In 2015, United suffered a breach affecting passenger manifests and MileagePlus accounts for approximately 4.2 million customers. The breach was linked to the same Chinese state-sponsored hackers (APT groups) who breached the US Office of Personnel Management. Exposed data included passport numbers, travel itineraries, contact details, and MileagePlus account information. United delayed disclosure to affected customers.

Chinese state-sponsored hackers lived inside the Starwood reservation system from July 2014 to September 2018 — four years undetected. 383 million guest records exposed including 5 million unencrypted passport numbers, credit card details, and stay histories. The ICO found Marriott failed to monitor privileged accounts, segment networks, or patch known vulnerabilities.

The Weather Channel internally described itself as "a location data company powered by the weather." By its own account, TWC collected more than 1 billion pieces of location data per week. The company built a proprietary location-driven marketing platform called JOURNEYfx to monetize this data. Location data was sold to hedge funds and private equity firms to monitor consumer spending, foot traffic patterns, and retail activity. The LA City Attorney's 2019 lawsuit revealed that the app's primary revenue model was location data monetization, not weather forecasting. Users downloaded a weather app. What they got was one of the largest location surveillance operations in the mobile ecosystem, disguised as a forecast. The weather was the product they showed you. Your location was the product they sold.

WeatherBug is owned by GroundTruth -- a company whose business is selling location-based advertising data and foot traffic analytics. GroundTruth is not a weather company. It is a location data company that owns a weather app. WeatherBug is the data collection mechanism. This completes a pattern across the weather app category: The Weather Channel internally called itself "a location data company powered by the weather." AccuWeather tracked users who explicitly denied location permission. WeatherBug is owned by an actual location data company. Three of the most popular weather apps in America are location surveillance tools disguised as utilities. GroundTruth sells "Blueprints" location audience segments to advertisers -- verified visit data showing which stores, restaurants, and businesses consumers visit. WeatherBug feeds this with precise GPS from 20 million users. The forecast is the product you see. The location data is the product that pays.

In June 2025, approximately 6 million Qantas customers had personal data exposed — names, emails, phone numbers, dates of birth, and frequent flyer numbers — after a social engineering attack on a Manila call centre. Attackers convinced outsourced staff to provide access. The breach revealed that Qantas had outsourced customer data handling to offshore call centres with weaker security controls than its Australian operations.

Delta deployed facial recognition across the entire Atlanta domestic terminal (the world busiest airport) in 2023, with plans for all US hubs. Delta CEO Ed Bastian stated the airline invested in making biometrics the "default" experience. Passengers reported that opting out requires verbally refusing to a gate agent in front of other passengers, creating social pressure. There are no separate non-biometric lanes. The EFF documented that Delta facial recognition data feeds into CBP systems regardless of domestic vs international travel.

The Verge proved in November 2022 that Eufy cameras were uploading facial recognition thumbnails to AWS cloud servers without user consent. Worse, camera feeds could be accessed remotely via a URL with no authentication — anyone with the link could watch live footage. The URLs used a predictable pattern based on device serial numbers.

An Associated Press investigation in August 2018 found that Google continued tracking and storing user location data even after users explicitly turned off the "Location History" setting. Other Google services -- including Search, Chrome, and the Weather app -- continued recording location. Internal Google employees told AP the company had made it "practically impossible" for users to prevent location tracking. In November 2022, Google agreed to pay $391.5 million to settle with 40 US state attorneys general over the misleading location tracking disclosures. Arizona secured an additional $85 million in a separate settlement. The investigation revealed that Google's "Location History" setting was essentially a decoy -- turning it off created the illusion of privacy while tracking continued through other channels.