Key developments
Croydon facial recognition trial yields arrests, survives challenge
Metropolitan Police said its six-month live facial recognition pilot on Croydon High Street ran from October 2025 to March 2026 using static cameras mounted on lampposts in 24 operations, with bespoke watchlists created within 24 hours and deleted afterward. The force reported 173 arrests, more than 470,000 people passing the cameras, one false alert, and claimed crime fell 10.5% overall and violence against women and girls 21%. Separate reporting said the High Court rejected a human-rights challenge by Shaun Thompson and Big Brother Watch's Silkie Carlo, keeping the Met's policy in place.
Why it matters
It strengthens police arguments for wider biometric surveillance while intensifying pressure for clearer privacy safeguards and statutory limits.
Sources & driving stories
BBC LONDON
BBC London coverageYAHOO
Yahoo coverageInstructure settles Canvas breach as lawsuits multiply
Instructure said it reached an agreement with the unauthorized actor behind the Canvas breach after the attack disrupted students and faculty during finals. The company said the stolen data was returned and it received digital confirmation that remaining copies were destroyed, but it acknowledged there is no way to guarantee permanent erasure; reporting tied the incident to ShinyHunters and said it could affect nearly 9,000 schools and 275 million people. ABC4 reported three class actions alleging weak security and delayed or incomplete breach notice.
Why it matters
A major education-platform breach is moving from incident response into litigation and scrutiny over vendor security and notification practices.
Sources & driving stories
KXAN
KXAN coverageABC4 · Amelia Hobson
ABC4 coverageOdido says hackers revealed its breach first
Dutch telecom Odido said a February phishing intrusion went undetected for two days, and that ShinyHunters contacted the company on February 7 to say it held customer data. The company later learned business customers were affected after stolen data appeared on the dark web in early March, then sent 6.2 million messages, refused to pay ransom, and expanded its public explanation of the incident. Odido now faces two regulatory investigations and a class-action lawsuit.
Why it matters
It shows how attackers can outpace internal detection and how breach scope can widen after a company thinks it has already understood the incident.
Sources & driving stories
TECHZINE GLOBAL · Colin Baak
Techzine Global coverageWorth noting
WORTH NOTING
Skoda discloses online shop intrusion
The company said the breach may have exposed customer names, addresses, email addresses, phone numbers, order data and password hashes, and it took the shop offline while notifying regulators.
WORTH NOTING
ICE gets $12M surveillance contract
Reporting says Edge Ops won a no-bid contract for Project SAFE HAVEN, an AI tool described as tracking immigrants' routines and locations, while parts of the firm's website were alleged to be fabricated.
WORTH NOTING
Capita pension protest targets AGM
PCS members plan to protest over pension portal failures and an April data breach that briefly exposed records for 138 Civil Service Pension Scheme members.
Still unclear
OPEN QUESTION
Will Parliament set formal LFR limits?
The Met is continuing Croydon deployments after a court win, but campaigners say there is still no dedicated law explicitly regulating live facial recognition.
OPEN QUESTION
How much breach data is truly deleted?
Instructure and Odido both rely on attacker assurances or delayed discovery, highlighting how hard it is to verify erasure and the full scope of exfiltration.