TikTok tracked the IP address of London-based journalist Cristina Criddle to establish who was secretly meeting with the press without her knowledge or consent. The app was used to spy on her via her cat Buffy's account. TikTok has confirmed that members of its internal audit department "misused their authority" by comparing the location of Cristina's IP address with the IP data of some of their own staff. Western users' data is never accessed or stored inside China, TikTok says. The company "deeply regrets" what it calls a "significant violation" of its code of conduct and is committed to ensuring it never happens again.

The National Cyber Security Centre (NCSC) report highlights the threat posed by the proliferation of commercial cyber tools and services to state and non-state actors. The report reveals that the commercial cyber sector, which includes off-the-shelf capability (Hacking-as-a-Service), bespoke hacking services (hackers-for-hire), and the sale of enabling capabilities such as zero-day exploits and tool frameworks, can lower the barrier to entry to obtaining capability and intelligence that they would not otherwise be able to develop or acquire. The report also points out that commercially available spyware for mobile devices has almost certainly been used by some states in the targeting of journalists, human rights activists, political dissidents and opponents and foreign government officials. Hacker-for-hire groups pose a potential corporate espionage threat against organisations and individuals with privileged or valuable confidential information in multiple sectors. The report concludes that the proliferation of commercial cyber capability will result in an expanding number of elements for cyber defence to detect and mitigate, and a similarly expanding number and type of victims.