ciso brief

All news with #regulatory action tag

310 articles · page 15 of 16

DoJ Resentences BreachForums Founder to Three Years

⚖️ The U.S. Department of Justice resentenced Conor Brian Fitzpatrick (aka Pompompurin) to three years in prison after vacating his prior 17‑day time‑served sentence for operating BreachForums and possessing child sexual abuse material. Fitzpatrick pleaded guilty in 2023 to access device conspiracy, access device solicitation, and CSAM possession and agreed to forfeit domains, devices, and cryptocurrency representing illicit proceeds. The resentencing followed a Fourth Circuit decision that remanded his case for a new term.

Whistleblower Lawsuit Alleges WhatsApp Security Failures

🛡️ Attaullah Baig, former head of security at WhatsApp, has filed a whistleblower lawsuit alleging that Facebook knowingly failed to fix multiple security flaws in breach of its 2019 settlement with the FTC. The complaint asserts that in 2022 roughly 100,000 accounts were compromised daily, rising to as many as 400,000 daily lockouts by last year, and that inadequate anti-scraping protections exposed profile data at scale. Baig invokes the whistleblower-protection provisions of the Sarbanes-Oxley Act, and the filing has prompted wider media coverage and potential regulatory scrutiny.

OIG: CISA Wasted Millions and Mismanaged Incentives

🔍 The DHS Office of Inspector General (OIG) audit found that CISA misused federal funds and undermined its mission by broadly administering the Cyber Incentive program. The review identified 240 recipients in non-cyber support roles, poor record-keeping in OCHCO, and $1.4m in undocumented back pay among more than $138m disbursed since 2020. Payments typically ranged from $21,000 to $25,000 annually per person, more than 40% of staff received incentives, and the OIG issued eight recommendations to tighten eligibility, tracking, governance and recovery procedures; CISA has concurred with all recommendations.

Senator Wyden Urges FTC Probe of Microsoft's Security

🚨 U.S. Senator Ron Wyden requested that the FTC investigate Microsoft for what he describes as “gross cybersecurity negligence” after product weaknesses tied to Kerberos and legacy RC4 usage contributed to ransomware incidents, including the May 2024 Ascension Health breach that exposed data for 5.6 million patients. Wyden says his office alerted Microsoft in July 2024 and urged setting stronger ciphers like AES as defaults; he criticized an October Microsoft blog as too technical to warn corporate decision-makers. Microsoft replied that RC4 accounts for under 0.1% of traffic, that full removal risks breaking legacy systems, and that deprecation is on its roadmap.

Wyden Urges FTC Probe of Microsoft After Ascension Hack

🛡️ US Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft following the 2024 ransomware attack on healthcare operator Ascension, which exposed data for 5.6 million patients after a contractor clicked a malicious Bing search result. Wyden says default Microsoft settings and support for the outdated RC4 standard enabled a Kerberoasting technique that granted administrative access. He notes Microsoft was warned in July 2024 and posted a blog in October announcing a planned update, but nearly a year later no update has been issued nor direct customer outreach made. The letter frames Microsoft’s control over default configurations as a systemic national security risk.

Senator Wyden Urges FTC Probe of Microsoft Ransomware Lapses

🔍 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft for what he describes as "gross cybersecurity negligence" that he says facilitated ransomware attacks on U.S. critical infrastructure, including healthcare. Wyden's four-page letter to FTC Chair Andrew Ferguson cites the 2024 Ascension breach attributed to Black Basta and details an attack chain that began when a contractor clicked a malicious link after using Microsoft's Bing search. The senator highlights exploitation of insecure default Kerberos settings and legacy RC4 support enabling Kerberoasting, and criticizes Microsoft for not enforcing stronger defaults and minimum password requirements while noting the company's published mitigations and planned deprecations.

Senator Wyden Urges FTC Probe into Microsoft's Security

🚨 Senator Ron Wyden has asked the FTC to investigate Microsoft for what he calls "gross cybersecurity negligence," arguing that insecure defaults enabled widespread ransomware attacks. He cites the February 2024 Ascension Health breach that exposed 5.6 million patient records and describes how a single click enabled lateral movement via Kerberoasting and lingering RC4 support. Wyden criticizes Microsoft for building a security business worth more than $20 billion out of add-on protections while leaving core products vulnerable, and says the promised fixes and plain-language guidance were inadequate. The letter warns that this pattern poses national-security and industry-wide risks.

CISA Outlines Strategic Vision for CVE Program Quality

🛡️ CISA released "CISA Strategic Focus: CVE Quality for a Cyber Secure Future," a roadmap that shifts the CVE Program from its Growth Era to a Quality Era emphasizing trust, responsiveness, and improved vulnerability data. The plan highlights expanded community partnerships, potential diversified government sponsorship, technological modernization, and stronger transparency and communications. It also prioritizes data quality improvements, including standardized enrichment approaches such as Vulnrichment and expanded Authorized Data Publisher capabilities.

FTC Probes Gmail Spam Filtering Of GOP Fundraising Emails

📧 The FTC chairman sent a letter to Google’s CEO asking why Gmail flagged Republican fundraising messages as spam while allegedly allowing similar Democratic messages through. Email-intelligence firms report that WinRed has triggered far more spamtraps than ActBlue, driven by aggressive list and delivery practices that degrade sender reputation. Blocklists and reputation signals, not political content, explain many filtering outcomes, experts say. The dispute highlights both operational deliverability risks for campaigns and potential regulatory overreach.

EU Fines Google €2.95B for Anti-Competitive Adtech

⚖️ The European Commission has fined Google €2.95 billion ($3.5 billion) for abusing its dominance in the digital advertising technology market and favoring its adtech services over competitors. The regulator ordered Google to stop anti-competitive "self-preferencing" practices and to take measures to mitigate conflicts of interest in adtech. Google said the decision is wrong and plans to appeal, warning the changes could harm thousands of European businesses. Separately, France's CNIL fined Google €325 million for placing ads in Gmail without proper consent and violating cookie rules.

Germany Charges Hacker Over Rosneft Deutschland Cyberattack

⚠️ A 30-year-old man has been charged for a March 2022 cyberattack on Rosneft Deutschland that reportedly stole and deleted about 20 TB of data, leaving a 'Glory to Ukraine' message. Prosecutors allege the breach exposed backups, virtual machines, mail server images and device backups, prompting remote wipes and nearly €12.4M in combined losses. Authorities charged him with computer sabotage, data alteration, and data espionage.

FTC Action: Robot Toys Collected Children's Location Data Illegally

🔒 The FTC and DOJ have acted against Chinese toy maker Apitor Technology after its robot toys and companion Android app transmitted precise geolocation data about children without parental notice or consent. The company integrated a third-party SDK, JPush, which collected street-level location sufficient to identify homes and routines. Apitor agreed to a settlement with a suspended $500,000 penalty, a permanent ban on collecting sensitive kids’ data without parental consent, and obligations to delete illegally gathered records and submit to monitoring.

Texas Sues PowerSchool After 62M-Student Data Breach

🔒 Texas Attorney General Ken Paxton has filed suit against PowerSchool after a December breach exposed personal data for 62.4 million students, including over 880,000 Texans. The attacker used a subcontractor’s stolen credentials to access the PowerSource portal, demanded a $2.85 million ransom, and later extorted individual districts. A 19‑year‑old subsequently pleaded guilty in connection with the attack and extortion efforts.

France Fines Google €325M for Cookie Consent Breaches

⚖ The French data protection authority CNIL has fined Google €325 million for placing advertising cookies and showing ads in Gmail's 'Promotions' and 'Social' tabs without valid user consent after investigations in 2022–2023. CNIL found Google failed to inform new account holders that accepting advertising cookies was required to access services, breaching Article L.34-5 and the French Data Protection Act (Article 82). The authority said the cookie-related practices affected over 74 million accounts (53 million individuals saw the ads), described the conduct as negligent and cited prior sanctions; it also fined Shein €150 million the same day for separate cookie violations.

France Fines Google €325M and Shein €150M Over Cookies

⚖️ The French data protection authority, CNIL, has fined Google €325 million ($379 million) and Shein €150 million ($175 million) for placing advertising cookies without valid consent. CNIL found users were nudged to accept personalized ad cookies during Google account creation and that information remained unclear even after an opt-out option was added in October 2023. The regulator also said targeted ads placed inside Gmail's Promotions and Social tabs required explicit consent under the CPCE. Shein has updated systems and plans to appeal; Google must comply within six months or face €100,000-per-day penalties.

Court Upholds EU-US Data Privacy Framework Agreement

⚖️ The European Court of Justice's General Court has dismissed a legal challenge seeking to annul the EU-US Data Privacy Framework (DPF), finding that, at the time of adoption, US law ensured an adequate level of protection for personal data transferred from the EU. Negotiated in July 2023, the DPF now stands as the main mechanism for transatlantic data flows, providing immediate relief to the European Commission and many businesses. Critics including Max Schrems and advocacy group NOYB have signalled likely appeals, meaning the ruling may not be the final word and legal uncertainty could continue.

US Sues Toy Maker Over Kids' Geolocation Data Leak

🔒 The U.S. Department of Justice has sued toy maker Apitor after an FTC referral, alleging it allowed a Chinese third party to collect precise geolocation data from children without notifying parents or obtaining consent required under COPPA. Apitor's Android app for robot toys uses the JPush SDK, which reportedly collected location data for any purpose, including targeted advertising. Under a proposed settlement, Apitor must secure third-party COPPA compliance, notify parents, delete collected personal information, limit retention, and faces a $500,000 penalty that is currently suspended amid claimed financial hardship.

Police, ACE Disrupt Streameast Pirated Sports Network

🔒 Authorities, working with the Alliance for Creativity and Entertainment (ACE), have disrupted Streameast, the world's largest illegal live sports streaming network, and arrested two individuals in Egypt. The ad-supported platform, active since 2018, operated roughly 80 domains and drew hundreds of millions of visits monthly. Law enforcement seized devices and financial records while ACE redirected many domains to a Watch Legally portal. Investigators say the operation routed significant advertising revenue through a UAE shell company.

Disney to Pay $10M Over YouTube Kids' Data Violations

⚖️ The FTC secured a $10 million settlement with Disney after finding the company mislabeled children’s content on YouTube, enabling collection of kids' personal data without parental notice or consent. The complaint says Disney applied channel-level tags that caused many videos to be marked as 'Not Made for Kids' instead of Made for Kids, circumventing COPPA protections. The settlement imposes a civil penalty, requires parental notice prior to data collection, and mandates a new program to ensure correct MFK labeling on future uploads.

ICE Reinstates Contract with Paragon Spyware Vendor

🔁 ICE has reinstated a $2m contract with Israeli-founded vendor Paragon Solutions, now owned by US private equity, enabling delivery of hardware and perpetual license software to the agency. The agreement, originally signed on 27 September 2024 and suspended after a White House review on 8 October 2024, was cleared to resume work on 30 August. Paragon has been linked to the Graphite spyware used against European journalists and implicated in Italian government investigations, raising procurement and national security concerns.