All news with #regulatory action tag
Wed, November 5, 2025
U.S. Treasury Sanctions North Korean Bankers, IT Scammers
⚖️ The U.S. Treasury's OFAC imposed sanctions on two North Korean financial institutions and eight individuals accused of laundering cryptocurrency stolen in cyberattacks and operating fraudulent IT worker schemes. Designated entities include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), plus named bankers linked to ransomware proceeds. The actions block property under U.S. jurisdiction and warn financial institutions of secondary sanctions and enforcement risk for transacting with the listed parties.
Wed, November 5, 2025
CrowdStrike: Rise in Physical Attacks on Privileged Users
🔒 CrowdStrike's 2025 analysis documents a sharp rise in physical attacks and kidnappings tied to cyber intrusions, concentrated in Europe. The report cites the January 2025 kidnapping of a Ledger co‑founder and records 17 similar incidents in Europe from January through September 2025, 13 of them in France. Consultants warn attackers increasingly pair cyber operations with real‑world violence, driving organizations to strengthen physical and executive security and adjust incident response playbooks.
Tue, November 4, 2025
Data Breach at Major Swedish Supplier Exposes 1.5M Records
🔒 Miljödata, an IT systems supplier for roughly 80% of Sweden's municipalities, disclosed an August 25 cyberattack that exposed personal data tied to 1.5 million people and included a 1.5 BTC extortion demand. The incident disrupted services across multiple regions and prompted immediate involvement from CERT‑SE, police and the Swedish Authority for Privacy Protection (IMY). Investigations will prioritize Miljödata's security and municipal data handling, with special attention to children's data and protected identities.
Mon, November 3, 2025
4th Circuit Lowers Proof Threshold in Data Breach Suits
🔒 In October the 4th U.S. Circuit Court of Appeals ruled that listing stolen consumer data on the dark web can be sufficient to let plaintiffs proceed in data-breach lawsuits. The panel determined that dark-web publication — paywalled or not — increases the risk of fraud and is therefore materially different from mere theft. CISOs should monitor dark-web exposure and preserve evidence of publication to assess legal and financial risk.
Fri, October 31, 2025
Clearview AI Faces Criminal Complaint in Austria Over GDPR
🔍 Clearview AI has been hit with a criminal complaint filed in Austria by the European Center for Digital Rights (noyb), alleging that the company ignored decisions by several EU data protection authorities. The complaint invokes GDPR provisions allowing criminal sanctions under Article 84 and seeks prosecution of executives, potentially including jail time and personal liability when traveling to Europe. The action follows fines and bans from multiple DPAs, with appeals ongoing notably only in the UK.
Thu, October 30, 2025
Spam text operator fined £200,000 for targeting debtors
⚠️ The UK Information Commissioner’s Office fined sole trader Bharat Singh Chand £200,000 after he sent 966,449 unsolicited spam texts promoting fake debt relief and purported energy-saving grants between December 2023 and July 2024. Many recipients were already in financial hardship and were induced to reply, then contacted by callers posing as 'The Debt Relief Team'. The campaign used a SIM farm, false business names and unregistered numbers, generated 19,138 complaints, and Chand has appealed.
Thu, October 30, 2025
Greens Urge Immediate National Cybersecurity Offensive
⚠️ The Greens are calling for a rapid, pre-Christmas security offensive to counteract sabotage, espionage and cyberattacks, saying the federal government is moving too slowly to act. Parliamentary deputies Konstantin von Notz and Irene Mihalic welcome recognition of the threat by Chancellor Friedrich Merz and Interior Minister Alexander Dobrindt but demand immediate, concrete measures and activation of the National Security Council. They also press for a major intelligence service reform and criticize weaknesses in the draft bill to transpose NIS-2 obligations, warning exemptions and gaps would undermine resilience across public administration, municipalities and critical infrastructure.
Tue, October 28, 2025
Python Foundation Rejects $1.5M NSF Grant Over DEI Terms
🛡️ The Python Software Foundation (PSF) withdrew a $1.5 million proposal to the U.S. National Science Foundation after the approved award included conditions that would bar all PSF programs from activities that 'advance or promote diversity, equity, and inclusion.' The funding, under NSF’s Safety, Security, and Privacy of Open Source Ecosystems program, was intended to support automated malware-detection tools for PyPI and to be ported to other package ecosystems. PSF leaders said DEI is central to their mission, creating an unacceptable conflict that led the board to unanimously decline the grant and ask the community for donations and membership support.
Tue, October 28, 2025
ACCC Sues Microsoft Over Copilot Subscription Practices
📝 The Australian Competition and Consumer Commission (ACCC) has sued Microsoft, alleging it misled 2.7 million Australian Microsoft 365 subscribers when integrating Copilot by obscuring the option to remain on existing plans at the same price. The ACCC says renewal communications presented the AI‑enabled tiers as the apparent way to keep service active while the choice to stay was only visible via the cancellation flow. The complaint alleges breaches of multiple Australian Consumer Law provisions and seeks civil penalties, injunctions, and consumer compensation. Microsoft says it is reviewing the ACCC's claim and will cooperate with the regulator.
Tue, October 28, 2025
Sanctions Undermine Nation-State Cyber Ecosystems Globally
🔒 A new RUSI report published on 28 October finds cyber-related sanctions seldom fully disrupt state-backed attacks by themselves but can "toxify" networks, forcing intermediaries and collaborators to distance themselves from named actors. The study highlights the US as the most effective practitioner due to long-standing legal frameworks and coordinated use of diplomatic, legal and technical tools, while the EU and UK face operational and coordination limits. RUSI urges clearer strategic goals, cross-domain integration and targeted action against enablers like exchanges and service providers to boost impact.
Tue, October 28, 2025
How evolving regulations are redefining CISO responsibility
⚖️ CISOs are increasingly exposed to personal and even criminal liability as regulators such as the SEC, DOJ and international authorities press executives to disclose accurate cyber risk and incident information. Rising IoT/OT device vulnerabilities — with vulnerability-based breaches up 34% year over year and accounting for roughly 20% of breaches — are driving mandates like Executive Order 14028, NIS2 and the Cyber Resilience Act. Organizations are updating governance, improving asset inventories and adopting device intelligence tools like SomosID to correlate inventories, SBOM data and vulnerabilities, helping to support compliance and reduce executive exposure.
Tue, October 28, 2025
Support for Dobrindt's Active Cyber Defense Plan in Germany
🛡️ Federal Interior Minister Alexander Dobrindt's proposal for active cyber defense has drawn cross-party, cautious approval as he prepares a legal amendment to counter attacks originating from servers abroad. A ministry spokesperson says the measures would allow intervening steps to stop or mitigate attacks by manipulating or disrupting the IT systems or data traffic used, and stressed this is not about hackback or broad retaliatory strikes. Greens signaled conditional support if the approach follows rule-of-law principles, CDU security figures praised a more proactive stance, and Dobrindt expects to present the amendment to cabinet next year.
Mon, October 27, 2025
Europol Raises Alarm Over Caller ID Spoofing Crisis
🚨 Europol has issued a Position Paper warning of a rising wave of caller ID spoofing, where criminals falsify numbers to impersonate banks, government bodies or relatives. The agency estimates global losses around €850m annually and reports spoofing now underpins roughly 64% of phone- and SMS-related fraud. Europol calls for harmonized technical standards, stronger cross-border cooperation and regulatory convergence to make spoofing harder to perpetrate and easier to investigate.
Mon, October 27, 2025
Proving Data Sovereignty: Controls, Keys, and Audits
🔒 The article argues that data sovereignty commitments like Project Texas must be supported by auditable, technical evidence rather than marketing promises. It prescribes five concrete, testable controls — brokered zero‑trust access, in‑region HSM keys, immutable WORM logs, continuous validation, and third‑party attestation — plus measurable metrics to prove compliance. A 90‑day blueprint and emerging AI automation are offered to operationalize verification and produce regulator‑ready, reproducible evidence.
Fri, October 24, 2025
UN Cybercrime Treaty Faces Criticism Over Researcher Risks
🔒 Cybersecurity researchers and rights groups warn the UN Convention against Cybercrime, which begins a ratification process in Hanoi this weekend, could criminalize legitimate research and expand intrusive surveillance powers. The Cybersecurity Tech Accord and organizations such as Human Rights Watch say the draft's vague scope, broad criminalization language, and expansive data-access provisions risk arbitrary abuse and could hamper incident response. Some analysts acknowledge improvements around intent-based language but stress that robust national safeguards and explicit protections for security research are still needed.
Wed, October 22, 2025
Canada Fines Cryptomus $176M over AML Oversight in 2025
🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.
Tue, October 21, 2025
Google abandons Privacy Sandbox, ends most cookie efforts
🍪 Google has announced it is discontinuing 11 Privacy Sandbox technologies — effectively ending most of the company’s cookie‑replacement efforts after evaluating low adoption and ecosystem feedback. The decision follows regulatory scrutiny from the UK’s Competition and Markets Authority and several U.S. antitrust actions, and came after prior concessions from Google. The company says it will continue to work on privacy improvements for Chrome, Android and the web but will move away from the Privacy Sandbox branding.
Mon, October 20, 2025
Experian Fined €2.7m by Dutch Regulator for GDPR Breach
🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.
Mon, October 20, 2025
AI-Driven Social Engineering Tops ISACA Threats for 2026
⚠️ A new ISACA report identifies AI-driven social engineering as the top cyber threat for 2026, cited by 63% of nearly 3,000 IT and security professionals. The 2026 Tech Trends and Priorities report, published 20 October 2025, shows AI concerns outpacing ransomware (54%) and supply chain attacks (35%), while only 13% of organizations feel very prepared to manage generative AI risks. ISACA urges organizations to adopt AI governance, strengthen compliance amid divergent US and EU approaches, and invest in talent, resilience and legacy modernization.
Sun, October 19, 2025
Experian Netherlands fined €2.7M for unlawful data use
🔍 Experian Netherlands was fined EUR 2.7 million by the Dutch Data Protection Authority for collecting and using personal data from multiple public and private sources without properly informing individuals or obtaining consent. The AP found the company aggregated information from the Chamber of Commerce, telecom and energy firms to produce credit assessments that affected interest rates and upfront deposits. Experian acknowledged the violations, will not appeal, has ceased operations in the Netherlands, and pledged to delete its database of personal data before year-end.