CISO Brief

All news with #regulatory action tag

310 articles · page 7 of 16

Germany to Authorize Cross-Border Cyber Counterstrikes

🛡️ Germany plans to adopt a more offensive cyber posture, saying it will "strike back, also abroad," and aim to disrupt attackers and destroy their infrastructure. The Interior Ministry proposes joint operational responsibility for the Federal Criminal Police Office (BKA) and intelligence services and is creating a new defense center against hybrid threats. Minister Alexander Dobrindt said he will introduce laws in the first half of the year to expand intelligence powers for information gathering and operational action.

Over 160,000 Companies Notify Regulators of GDPR Breaches

📈 The number of organisations reporting GDPR breaches rose 22% in 2025 to a daily average of 443, according to DLA Piper, making this the first year since 2018 that notifications topped 400. Germany, the Netherlands and Poland recorded the most reports, and analysts pointed to geopolitical unrest and emerging AI-enabled threats as contributors. Annual GDPR fines remained stable at €1.2bn, with Ireland issuing the largest share, including a €530m penalty for TikTok over international data transfers.

Internet Voting Remains Too Insecure for Elections

🔐 Bruce Schneier and a broad group of security scientists warn that internet voting is fundamentally insecure and that no known or foreseeable technology can make it safe for public elections. They criticize persistent claims from vendors and advocates—specifically naming Bradley Tusk and the Mobile Voting Foundation—for promoting misleading assurances. The letter calls on election officials and policymakers to reject online voting and stick with proven, auditable processes.

EU-led GCVE launched as decentralized CVE alternative

🌐 The open-source Global Cybersecurity Vulnerability Enumeration (GCVE) has launched as a community-driven, European-headquartered alternative to the US-led CVE program. Hosted by CIRCL at db.gcve.eu, the initiative aggregates vulnerability data from more than 25 public sources and empowers GCVE Numbering Authorities (GNAs) to allocate identifiers independently. Backers say the model reduces single points of failure, strengthens digital sovereignty by combining open-source software with European-controlled infrastructure, and—if kept compatible with existing conventions—could speed and diversify vulnerability disclosure without causing tracking misalignment.

EU Cybersecurity Overhaul to Bar High-Risk Suppliers

🔒 The European Commission has proposed a comprehensive cybersecurity package that would require the removal of high-risk suppliers from sensitive telecommunications networks and give Brussels authority to coordinate EU-wide risk assessments. The measure aims to strengthen defenses against state-backed actors and cybercrime targeting critical infrastructure while addressing uneven uptake of the 2020 5G Security Toolbox. The proposal also expands ENISA's remit to issue early threat alerts, centralize incident reporting, streamline voluntary certification, and support joint assessments across 18 critical sectors, with member states required to transpose changes within one year of approval.

Tudou Guarantee Marketplace Halts Public Transactions

🔍 Elliptic reports that Tudou Guarantee, a Telegram-based guarantee marketplace, has effectively ceased processing transactions through its public Telegram groups after rapid growth and is estimated to have handled over $12 billion, ranking it among the largest illicit marketplaces. Some operations, notably gambling services, remain active, so Elliptic says this may be a staged shutdown or a strategic pivot. The pause in public activity coincides with law enforcement moves tied to the arrest and extradition of Prince Group CEO Chen Zhi.

Hacker Pleads Guilty After Leaking Supreme Court Data

🔓 Nicholas Moore, 24, pleaded guilty to hacking the U.S. Supreme Court's restricted electronic filing system and breaching AmeriCorps and VA accounts. Prosecutors say Moore used stolen credentials to access the Court's system at least 25 times between August and October 2023, sometimes logging in multiple times per day, and posted screenshots and victims' data to an Instagram account, @ihackedthegovernment. He also accessed an AmeriCorps account seven times and a VA My HealtheVet account five times, viewing sensitive personal and health information. Moore admitted to one count of computer fraud.

Jordanian Pleads Guilty to Selling Network Access to Firms

🔒 Feras Khalil Ahmad Albashiti (known online as "r1z") pleaded guilty to selling access credentials to the networks of at least 50 companies. Extradited from Georgia in July 2024, he admitted selling access to an undercover law enforcement officer for cryptocurrency on May 19, 2023. He faces up to 10 years in prison and fines; sentencing is set for May 11, 2026.

CIRO Breach Exposed Data of 750,000 Canadian Investors

🔒 The Canadian Investment Regulatory Organization (CIRO) confirmed a data breach that affected roughly 750,000 Canadian investors. The threat was identified on August 11 and disclosed on August 18, with an extensive forensic analysis completed January 14. Compromised records vary by person and may include dates of birth, phone numbers, income details, social insurance numbers, government IDs, account numbers, and statements. CIRO said it does not store login credentials and will offer two years of free credit monitoring to impacted investors.

FTC Restricts GM from Selling Drivers' Location Data

📍 The Federal Trade Commission has finalized an order prohibiting General Motors and its OnStar unit from collecting, using, or sharing consumers' precise geolocation and driving-behavior data without express consent. The FTC said GM harvested location data every three seconds through the discontinued Smart Driver feature and sold it to third parties, including consumer reporting agencies, which could affect insurance outcomes. Under the order GM is barred from sharing such data with consumer reporting agencies for five years, must obtain express consent for collection and sharing for 20 years, and must give U.S. customers access, deletion rights, and the ability to disable precise location tracking.

International Takedown of RedVDS Cybercrime Service

🛡️ International law enforcement, together with Microsoft, dismantled the RedVDS cybercrime service after seizing servers hosted in Germany. Authorities from Germany, the United States and the United Kingdom say the platform enabled large-scale phishing and "boss scam" (CEO fraud) campaigns; the seizure was confirmed by Germany's ZIT (Central Office for Combating Internet Crime) and the State Criminal Police Office of Brandenburg. Microsoft reports $40 million in US losses over seven months and highlights the prolific phishing volumes sent from the service's rented virtual machines. No arrests have been reported; the suspects are believed to be located in an unspecified Middle Eastern country.

Ransomware gangs extort victims with compliance threats

🛡️ Ransomware groups are increasingly threatening victims with regulatory complaints in addition to data leaks, citing alleged violations of rules such as GDPR. Security vendors including Akamai report the tactic has grown over the past two years and is used by gangs such as Anubis and RansomHub to pressure heavily regulated sectors such as healthcare. Experts warn that AI accelerates the process by quickly identifying "material" issues in stolen data and producing legally framed complaints, tightening deadlines and raising the stakes for victims.

France Fines Free Mobile €42M Over 2024 Data Breach

🔒 The French data protection authority, CNIL, fined Free Mobile and parent company Free a combined €42 million for insufficient protection of customer data after an October 2024 breach that exposed information of nearly 23 million subscribers. CNIL cited weak VPN authentication, poor detection of abnormal activity, delayed notifications, and excessive data retention. The companies must complete security fixes and perform mandated data clean-up within required deadlines.

G7 Sets 2034 Deadline for Financial PQC Migration Plan

🔐 The G7 Cyber Expert Group has published a recommended roadmap asking financial firms and public entities to complete transition to post-quantum cryptography (PQC) by 2034 to anticipate future quantum-enabled threats. The non-prescriptive guidance outlines six phased activities from awareness and inventory to migration, testing and validation, with overlapping timelines beginning in 2025. It stresses a risk- and standards-based approach, crypto agility and cross-jurisdiction collaboration to reduce fragmentation and enhance interoperability.

State and Local Cybersecurity: Framework in Place to Act

🛡️ The White House’s March 2025 Executive Order and Congress’s State and Local Cybersecurity Grant Program (SLCGP) together create a framework for strengthening defenses at state, local and tribal levels. The proposed PILLAR Act would extend and reinforce funding, oversight and scope. Success requires restoring disbursements, aligning with NIST standards, and building local capacity through partnerships and workforce development.

Congressional Delays Weaken U.S. Cybersecurity Posture

⚠️ The White House renominated seasoned Coast Guard and Energy Department cyber official Sean Plankey to lead CISA, a step that eases an urgent leadership gap but does not resolve broader legislative gridlock. Experts cite both executive deprioritization and congressional dysfunction—blocked confirmations, holds, and delayed reports—as drivers of a hollowed-out agency. Quick Senate confirmation, reauthorization of CISA 2015, and restored grant funding are needed to begin rebuilding capacity.

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees inserted USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate any procedural violations. He was acquitted on one large cocaine import charge, but the convictions for hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion were upheld.

California Regulators Target Sale of Sensitive Health Data

⚖️ California privacy regulators have taken enforcement action under the Delete Act, penalizing a marketing firm and a global analytics provider for trading in sensitive consumer profiles without proper registration. The agency fined Rickenbacher Data LLC (operating as Datamasters) $45,000 and ordered it to stop selling California residents' data and delete what it holds. Separately, S&P Global was fined $62,600 for failing to register as a data broker. Officials highlighted the risks posed by marketing lists keyed to medical conditions, race, age, political views and spending.

Ireland Recalls Nearly 13,000 Passports Over MRZ Error

⚠️ Ireland's Passport Office has recalled 12,904 passports issued between 23 December 2025 and 6 January 2026 after a software update caused a printing defect that may omit the IRL issuing-state code in the passport's machine-readable zone (MRZ). Affected holders are asked to return passport books (and cards where applicable) for free replacement, with new documents issued in approximately 10 working days. The Department issued a global alert via the International Civil Aviation Organization and advises travellers to contact the Passport Office for guidance.
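Why an omitted issuing-state code matters to anyone validating travel documents: in a TD3 (passport) MRZ the issuing state sits at positions 3-5 of line 1, and line 1 carries no check digit, so the ICAO 9303 checksums on line 2 would still pass on such a book. The parser below is an added example, not code from the Irish Passport Office or from the article. Field positions and the 7-3-1 check-digit scheme follow ICAO Doc 9303; the sample MRZ is the public ICAO "UTO / ERIKSSON" specimen, and the "defective" variant with filler in the issuing-state field is constructed for illustration, since the article does not say how the missing IRL code is rendered on the affected books.

```python
"""TD3 passport MRZ parser with ICAO 9303 check digits (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

WEIGHTS = (7, 3, 1)
ISSUING_STATE_MISSING = "issuing state missing (positions 3-5 are filler)"

# ICAO 9303 specimen (public). Line 1 is padded with '<' to 44 characters.
SPECIMEN_LINE1 = ("P<UTO" + "ERIKSSON<<ANNA<MARIA").ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed variant: issuing state (positions 3-5) replaced by filler.
DEFECTIVE_LINE1 = "P<<<<" + SPECIMEN_LINE1[5:]


def char_value(c: str) -> int:
    """ICAO 9303 value of one MRZ character: 0-9 literal, A-Z = 10..35, '<' = 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(s: str) -> int:
    """Weighted sum with weights 7,3,1 repeating, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(s)) % 10


@dataclass
class TD3:
    issuing_state: str
    surname: str
    given_names: str
    document_number: str
    nationality: str
    birth_date: str
    sex: str
    expiry_date: str
    personal_number: str
    errors: List[str] = field(default_factory=list)


def parse_td3(line1: str, line2: str, expected_issuer: Optional[str] = None) -> TD3:
    """Parse both MRZ lines; structural and checksum problems land in .errors."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    errors: List[str] = []
    if line1[0] != "P":
        errors.append("document code is not 'P'")

    issuer = line1[2:5]
    # Line 1 has no check digit: a dropped issuing-state code is caught only
    # by field validation, never by the checksums on line 2.
    if issuer == "<<<":
        errors.append(ISSUING_STATE_MISSING)
    elif expected_issuer and issuer != expected_issuer:
        errors.append(f"issuing state {issuer!r} != expected {expected_issuer!r}")

    surname, _, given = line1[5:].partition("<<")
    surname = surname.replace("<", " ").strip()
    given = given.replace("<", " ").strip()

    doc_no, nat = line2[0:9], line2[10:13]
    dob, sex, exp, pers = line2[13:19], line2[20], line2[21:27], line2[28:42]

    for label, data, cd in (("document number", doc_no, line2[9]),
                            ("birth date", dob, line2[19]),
                            ("expiry date", exp, line2[27])):
        if not cd.isdigit() or check_digit(data) != int(cd):
            errors.append(f"{label} check digit mismatch")
    # The optional-data check digit may be '<' when the field is empty.
    pers_cd = line2[42]
    if not (pers_cd == "<" and pers.strip("<") == ""):
        if not pers_cd.isdigit() or check_digit(pers) != int(pers_cd):
            errors.append("personal number check digit mismatch")
    # Composite check covers positions 1-10, 14-20 and 22-43 of line 2.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if not line2[43].isdigit() or check_digit(composite) != int(line2[43]):
        errors.append("composite check digit mismatch")

    return TD3(issuer, surname, given, doc_no.rstrip("<"), nat, dob, sex, exp,
               pers.rstrip("<"), errors)


if __name__ == "__main__":
    for name, l1 in (("specimen", SPECIMEN_LINE1), ("defective", DEFECTIVE_LINE1)):
        r = parse_td3(l1, SPECIMEN_LINE2, expected_issuer="UTO")
        print(name, r.issuing_state, r.surname, r.given_names, r.errors or "ok")
```

Run it and the specimen parses cleanly while the constructed defective book reports only the issuing-state error: every check digit still matches, which is exactly why a reader that relies on checksums alone would accept such a document. Pass `expected_issuer` when the context fixes the issuer (an e-gate at a national border, for instance) to turn an unexpected code into an error as well.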

CISA Retires 10 Emergency Cybersecurity Directives

🔒 CISA has retired 10 Emergency Directives issued between 2019 and 2024 that were intended to protect Federal Civilian Executive Branch (FCEB) agencies from high-risk vulnerabilities. The directives covered DNS tampering, multiple Windows Patch Tuesday flaws, SolarWinds, Microsoft Exchange, Pulse Connect Secure, Print Spooler, VMware, and a nation-state compromise of Microsoft corporate email. CISA said the required actions were completed or are now enforced through BOD 22-01, and emphasized continued advancement of Secure by Design principles across federal systems.