All news with #regulatory action tag

Mon, October 27, 2025

Europol Raises Alarm Over Caller ID Spoofing Crisis

🚨 Europol has issued a Position Paper warning of a rising wave of caller ID spoofing, where criminals falsify numbers to impersonate banks, government bodies or relatives. The agency estimates global losses around €850m annually and reports spoofing now underpins roughly 64% of phone- and SMS-related fraud. Europol calls for harmonized technical standards, stronger cross-border cooperation and regulatory convergence to make spoofing harder to perpetrate and easier to investigate.

Mon, October 27, 2025

Proving Data Sovereignty: Controls, Keys, and Audits

🔒 The article argues that data sovereignty commitments like Project Texas must be supported by auditable, technical evidence rather than marketing promises. It prescribes five concrete, testable controls — brokered zero‑trust access, in‑region HSM keys, immutable WORM logs, continuous validation, and third‑party attestation — plus measurable metrics to prove compliance. A 90‑day blueprint and emerging AI automation are offered to operationalize verification and produce regulator‑ready, reproducible evidence.

Fri, October 24, 2025

UN Cybercrime Treaty Faces Criticism Over Researcher Risks

🔒 Cybersecurity researchers and rights groups warn that the UN Convention against Cybercrime, which opens for signature in Hanoi this weekend, could criminalize legitimate security research and expand intrusive surveillance powers. The Cybersecurity Tech Accord and organizations such as Human Rights Watch say the treaty's vague scope, broad criminalization language and expansive data-access provisions invite arbitrary abuse and could hamper incident response. Some analysts acknowledge improvements around intent-based language but stress that robust national safeguards and explicit protections for security research are still needed.

Wed, October 22, 2025

Canada Fines Cryptomus $176M over AML Reporting Failures in 2025

🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.

Tue, October 21, 2025

Google abandons Privacy Sandbox, ends most cookie efforts

🍪 Google has announced it is discontinuing 11 Privacy Sandbox technologies, effectively ending most of the company's cookie-replacement efforts after it evaluated low adoption and ecosystem feedback. The decision follows regulatory scrutiny from the UK's Competition and Markets Authority and several U.S. antitrust actions, and comes after earlier concessions by Google. The company says it will continue to work on privacy improvements for Chrome, Android and the web but will retire the Privacy Sandbox branding.

Mon, October 20, 2025

Experian Fined €2.7m by Dutch Regulator for GDPR Breach

🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.

Mon, October 20, 2025

AI-Driven Social Engineering Tops ISACA Threats for 2026

⚠️ A new ISACA report identifies AI-driven social engineering as the top cyber threat for 2026, cited by 63% of nearly 3,000 IT and security professionals surveyed. The 2026 Tech Trends and Priorities report, published 20 October 2025, shows AI concerns outpacing ransomware (54%) and supply chain attacks (35%), while only 13% of organizations feel very prepared to manage generative AI risks. ISACA urges organizations to adopt AI governance, strengthen compliance amid divergent US and EU approaches, and invest in talent, resilience and legacy modernization.

Sun, October 19, 2025

Experian Netherlands fined €2.7M for unlawful data use

🔍 Experian Netherlands was fined EUR 2.7 million by the Dutch Data Protection Authority for collecting and using personal data from multiple public and private sources without properly informing individuals or obtaining consent. The AP found the company aggregated information from the Chamber of Commerce, telecom and energy firms to produce credit assessments that affected interest rates and upfront deposits. Experian acknowledged the violations, will not appeal, has ceased operations in the Netherlands, and pledged to delete its database of personal data before year-end.

Thu, October 16, 2025

IT Leaders Fear Regulatory Patchwork as Gen AI Spreads

⚖️ More than seven in 10 IT leaders list regulatory compliance as a top-three challenge when deploying generative AI, according to a recent Gartner survey. Fewer than 25% are very confident in managing security, governance, and compliance risks. With the EU AI Act already in effect and new state laws in Colorado, Texas, and California on the way, CIOs worry about conflicting rules and rising legal exposure. Experts advise centralized governance, rigorous model testing, and external audits for high-risk use cases.

Wed, October 15, 2025

Capita fined £14M for 2023 breach exposing 6.6M people

🔒 The ICO fined Capita £14 million after a March 2023 cyberattack that exposed personal information for 6.6 million people and hundreds of clients, including 325 pension providers. The attackers, who claimed responsibility as Black Basta, gained initial access via a malicious file, remained in Capita's systems for 58 hours, exfiltrated almost 1TB of data and then deployed ransomware. The fine was reduced from an initial £45 million after Capita accepted liability and implemented remediation measures, including enhanced access controls and customer protections.

Wed, October 15, 2025

Capita Fined £14m Over 2023 Data Breach Failings, Remediated

🔒 The Information Commissioner's Office (ICO) confirmed Capita will not appeal a £14m penalty for security failings that led to a March 2023 breach affecting nearly seven million people. The fine was reduced from an initial £45m after the ICO considered post-incident remediation, support to affected individuals and engagement with the NCSC. The regulator cited a delayed SOC response to the initial alert, the absence of a tiered privileged-access model and siloed penetration testing, failings that allowed a threat actor linked to Black Basta to escalate privileges and deploy ransomware.

Wed, October 15, 2025

UK and US Sanction Southeast Asian Online Scam Network

🛡️ The UK and US have jointly sanctioned a transnational network accused of operating scam centres across Southeast Asia, immediately freezing businesses and UK properties linked to the group. Targets include Prince Group, its chairman Chen Zhi, and proxy firms such as Jin Bei Group, Golden Fortune Resorts World Ltd and the crypto platform Byex Exchange. Investigations by the UK FCDO and US OFAC allege that victims were lured by fake job adverts and forced to perpetrate online fraud under threat of torture, and that the proceeds were laundered through front companies, casinos and crypto services.

Tue, October 14, 2025

UK urges FTSE 350 CEOs to boost cyber readiness now

📣 Senior leaders are being warned to take personal responsibility for cyber resilience as the UK government says organisations cannot rely on state protection alone. The NCSC's 2025 Annual Review recorded 204 "nationally significant" incidents and prompted a ministerial letter to FTSE 350 CEOs urging them to keep physical copies of their incident response plans and to check their supply chains. The agency also highlighted slow uptake of Cyber Essentials and launched the Cyber Action Toolkit to help small businesses reach minimum standards.

Tue, October 14, 2025

Trump Administration Expands Social Media Visa Surveillance

🔍 The Brookings report details the Trump administration's expanded social media surveillance to identify and punish foreign nationals for public speech. Agencies have historically gathered millions of social media handles, but Secretary of State Marco Rubio has promoted a zero-tolerance "Catch and Revoke" policy that uses AI to flag conduct deemed contrary to the national interest. Rubio said about 300 visas, mainly student and visitor visas, were revoked, and a State Department cable now requires student applicants to set their accounts to public for vetting.

Tue, October 14, 2025

From CISO to Chief Risk Architect: Rethinking Cybersecurity

🔐 The article argues that the traditional CISO role must evolve into a Chief Risk Architect, shifting focus from purely technical controls to enterprise resilience and business continuity. It emphasizes anticipating disruptions, minimizing operational impact, and demonstrating recovery capabilities to regulators, partners, and shareholders. Required skills now include risk quantification, ERM, threat detection, geopolitical awareness, and fluency with regulations like NIS2, DORA and the AI Act. It also stresses reporting to the board or CEO to gain strategic influence and attract future talent.

Tue, October 14, 2025

EU Authorized to Sign UN Cybercrime Convention Agreement

🔐 The Council of the European Union has authorized the European Commission and EU member states to sign the United Nations Convention against Cybercrime, adopted by the UN General Assembly in December 2024, which sets common global standards for cybercrime offences and the cross-border exchange of electronic evidence. The treaty requires harmonization of criminal offences, including computer fraud, illegal interception and measures targeting online child sexual abuse, grooming and the non-consensual dissemination of intimate images, while including explicit safeguards to protect human rights. The Convention will be open for signature from October 25, 2025 until December 31, 2026 and enters into force ninety days after the fortieth ratification; the EU Presidency will prioritize finalizing a Council decision to enable conclusion of the instrument and seek the European Parliament's consent.

Fri, October 10, 2025

Move Beyond the CIA Triad: A Layered Security Model

🔐 The article contends that the Cold War–era CIA triad (confidentiality, integrity, availability) is too narrow for modern threats driven by cloud, AI, and fragile supply chains. It proposes the 3C Model—Core, Complementary, Contextual—to elevate authenticity, accountability, and resilience as foundational pillars rather than afterthoughts. The framework aims to harmonize standards, reduce duplication, and help CISOs speak in terms of survival, trust, and business impact instead of only uptime and technical controls.

Thu, October 9, 2025

Protecting Your Car from Hacking: Practical Guidance 2025

🚗 Modern vehicles increasingly rely on interconnected electronics and external services, creating multiple attack vectors, from physical interfaces such as the CAN and LIN buses and the OBD port to remote links over Wi-Fi, Bluetooth and cellular. The article notes that attackers now often target manufacturer back-end servers rather than the car itself (citing Toyota's 2024 data loss) and references UN R155/R156 and ISO/SAE 21434. It describes vehicle risk categories, practical checks for buyers and for initial setup, and step-by-step advice if you suspect a compromise.

Thu, October 9, 2025

Reassignment of CISA Staff Raises National Cyber Risks

🔔 The US Department of Homeland Security has reassigned hundreds of cybersecurity personnel from the Cybersecurity and Infrastructure Security Agency to non-cyber roles supporting immigration and border enforcement, reports say. This shift has most impacted CISA’s Capacity Building team, which writes emergency directives and oversees protections for the government’s highest-value assets; refusal to accept new roles reportedly risks termination. Analysts warn that reductions in specialized threat hunting, vulnerability scanning, and coordinated advisories will slow response times and create exploitable gaps. Enterprises are urged to tighten patch cycles, adopt phishing-resistant MFA, review privileges, and rely on sector ISACs and private intel sharing while federal capacity is strained.

Thu, October 9, 2025

UK Upper Tribunal Upholds ICO Claim Against Clearview

🔍 The UK Information Commissioner's Office (ICO) won an Upper Tribunal ruling that bolsters its authority to enforce the UK GDPR against Clearview AI and increases the likelihood that a previously issued £7.5m penalty will be upheld. The tribunal found that Clearview's scraping and global database usage amounted to monitoring the behaviour of UK residents and is not beyond the reach of UK law merely because the services are provided to foreign law-enforcement customers. The Upper Tribunal has directed the First-tier Tribunal to reconsider its earlier decision in light of this jurisdictional clarity, though Clearview may still appeal.