All news with #regulatory action tag
Thu, September 25, 2025
Amazon to Pay $2.5 Billion Over Prime Enrollment Practices
⚖️ The FTC announced a $2.5 billion settlement with Amazon over allegations it used dark patterns to trick millions into enrolling in and retaining Prime subscriptions. The agreement includes a $1 billion civil penalty and $1.5 billion in refunds for an estimated 35 million affected consumers. The FTC said Amazon's checkout and cancellation designs obscured opt-outs, failed to disclose automatic renewals, and relied on an internal cancellation flow nicknamed "Iliad" that deterred cancellations. Internal documents, the agency added, showed employees discussing the problematic practices.
Thu, September 25, 2025
Microsoft to Provide Free Windows 10 Security Updates in EEA
🛡️ Microsoft will provide no-cost Extended Security Updates (ESU) for Windows 10 consumer users across the European Economic Area (EEA). The company adjusted enrollment so consumers can access critical patches without tying updates to Windows Backup or Microsoft Rewards, following pressure from Euroconsumers. Microsoft says the change aims to support customers transitioning to Windows 11 before Windows 10 reaches end of support on October 14, 2025.
Thu, September 25, 2025
Global Harms of Restrictive Cloud Licensing: One Year
⚖️ A year after Google Cloud filed a formal complaint with the European Commission, restrictive cloud licensing by Microsoft remains entrenched and, according to recent disclosures, appears to be intensifying. Microsoft has described efforts to drive customers to Azure as a core growth pillar, while new licensing changes due at the end of September further restrict managed service providers from hosting workloads on competing clouds. Regulators such as the U.K.'s CMA have found these policies harm customers, competition, innovation, and cybersecurity, and multiple global authorities are now scrutinizing the practices.
Mon, September 22, 2025
Former Meta Lobbyist Named to Ireland's DPC, Concerns
⚖️ The Irish government has appointed Niamh Sweeney as a member of the Data Protection Commission, the authority that leads EU oversight of major technology companies. The appointment has drawn strong criticism from privacy organization Noyb, which highlights Sweeney’s previous role as a lobbyist for Meta. Critics, including Max Schrems, argue this raises questions about impartiality and potential regulatory capture. As recently as December, the DPC fined Meta €251 million for breaches of GDPR, a fact cited by opponents of the appointment.
Thu, September 18, 2025
Unit 42 Earns NCSC Enhanced Level Incident Response
🔒 Palo Alto Networks' Unit 42 has been added to the UK's NCSC Cyber Incident Response scheme at the Enhanced Level, demonstrating certified capability to manage the most complex and impactful cyber incidents. The assurance verifies structured, government-benchmarked processes, strong investigative expertise, and a customer-focused retainer model tailored to regulatory and operational needs. This recognition underscores Unit 42's role in helping organisations reduce dwell time, contain threats faster, and strengthen long-term resilience.
Tue, September 16, 2025
AWS OSPAR 2025 Report: 170 Services Covered Under OSPAR v2.0
🔒 AWS has completed its annual OSPAR 2025 audit cycle under the newly enhanced OSPAR v2.0 guidelines, becoming the first global cloud provider in Singapore to receive the report. The certification covers 170 services in the AWS Asia Pacific (Singapore) Region, including seven newly scoped services such as Amazon DynamoDB Accelerator (DAX) and AWS Payment Cryptography. Customers can retrieve the full report through AWS Artifact to support due diligence and compliance.
Mon, September 15, 2025
OIG: CISA Wasted Millions and Mismanaged Incentives
🔍 The DHS Office of Inspector General (OIG) audit found that CISA misused federal funds and undermined its mission by broadly administering the Cyber Incentive program. The review identified 240 recipients in non-cyber support roles, poor record-keeping in OCHCO, and $1.4m in undocumented back pay among more than $138m disbursed since 2020. Payments typically ranged from $21,000 to $25,000 annually per person, more than 40% of staff received incentives, and the OIG issued eight recommendations to tighten eligibility, tracking, governance and recovery procedures; CISA has concurred with all recommendations.
Fri, September 12, 2025
Cyberattack Victim Notification Framework: Recommendations
🔔 This report analyzes the persistent difficulty organizations face when notifying victims of cyber incidents and proposes a practical roadmap to improve outcomes. It introduces the CSRB's native-notification concept and outlines nearer-term, narrower changes that could increase both delivery and trust. The authors recommend that cloud service providers adopt better notification practices, support secure middleware for cross-platform delivery, and strengthen post-notification victim assistance.
Thu, September 11, 2025
Senator Wyden Urges FTC Probe of Microsoft's Security
🚨 U.S. Senator Ron Wyden requested that the FTC investigate Microsoft for what he describes as “gross cybersecurity negligence” after product weaknesses tied to Kerberos and legacy RC4 usage contributed to ransomware incidents, including the May 2024 Ascension Health breach that exposed data for 5.6 million patients. Wyden says his office alerted Microsoft in July 2024 and urged setting stronger ciphers like AES as defaults; he criticized an October Microsoft blog as too technical to warn corporate decision-makers. Microsoft replied that RC4 accounts for under 0.1% of traffic, that full removal risks breaking legacy systems, and that deprecation is on its roadmap.
Thu, September 11, 2025
Stark Industries Rebrands to Evade EU Sanctions, Persists
🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.
Thu, September 11, 2025
CISA Publishes Strategic Roadmap for the CVE Program
🔒 CISA has published a strategic focus document, “CVE Quality for a Cyber Secure Future,” signaling federal support for the Common Vulnerabilities and Exposures (CVE) program and a shift from a growth-focused expansion to a defined Quality Era. The agency reaffirmed that the program should remain public and vendor‑neutral while evaluating potential mechanisms for diversified funding and taking a more active leadership role. The roadmap prioritizes automation, strengthened CNA services and CNAs of Last Resort, expanded API support, improved CVE.org capabilities, minimum data-quality standards and federated enrichment approaches such as Vulnrichment.
Thu, September 11, 2025
Wyden Urges FTC Probe of Microsoft After Ascension Hack
🛡️ US Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft following the 2024 ransomware attack on healthcare operator Ascension, which exposed data for 5.6 million patients after a contractor clicked a malicious Bing search result. Wyden says default Microsoft settings and support for the outdated RC4 standard enabled a Kerberoasting technique that granted administrative access. He notes Microsoft was warned in July 2024 and posted a blog in October announcing a planned update, but nearly a year later no update has been issued nor direct customer outreach made. The letter frames Microsoft’s control over default configurations as a systemic national security risk.
Thu, September 11, 2025
Senator Wyden Urges FTC Probe of Microsoft Ransomware Lapses
🔍 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft for what he describes as "gross cybersecurity negligence" that he says facilitated ransomware attacks on U.S. critical infrastructure, including healthcare. Wyden's four-page letter to FTC Chair Andrew Ferguson cites the 2024 Ascension breach attributed to Black Basta and details an attack chain that began when a contractor clicked a malicious link after using Microsoft's Bing search. The senator highlights exploitation of insecure default Kerberos settings and legacy RC4 support enabling Kerberoasting, and criticizes Microsoft for not enforcing stronger defaults and minimum password requirements while noting the company's published mitigations and planned deprecations.
Thu, September 11, 2025
Senator Wyden Urges FTC Probe into Microsoft's Security
🚨 Senator Ron Wyden has asked the FTC to investigate Microsoft for what he calls "gross cybersecurity negligence," arguing insecure defaults enabled widespread ransomware attacks. He cites the February 2024 Ascension Health breach that exposed 5.6 million patient records and describes how a single click enabled lateral movement via Kerberoasting and lingering RC4 support. Wyden criticizes Microsoft for building a >$20 billion security business of add-on protections while leaving core products vulnerable and says promised fixes and plain-language guidance were inadequate. The letter warns this pattern poses national-security and industry-wide risks.
Thu, September 11, 2025
Managed SOCs: Practical Path to Stronger IT Security
🔒 Companies face rapidly evolving threats and tightening regulation, and many — especially SMEs — lack the staff and budget to build an effective in‑house Security Operations Center. A Managed SOC delivers continuous 24/7 monitoring, rapid deployment and specialized analysts without the multi‑million euro investment or hiring of 10–20 experts. Choose providers with proven detection and response experience, recognized certifications such as ISO 27001, strong data protection practices and a focus on integrating existing tools. Internal readiness — defined escalation paths, fast decision-making and employee awareness — remains essential for any managed service to be effective.
Thu, September 11, 2025
States Target Businesses Over Global Privacy Control Signals
🔔 The California Privacy Protection Agency and the attorneys general of California, Colorado and Connecticut announced a coordinated enforcement sweep targeting businesses that fail to detect or honor Global Privacy Control (GPC) opt-out signals. Regulators will contact firms believed not to be processing consumers’ opt-out requests and urge immediate remediation. Legal advisers recommend technical steps — from reliable GPC signal recognition to consent management platform integration, routine testing and monitoring, and clear privacy notice updates — to reduce enforcement risk.
Wed, September 10, 2025
CISA Leads CVE Program: Mandate, Mission, Momentum
🔒 CISA reaffirms federal leadership of the CVE Program, arguing that a neutral, government steward is essential to preserve trust and national security. The agency ties the program to operational initiatives such as the Known Exploited Vulnerabilities (KEV) Catalog and warns that privatization or fragmentation would erode reliability and increase risk. CISA outlines a shift from a 'Growth Era' to a 'Quality Era' focused on improving completeness, accuracy, timeliness, governance, and sustainable infrastructure, and invites practitioners, industry, and international partners to help shape the program's future.
Wed, September 10, 2025
CISA Outlines Strategic Vision for CVE Program Quality
🛡️ CISA released "CISA Strategic Focus: CVE Quality for a Cyber Secure Future," a roadmap that shifts the CVE Program from its Growth Era to a Quality Era emphasizing trust, responsiveness, and improved vulnerability data. The plan highlights expanded community partnerships, potential diversified government sponsorship, technological modernization, and stronger transparency and communications. It also prioritizes data quality improvements, including standardized enrichment approaches such as Vulnrichment and expanded Authorized Data Publisher capabilities.
Tue, September 9, 2025
US Sanctions Southeast Asian Cyber Scam Networks, $10B Theft
🚨 The U.S. Department of the Treasury has designated multiple cyber fraud networks in Burma and Cambodia that stole more than $10 billion from Americans, according to OFAC. The operations are linked to forced labor, human trafficking, and violent coercion and ran diverse scams from romance baiting to fake cryptocurrency schemes. The sanctions freeze U.S.-based assets and bar transactions with Americans, tightening these actors' access to international finance and platforms.
Mon, September 8, 2025
AI in Government: Power, Policy, and Potential Misuse
🔍 Just months after Elon Musk’s retreat from his informal role guiding the Department of Government Efficiency (DOGE), the authors argue that DOGE’s AI agenda has largely consolidated political power rather than delivered public benefit. Promised efficiency gains and automation have produced few savings, while actions such as firing inspectors, weakening transparency and deploying an “AI Deregulation Decision Tool” have amplified partisan risk. The essay contrasts these outcomes with constructive alternatives—public disclosures, enforceable ethical frameworks, independent oversight and targeted uses like automated translation, benefits triage and case backlog reduction—to show how AI could serve the public interest if governed differently.