Private Internet Access Transparency Report Q2 2025

Updated on Aug 9, 2025 by PIA Blog Team

Every quarter, we publish a transparency report to give users a clear view of the legal requests we receive and how we handle them. It’s part of our long-standing commitment to privacy and accountability.

In Q2 2025, our legal team received 46 requests from domestic and international authorities, including subpoenas, warrants, and other government or civil notices. As always, none resulted in the disclosure of user data. Our systems are built not to store any user activity, so there’s simply nothing to share.

Starting this quarter, we’ve updated how we present these requests. The numbers remain consistent with previous reporting periods; what’s changed is how we organize them. Subpoenas and warrants remain listed separately, while other official requests have been grouped under a single category for clarity. Foreign and informal notices are still included to reflect their ongoing relevance to our global user base.

You’ll find a summary of the numbers on our Transparency Report page, and a breakdown of the details below.

PIA’s Q2 2025 Transparency Report

This report covers the data requests our legal team received between April 1 and June 30. Before we get into the numbers, here’s a quick look at the types of legal notices we track.

Here’s a breakdown of the legal notices we received this quarter.

| Legal Processes | Received | Logs Produced |
|---|---|---|
| Subpoenas | 6 | 0 |
| Warrants | 2 | 0 |
| Other Government, law enforcement, and civil requests | 14 | 0 |
| Foreign and informal requests | 24 | 0 |

For context, in Q1 2025 we received 28 such requests, including 7 subpoenas and 0 warrants, compared to 46 in Q2. That’s a 64% increase overall, driven in part by a rise in informal or international notices. But the outcome hasn’t changed. Our infrastructure is built to prevent logs from being stored in the first place. That means there was nothing to look up, retrieve, or disclose, just as our no-logs policy is designed to ensure.

What Our Bug Bounty Turned Up in Q2

No system is flawless, which is why our bug bounty program stays open year-round. In Q2 2025, we received 41 reports from security researchers. Thirty-five were unique, but none revealed valid vulnerabilities. Still, every submission gave us something to review, and several helped us fine-tune edge cases and harden internal checks.

What Shaped Online Security in Q2 2025

Transparency means more than reporting what happens inside our own systems. It also means paying attention to the broader state of online security. These are the incidents and developments from Q2 2025 that highlight why privacy protections like PIA remain essential.

Ransomware Group Exploits Windows Vulnerability

In April, Microsoft patched a vulnerability in the Windows Common Log File System after it was used in active ransomware attacks. The group behind it, known as Storm-2460, was able to gain system-level access from a standard user account. The attacks hit organizations in the U.S., Spain, Venezuela and Saudi Arabia, locking victims out of critical systems. The flaw was serious enough that Microsoft flagged it as a top priority in its monthly update.

Hackers Hit Retail and Aviation

In April and May, Marks & Spencer, Harrods, and Co-op were hit by coordinated cyberattacks that took systems offline and exposed serious gaps in their infrastructure. The group behind them, Scattered Spider, used social engineering to get past internal controls and move laterally across networks. Then, in late June, Qantas confirmed it too had been breached. The same group was behind that incident, compromising customer data tied to its frequent flyer program. What started in UK retail quickly escalated to international aviation. And, by the end of the quarter, U.S. companies were being warned they could be next.

A 7.3 Tbps DDoS Attack Pushes New Limits

In May, Cloudflare stopped what it says was the largest DDoS attack ever recorded. It targeted an unnamed U.S.-based hosting provider and peaked at 7.3 terabits per second, delivering more than 37 terabytes of traffic in under a minute. The flood came from over 120,000 IP addresses across 161 countries, combining multiple attack methods in a single, concentrated hit. The goal was to overwhelm the system fast, before any defense had time to respond. The incident reflects how DDoS tactics are evolving: short, heavy, and increasingly hard to see coming.