CISO Brief

All news with #regulatory action tag

310 articles

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

European takedown targets VPN linked to crime

🛡️ European investigators dismantled First VPN in a joint operation led by France and the Netherlands, assisted by Europol and Eurojust. The service, widely promoted in Russia, was used by criminals for ransomware, fraud, and data theft to conceal identities and infrastructure. While the takedown is seen as warranted, experts warn that broad restrictions on VPNs risk harming legitimate privacy and business uses and could face legal challenges.

UK Regulators Warn Financial Firms on Frontier AI Risks

⚠️ On May 15 the UK government, the Financial Conduct Authority and the Bank of England issued a joint warning about cybersecurity threats from frontier AI. They noted models can outperform skilled practitioners at greater speed, scale and lower cost, amplifying risks to firms, customers and financial stability. The statement urges firms to strengthen governance, vulnerability management, third-party controls, protection and response capabilities and points to NCSC resources and prior resilience guidance.

UK Cyber Sector Revenue Rises as Cyber Resilience Grows

📈 The UK cybersecurity sector generated £14.7bn in revenue last year and contributed £9.1bn in gross value added, the government reported on 13 May. Employment rose to nearly 70,000 and the number of firms climbed to 2,603, with AI-focused cybersecurity vendors growing sharply. The government unveiled the Cyber Resilience Pledge and plans legislation via the Cyber Security and Resilience Bill to tighten standards. Experts warn that advances in AI increase risks and call for stronger, harmonized incident reporting and defences.

US Committee Seeks Instructure Testimony on Canvas Breach

📢 The U.S. House Committee on Homeland Security has requested Instructure CEO Steve Daly to testify about two recent ShinyHunters attacks that breached the Canvas learning platform and disrupted final exams. The incidents exposed student and staff data and defaced login portals, impacting institutions nationwide. The committee seeks details on containment, notification, coordination with federal agencies, and raises concerns about Instructure’s incident response.

UK Fines Water Supplier £963,900 After Data Breach

🔒 The ICO fined South Staffordshire Water Plc and parent South Staffordshire Plc £963,900 after a cyberattack that exposed the personal data of 663,887 customers and employees. The incident, traced back to September 2020 and active mainly between May and July 2022, began with a phishing intrusion; the malware it delivered remained undetected for 20 months. The regulator identified multiple security failures, including insufficient privilege controls, monitoring that covered only about 5% of the IT estate, use of obsolete software and poor vulnerability and patch management.

GM Agrees to $12.75M California Settlement Over Data Sale

⚖️ California Attorney General Rob Bonta reached a $12.75 million settlement with General Motors after an investigation found GM collected and sold Californians’ driving and location data through OnStar and the Smart Driver program without proper notice or consent. The probe identified transfers to brokers Verisk and LexisNexis between 2020 and 2024. In addition to a record civil penalty, GM must stop sales for five years, delete retained data absent consent, require brokers to purge received records, and bolster privacy compliance with periodic assessments.

FCC Extends Deadline for Security Patches to 2029 Nationwide

⚠️ The FCC has extended the deadline for suppliers of banned foreign-made consumer routers to deliver security updates to US customers until at least 1 January 2029. The March 2026 import and sale ban put these devices on the FCC’s covered list, with limited exceptions for devices conditionally approved by the DoD or DHS. The extension, announced by the Commission’s Office of Engineering and Technology on 8 May, permits only software and firmware updates that mitigate harm and maintain functionality, not the addition of new features, and it also covers foreign-made drone systems and critical components.

CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day

⚠ CISA has ordered U.S. federal agencies to patch a high-severity vulnerability in Ivanti Endpoint Manager Mobile within four days after the flaw was observed exploited as a zero-day (CVE-2026-6973). Ivanti published updates (12.6.1.1, 12.7.0.1, 12.8.0.1) and urged customers to review and rotate Admin credentials. The issue requires administrative authentication, affects only on-prem EPMM appliances, and Shadowserver reports over 800 exposed instances online.

Former Contractor Convicted for Deleting Federal Databases

🔒 A jury found former federal contractor Sohaib Akhter guilty of conspiring to destroy dozens of government databases after being fired during a remote meeting in February 2025. Prosecutors say Akhter and his twin brother Muneeb ran write-protect commands and deleted roughly 96 databases hosting sensitive investigative and FOIA records for more than 45 agencies. They allegedly sought to hide their activity — even consulting an AI assistant about clearing system logs — and destroyed evidence; sentencing is set for September 9, 2026.

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

⚖️ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.

ICE's Smart Glasses Program Raises Surveillance Concerns

🔎 ICE is developing prototype smart glasses that pair wearable cameras with on-device facial recognition and real-time queries to immigration, criminal, and watchlist databases. Reporting by Ken Klippenstein, linked in Bruce Schneier's post, describes efforts to integrate hardware and software for in-field identification and instant database matches. The program raises immediate concerns about accuracy, bias, data quality, oversight, and civil liberties if deployed without transparent safeguards.

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.

FTC to Bar Kochava From Selling Americans' Location Data

🔒 The Federal Trade Commission will ban data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling precise geolocation data without consumers' affirmative express consent as part of a settlement stemming from an August 2022 suit. The FTC alleged Kochava supplied paid clients — via an AWS Marketplace feed — with high-volume raw latitude/longitude transactions that enabled tracking to sensitive sites. Under the proposed court order, sales or transfers of precise location data are prohibited unless consumers directly request a service and explicitly consent; the companies must also implement a sensitive location program, supplier assessments, consent withdrawal and disclosure mechanisms, incident reporting to the FTC, and retention/deletion schedules.

Karakurt Negotiator Sentenced to 8.5 Years in U.S. Prison

🔒 Deniss Zolotarjovs, a Latvian national extradited to the United States, was sentenced to 8.5 years after pleading guilty to conspiracy to commit wire fraud and money laundering for his role as a negotiator in the Karakurt extortion operation. Prosecutors say he handled "cold case" extortions, researching targets and using stolen personal and health data to pressure victims. He is the first Karakurt member sentenced in the U.S.

15-Year-Old Detained Over ANTS Data Breach in France

🔒 French authorities have detained a 15-year-old on suspicion of selling data stolen from France Titres (ANTS) after the agency detected suspicious activity on April 13 and alerted prosecutors on April 16. Investigators say a user going by the alias breach3d offered between 12 and 18 million records on a cybercriminal forum; ANTS later reported 11.7 million impacted accounts. Exposed fields include full names, email addresses, dates of birth, postal addresses, and phone numbers, although ANTS said the stolen data could not be used for unauthorized access. Prosecutors are seeking formal charges and judicial supervision; the alleged offenses carry up to seven years’ imprisonment and a €300,000 fine.

Regulator Warns: Frontier AI Models Heighten Bank Cyber Risk

⚠ APRA warns that frontier AI models such as Claude Mythos pose a rapidly evolving cyber risk to the banking sector by enabling faster, more automated discovery of vulnerabilities. The regulator found governance often treats AI as "just another technology," missing distinctive features like predictive behavior, adaptability, bias and data risks, and urged firms to accelerate vulnerability identification and remediation. APRA called for robust security testing of AI-generated code and deeper assessment of major AI platforms to avoid attackers outpacing current patch cycles.

Romanian Leader of Swatting Ring Sentenced to 4 Years

🚨 A Romanian national, Thomasz Szabo, was sentenced to four years in U.S. federal prison after pleading guilty to conspiracy and threats involving explosives. Extradited from Romania in November 2024, Szabo led an online swatting community that organized bomb threats and swatting calls beginning in late 2020 and targeting more than 75 public officials, journalists, and religious institutions. The court also ordered three years of supervised release.

UK Education Sector Sees Sharp Rise in Cyber Breaches

📚 The UK public education sector experienced a marked increase in reported cyber breaches in the Cyber Security Breaches Survey 2025/2026, published on 30 April by the Department for Science, Innovation and Technology (DSIT) and the Home Office. The report's Education Annex records rises across primary, secondary, further and higher education — notably higher education breaches climbed from 91% to 98% and secondary schools from 60% to 73%. While national breach levels for businesses and charities remained broadly stable, the education surge, falling small-business cyber hygiene and the low uptake of Cyber Essentials are being flagged as significant resilience concerns.

Check Point Achieves GovRAMP Authorization for Government

🛡️ Check Point has earned GovRAMP Authorization for the Check Point Infinity Platform for Government, extending its cloud security offering to U.S. federal, state, local, and tribal agencies. This follows its 2025 FedRAMP Authorization and is backed by prevention-first capabilities that ranked #1 in Miercom’s 2026 assessment. The authorization provides a vetted, consistent cybersecurity framework to support public-sector procurement and deployment. Organizations can expect unified protection with high effectiveness against phishing and AI-powered malware.