All news with #regulatory action tag

Czech Agency Warns Against Chinese Tech in Critical Sectors

⚠️ The Czech National Cyber and Information Security Agency (NUKIB) is urging operators of critical infrastructure to avoid using Chinese technology or transferring user data to servers in China, citing a reassessed High risk of significant disruption. NUKIB confirmed malicious activity by Chinese cyber-actors, including an APT31 campaign against the Ministry of Foreign Affairs, and warned that Chinese law can permit state access to data held by domestic providers. The guidance is not an outright legal ban, but entities covered by the Czech Cybersecurity Act must include the threat in their risk analyses and adopt appropriate mitigations.

FTC Probes Gmail Spam Filtering Of GOP Fundraising Emails

📧 The FTC chairman sent a letter to Google’s CEO asking why Gmail flagged Republican fundraising messages as spam while allegedly allowing similar Democratic messages through. Email-intelligence firms report that WinRed has triggered far more spamtraps than ActBlue, driven by aggressive list and delivery practices that degrade sender reputation. Blocklists and reputation signals, not political content, explain many filtering outcomes, experts say. The dispute highlights both operational deliverability risks for campaigns and potential regulatory overreach.

EU Fines Google €2.95B for Anti-Competitive Adtech

⚖️The European Commission has fined Google €2.95 billion ($3.5 billion) for abusing its dominance in the digital advertising technology market and favoring its adtech services over competitors. The regulator ordered Google to stop anti-competitive "self-preferencing" practices and to take measures to mitigate conflicts of interest in adtech. Google said the decision is wrong and plans to appeal, warning the changes could harm thousands of European businesses. Separately, France's CNIL fined Google €325 million for placing ads in Gmail without proper consent and violating cookie rules.

FTC Action: Robot Toys Collected Children's Location Data Illegally

🔒 The FTC and DOJ have acted against Chinese toy maker Apitor Technology after its robot toys and companion Android app transmitted precise geolocation data about children without parental notice or consent. The company integrated a third-party SDK, JPush, which collected street-level location sufficient to identify homes and routines. Apitor agreed to a settlement with a suspended $500,000 penalty, a permanent ban on collecting sensitive kids’ data without parental consent, and obligations to delete illegally gathered records and submit to monitoring.

France Fines Google €325M for Cookie Consent Breaches

⚖ The French data protection authority CNIL has fined Google €325 million for placing advertising cookies and showing ads in Gmail's 'Promotions' and 'Social' tabs without valid user consent after investigations in 2022–2023. CNIL found Google failed to inform new account holders that accepting advertising cookies was required to access services, breaching Article L.34-5 and the French Data Protection Act (Article 82). The authority said the cookie-related practices affected over 74 million accounts (53 million individuals saw the ads), described the conduct as negligent and cited prior sanctions; it also fined Shein €150 million the same day for separate cookie violations.

Fifteen Nations Agree Joint Guidance on SBOM Adoption

🔐 A coalition of 21 agencies from 15 countries, led by CISA and the NSA, published joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity on September 3. The document defines SBOM concepts, clarifies roles for producers, choosers and operators, and urges cross-border adoption. It promotes harmonized technical implementations and integration of SBOMs into security workflows to reduce complexity and improve supply chain risk management.

France Fines Google €325M and Shein €150M Over Cookies

⚖️ The French data protection authority, CNIL, has fined Google €325 million ($379 million) and Shein €150 million ($175 million) for placing advertising cookies without valid consent. CNIL found users were nudged to accept personalized ad cookies during Google account creation and that information remained unclear even after an opt-out option was added in October 2023. The regulator also said targeted ads placed inside Gmail's Promotions and Social tabs required explicit consent under the CPCE. Shein has updated systems and plans to appeal; Google must comply within six months or face €100,000-per-day penalties.

Pressure Grows on CISOs to Conceal Security Incidents

🔒 A growing majority of CISOs report being pressured to hide breaches, with a Bitdefender survey finding 69% instructed to keep incidents confidential, up from 42% two years earlier. Security leaders say attackers increasingly prioritize stealthy data theft rather than disruptive encryption, making breaches less visible to the public. Regulatory regimes such as GDPR, NIS2 and DORA complicate disclosure decisions, while experts warn that concealment multiplies legal, financial and reputational risk and recommend robust, transparent incident response plans.

Court Upholds EU-US Data Privacy Framework Agreement

⚖️ The European Court of Justice's General Court has dismissed a legal challenge seeking to annul the EU-US Data Privacy Framework (DPF), finding that, at the time of adoption, US law ensured an adequate level of protection for personal data transferred from the EU. Negotiated in July 2023, the DPF now stands as the main mechanism for transatlantic data flows, providing immediate relief to the European Commission and many businesses. Critics including Max Schrems and advocacy group NOYB have signalled likely appeals, meaning the ruling may not be the final word and legal uncertainty could continue.

US Sues Toy Maker Over Kids' Geolocation Data Leak

🔒 The U.S. Department of Justice has sued toy maker Apitor after an FTC referral, alleging it allowed a Chinese third party to collect precise geolocation data from children without notifying parents or obtaining consent required under COPPA. Apitor's Android app for robot toys uses the JPush SDK, which reportedly collected location data for any purpose, including targeted advertising. Under a proposed settlement, Apitor must secure third-party COPPA compliance, notify parents, delete collected personal information, limit retention, and faces a $500,000 penalty that is currently suspended amid claimed financial hardship.

Disney to Pay $10M Over YouTube Kids' Data Violations

⚖️ The FTC secured a $10 million settlement with Disney after finding the company mislabeled children’s content on YouTube, enabling collection of kids' personal data without parental notice or consent. The complaint says Disney applied channel-level tags that caused many videos to be marked as 'Not Made for Kids' instead of Made for Kids, circumventing COPPA protections. The settlement imposes a civil penalty, requires parental notice prior to data collection, and mandates a new program to ensure correct MFK labeling on future uploads.

CISA, NSA and Partners Release SBOM Shared Vision Guidance

🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.

International Partners Release Shared SBOM Vision Statement

🔒 CISA, the NSA, and 19 international partners published a joint guide outlining the benefits of adopting software bills of materials (SBOM) to increase software component and supply chain transparency. The guide advises software producers, purchasers, and operators to integrate SBOM generation, analysis, and sharing into security processes to better identify and mitigate component risks. It calls for international alignment of SBOM technical approaches to reduce complexity, improve interoperability, and advance secure-by-design software.

Shadow AI Discovery: Visibility, Governance, and Risk

🔍 Employees are driving AI adoption from the ground up, often using unsanctioned tools and personal accounts that bypass corporate controls. Harmonic Security found that 45.4% of sensitive AI interactions come from personal email, underscoring a growing Shadow AI Economy. Rather than broad blocking, security and governance teams should prioritize continuous discovery and an AI asset inventory to apply role- and data-sensitive controls that protect sensitive workflows while enabling productivity.

BSI Urges Users to Assess Outage Risks in Digital Products

🔒 The German Federal Office for Information Security (BSI) recommends that consumers consider potential outage risks when selecting digital products and services. Users should evaluate how manufacturers handle security incidents, what happens to personal or family data, and whether vendors have a solid security reputation or trustworthy seals. The BSI also advises checking published information about incidents, remediation measures and contact options. Given the end of free Windows 10 updates from October 14, the agency urges timely upgrades or migration to alternatives such as macOS or Linux to help preserve confidentiality, integrity and availability.

U.S. Sanctions Network Supporting North Korean IT Workers

🔒 The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and two companies tied to a North Korean IT worker network that embeds personnel in foreign firms using stolen or fabricated identities and "laptop farms" to disguise locations. Designations include Russian national Vitaliy Sergeyevich Andreyev and DPRK consular official Kim Ung Sun, plus Chinese front Shenyang Geumpungri Network Technology Co., Ltd and DPRK-linked Korea Sinjin Trading Corporation. Blockchain intelligence firm Chainalysis identified Andreyev’s Bitcoin wallet as a laundering conduit, tied to nearly $600,000 in conversions. The sanctions freeze U.S.-based assets, bar American persons from transacting with the designees, and signal heightened targeting of infrastructure and crypto facilitators who help the DPRK monetize overseas IT labor.

UK Signals Possible Reversal of iPhone Backdoor Mandate

🔍 The US Director of National Intelligence reports that the UK government is dropping a proposed mandate requiring a backdoor into the Apple iPhone, a development attributed in early accounts to reporting by Tulsi Gabbard. If accurate, the announcement would mark a significant retreat from proposals that would compel vendors to weaken device security. The decision is described as provisional and underscores continuing tensions between privacy advocates, technology vendors, and law enforcement over access to encrypted communications.

August 2025 security roundup with Tony Anscombe highlights

🔒 In the August 2025 edition, ESET Chief Security Evangelist Tony Anscombe highlights major global developments that affect defenders and users alike. Key items include WhatsApp's takedown of 6.8 million scam-linked accounts in H1 2025, the UK government's reversal on an Apple cloud decryption demand, attacks on water facilities in Norway and Poland, and Nigeria's deportation of over 100 foreign nationals tied to a large cybercrime syndicate. He also notes auctions of active police and government email credentials on criminal forums and underscores lessons for resilience, encryption policy, and international cooperation.

US Treasury Sanctions DPRK IT-Worker Revenue Network

🛡️ The U.S. Treasury's Office of Foreign Assets Control (OFAC) announced sanctions on two individuals and two entities tied to a DPRK remote IT-worker revenue scheme that funneled illicit funds to weapons programs. Targets include Vitaliy Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology Co., Ltd, and Korea Sinjin Trading Corporation. Treasury says nearly $600,000 in crypto-derived transfers were converted to U.S. dollars and that front companies generated over $1 million in profits. Officials also highlighted the group's use of AI tools to fabricate résumés, secure employment, exfiltrate data, and enable extortion.

German Government to Propose Stronger Cyber Defense Bill

🛡️ The federal government plans to present a draft bill by year-end aimed at strengthening cyber defense across Germany. The proposal would expand cyber-defense powers for security agencies and deepen cooperation between civilian and military bodies, with joint exercises planned between the Interior Ministry and the Ministry of Defence. It also calls for the development of a Cyber-Dome, an automated system to detect and respond to online attacks, as Interior Minister Alexander Dobrindt warned of daily cyberattacks and rising hybrid threats.