< ciso
brief />
Tag Banner

All news with #gdpr tag

61 articles · page 2 of 4

France Travail Fined €5m After 2024 Breach Exposed 43M

🔒 France Travail has been fined €5 million by the CNIL after a March 2024 cyber-attack that potentially exposed personal data for an estimated 43 million jobseekers. The regulator found failures including weak authentication for Cap Emploi advisors, insufficient logging and monitoring, and overly broad access permissions, breaching Article 32 of the GDPR. France Travail must provide evidence of corrective measures on a strict timeline or face a €5,000 daily fine.
read more →

France fines employment agency €5 million over breach

📢 France Travail was fined €5 million by CNIL after a 2024 breach exposed personal data for up to 43 million job seekers. CNIL said attackers used social engineering to hijack CAP EMPLOI advisers' accounts, exposing names, birth dates, national insurance numbers, addresses, emails and phone numbers. The watchdog ordered documented corrective measures and warned of €5,000 daily penalties if the agency fails to comply.
read more →

GDPR Violation Reports Surge to Highest Daily Rate

📈 A new DLA Piper report finds that notifications of GDPR violations across the EU averaged 443 reports per day in 2025, a 22% increase over 2024. The firm cautions that the dataset does not definitively explain the rise but highlights likely drivers such as geopolitical tensions, new attacker technologies, and expanded mandatory reporting laws. Annual fines remained near €1.2 billion while cumulative penalties total about €7.1 billion since 2018.
read more →

AI Agents Are Rewriting Compliance Controls—CISOs Must Act

🛡️ AI agents are being embedded into regulated workflows and are forcing a rethink of controls designed for human actors, including SOX, GDPR, PCI DSS, and HIPAA. Because agents act, adapt, and drift, controls that once relied on predictable human behavior can silently fail, collapsing segregation of duties and exposing sensitive data. CISOs should treat agents as non-human identities with least‑privilege access, strong credential management, continuous monitoring, and robust logging and change governance to keep regulated workflows auditable and defensible.
read more →

Over 160,000 Companies Notify Regulators of GDPR Breaches

📈 The number of organisations reporting GDPR breaches rose 22% in 2025 to a daily average of 443, according to DLA Piper, making this the first year since 2018 that notifications topped 400. Germany, the Netherlands and Poland recorded the most reports, and analysts pointed to geopolitical unrest and emerging AI-enabled threats as contributors. Annual GDPR fines remained stable at €1.2bn, with Ireland issuing the largest share, including a €530m penalty for TikTok over international data transfers.
read more →

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.
read more →

Third-Party Risk Management to Prevent Compliance Failures

🔒 Third Party Risk Management (TPRM) is a strategic program that helps organizations identify, assess, and control risks arising from external vendors and service providers. Core elements include risk identification and assessment, contract management, continuous monitoring and audits, and employee training. Compliance drivers such as SOC 2 and GDPR make robust TPRM essential to prevent legal and reputational damage. Integrating TPRM into enterprise risk frameworks and using automation improves consistency and oversight.
read more →

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs like Anubis and Ransomhub to pressure high-compliance sectors such as healthcare. Experts warn AI accelerates the process by quickly identifying 'material' issues and producing legally framed complaints, tightening deadlines and raising stakes for victims.
read more →

France Fines Free Mobile €42M Over 2024 Data Breach

🔒 The French data protection authority, CNIL, fined Free Mobile and parent company Free a combined €42 million for insufficient protection of customer data after an October 2024 breach that exposed information of nearly 23 million subscribers. CNIL cited weak VPN authentication, poor detection of abnormal activity, delayed notifications, and excessive data retention. The companies must complete security fixes and perform mandated data clean-up within required deadlines.
read more →

Ransomware Gangs Use Compliance Violations to Extort

⚠️ Recent analyses show ransomware groups increasingly threaten victims by reporting alleged regulatory breaches to authorities, adding a compliance layer to the familiar double-extortion model. Researchers at Akamai observed this tactic over the past two years, citing groups such as Anubis and Ransomhub. Attackers target industries with high compliance risk and use AI to rapidly identify and craft legally framed complaints under GDPR, DORA and tightened SEC rules.
read more →

Italy Fines Apple €98.6M Over App Tracking Rules in EU Market

⚖️ Italy's antitrust authority has fined Apple €98.6 million after finding that its App Tracking Transparency (ATT) framework restricted App Store competition by imposing a burdensome double-consent process on third-party developers. The AGCM said Apple used its dominant distribution position to unilaterally set consent rules without consulting developers. Regulators noted they are not contesting Apple's privacy goals but found the ATT consent requirements disproportionate and harmful to ad-supported developers. Apple said it will appeal and defended its privacy protections.
read more →

Italy Fines Apple €98.6M Over App Store Tracking Policy

🔔 Italy's competition authority (AGCM) has fined Apple €98.6 million for using App Tracking Transparency (ATT) in a way the regulator says abused its dominant position in mobile app advertising. The AGCM found that ATT requires third-party apps to show a standardized tracking prompt while exempting Apple's own apps, creating a burdensome double-consent process because the ATT prompt does not satisfy GDPR requirements. Apple says it will appeal and continues to defend ATT as a privacy protection.
read more →

French Football Federation Discloses Member Data Breach

⚽ The French Football Federation (FFF) disclosed a data breach after attackers used a compromised account to access administrative management software used by clubs. FFF detected the unauthorized access, disabled the compromised account, and reset all user passwords across the system. Before they were evicted, threat actors exfiltrated personal and contact information for members. The federation said it has filed a criminal complaint, notified regulators, and will directly inform affected individuals while urging vigilance against phishing attempts.
read more →

French Football Federation Data Exposure Affects Millions

🔒 The French Football Federation (FFF) reported unauthorized access to the centralized software used by licensed clubs to manage player registrations, an intrusion it believes occurred on 20 November. Exposed fields include names, genders, dates and places of birth, nationalities, postal and email addresses, phone numbers and football license ID numbers. The FFF says it deactivated the compromised account, reset all user passwords, filed a complaint with authorities and notified CNIL and ANSSI. It will inform affected individuals with known emails and urged license holders to remain vigilant against phishing and scam attempts.
read more →

EU 'Chat Control' Shift Should Alarm Businesses Across Europe

⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.
read more →

Unauthorized AI Use by STEM Professionals in Germany

⚠️A representative YouGov survey commissioned by recruitment firm SThree found that 77% of STEM professionals in Germany use AI tools at work without approval from IT or management. Commonly used services include ChatGPT, Google Gemini and Perplexity. Experts warn this shadow IT practice can lead to GDPR breaches, inadvertent disclosure of sensitive customer or internal data and the risk that providers will retain and reuse submitted content for training. In Germany, 23% report daily use, 29% weekly and 12% monthly; respondents cite efficiency gains and technical curiosity as primary drivers.
read more →

European Digital Sovereignty Summit Shifts Priorities

🔒 European leaders, including Chancellor Friedrich Merz and President Emmanuel Macron, will attend a Berlin summit of digital ministers and IT experts expected to draw about 900 participants. The conference highlights concerns that US laws such as CLOUD Act and FISA 702 can compel US cloud providers to disclose data held in Europe, driving calls to reduce dependencies on non‑European vendors. Officials and industry leaders emphasise technological controls — notably strong encryption and customer-held keys — and the need for scalable European cloud alternatives while addressing regulatory and startup barriers.
read more →

EU draft seeks GDPR changes for AI training and cookies

🛡️A leaked draft of the EU Commission’s proposed “Digital Omnibus” would amend the GDPR to absorb cookie rules and relax limits on AI training with personal data. The draft, due to be presented on 19 November 2025, would add Article 88a to move cookie regulation into the GDPR and allow processing on a closed list of low‑risk purposes or other legal bases including legitimate interest. Critics warn this shifts tracking from opt‑in to opt‑out and risks diluting privacy protections, while the proposal also narrows sensitive‑data protections and requires browsers to transmit consent preferences.
read more →

EU Commission proposes GDPR changes for AI and cookies

🔓 The European Commission's leaked "Digital Omnibus" draft would revise the GDPR, shifting cookie rules into the regulation and allowing broader processing based on legitimate interests. Websites could move from opt-in to opt-out tracking, and companies could train AI on personal data without explicit consent if safeguards like data minimization, transparency and an unconditional right to object are applied. Privacy groups warn the changes would weaken protections.
read more →

Clearview AI Faces Criminal Complaint in Austria Over GDPR

🔍 Clearview AI has been hit with a criminal complaint filed in Austria by the European Center for Digital Rights (noyb), alleging that the company ignored decisions by several EU data protection authorities. The complaint invokes GDPR provisions allowing criminal sanctions under Article 84 and seeks prosecution of executives, potentially including jail time and personal liability when traveling to Europe. The action follows fines and bans from multiple DPAs and ongoing appeals, notably only in the UK.
read more →