Arizona AG Sues Temu Over Massive Data‑Theft Allegations

What happened

Kris Mayes, Attorney General of the State of Arizona, filed a lawsuit on December 2, 2025 against online marketplace Temu under the state’s Consumer Fraud Act. The suit alleges that the Temu app secretly collects “an alarming amount of sensitive user data” well beyond what a typical shopping app needs, including GPS location, access to the device camera and microphone, and tracking of other apps on the user’s phone, without user knowledge or consent. According to the complaint, the app is engineered to evade forensic and security review, and may even self‑modify its code after installation.

Who is affected

The lawsuit specifically targets Temu users in Arizona, but the allegations apply broadly to anyone using the app in the U.S. Given Temu’s popularity (it was among the most‑downloaded shopping apps in the U.S. in 2023) and a customer base spanning many states, large numbers of consumers nationwide potentially face data‑privacy and security risks.

Why CISOs should care

  • This case underscores a broader trend: consumer‑facing mobile apps are under rising scrutiny for hidden data‑collection and spyware‑like behavior.
  • For organizations issuing mobile phones or approving third‑party apps, the risk of sensitive data exfiltration via such apps is real. Undetected spyware in widely used consumer apps can lead to privacy breaches, compliance failures, and reputational damage.
  • The lawsuit also highlights regulatory and legal risk: failure to monitor or restrict risky apps could expose firms to liability under consumer‑protection or privacy laws, even if the firm itself is not the target.

3 practical actions for CISOs

  1. Review and tighten mobile‑app policies: Audit the list of consumer apps used by employees. Consider blacklisting apps with aggressive permissions, and require explicit approval for any shopping, marketplace, or third‑party‑store apps.
  2. Deploy mobile threat detection & behavior monitoring: Use endpoint‑ and mobile‑security tools that can flag unusual app behavior (e.g., access to camera, microphone, location, or other apps) and detect self‑modifying or obfuscated code.
  3. Update vendor and third‑party risk assessments: Expand your risk framework to treat consumer‑facing apps as potential supply‑chain or insider‑threat vectors. Include audits of app provenance, code reviews (where possible), and ongoing behavioral monitoring, not just at the time of procurement but throughout use.
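Actions 1 and 2 above come down to one recurring task: taking a device-management inventory of installed apps and flagging those whose declared permissions match the data classes named in the complaint (location, camera, microphone, visibility of other apps) or whose category the policy requires explicit approval for. The following is an added example written for this article, not code from Temu, the Arizona AG or any MDM vendor; the permission names are real Android permissions, while the JSON-lines export format, the package names and the scoring weights are assumptions constructed for illustration.

```python
import json

# Real Android permission names mapped to the data class each grants access to.
# The selection mirrors the behaviours the complaint describes; which permissions
# count as "aggressive" is an assumption a policy owner should tune.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is not in use",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.QUERY_ALL_PACKAGES": "list of other installed apps",
}
# App categories the policy in action 1 singles out for explicit approval.
APPROVAL_CATEGORIES = {"shopping", "marketplace", "third-party-store"}

# Constructed sample inventory export (hypothetical packages), one JSON object per line.
SAMPLE_INVENTORY = """\
{"package": "com.example.shopfast", "category": "shopping", "permissions": ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA", "android.permission.RECORD_AUDIO", "android.permission.QUERY_ALL_PACKAGES"]}
{"package": "com.example.notes", "category": "productivity", "permissions": ["android.permission.INTERNET"]}
{"package": "com.example.maps", "category": "navigation", "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_BACKGROUND_LOCATION"]}
"""


def audit_app(record: dict) -> dict:
    """Score one inventory record: one point per risky permission, plus one if the
    category needs explicit approval under the policy."""
    perms = set(record.get("permissions", []))
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    needs_approval = record.get("category", "").lower() in APPROVAL_CATEGORIES
    return {
        "package": record["package"],
        "risky": [RISKY_PERMISSIONS[p] for p in risky],
        "needs_approval": needs_approval,
        "score": len(risky) + (1 if needs_approval else 0),
    }


def audit_inventory(export: str, threshold: int = 2) -> list:
    """Parse a JSON-lines export and return apps scoring at or above threshold, highest first.
    Blank or malformed rows are skipped so one bad line does not abort the whole audit."""
    findings = []
    for line in export.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        result = audit_app(record)
        if result["score"] >= threshold:
            findings.append(result)
    return sorted(findings, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['package']}: score {f['score']}, approval needed={f['needs_approval']}, "
              f"grants {', '.join(f['risky']) or 'nothing risky'}")
```

Feed it the real export from your MDM and lower or raise the threshold to match how strict the approval policy is; the score is a triage aid for the manual review in action 3, not a verdict.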