2025 in privacy, security, and AI

Were our 2025 predictions on the money, or did we get things horribly wrong? 2025 in review

Anthony Woodward

Founder/CEO

December 18, 2025
Get your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.


Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • PayPal accused of a significant breach of the GDPR
  • LastPass fined for a 2022 breach
  • How to talk to your Board about agentic AI

But first, we started the year with four big predictions for 2025. How did we do?

If you only read one thing:  

2025 in privacy, security, and AI. What did we get wrong?

It’s December, a time to look back over a big year in privacy, AI, and security, and reflect on lessons learned. Just as important, a chance to show how smart we are: did we see any of this coming? In January’s edition, we made a set of four predictions. Let’s go back, give each a grade, and see our success rate.

1. In the US, the patchwork of privacy laws continues its expansion – 4/5  

Prediction

“The incoming Trump administration is likely to loosen restrictions and enforcement at federal agencies like the Federal Trade Commission and the Federal Communications Commission...”  
“... More states will look to fill the gap by enacting comprehensive privacy laws, with a particular focus on protecting consumer health information.”  
“[There is] bipartisan support for a [federal] children’s online privacy law. The Kids Online Safety and Privacy Act – which passed in the Senate last year – is due to be reintroduced in the next Congress.”

How did we do?  

You're usually pretty safe betting against a federal privacy law in favor of the states, but this year there was a bit more to it. The core prediction that federal privacy would stall while states surged ahead was almost entirely correct. Congress did not pass a comprehensive federal privacy law in 2025, and the American Privacy Rights Act remained stalled, leaving the US without a national baseline and forcing businesses to navigate an even more fragmented environment.  

The situation in the states was more nuanced. Comprehensive privacy laws in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Jersey, New Hampshire, and Tennessee took effect during 2025. Meanwhile, nine states amended their existing laws during the year. However, this year was the first since 2020 that no new state comprehensive privacy law was enacted. Bills in Alabama, Georgia and Oklahoma stumbled at the last hurdle, and Massachusetts lawmakers entered their recess without having enacted a comprehensive privacy law, though it’s on the table for early 2026.

We end the year with federal children’s online safety legislation still undecided, though laws aimed at protecting children by requiring age verification on adult sites have spread to half of the US, the UK, and beyond.  

2. In Australia, more Privacy Act amendments may be made, just don’t call it “Tranche 2” – 3/5  

Prediction  

“It’s not a certainty that ‘Tranche 2’ [of Privacy Act amendments] will be brought forward. More likely, some of the recommendations approved by the government will be passed, including a ‘fair and reasonable’ test.”  

How did we do?  

We were half right. The broad package of changes from the 2022 Privacy Act Review remained mostly pending: the general “fair and reasonable” data handling test we expected to see, along with the other major reforms, was not enacted by year-end. One key item from Tranche 1 did unfold as expected: Australia’s new statutory tort for serious invasions of privacy commenced on 10 June 2025, and by October the first court decision applying it had been published. Where we missed was in overestimating the likelihood that even the smaller reforms, the “fair and reasonable” test among them, would pass in 2025.  

3. A surge in AI regulation and the “Brussels Effect” – 3.5/5  

Prediction  

“The EU’s AI Act went into force last year, but penalties will begin to bite in August. Most organizations will focus on GDPR compliance first.”
“As with privacy, we should expect a flurry of US states to enact their own AI laws.”
“At the federal level, expect President-elect Donald Trump to repeal President Biden’s executive order on AI, and wider AI policy, early in his term (maybe not Day One).”  

How did we do?  

The call that 2025 would be the year AI regulation would “bite” was strong. The EU AI Act moved to practical implementation. Many organizations explicitly treated existing GDPR programs and risk‑based governance as their starting point for AI compliance.  

Four US states enacted AI-specific laws or established AI task forces. At the federal level, AI policy remained tied to competition with China and national security. President Trump did rescind the prior administration’s AI executive order on his first day in office, so the “maybe not Day One” hedge was unnecessary; what followed, though, was less a single clean break than reinterpretation, selective rollback, and a set of competing initiatives.  

The one big miss? The new pivot towards regulatory “simplification”, with the European Commission last month proposing targeted changes to the GDPR, AI Act and related digital laws to reduce compliance burdens and streamline overlapping obligations, with an emphasis on promoting AI innovation.  

4. AI becomes a key ingredient in cyberattacks – 4.5/5  

Prediction  

“AI will be increasingly used in ransomware attacks and phishing, but also in devising zero-day vulnerabilities ... the rate of state-sponsored attacks shows no sign of slowing.”  

How did we do?  

We nailed it (sorry!). AI has indeed become deeply entwined in cyber threats, from phishing to ransomware and espionage. Attackers routinely use AI to generate convincing phishing emails and deepfake voices, and even to produce polymorphic malware that rewrites itself to evade signature-based detection.  

Meanwhile, state-sponsored cyberattacks continued. Nation-state hackers (from groups linked to China, Russia, Iran, North Korea, etc.) maintained a high tempo of attacks on government systems and critical infrastructure in 2025.

AI company Anthropic reported a campaign in which a suspected Chinese state-sponsored group used Anthropic’s AI coding tool Claude Code to target about 30 organizations worldwide, succeeding in a handful of cases. According to Anthropic, Claude Code carried out 80-90% of the operation on its own. Google has also reported on Russian military hackers using an AI model to generate malware targeting Ukrainian entities.

RecordPoint in 2025

Finally, a word on RecordPoint’s year. We don’t start the year with a compilation of predictions for the business, but if we did, it’s unlikely we’d have included the following highlights from the year:

  • RecordPoint customers would surpass 2 billion records under management
  • We’d roll out a free AI governance tool, RexCommand, helping organizations to operationalize their AI policy
  • We'd acquire a permissions assurance tool, Redactive, which will help customers manage oversharing and other permissions issues
  • And we’d make a splash at Microsoft Ignite, the company’s biggest conference, along with a paper airplane expert whose skills folding paper were only surpassed by an ability to draw a crowd

It’s been a big year, with many industries undergoing rapid change thanks to AI. Well done everyone for hanging in there. We’ll see you next year, with a fresh set of predictions (send us yours by replying to this email!) and, as always, the latest news and opinion.

🕵️ Privacy & governance

An expert report accused payment service provider PayPal of a significant breach of key provisions of the GDPR and the Payment Services Supervision Act.

Following on from this month’s editorial: three US states — Kentucky, Indiana and Rhode Island — will ring in the new year with consumer data privacy rules, joining 16 other states with comprehensive consumer privacy laws in force.

🔐 Security

🔓Breaches

British luxury carmaker Jaguar Land Rover confirmed payroll and personal data of thousands of current and former employees was stolen during a large-scale cyber attack that struck the company in August 2025.

A 16TB unsecured MongoDB database exposed about 4.3 billion professional records, mainly LinkedIn-style profile data, a ready-made dataset for large-scale, AI-driven social-engineering campaigns.

Japanese office supplies retailer Askul said that a ransomware cyberattack discovered in October led to the leakage of about 740,000 sets of data concerning individual customers, corporate clients and employees.

Google and Apple rolled out emergency security updates after zero-day attacks.

🧑‍⚖️ Legal cases & breach fallout

LastPass was fined £1.2 million last week by the United Kingdom’s privacy regulator for a data breach in 2022.

Why data movement remains an underrated risk.

Why is the retail industry a prime target for cyberattacks?  

🤖 AI governance

How to talk to the Board about agentic AI [audio interview].

Enterprises that embed governance from intake to deployment scale artificial intelligence faster than those that bolt it on afterward.

The latest from RecordPoint  

📖 Read

Reduce compliance risk today with automated information governance enforcement.

A guide to AI-driven governance in enterprises.

RecordPoint CTO Josh Mason was quoted in this piece on the EU privacy and AI law revamp, offering his take on whether companies should also give up on privacy and data/AI governance. (Hint: no.)

Both RecordPoint CEO Anthony Woodward and CTO Josh Mason were quoted in this piece in Forbes, focused on how the introduction of AI has made information governance vital for more than risk reduction.

🎧 Listen

Enterprises are cautious about AI for good reasons, but those who hesitate for too long are going to be left behind. In the latest episode of FILED, Anthony and Kris meet AI strategist, AI ethicist, and founder of Engage AI Jason Tan, who discusses the current state of AI adoption and the cautious stance of enterprises, compared with the proactive approach of startups.    
