safer, Interactive Platform Experience
Telegram has launched a third-party account verification system, enabling verified organizations, such as food-quality regulators or educational consortiums, to authenticate accounts with unique logos instead of blue checkmarks. This decentralized model aims to combat scams and misinformation while raising safety standards on social platforms. Other updates include NFT-based gifts created with Telegram Stars, tradeable on external platforms, new message search filters for chats, groups, and channels, expanded cryptocurrency monetization options, and emoji reactions for service messages to boost user engagement. (Source)
Pakistan Introduces Biometric Registration for Children to Enhance Security and Digital Identity Systems
Pakistan has introduced biometric registration for children aged 10 to 18 as part of civil registry updates. Starting January 1, 2025, the Child Registration Certificate (CRC) will feature fingerprint biometrics and facial photos, enhancing passport applications and security. Initiated by Federal Interior Minister Mohsin Naqvi, the measure aims to curb fraud, combat human trafficking, and improve services via the Pak ID mobile app. Future plans include adding iris scans and linking NADRA’s database with Union Councils for a unified digital ID system. (Source)
India's MOSIP Seeks Collaboration with SADC to Strengthen Digital Identity Systems Across Southern Africa
India’s Modular Open-Source Identity Platform (MOSIP) is working with the Southern African Development Community (SADC) to enhance identification systems across its 16 member states. The platform enables governments to create scalable, customizable identity systems without vendor lock-in. MOSIP has collaborated with South Africa, is engaging Zambia, and is being considered by Nigeria for its digital identity system. Inspired by the EU’s Digital Identity Wallet, MOSIP prioritizes secure data transfer and user consent in its digital identity framework. (Source)
💰 Investments and Partnerships
TransUnion to Fully Acquire UK-Based Credit Platform Monevo, Boosting Consumer Credit Solutions
TransUnion has signed a definitive agreement to acquire the remaining ownership of Monevo, a UK-based credit prequalification and distribution platform, after initially acquiring a 30% stake in 2021. The transaction, expected to close by Q2 2025 pending regulatory approvals, will be funded with existing cash-on-hand and is not projected to materially impact TransUnion's 2025 financial performance. The acquisition aims to enhance both companies' value propositions by offering optimised credit solutions at scale and expanding their direct-to-consumer strategy in the U.S. and UK. Monevo’s platform connects over 150 global lenders and publishers, allowing consumers to compare tailored credit offers, improving approval visibility and minimizing credit score impact from unnecessary searches. (Source)
1Password Acquires Trelica to Enhance SaaS Access Management and Strengthen Extended Access Platform
TransUnion has agreed to acquire full ownership of Monevo, a UK-based credit prequalification and distribution platform, after acquiring a 30% stake in 2021. The deal, expected to close by Q2 2025 pending regulatory approvals, will be funded with existing cash and is not anticipated to significantly affect TransUnion's 2025 financial performance. The acquisition aims to scale optimized credit solutions and expand direct-to-consumer offerings in the U.S. and UK. Monevo’s platform connects over 150 global lenders and publishers, enabling consumers to compare tailored credit offers with improved approval transparency and reduced credit score impact from unnecessary searches. (Source)
ClearScore Acquires Aro Finance to Strengthen Embedded Finance and Secured Loan Offerings
ClearScore Group has acquired Aro Finance Ltd to expand into embedded finance and secured loan broking, leveraging partnerships with major UK retailers like Argos, Very.co.uk, and Asda. This acquisition combines Aro’s lending marketplace capabilities with ClearScore’s platform, enhancing borrowing options and integrating the Group’s debt consolidation tool, "Clearer," which directly settles consumer debts. Following its 2022 acquisition of Money Dashboard, ClearScore has bolstered its open banking expertise to improve underwriting and risk management. Pending FCA approval, Aro’s Manchester team will join ClearScore, advancing its strategy to diversify offerings and serve its 24 million global users. (Source)
⚖️ Policy and Regulatory
EU General Court Fines European Commission for GDPR Breach in Landmark Ruling
The EU General Court has fined the European Commission €400 ($412) for violating its own data protection laws, marking a precedent-setting decision. The Commission unlawfully transferred a German citizen’s personal data, including their IP address, to Meta Platforms in the U.S. without proper safeguards. The breach occurred when the citizen used the "Sign in with Facebook" feature on the EU login webpage to register for a conference. This ruling underscores the EU’s commitment to enforcing GDPR compliance, which has previously resulted in fines for major companies like Meta and LinkedIn. (Source)
U.S. Defense Department Expands Chinese Military Companies List to Include Biometrics and Tech Giants
The U.S. Department of Defense has updated its Section 1260H list of Chinese military companies, adding firms like Cloudwalk, Dahua, Hikvision, Huawei, Tencent, Yitu, and SenseTime for their dual-use technologies supporting China's military. While the listing has no immediate legal impact, it raises the risk of sanctions and has caused market disruptions, including stock declines. Some firms, such as Dahua and Hikvision, face allegations of involvement in Xinjiang human rights abuses, while others, like Tencent and SenseTime, deny military ties. Megvii was removed from the list, which China criticized as exaggerating the "China threat" for national security purposes. (Source)
Rivers Casino Philadelphia Faces Lawsuits Over Major Data Breach Exposing Sensitive Employee and Customer Information
Rivers Casino Philadelphia, operated by Rush Street Gaming, faces legal scrutiny after a November 2024 data breach exposed sensitive employee and customer information, including Social Security numbers and bank details. Disclosed in December, the breach has prompted lawsuits, including a class-action complaint citing negligence and weak data security. Critics claim the casino's response was delayed and inadequate, with victims reporting phishing and fraud. The incident underscores growing cybersecurity concerns in the gaming industry, a prime target for hackers due to its valuable data. (Source)
SEBI Fines Stockholding Services ₹9 Lakh for Systemic KYC Violations and Data Discrepancies
SEBI fined Stockholding Services Ltd ₹9 lakh for multiple KYC violations, including listing 1,103 clients aged 34-100 as "dependent children." Inspections uncovered issues like mismatched contact details, incorrect bank information, and the use of authorized persons' contact details instead of clients'. While the brokerage attributed errors to outdated practices and client confusion, it updated 947 accounts and suspended 156. SEBI stressed the systemic nature of the violations and the importance of robust KYC norms for transparency and preventing illegal activities. (Source)
Washington State Sues T-Mobile Over 2021 Data Breach That Exposed Millions' Personal Information Due to Alleged Cybersecurity Failures
Washington State has sued T-Mobile over a 2021 data breach that exposed sensitive information of over 79 million customers. The lawsuit alleges failure to address known cybersecurity weaknesses, inadequate customer notification, and misrepresentation of data protection measures. Exposed data included names, Social Security numbers, and driver’s license details, some of which surfaced on a cybercriminal forum. The suit cites technical flaws like weak credentials, no login rate-limiting, and poor monitoring. T-Mobile disputes the claims, calling the lawsuit unexpected and expressing willingness to engage in further discussions. (Source)
China-Linked Hackers Breach U.S. Treasury in Cyberattack, CISA Finds No Evidence of Wider Federal Intrusion
CISA reported no evidence of U.S. federal agencies being hacked beyond the Treasury Department in a December cyberattack. China-backed hackers accessed Treasury employee workstations and unclassified documents using a stolen private key from vendor BeyondTrust. The method of theft remains unclear, but the hackers targeted the global sanctions office. China denies involvement, while CISA continues monitoring and coordinating the response. (Source)
InfoCert Data Breach Exposes 5.5 Million Users' Personal Data Amid Third-Party Supplier Vulnerability
Italian digital identity provider InfoCert suffered a data breach affecting 5.5 million customers, with stolen data, including names, tax codes, and contact details, appearing on the dark web. The breach stemmed from a third-party supplier, not InfoCert’s systems, and no passwords or service credentials were compromised. InfoCert, part of the Tinexta Group and managing 1.8 million SPID identities, disclosed the incident before removing the notice and is investigating while reporting to authorities. The breach underscores cybersecurity challenges in the digital identity sector amid rising threats. (Source)
U.S. Sanctions Chinese Firm Integrity Tech Over Alleged Cyber Espionage Links to Flax Typhoon
The U.S. sanctioned Beijing-based Integrity Technology Group, linked to China-backed hacking group Flax Typhoon, for aiding cyberattacks on U.S. entities, including critical infrastructure, universities, and media. Between 2022 and 2023, Integrity Tech allegedly operated a botnet of 260,000 devices to hide Flax Typhoon's activities, dismantled by the FBI in September 2024. The sanctions follow a December cyberattack on the Treasury Department’s OFAC, attributed to China-backed hackers, potentially exposing sensitive sanctions-related data. The U.S. has labeled Chinese cyber actors a persistent national security threat. Integrity Tech has not responded to the allegations. (Source)
Hong Kong Police Bust AI-Powered Deepfake Syndicate Behind $4.4 Billion Global 'Pig Butchering' Scams
Hong Kong authorities dismantled a syndicate using AI deepfakes and dating apps to defraud victims in Taiwan, Singapore, and Malaysia, stealing over HK$34 million. Operating from Kowloon Bay, 31 suspects were arrested, and HK$100 million in assets, including cash and luxury goods, was seized. The group used face-swapping technology to create fake personas, luring victims into romantic relationships and convincing them to invest in fraudulent cryptocurrency platforms. Victims were blocked from withdrawing funds under pretexts like taxes, a hallmark of "pig butchering" scams. The operation, involving extensive money laundering, was led by the Commercial Crime Bureau. (Source)
Apple Settles $95 Million Lawsuit Over Siri Privacy Violations and Unintentional Recordings
Apple has agreed to a $95 million settlement to resolve a class-action lawsuit alleging Siri violated user privacy by unintentionally recording conversations and sharing them with third parties, including advertisers. Filed in October 2023 in Oakland, California, the settlement awaits approval from US District Judge Jeffrey White. The lawsuit claims Siri's accidental activations led to targeted ads based on overheard discussions, covering a class period from September 2014 to December 2024, spanning the "Hey, Siri" feature's release. (Source)
U.S. Court Rules FCC Lacks Authority to Reinstate Net Neutrality, Shifting Focus to State Laws and Congress
A U.S. appeals court ruled that the FCC cannot reinstate net neutrality rules, citing the Supreme Court's Loper Bright decision limiting federal agency powers. The decision blocks Biden administration efforts to restore open internet principles but leaves state-level rules, like California’s, intact. FCC Chair Jessica Rosenworcel called on Congress to legislate net neutrality, while industry leaders and former FCC Chair Ajit Pai praised the ruling, favoring investment over federal oversight. The decision may hinder federal internet regulation, though further legal action is possible. (Source)