Security policy changes, regulatory updates, and compliance-relevant developments.
74 items
Google security layoffs, alleged incident response cover-ups by IBM and AT&T, regulatory fines against Coupang, and flat ICS exposure rates collectively signal organisational security maturity challenges and regulatory pressure intensifying across tech and e-commerce sectors.
A $47 million settlement fund has been approved for approximately 7 million 23andMe customers whose genetic and personal data were compromised starting in April 2023 and subsequently posted on dark web marketplaces. The breach underscores inadequate credential hygiene, delayed breach disclosure, and the growing market for personal genomic data.
Maine's public data breach notification portal was taken offline after attackers published fraudulent breach disclosures on the state website, highlighting inadequate access controls and verification procedures in government reporting systems that citizens rely on for authentic security information.
Juan Andrés Guerrero-Saade argues that decades of uncoordinated security tool accumulation have created an unmanageable, non-standardised technology stack that prevents organisations from effectively directing their own cyber defence strategies. The proposal centres on building an ecology model for cyber security architecture.
Alert fatigue is a systemic operational security problem where SOCs become overwhelmed by alert volume, causing genuine threats to be missed or delayed. This is a control failure that degrades the effectiveness of existing detection infrastructure.
The U.S. Senate Armed Services Committee rejected Senator Kirsten Gillibrand's amendment to establish a dedicated Cyber Force as a distinct military service during fiscal 2027 defense authorization debate. The narrow 14-13 vote reflects ongoing congressional disagreement over optimal cyber defence organisational structures.
Kyushu Electric Power Co. lost a portable drive containing personal data of 10.9 million customers through a physical security incident. The breach highlights the ongoing risk of unencrypted data storage devices in large organisations handling critical infrastructure client information.
CISA has issued a directive requiring federal agencies to patch certain cyber vulnerabilities within 3 days, with a 180-day adoption period. This represents a significant tightening of vulnerability remediation timelines across US government IT infrastructure.
CISA is issuing a binding operational directive requiring federal agencies to prioritise vulnerability remediation based on new assessment criteria, deprioritising certain vulnerabilities whilst elevating others. This represents a significant shift in how the US federal government allocates security resources.
The UK government has issued a formal directive requiring technology companies to deploy built-in or technical controls on smartphones and tablets to detect and block child sexual abuse material (CSAM) within three months. This represents a significant regulatory escalation with substantial technical and privacy implications.
CrowdStrike has published guidance on scaling agentic AI systems safely, proposing three organisational principles rather than disclosing a specific threat or vulnerability.
OpenAI is rolling out Lockdown Mode for ChatGPT to restrict tool usage and mitigate prompt injection attacks that could lead to data exfiltration. The feature addresses a real attack vector but represents defensive hardening rather than remediation of a specific active threat.
The EU has announced a legislative package comprising Chips Act 2.0, Cloud and AI Development Act, open-source strategy, and energy digitalisation roadmap aimed at reducing technological reliance on US and Chinese suppliers. This represents a strategic shift toward supply-chain resilience and domestic capability development.
Cisco Talos published a conference attendance report from Cisco Live U.S. focusing on networking opportunities, AI discussions, and attendee wellness rather than security research findings or threat intelligence.
Shyam Sankar, CTO of Palantir Technologies, is a leading candidate to head the US Cybersecurity and Infrastructure Security Agency. This reflects potential policy shifts toward closer collaboration between federal cybersecurity infrastructure and commercial data analytics platforms.
Brave Software has released Origin, a paid subscription browser that removes cryptocurrency rewards, AI features, and other monetisation mechanisms from the standard Brave browser. This reflects growing user frustration with feature bloat and signals a viable commercial model for stripped-down privacy tools.
The U.S. executive order establishes a federal vetting process allowing up to one month pre-release review of advanced AI models for national security risks before public deployment. This represents a significant shift toward regulatory oversight of frontier AI systems.
The White House has issued a pared-back executive order on AI that establishes confidentiality, cybersecurity, and intellectual property safeguards for federal access to AI models. This represents a policy shift toward managed risk rather than comprehensive regulation, with direct implications for how government agencies will interact with commercial and internal AI systems.
NIST's National Vulnerability Database has fallen critically behind in processing new vulnerabilities, with unprocessed items doubling from 13,000 to 27,000 between February 2024 and end of 2025, according to an inspector general report. This operational failure directly undermines the NVD's utility as the primary source of truth for vulnerability data across the security industry.
A researcher has published working proof-of-concept exploits for multiple Microsoft zero-day vulnerabilities on GitHub, prompting Microsoft to publicly dispute the justification for full disclosure. This escalates the ongoing tension between security researchers and vendors over responsible disclosure timelines.
Cisco Talos advocates moving beyond CVSS scoring for patch prioritisation, recommending EPSS (Exploit Prediction Scoring System) and GCVE (Google Chromium Vulnerability Evaluation) to focus remediation efforts on threats with genuine exploitation risk rather than severity alone.
Anthropic has postponed releasing Mythos-class Claude models to the public following identification of security risks to both public and private software systems. The delay reflects growing tension between deploying advanced AI capabilities and managing their potential misuse.
UK's cyberspying chief has characterised AI as an unstoppable force whilst warning of escalating Russian hostile activity in the grey zone below conventional warfare. The assessment reflects intelligence community concerns that AI amplifies state-sponsored cyber threat capabilities.
Anthropic is preparing to integrate its Mythos model into Claude Code, a restricted model previously flagged for security risks in software development contexts. This marks a shift from controlled deployment to broader availability with unclear safety mitigations.
npm has released staged publishing, a feature requiring 2FA-gated approval before package releases become public, reducing the window for automated supply chain attacks. This represents incremental hardening of package distribution rather than addressing fundamental dependency resolution risks.
CISA has introduced a nomination form allowing researchers, vendors, and industry partners to submit vulnerabilities for inclusion in its Known Exploited Vulnerabilities (KEV) catalog. This democratises the vulnerability reporting process and potentially accelerates the identification of actively exploited bugs.
The FTC has issued warning letters to 12 major technology firms for allegedly failing to comply with the Take It Down Act, which requires platforms to provide accessible removal mechanisms for nonconsensual intimate imagery and process deletion requests within 48 hours. This represents the first significant enforcement action under the statute and signals regulatory intent to hold platforms accountable for abuse prevention infrastructure.
Microsoft's May 2026 Windows 11 security update (KB5089549) fails to install on multiple systems, returning 0x800f0922 errors. This prevents security patch deployment on affected machines, leaving them exposed to unpatched vulnerabilities.
South Korea will use its upcoming local elections as a live test of deepfake regulations to assess whether legislative controls can effectively prevent malicious synthetic media in political contexts. The outcome will inform global policy approaches to synthetic content threats.
SentinelOne Labs researchers examined whether publicly disclosed breach signals and market timing models can be used to predict or capitalise on stock price movements following cyber incidents, exploring the emerging intersection of cybersecurity data and financial markets.
SecurityWeek publishes guidance on implementing security controls in AI data centres without proportional performance degradation. This reflects growing industry recognition that security and throughput constraints can be co-optimised through architectural choices.
Owe Martin Andresen, alleged administrator of Dream Market, was arrested in Germany following a US indictment. The arrest demonstrates coordinated international law enforcement action against established criminal marketplaces that operated for over a decade.
Cisco Talos highlights that responding to state-sponsored intrusions requires fundamentally different IR strategies than ransomware incidents. Organisations using ransomware-focused response playbooks may fail to detect or contain nation-state actors.
Texas is suing Netflix for alleged unauthorised data collection and sharing practices, characterising the conduct as 'surveillance machinery'. The suit also seeks to restrict autoplay defaults on children's accounts, signalling regulatory focus on data practices and child safety.
General Motors agreed to a $12.75 million settlement with California over alleged CCPA violations stemming from the sale of driver data without proper consent. The case highlights how automotive manufacturers are monetising connected vehicle data as a revenue stream while often failing to obtain explicit consumer permission.
General Motors agreed to pay $12 million to California, marking the largest CCPA fine in over five years, for alleged privacy violations involving driver data. This settlement demonstrates regulatory willingness to impose substantial penalties on automotive manufacturers for data handling practices.
The FTC has banned data broker Kochava from selling precise geolocation data without explicit consumer consent, settling charges that the company monetised location information harvested from hundreds of millions of mobile devices. This represents meaningful regulatory intervention in the location data market.
Romance scam victims face fragmented support systems with limited coordination between law enforcement, financial institutions, and government agencies, leaving victims isolated and vulnerable to repeated exploitation. This policy gap demands institutional reform to create unified victim assistance pathways.
Microsoft is restructuring the Windows Insider Program to better address performance and reliability problems in Windows 11. This indicates widespread quality concerns that Microsoft believes require organisational and process changes to resolve.
Microsoft is rolling out native passkey support for Entra-protected resources on Windows devices in late April, enabling phishing-resistant passwordless authentication. This represents a significant step in reducing reliance on password-based authentication across enterprise environments.
Microsoft is expanding user controls in Windows Update to allow deferral and scheduling of restarts, reducing operational disruption. While operationally beneficial, this formalises rather than fundamentally changes the forced-restart model that remains a security and stability concern.
Dutch cosmetics retailer Rituals suffered a data breach affecting its 'My Rituals' membership database, with attackers extracting customer names and addresses. The incident highlights ongoing targeting of loyalty programme databases by threat actors seeking PII for fraud and resale.
NIST will cease assigning severity scores to lower-priority vulnerabilities, unable to keep pace with the volume of submissions. This degrades the utility of the Common Vulnerability Scoring System and creates ambiguity for defenders prioritising patch cycles.
Unmanaged service accounts, API keys, and orphaned credentials represent the largest attack surface in cloud environments, with compromised non-human identities responsible for nearly 7 in 10 cloud breaches in 2024. Organisations typically lack visibility into 40-50 automated credentials per employee that persist after project termination or staff departure.
Qualys analysed one billion CISA KEV (Known Exploited Vulnerabilities) remediation records and found that most critical flaws are actively exploited in the wild before organisations can deploy patches. This exposes a fundamental timing mismatch between vulnerability disclosure and attacker speed.
OpenAI has launched a $100 monthly Pro subscription tier matching Anthropic's Claude pricing, reflecting competitive pressure in the generative AI market. This pricing escalation may influence how organisations evaluate AI tool security postures and dependency risks.
LinkedIn deployed hidden JavaScript code scanning visitor browsers for 6,000+ Chrome extensions and collecting device fingerprinting data without explicit user consent, raising questions about the scope and legitimacy of data collection practices by major platforms.
Google is rolling out the ability for U.S. users to change their primary @gmail.com address or create aliases, improving account flexibility but introducing new vectors for account compromise, impersonation, and social engineering attacks.
Microsoft issued an emergency hotfix (KB5086672) to resolve widespread installation failures from a March 2026 preview update that was already pulled. The incident highlights systemic issues in Microsoft's preview testing and release validation processes.
Organisations are acquiring agentic GRC (Governance, Risk, Compliance) tools to automate workflows, but the transition is failing because teams remain operationally focused rather than adopting risk leadership mindsets required for the technology to deliver value.
Google has committed to migrating its infrastructure to post-quantum cryptography by 2029, signalling that the cryptographically-relevant quantum computer threat window is closing faster than many organisations anticipated. This accelerates industry pressure to inventory and remediate legacy systems before quantum capabilities render current encryption obsolete.
The Alliance for Creativity and Entertainment shut down AnimePlay, a pirated anime streaming platform with 5 million users, through coordinated enforcement action. This represents continued success in disrupting consumer-facing piracy infrastructure but raises questions about replacement rate and user migration patterns.
Microsoft released KB5079391 with improvements to Smart App Control, a machine learning-based application allowlisting feature in Windows 11. This represents iterative hardening of Windows' application execution controls rather than a critical security fix.
Dell and HP have announced quantum-resistant security features integrated into their PC and printer products ahead of NIST's finalised post-quantum cryptography standards. This represents early industry adoption to address the theoretical but long-term threat of cryptanalytically relevant quantum computers.
Google is introducing 'Advanced Flow,' a controlled mechanism for Android power users to sideload APKs from unverified developers with enhanced security guardrails. This represents a strategic shift toward flexible but security-conscious OS design.
Aura, an identity protection company, suffered a data breach exposing ~900,000 marketing contact records (names, emails). The breach is particularly damaging given Aura's core business is protecting customers from identity theft and data exposure.
Microsoft Exchange Online experienced a widespread outage blocking mailbox and calendar access for customers globally. This incident underscores the operational risks of cloud-based email dependencies and the cascading business impact when a single provider experiences infrastructure failures.
Google is implementing API restrictions in Android 17 to prevent non-accessibility apps from abusing the accessibility services API, a common malware technique for achieving privileged operations without proper permissions. This is a preventive security hardening measure rather than a response to active exploitation.
OpenAI is rolling out advertisements on ChatGPT's free and Plus tiers, initially limited to US users, with privacy policy updates creating confusion about global deployment timelines. This monetization shift introduces new attack surface for ad injection and data harvesting concerns.
Organizations migrating from VMware to alternative hypervisors face elevated data security and recovery risks during transition periods. Verified backups and cross-platform recovery capabilities are critical to prevent data loss and maintain business continuity.
The EU court's adviser has ruled that banks must immediately refund phishing victims, even if the victim was negligent. This decision could significantly impact financial institutions' liability policies and cybersecurity measures.
The Trump administration's cyber strategy focuses on strengthening deterrence against adversaries, modernizing federal networks, protecting critical infrastructure, and investing in emerging technologies like AI and post-quantum cryptography.
EC-Council has introduced new AI-related certifications to enhance the U.S. cybersecurity workforce's readiness, reflecting growing demand for AI expertise in security.
EC-Council introduced four new AI certifications and updated its Certified CISO program to help bridge the gap between AI adoption and workforce readiness, particularly in the U.S. where 700,000 workers need reskilling.
CISA's 2025 cybersecurity year-in-review report documents a record 97 zero-day vulnerabilities exploited in the wild and identifies edge device exploitation and ransomware as the top threats to critical infrastructure.
NIST released final guidelines for organizations to transition from classical to post-quantum cryptographic algorithms, establishing timelines and priorities for migration across different use cases.
The EU Cyber Resilience Act's vulnerability reporting obligations take effect, requiring manufacturers of products with digital elements to report actively exploited vulnerabilities within 24 hours.
An expanded international law enforcement operation seized remaining LockBit ransomware infrastructure, arrested additional administrators, and released decryption keys benefiting thousands of victims.
PyPI now requires all newly published packages to include build provenance attestations using Sigstore, marking a major milestone in supply chain security for the Python ecosystem.
Google Cloud began enforcing mandatory multi-factor authentication for all user accounts, completing a phased rollout that started in late 2024 and affecting millions of cloud platform users worldwide.
CISA and NSA published joint guidance addressing security risks of AI system deployment in critical infrastructure, covering supply chain, model integrity, and adversarial attack mitigations.
The US Department of Justice announced federal charges against additional members of the Scattered Spider cybercriminal group responsible for high-profile social engineering attacks against major US corporations.
CISA and FBI publish joint guidance urging software manufacturers to adopt memory-safe programming languages and practices to eliminate buffer overflow vulnerabilities at their source.
CISA has issued an emergency directive ordering federal agencies to mitigate Ivanti Connect Secure vulnerabilities amid widespread exploitation by nation-state actors.