[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:compliance":3},{"tag":4,"articles":8,"awareness":425,"events":426,"tips":503,"focus_items":515,"total_count":516},{"slug":5,"name":6,"description":7},"compliance","Compliance","GDPR, NIS2, SEC rules, regulatory frameworks",[9,18,27,36,45,54,63,71,79,88,95,104,111,120,127,135,142,149,158,167,176,183,192,201,209,218,227,235,244,253,262,271,280,288,297,305,313,322,329,337,346,354,362,369,376,385,393,400,407,416],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"9102160f-df06-4142-b0ec-6de866b3354b","APD\u002FGBA (Belgium) - 101\u002F2026","apd-gba-belgium-101-2026-b65f39","Belgian DPA fines tech company €176,946.61 for unlawfully retaining contractor's email account after departure.","The Belgian Data Protection Authority (APD\u002FGBA) issued a fine of €176,946.61 against a tech company for maintaining an active email account belonging to an independent contractor after their collaboration ended in May 2023, and for failing to meet transparency obligations under GDPR Articles 12 and 13. The DPA determined that after a grace period of one month, the controller lacked a valid legal basis (Article 6 GDPR) to continue processing the personal data in the mailbox, violating the lawfulness, purpose limitation, and data minimization principles. 
The authority ordered the company to grant access to the account, delete personal data, provide access logs, and implement measures to ensure future compliance.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=APD\u002FGBA_(Belgium)_-_101\u002F2026&diff=51698&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F44\u002FLogoBE.png","2026-05-20T19:23:41+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":25,"published_at":26},"4970c85c-1ffa-42c7-b3d3-e70389ac262e","The Next Cybersecurity Challenge May Be Verifying AI Agents","the-next-cybersecurity-challenge-may-be-verifying-ai-agents-e1b78a","Industry develops verification standards for autonomous AI agents operating in enterprise systems.","As AI agents increasingly execute critical business functions—from reading emails to transferring funds—organizations lack reliable mechanisms to verify agent identity, authorization, and instruction integrity. The article discusses why agent verification is structurally different from traditional authentication, explores the emerging gap in trust frameworks, and highlights early industry responses like Anthropic's Cyber Verification Program and the Agent Trust Protocol (ATP), a proposed cryptographic standard for cross-organizational agent verification.","https:\u002F\u002Fhackread.com\u002Fnext-cybersecurity-challenge-verifying-ai-agents\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fnext-cybersecurity-challenge-verifying-ai-agents-1024x576.jpg","2026-05-15T20:55:22+00:00",{"id":28,"title":29,"slug":30,"brief":31,"ai_summary":32,"url":33,"image_url":34,"published_at":35},"0f823573-53f9-41ad-87e0-2be3520e3a5a","‼️🇪🇸 CA Indosuez Wealth Management allegedly breached: 200K lines of account holder PII exposed...","ca-indosuez-wealth-management-allegedly-breached-200k-lines-of-account-holder-pi-852997","CA Indosuez Wealth Management suffers alleged breach exposing 200K lines of account holder 
PII.","A threat actor claims to have breached CA Indosuez Wealth Management, the global wealth management division of Crédit Agricole, and leaked approximately 200,000 lines of personally identifiable information from Spanish financial records. The leaked data includes account holder details and sensitive financial information, raising concerns about data protection compliance and customer privacy.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055307032924762419","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIXq2R5WwAAi4DS.jpg","2026-05-15T15:19:17+00:00",{"id":37,"title":38,"slug":39,"brief":40,"ai_summary":41,"url":42,"image_url":43,"published_at":44},"f1059724-6fe7-42b2-b8bd-b9277ecf695c","NAIH (Hungary) - NAIH-3344-1\u002F2026","naih-hungary-naih-3344-1-2026-44b52e","Hungarian DPA fines university HUF 1.5M for excessive data processing in dormitory admissions.","The Hungarian Data Protection Authority (NAIH) fined a Hungarian university HUF 1,500,000 for violating GDPR Articles 5, 6, and 13 in its dormitory admissions process. The university processed excessive personal data (residence card details, identification numbers, full authority decisions) without adequate legal basis, failed to provide proper privacy notices, and misleadingly referenced consent as a legal basis when relying on public interest. 
The DPA ordered the university to cease unlawful processing, delete improperly collected data, update its privacy notice, and demonstrate compliance within 45 days.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=NAIH_(Hungary)_-_NAIH-3344-1\u002F2026&diff=51650&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F85\u002FLogoHU.jpg","2026-05-13T10:31:54+00:00",{"id":46,"title":47,"slug":48,"brief":49,"ai_summary":50,"url":51,"image_url":52,"published_at":53},"2159c6a9-cf2f-47e1-9f23-6e65732d8b41","AP (The Netherlands) - Decision of 11 December 2023 imposing administrative fine on Uber","ap-the-netherlands-decision-of-11-december-2023-imposing-administrative-fine-on--32690e","Dutch DPA fines Uber €10M for lacking transparency and failing data subject rights access.","The Dutch Data Protection Authority (AP) issued a €10,000,000 fine to Uber Technologies Inc. and Uber B.V. on December 11, 2023, for violations of GDPR Articles 12, 13, and 15 involving inadequate transparency in privacy policies and inaccessible mechanisms for data subjects to exercise their rights. 
The complaint was filed by the French human rights organization Ligue des droits de l'Homme on behalf of 172 Uber drivers, and the DPA upheld the fine after Uber's internal appeal in 2026.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_Decision_of_11_December_2023_imposing_administrative_fine_on_Uber&diff=51649&oldid=39950","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F1\u002F14\u002FLogoNL.png","2026-05-13T08:53:39+00:00",{"id":55,"title":56,"slug":57,"brief":58,"ai_summary":59,"url":60,"image_url":61,"published_at":62},"1f1f3aea-4061-4f8a-b196-5e5b751a97bc","BVwG - W171 2303402-1\u002F7E","bvwg-w171-2303402-1-7e-be9784","Austrian court upholds DPA order requiring ORF to redesign cookie banner for equal consent options.","Austria's Federal Administrative Court (BVwG) upheld a Data Protection Authority decision ordering the Austrian public broadcaster ORF to redesign its cookie banner to provide equally prominent 'Accept All' and 'Only Necessary' options. The court found that ORF's original design, which used visual emphasis (blue background) on the 'Accept All' button versus less prominent alternatives, violated GDPR Article 4(11) by nudging users toward consent rather than enabling free and genuine choice. 
The ruling reinforces that cookie banner design must ensure visual equivalence between consent and rejection options to satisfy GDPR transparency and consent requirements.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W171_2303402-1\u002F7E&diff=51648&oldid=51640","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-13T08:50:24+00:00",{"id":64,"title":65,"slug":66,"brief":67,"ai_summary":68,"url":69,"image_url":52,"published_at":70},"ee01ee87-90bb-4585-93f8-7eadd13d0369","AP (The Netherlands) - 2025-005323","ap-the-netherlands-2025-005323-ef4179","Dutch DPA finds Yango app unlawfully transferred EEA user data to Russia without proper safeguards","The Dutch Data Protection Authority (DPA), acting as lead authority with Finnish and Norwegian counterparts, determined that Yango (operated by MLU B.V., a Yandex subsidiary) violated GDPR Articles 44 and 46 by transferring personal data from taxi drivers and customers to Russia without appropriate safeguards. The investigation found that encryption keys were stored alongside data in Russian servers until November 2023, and that continued transfers to Russia even after moving encrypted data to AWS Germany were unlawful because Yandex entities had means to identify EEA data subjects.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51641&oldid=51626","2026-05-13T08:13:29+00:00",{"id":72,"title":73,"slug":74,"brief":75,"ai_summary":76,"url":77,"image_url":61,"published_at":78},"bad3a42d-8469-4a21-83ac-fd7b74797ca3","CE - N. 433539","ce-n-433539-b9c319","French Supreme Administrative Court strikes down ARCOM copyright enforcement decree for lacking GDPR safeguards on","France's Supreme Administrative Court ruled that ARCOM's copyright enforcement system violated EU law by accessing subscriber identity data linked to IP addresses without sufficient safeguards. 
The court found the decree unlawful because it failed to require judicial or independent administrative authorization before a third data access request, which could reveal sensitive aspects of individuals' private lives. The court ordered repeal of the offending provisions while permitting data access for initial warnings and serious copyright cases.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CE_-_N._433539&diff=51638&oldid=51619","2026-05-13T08:03:55+00:00",{"id":80,"title":81,"slug":82,"brief":83,"ai_summary":84,"url":85,"image_url":86,"published_at":87},"0e29b553-5688-4b73-b6a6-6d23bd633022","AEPD (Spain) - EXP202408867","aepd-spain-exp202408867-c029bf","Spain's AEPD fined sports retailer €120K for data breach affecting 300K+ people","Spain's Data Protection Authority (AEPD) fined DÉCIMAS S.L.U., a sports fashion retailer, €120,000 for violating Article 5(1)(f) GDPR by failing to ensure adequate security of personal data processing. A 2024 data breach exposed over 300,000 data subjects' names, contact information, and ID data; the breach was discovered not by the controller but by Spain's National Cybersecurity Institute (INCIBE) through online advertisements selling the stolen data. 
The controller's inadequate vulnerability monitoring, lack of early incident detection mechanisms, and post-breach security measures with significant vulnerabilities led to the fine, which was reduced from €200,000 through voluntary payment and liability acknowledgment provisions.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202408867&diff=51635&oldid=51603","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-05-13T07:57:24+00:00",{"id":89,"title":56,"slug":90,"brief":91,"ai_summary":92,"url":93,"image_url":61,"published_at":94},"fc491a54-59c7-4446-a51c-18d96bea6ceb","bvwg-w171-2303402-1-7e-5d8472","Austrian court upholds DPA order requiring ORF to redesign cookie banner with equivalent consent options.","On 28 October 2024, Austria's Data Protection Authority issued a decision against the Austrian public broadcaster ORF after finding its cookie banner design unlawfully nudged users toward accepting all cookies by visually highlighting the 'Accept All Cookies' button. 
The court upheld the DPA's order requiring ORF to redesign the banner within six weeks to ensure both consent and rejection options are equivalent in visual design, color, size, contrast, placement, and highlighting, to obtain valid consent under GDPR Article 4(11).","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W171_2303402-1\u002F7E&diff=51634&oldid=51631","2026-05-13T07:56:28+00:00",{"id":96,"title":97,"slug":98,"brief":99,"ai_summary":100,"url":101,"image_url":102,"published_at":103},"ef7889e0-9385-4a8b-ab69-5bd4a8ab0838","Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review","microsoft-and-adobe-patch-tuesday-may-2026-security-update-review-044968","Microsoft patches 137 vulnerabilities including 30 critical; Adobe addresses 52 vulnerabilities with 27 critical in May","Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities across its ecosystem, including 30 critical and 103 important-severity issues affecting Windows, Edge, .NET, M365 Copilot, Hyper-V, and other components. Notable critical CVEs include remote code execution flaws in Microsoft Word and Windows Netlogon, plus an authentication bypass in the Microsoft SSO Plugin for Jira & Confluence. 
Adobe simultaneously released 10 security advisories patching 52 vulnerabilities (27 critical) across Premiere Pro, Media Encoder, After Effects, Commerce, Connect, and other products.","https:\u002F\u002Fblog.qualys.com\u002Fvulnerabilities-threat-research\u002F2026\u002F05\u002F12\u002Fmicrosoft-patch-tuesday-may-2026-security-update-review","https:\u002F\u002Fik.imagekit.io\u002Fqualys\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FMicrosoft-Patch-Tuesday-May-2026.png","2026-05-12T19:50:45+00:00",{"id":105,"title":56,"slug":106,"brief":107,"ai_summary":108,"url":109,"image_url":61,"published_at":110},"184e9fc7-49dd-4f16-8636-a9df47808738","bvwg-w171-2303402-1-7e-45b6bb","Austrian court upholds DPA order requiring ORF to redesign cookie banner with balanced consent options.","Austria's Federal Administrative Court (BVwG) upheld a Data Protection Authority (DPA) order requiring the Austrian public broadcaster ORF to redesign its cookie banner to ensure valid consent under GDPR. The court found that the original design visually highlighted the \"Accept All Cookies\" button with stronger contrast and color, nudging users toward consent in violation of Article 4(11) GDPR. 
The court rejected ORF's arguments that the DPA exceeded its jurisdiction and that GDPR lacks binding design rules, confirming that consent mechanisms must offer genuinely equivalent visual treatment between acceptance and rejection options.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W171_2303402-1\u002F7E&diff=51630&oldid=0","2026-05-12T15:55:12+00:00",{"id":112,"title":113,"slug":114,"brief":115,"ai_summary":116,"url":117,"image_url":118,"published_at":119},"cecfcee3-2746-4f33-8155-baed4d98ceb4","‼️🇧🇷 MBet allegedly breached exposing 200,000+ KYC documents and 300,000+ PII records from the...","mbet-allegedly-breached-exposing-200-000-kyc-documents-and-300-000-pii-records-f-6d778f","MBet Brazilian betting platform allegedly breached exposing 200K+ KYC docs and 300K+ PII records","A threat actor claims to have breached MBet, a Brazilian online casino and sports betting platform, in May 2026, exposing over 200,000 KYC (Know Your Customer) documents and 300,000+ personally identifiable information records. The breach impacts customer verification data and sensitive personal information from the platform. This represents a significant exposure of financial compliance and customer identity data.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2054223616854638939","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIIRYMfWoAE7O-h.jpg","2026-05-12T15:34:10+00:00",{"id":121,"title":65,"slug":122,"brief":123,"ai_summary":124,"url":125,"image_url":52,"published_at":126},"c64e82a3-1432-484d-9fe8-777729103e89","ap-the-netherlands-2025-005323-7249c9","Netherlands DPA finds GDPR violations in data transfers to Russia via inadequate safeguards","The Dutch Data Protection Authority (DPA) found violations of GDPR Articles 44, 46, 5(1)(a), and (2) against controllers transferring personal data of Norwegian and Finnish subjects to Russia through Yandex entities. 
The violations stem from storing encryption keys on the same servers as personal data (pre-November 2023) and continuing data transfers to Russia despite relocating storage to AWS Germany. The DPA determined that standard contractual clauses were insufficient given Russian authorities' ability to compel data access and the lack of independent supervisory oversight in Russia.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51626&oldid=51623","2026-05-12T14:33:15+00:00",{"id":128,"title":129,"slug":130,"brief":131,"ai_summary":132,"url":133,"image_url":61,"published_at":134},"6952a7d8-dfb6-4000-81ce-df9f1801aa6c","OLG Stuttgart - 4 U 353\u002F24","olg-stuttgart-4-u-353-24-1da7a8","German appeals court partially upholds GDPR data subject rights against social media company tracking via third-party","In OLG Stuttgart case 4 U 353\u002F24, a German appellate court partially upheld a data subject's GDPR claims against a social media platform operator whose 'Business Tools' tracked users across third-party websites without sufficient legal basis. The court found the data processing unlawful, upheld the right to restrict processing and access personal data, but dismissed claims for injunctive relief and erasure. 
The decision establishes that joint controllers bear the burden of proving consent and cannot rely on inadequate 'self-help tools' to satisfy transparency obligations.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=OLG_Stuttgart_-_4_U_353\u002F24&diff=51625&oldid=51624","2026-05-12T14:31:42+00:00",{"id":136,"title":65,"slug":137,"brief":138,"ai_summary":139,"url":140,"image_url":52,"published_at":141},"d1f10ee3-0084-4bf0-9eea-a46813775f68","ap-the-netherlands-2025-005323-1ecc1d","Netherlands DPA fines Yandex €100M for unlawful data transfers to Russia without adequate safeguards.","The Dutch Data Protection Authority (DPA) issued a €100 million GDPR fine against Yandex.Taxi LLC and Yandex LLC for transferring personal data of Norwegian and Finnish citizens to Russia without demonstrating adequate safeguards. Despite initial storage in AWS Germany, data was forwarded to Russia, and the DPA found that Russian authorities could compel disclosure under local law, while Russia's supervisory authority lacks independence. The DPA also prohibited MLU B.V. from transferring user data via the Yango app to Russia.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51623&oldid=51622","2026-05-12T10:48:42+00:00",{"id":143,"title":65,"slug":144,"brief":145,"ai_summary":146,"url":147,"image_url":52,"published_at":148},"bfd7f49d-f382-4aed-98d8-8bc93080f945","ap-the-netherlands-2025-005323-a401f2","Dutch DPA fines Yango €100M for unlawful data transfers to Russia without safeguards.","The Dutch Data Protection Authority (AP) fined MLU B.V. (Yango taxi app operator) €100 million for transferring personal data of users in Finland and Norway to Russia without implementing appropriate safeguards as required by GDPR. 
The investigation, initiated jointly with Finnish and Norwegian DPAs in December 2023, found that Yango continued operating and transferring sensitive customer and driver data (location, banking, IDs) to Russian entities despite claims of service cessation. Although data storage moved to AWS in Germany after 2023, unlawful transfers based on standard contractual clauses persisted.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AP_(The_Netherlands)_-_2025-005323&diff=51622&oldid=0","2026-05-12T10:22:39+00:00",{"id":150,"title":151,"slug":152,"brief":153,"ai_summary":154,"url":155,"image_url":156,"published_at":157},"207b151f-57c7-4f65-9448-704e07e3afa1","GM agrees to $12.75M California settlement over sale of drivers’ data","gm-agrees-to-12-75m-california-settlement-over-sale-of-drivers-data-350f52","GM settles $12.75M California CCPA violation over illegal sale of drivers' location and behavior data.","California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors for violating the California Consumer Privacy Act by illegally collecting and selling Californians' driving and location data to data brokers Verisk Analytics and LexisNexis between 2020 and 2024. The data was collected through GM's OnStar subsidiary and Smart Driver system without proper consumer notification or consent. 
As part of the settlement, GM must stop selling driving data for five years, delete retained data within 180 days, and strengthen its privacy compliance program.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Flegal\u002Fgm-agrees-to-1275m-california-settlement-over-sale-of-drivers-data\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F11\u002FGM.jpg","2026-05-11T22:40:34+00:00",{"id":159,"title":160,"slug":161,"brief":162,"ai_summary":163,"url":164,"image_url":165,"published_at":166},"a5b8e771-0da4-401a-b528-68d221694510","Why Changing Passwords Doesn’t End an Active Directory Breach","why-changing-passwords-doesn-t-end-an-active-directory-breach-ecea65","Password resets alone don't remove attackers from AD; cached credentials and Kerberos tickets enable persistence.","Resetting a compromised password in Active Directory and hybrid Entra ID environments doesn't immediately revoke all authentication paths, allowing attackers to maintain access through cached credentials, active Kerberos tickets, forged Golden\u002FSilver Tickets, or persistent ACL permissions. The article explains three post-reset credential states and attack techniques including pass-the-hash, Kerberoasting, and ticket forgery that bypass simple password changes. 
Effective remediation requires invalidating active sessions, purging tickets, reviewing permissions, and addressing underlying persistence mechanisms beyond credential resets.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fwhy-changing-passwords-doesnt-end-an-active-directory-breach\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F05\u002F04\u002Fwhy-changing-passwords-doesnt-end-an-active-directory-breach.png","2026-05-11T13:53:56+00:00",{"id":168,"title":169,"slug":170,"brief":171,"ai_summary":172,"url":173,"image_url":174,"published_at":175},"e891bd68-96e2-48b5-9f87-d63e7d2fc29a","Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room","your-purple-team-isn-t-purple-it-s-just-red-and-blue-in-the-same-room-85028d","Purple team security model fails due to process friction, tool fragmentation, and inability to match AI-powered","This operational analysis argues that traditional purple teaming—the collaborative security practice where red teams simulate attacks and blue teams validate defenses—has remained largely aspirational due to human bottlenecks, fragmented tool ecosystems, and organizational friction. The article highlights a critical gap: attackers now exploit CVEs in ~10 hours (2026), with AI-assisted compromise occurring in 73 seconds, while defenders navigate multi-day approval chains and manual handoffs between teams. 
Without automation and orchestration, purple teaming cannot operationalize fast enough to match adversary velocity.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fyour-purple-team-isnt-purple-its-just.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi0dlupn761jekig7BbPagwo6DtccMFQV8oESHiCBIs04DdhvoVtfwhe7OVEh8VvyFpa-VFo9GKWL8tx2ZKTSn3qA7iAFCvTfoevjyPFYNb3eAmpp4pkWk3mcQd_AulszHJoxUa6z_k_Nr_KB9Ny_hoZWy1VVA-U9BV2nPvESGGqPE5r4_AbNlid_BK-M8\u002Fs1600\u002Fpicus.jpg","2026-05-11T11:30:00+00:00",{"id":177,"title":81,"slug":178,"brief":179,"ai_summary":180,"url":181,"image_url":86,"published_at":182},"02c81be3-c3bf-4dda-a6d0-fa56a99c8272","aepd-spain-exp202408867-84e691","AEPD fines Spanish sports retailer €120K for data breach affecting 300K+ customers","Spain's data protection authority (AEPD) fined DÉCIMAS S.L.U., a sports fashion retailer, €120,000 for violating GDPR Article 5(1)(f) by failing to ensure adequate security of personal data. A data breach in 2024 affected over 300,000 individuals' names, contact information, and ID data; the breach was discovered by Spain's National Cybersecurity Institute (INCIBE) through an online advertisement selling the stolen data, not by the controller itself. 
The company received a 40% fine reduction for voluntary payment and acknowledged liability; the original penalty was €200,000.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202408867&diff=51603&oldid=0","2026-05-08T09:35:43+00:00",{"id":184,"title":185,"slug":186,"brief":187,"ai_summary":188,"url":189,"image_url":190,"published_at":191},"789eb05c-da34-43fc-8c73-7c899114d26e","Google Chrome Accused of Silently Installing 4GB AI Model on User Devices","google-chrome-accused-of-silently-installing-4gb-ai-model-on-user-devices-1ae03f","Google Chrome silently installs 4GB Gemini Nano AI model without user consent.","Cybersecurity researcher Alexander Hanff discovered that Google Chrome automatically downloads a 4GB Gemini Nano AI model onto user devices without notification or explicit consent, triggered when hardware meets certain specifications. Hanff argues the silent installation violates the EU ePrivacy Directive and GDPR Article 5(3), and calculated that deploying to 30% of Chrome users would consume 240 GWh of electricity. 
Google added a toggle in Chrome Settings to disable the feature, but the model reinstalls on browser restart if manually deleted.","https:\u002F\u002Fhackread.com\u002Fgoogle-chrome-installing-4gb-ai-model-user-devices\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgoogle-chrome-installing-4gb-ai-model-user-devices.jpg","2026-05-07T12:00:00+00:00",{"id":193,"title":194,"slug":195,"brief":196,"ai_summary":197,"url":198,"image_url":199,"published_at":200},"7ef257a4-2643-466d-83b1-d04ba4d460ae","Before the Breach, There Was a Test Environment","before-the-breach-there-was-a-test-environment-149dd9","QA and test environments pose production-grade security risks through misconfigurations and excessive permissions.","This article argues that security breaches typically originate in test and QA environments rather than production systems, where temporary infrastructure decisions become permanent security liabilities. The piece highlights how cloud acceleration has blurred boundaries between development and production, making QA teams critical security control points whose infrastructure choices—such as public Jenkins servers or over-permissioned S3 buckets—can expose organizations to attackers. 
The author advocates for treating QA environments with production-level discipline through Cloud Security Posture Management (CSPM), configuration scanning, and entitlement management from the outset.","https:\u002F\u002Fblog.qualys.com\u002Fqualys-insights\u002F2026\u002F05\u002F06\u002Fbefore-the-breach-there-was-a-test-environment-qa-cloud-security","https:\u002F\u002Fik.imagekit.io\u002Fqualys\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FBlog-Images-1080x1080.Cloud_.Agent_.2025.Updates-14.png","2026-05-06T16:00:00+00:00",{"id":202,"title":203,"slug":204,"brief":205,"ai_summary":206,"url":207,"image_url":61,"published_at":208},"c1dcf3d5-b424-4282-9b38-eca8f97819fa","BVwG - W298 2323263-1\u002F11E","bvwg-w298-2323263-1-11e-396aa1","Austrian court rules company violated GDPR by recording client conversation without prior informed consent.","An Austrian court (BVwG) upheld a decision by the Austrian DPA that a company violated GDPR by recording client conversations without proper prior consent. The company's representative recorded audio during a meeting that captured personal data (names, email addresses, social media accounts, education details), but only informed the data subjects of the recording clause after the recording had already begun, via contractual documents presented during the meeting. 
The court rejected arguments based on consent (Article 6(1)(a) and Article 7 GDPR) and legitimate interest (Article 6(1)(f) GDPR), finding the company also breached information obligations under Article 13 GDPR and that secret audio recordings are generally unlawful except in exceptional circumstances.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=BVwG_-_W298_2323263-1\u002F11E&diff=51570&oldid=51562","2026-05-05T15:06:52+00:00",{"id":210,"title":211,"slug":212,"brief":213,"ai_summary":214,"url":215,"image_url":216,"published_at":217},"07f734ab-048a-4d32-9089-77716b3ad3ca","FTC to ban data broker Kochava from selling Americans’ location data","ftc-to-ban-data-broker-kochava-from-selling-americans-location-data-a02c9d","FTC bans data broker Kochava from selling location data without explicit consumer consent.","The FTC has settled a lawsuit against Idaho-based data broker Kochava and its subsidiary Collective Data Solutions, prohibiting them from selling precise geolocation data collected from hundreds of millions of mobile devices without affirmative express consumer consent. The settlement, filed in U.S. District Court for the District of Idaho, requires the companies to establish sensitive location data programs, implement supplier assessment protocols, allow consumer data disclosure requests, and report third-party misuse incidents. 
This enforcement action follows similar FTC bans against other data brokers including InMarket Media, Outlogic, Gravy Analytics, and Mobilewalla in 2024.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fftc-to-ban-data-broker-kochava-from-selling-americans-location-data\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2024\u002F04\u002F08\u002FLocation_tracking.jpg","2026-05-05T14:39:53+00:00",{"id":219,"title":220,"slug":221,"brief":222,"ai_summary":223,"url":224,"image_url":225,"published_at":226},"46fe9542-1334-4841-a472-8839c297a3f8","The EOL Blind Spot in Your CVE Feed: What SCA Tools Don't Check.","the-eol-blind-spot-in-your-cve-feed-what-sca-tools-don-t-check-f3a792","SCA tools miss vulnerabilities in EOL software; 5.4M EOL package versions lack CVE coverage.","HeroDevs reports that software composition analysis (SCA) tools systematically fail to detect vulnerabilities in end-of-life (EOL) open source software because CVE maintainers don't investigate EOL versions. Analysis of 12M+ package versions across npm, PyPI, Maven, NuGet, and other registries reveals 5.4M are EOL, yet only ~7,000 are tracked by endoflife.date—the industry's primary EOL reference. 
The gap creates a false security confidence: approximately 80% of CVEs affecting supported versions also affect unmapped EOL versions, with HeroDevs confirming 81,000+ EOL versions with known unpatched CVEs.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fthe-eol-blind-spot-in-your-cve-feed-what-sca-tools-dont-check\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F04\u002F30\u002Fherodevs-package.jpg","2026-05-05T14:00:10+00:00",{"id":228,"title":229,"slug":230,"brief":231,"ai_summary":232,"url":233,"image_url":61,"published_at":234},"8b0819b1-9cb4-4277-81d3-bf8e232fb477","TS - 1590\u002F2026","ts-1590-2026-fe9b6a","Spanish Supreme Court upholds GDPR data minimisation ruling against penitentiary authority over excessive medical data","Spain's Supreme Court affirmed a Data Protection Authority reprimand against the Secretaría General de Instituciones Penitenciarias for violating GDPR Article 5(1)(c) by demanding employees provide medical diagnoses alongside medical notes to justify short-term sick leave. The court clarified that data processing under GDPR occurs at the moment of requesting data, not solely upon collection, establishing that controllers must comply with data minimisation principles even when data is merely requested but not received. 
The ruling rejected the penitentiary authority's argument that demanding additional clinical information was necessary to prevent fraud and absenteeism, finding a medical note sufficient.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=TS_-_1590\u002F2026&diff=51560&oldid=51559","2026-05-05T09:09:25+00:00",{"id":236,"title":237,"slug":238,"brief":239,"ai_summary":240,"url":241,"image_url":242,"published_at":243},"176d7a82-a6a1-4a6b-86b2-12574d9ef33f","LinkedIn locks your GDPR rights behind a paywall","linkedin-locks-your-gdpr-rights-behind-a-paywall-7fa734","LinkedIn paywalls GDPR Article 15 access to profile visitor data despite monetizing it.","noyb has filed a complaint with the Austrian Data Protection Authority against LinkedIn for refusing to provide free access to profile visitor data under GDPR Article 15, despite making the same data available to paying Premium members. LinkedIn claims data protection concerns justify withholding the information from access requests, but lawyers argue this contradiction is indefensible—the company cannot both sell data and deny it on privacy grounds.","https:\u002F\u002Fnoyb.eu\u002Fen\u002Flinkedin-locks-your-gdpr-rights-behind-paywall","https:\u002F\u002Fnoyb.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Fstyles\u002Ffacebook\u002Fpublic\u002F2026-05\u002Flinkedin_header1.png?h=19fb9a6b&itok=wBMo1b5n","2026-05-05T05:00:00+00:00",{"id":245,"title":246,"slug":247,"brief":248,"ai_summary":249,"url":250,"image_url":251,"published_at":252},"b5dfaec2-a44a-4675-a562-8796b40dfa5e","Disneyland Now Uses Face Recognition on Visitors","disneyland-now-uses-face-recognition-on-visitors-fb6441","Disney deploys face recognition at Disneyland; NSA tests Anthropic's Mythos AI tool; Scattered Spider member arrested.","Disney announced optional face recognition entry systems at Disneyland and Disney California Adventure parks, converting facial images to numerical values retained for 30 days. 
The NSA gained early access to Anthropic's Mythos Preview AI model to identify software vulnerabilities in Microsoft products, despite DOD's supply chain ban on Anthropic. A 19-year-old Finnish resident was arrested as an alleged Scattered Spider ransomware group member linked to breaches of MGM Resorts, Caesars Entertainment, and retail chains.","https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fsecurity-news-this-week-disneyland-now-uses-face-recognition-on-visitors\u002F","https:\u002F\u002Fmedia.wired.com\u002Fphotos\u002F69f53066ed110137695d66cd\u002Fmaster\u002Fpass\u002Fsecurity_disney_getty.jpg","2026-05-02T10:30:00+00:00",{"id":254,"title":255,"slug":256,"brief":257,"ai_summary":258,"url":259,"image_url":260,"published_at":261},"2d6a9291-7780-402d-84ec-1c0a7a2e94ae","‼️🇨🇦 Questrade, a Canadian financial services company offering online investing and trading pla...","questrade-a-canadian-financial-services-company-offering-online-investing-and-tr-8c1b3f","Questrade breach exposes 186,515 investor records offered for sale by ijpys.","Canadian fintech company Questrade has suffered a data breach affecting 186,515 investor records, which are now being offered for sale by threat actor ijpys. The breach impacts a major online investing and trading platform and raises concerns for affected customers' financial and personal data security. 
This incident likely triggers regulatory scrutiny under Canadian privacy laws and PIPEDA.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2050257087276409267","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHP58-wWoAAakTY.jpg","2026-05-01T16:52:36+00:00",{"id":263,"title":264,"slug":265,"brief":266,"ai_summary":267,"url":268,"image_url":269,"published_at":270},"bb53307f-1f4d-469b-9b95-af6195826854","Tietosuojavaltuutetun toimisto (Finland) - TSV\u002F5875\u002F2024","tietosuojavaltuutetun-toimisto-finland-tsv-5875-2024-2bf867","Finland DPA reprimands insurance company for e-invoice system lacking check digit verification, exposing customer data","Finland's Data Protection Authority (Tietosuojavaltuutetun toimisto) issued a formal reprimand to an insurance company for violations of GDPR Articles 5(1)(f) and 25(1) after its e-invoice system allowed unauthorized access to customer data due to missing check digit verification on reference numbers. From April 2013 to January 2024, customer A could access customer B's invoices, personal details, and payment information after entering a wrong reference number—a breach that affected approximately 130 invoices and remained undetected for over a decade. 
The DPA found that the controller failed to implement adequate technical safeguards \"by design and by default\" and emphasized that the violation could have been prevented with proper input validation.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_TSV\u002F5875\u002F2024&diff=51552&oldid=51551","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F8\u002F87\u002FLogoFI.png","2026-04-30T11:56:51+00:00",{"id":272,"title":273,"slug":274,"brief":275,"ai_summary":276,"url":277,"image_url":278,"published_at":279},"8f837ff0-95bb-4cd1-b379-71a584c069d6","No action taken against PimEyes: noyb lawsuit against Hamburg DPA","no-action-taken-against-pimeyes-noyb-lawsuit-against-hamburg-dpa-7b8c34","noyb sues Hamburg DPA for inaction against PimEyes facial recognition engine collecting billions of biometric data.","Privacy advocate noyb has filed a lawsuit against the Hamburg Data Protection Authority, alleging the DPA refuses to enforce GDPR against PimEyes, a facial recognition search engine that systematically collects and sells access to billions of biometric images without consent. Although the Hamburg DPA itself acknowledges PimEyes' practices are unlawful, it claims it cannot act because the company appears to be based outside the EU (citing Dubai, after the company previously claimed locations in Poland, Seychelles, and Belize). 
noyb argues the DPA has other enforcement tools available—such as freezing European funds or compelling service providers to delete data—and that the five-year inaction signals weak GDPR enforcement.","https:\u002F\u002Fnoyb.eu\u002Fen\u002Fno-action-taken-against-pimeyes-noyb-lawsuit-against-hamburg-dpa","https:\u002F\u002Fnoyb.eu\u002Fsites\u002Fdefault\u002Ffiles\u002Fstyles\u002Ffacebook\u002Fpublic\u002F2026-04\u002Fheader_pimeyes.png?h=19fb9a6b&itok=CDGrDlqr","2026-04-30T07:00:00+00:00",{"id":281,"title":282,"slug":283,"brief":284,"ai_summary":285,"url":286,"image_url":86,"published_at":287},"8dbfd238-ca18-4151-8545-812c23747a2f","AEPD (Spain) - EXP202404507","aepd-spain-exp202404507-8e4e0a","Spanish DPA fines bank €400K for CCTV access via shared credentials violating GDPR Article 32.","Spain's AEPD (Data Protection Authority) imposed a €400,000 fine on Unicaja Banco for failing to implement proper access controls on its CCTV surveillance system. Staff at a contracted security firm accessed video footage through a single shared username and password, preventing individual attribution of actions and violating GDPR Article 32's requirement for appropriate technical and organizational security measures. 
The DPA rejected the bank's argument that responsibility lay solely with the processor, holding the controller ultimately accountable for ensuring these protections were implemented and supervised.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202404507&diff=51547&oldid=51500","2026-04-29T14:12:51+00:00",{"id":289,"title":290,"slug":291,"brief":292,"ai_summary":293,"url":294,"image_url":295,"published_at":296},"3b4be084-48a3-4181-a019-4aa26c18c826","Garante per la protezione dei dati personali (Italy) - 10241537","garante-per-la-protezione-dei-dati-personali-italy-10241537-6bd079","Italian DPA fines Poste Italiane and PostePay €12.5M for unlawful malware detection data collection.","Italy's Data Protection Authority (Garante) fined Poste Italiane €6.6M and PostePay €5.9M for multiple GDPR violations related to their Bancoposta and PostePay mobile apps. The violations stemmed from unlawful collection of device data for malware detection via ThreatMetrix without proper user consent, inadequate transparency, missing data protection impact assessments, and improper processor agreements. 
Users who refused data access permissions faced app functionality restrictions, effectively coercing consent.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_10241537&diff=51546&oldid=51525","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fec\u002FLogoIT.png","2026-04-29T14:04:24+00:00",{"id":298,"title":299,"slug":300,"brief":301,"ai_summary":302,"url":303,"image_url":16,"published_at":304},"2af49dab-7138-448c-85ea-1757f837ab77","APD\u002FGBA (Belgium) - 86\u002F2026","apd-gba-belgium-86-2026-167f7e","Belgian DPA fines employer €8,500 for unlawfully retaining former employee email and accessing private communications.","The Belgian Data Protection Authority (APD\u002FGBA) issued a decision against an employer that systematically retained former employees' email addresses and mailboxes for up to three years, accessing private communications without legal basis. The DPA found violations of GDPR Articles 5(1)(a), 6(1), 12, 17, 24, and 25, and rejected the employer's claims of consent and legitimate interest. The DPA imposed an €8,500 fine and ordered immediate deletion of the data with proof of compliance within 30 days.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=APD\u002FGBA_(Belgium)_-_86\u002F2026&diff=51538&oldid=51529","2026-04-29T10:12:32+00:00",{"id":306,"title":307,"slug":308,"brief":309,"ai_summary":310,"url":311,"image_url":61,"published_at":312},"79e3b026-33e0-43c0-a26b-b75d0b8707ba","CE - 482872","ce-482872-d12d45","French court upholds €40M GDPR fine against Criteo for cookie consent violations.","France's Council of State confirmed a €40 million fine issued by CNIL against advertising company Criteo for multiple GDPR breaches. The violations included placing tracking cookies without user consent, failing to inform users about data processing purposes, ignoring data erasure requests, and lacking joint controller agreements with partners. 
The court rejected Criteo's appeal, finding the company processed personal data through large-scale collection and cross-referencing, and could not rely on legitimate interest to retain data of users who requested deletion.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CE_-_482872&diff=51532&oldid=51322","2026-04-29T09:31:59+00:00",{"id":314,"title":315,"slug":316,"brief":317,"ai_summary":318,"url":319,"image_url":320,"published_at":321},"672ab09e-e917-4c7c-884b-3d59d7cdfe99","CNIL (France) - SAN-2025-014","cnil-france-san-2025-014-970bb2","CNIL fines Mobius Solutions €1M for data retention, unauthorized processing, and record-keeping failures.","France's CNIL issued a €1,000,000 fine to Mobius Solutions Ltd on December 11, 2025, for violations stemming from a Deezer data breach affecting ~46.9 million users globally. The processor failed to delete user data after contract termination, used retained data for its own system development contrary to contractual terms, and failed to maintain processing records—breaching GDPR Articles 28, 29, and 30.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CNIL_(France)_-_SAN-2025-014&diff=51531&oldid=50410","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fthumb\u002F0\u002F0f\u002FLogoFR.png\u002F1200px-LogoFR.png","2026-04-29T09:31:04+00:00",{"id":323,"title":290,"slug":324,"brief":325,"ai_summary":326,"url":327,"image_url":295,"published_at":328},"3f6edb43-2a7d-4b29-bf37-becd5c97a0dd","garante-per-la-protezione-dei-dati-personali-italy-10241537-e7a4ad","Italian DPA fines Poste Italiane and PostePay €12.5M for unlawful malware detection data processing.","Italy's Data Protection Authority (Garante) issued a €12.5 million fine to Poste Italiane and PostePay for processing personal data without adequate consent to detect malware on users' devices via their Bancoposta and PostePay applications. 
The DPA found violations of GDPR Articles 5, 6, 13, 25, 32, 35 and the e-Privacy Directive, citing inadequate legal basis, unfair consent mechanics (blocking app access if users rejected permission), and failure to properly balance legitimate interests against user rights. The investigation was triggered by user complaints in 2024 regarding coercive authorization requests for device data access.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_10241537&diff=51525&oldid=51524","2026-04-29T08:28:09+00:00",{"id":330,"title":331,"slug":332,"brief":333,"ai_summary":334,"url":335,"image_url":86,"published_at":336},"f461f366-e1bd-43c0-bef0-77b2a1fcb39c","AEPD (Spain) - EXP202406208","aepd-spain-exp202406208-33c3be","Spain's AEPD fined EVO Banco €240K for API vulnerability causing 1.27M data breach.","Spain's data protection authority (AEPD) fined EVO Banco (now Bankinter) €240,000 for a March 2024 data breach affecting approximately 1.27 million individuals caused by an API vulnerability introduced during system migration. The bank failed to implement adequate access controls, data encryption, and integrity safeguards required under GDPR Article 5(1)(f), and initially refused to notify affected individuals. 
The fine was reduced 40% through voluntary payment and liability acknowledgment.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202406208&diff=51523&oldid=51509","2026-04-29T07:39:32+00:00",{"id":338,"title":339,"slug":340,"brief":341,"ai_summary":342,"url":343,"image_url":344,"published_at":345},"cf57305e-4828-4ef8-b82f-fc53ff60b3fe","Cyber Insurance Data Gives CISOs New Ammo for Budget Talks","cyber-insurance-data-gives-cisos-new-ammo-for-budget-talks-f4b3ac","Cyber insurance data links security failures to financial losses, helping CISOs justify budgets to boards.","Resilience released analysis of its manufacturing cyber insurance claims (2021–2026) showing ransomware accounts for 90% of losses despite only 12% of claims. The report identifies MFA misconfiguration as the top financial loss driver (26%), followed by software vulnerability exploits (13%), and recommends CISOs use this data to translate technical risk into business terms for board budget discussions.","https:\u002F\u002Fwww.securityweek.com\u002Fcyber-insurance-data-gives-cisos-new-ammo-for-budget-talks\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F03\u002FCyber-Insurance.jpg","2026-04-28T18:32:11+00:00",{"id":347,"title":348,"slug":349,"brief":350,"ai_summary":351,"url":352,"image_url":320,"published_at":353},"a436553e-767a-4e67-b136-ba4798876591","CNIL (France) - SAN-2025-011","cnil-france-san-2025-011-c6e23c","CNIL fines American Express Carte France €1.5M for cookie consent violations.","France's CNIL data protection authority fined American Express Carte France €1.5 million for placing optional cookies without user consent on its website and failing to delete them when users withdrew consent. The investigation also found that the company recorded customer service calls beyond necessary scope, but no fine was imposed for that violation after the controller demonstrated the issue stemmed from misconfiguration rather than intent. 
The case involved breaches of Article 5(3) of the ePrivacy Directive (transposed into French law) and the GDPR's data minimization principle.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CNIL_(France)_-_SAN-2025-011&diff=51514&oldid=50157","2026-04-28T13:48:29+00:00",{"id":355,"title":356,"slug":357,"brief":358,"ai_summary":359,"url":360,"image_url":61,"published_at":361},"510e39e0-96b1-448a-83a6-dd7cd3c773af","VG Wiesbaden - 6 K 996\u002F22.WI","vg-wiesbaden-6-k-996-22-wi-873c96","German court rules payment service illegally processed sensitive health and sexual data without lawful basis.","VG Wiesbaden court found that Paydirekt GmbH violated GDPR Articles 5(1), 9(1), and 25(1) by processing sensitive data about items purchased from online pharmacies and sex shops without proper legal basis. The court ruled that storing transaction details on health-related and sexual items cannot be justified by legitimate interests in fraud prevention or payment cancellation reduction, and that less restrictive alternatives exist. Although the case became moot when Paydirekt entered liquidation, the court determined the appeal would have succeeded and ordered the DPA to cover costs.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=VG_Wiesbaden_-_6_K_996\u002F22.WI&diff=51512&oldid=50423","2026-04-28T13:38:20+00:00",{"id":363,"title":331,"slug":364,"brief":365,"ai_summary":366,"url":367,"image_url":86,"published_at":368},"1df2c398-f490-4d34-b22e-969cb2da0ad0","aepd-spain-exp202406208-efafeb","Spain's AEPD fines EVO Banco €240K for API vulnerability exposing 1.27M customers' data.","Spain's data protection authority (AEPD) fined EVO Banco S.A. (now Bankinter) €240,000 for a March 2024 data breach affecting approximately 1.27 million individuals. 
The breach stemmed from an API vulnerability introduced during system migration that allowed 1.2 million successful unauthorized access attempts; the bank failed to implement adequate access controls and data encryption, violating GDPR Article 5(1)(f). The fine was initially €400,000 but reduced to €240,000 after the bank made voluntary payment and acknowledged liability under Spanish administrative law.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202406208&diff=51509&oldid=51367","2026-04-28T09:32:02+00:00",{"id":370,"title":290,"slug":371,"brief":372,"ai_summary":373,"url":374,"image_url":295,"published_at":375},"83d61d3e-6d2d-43ae-ad34-40c1c436a54f","garante-per-la-protezione-dei-dati-personali-italy-10241537-4bde14","Italian DPA fines Italian Post and PostePay for unlawful device data access via Bancoposta and PostePay apps.","Italy's Data Protection Authority (Garante) found multiple GDPR violations by Italian Post and PostePay for requiring users of their Bancoposta and PostePay banking apps to authorize device data access for malware detection, with app blocking as a penalty for refusal. 
The DPA identified breaches of Articles 5, 6, 13, 25, 28, and 35 GDPR, as well as the e-Privacy Directive, citing unlawful processing, lack of transparency about ThreatMetrix use, inadequate data processor oversight, missing data protection impact assessments, and retention periods exceeding declared limits by 4 months.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_10241537&diff=51506&oldid=51501","2026-04-28T07:46:23+00:00",{"id":377,"title":378,"slug":379,"brief":380,"ai_summary":381,"url":382,"image_url":383,"published_at":384},"be919f0a-1fee-4a67-a5ea-02f7d0d1da9a","82 Chrome Extensions Found Selling User Data, 6.5 Million Users Affected","82-chrome-extensions-found-selling-user-data-6-5-million-users-affected-58b095","82 Chrome extensions found selling user data to third parties, affecting 6.5M users.","LayerX Security identified 82 Chrome extensions that explicitly reserve the right to collect and sell user data, affecting at least 6.5 million users. The extensions include 24 media-related tools linked to the Quality Viewership Initiative that track streaming activity across Netflix, Hulu, Disney+, and Prime Video, plus 12 ad-blocking tools with over 5.5 million combined users. 
As of the report, 75 of the 82 malicious extensions remain active on the Chrome Web Store despite the disclosed but concerning data monetization practices.","https:\u002F\u002Fhackread.com\u002F82-chrome-extensions-selling-user-data\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002F82-chrome-extensions-selling-user-data.jpg","2026-04-27T19:56:23+00:00",{"id":386,"title":387,"slug":388,"brief":389,"ai_summary":390,"url":391,"image_url":295,"published_at":392},"6aaab0e8-119d-4921-a10f-ee84f784e265","Garante per la protezione dei dati personali (Italy) - 9870014","garante-per-la-protezione-dei-dati-personali-italy-9870014-261cad","Italian DPA fines Ediscom €300K for GDPR violations in marketing data collection.","The Italian Data Protection Authority (Garante) fined Ediscom S.p.A. €300,000 for multiple GDPR violations in its marketing business, which involved collecting and processing personal data from over 21 million contacts via SMS, email, and automated calls. Violations included use of dark patterns to manipulate consent, excessive data collection without proper legal basis, failure to provide privacy policies, and requesting personal data of third parties without valid consent. The DPA found breaches of Articles 5, 6, 7, 13, 14, 24, and 25 GDPR across both directly collected data and data acquired from third-party databases.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9870014&diff=51504&oldid=32328","2026-04-27T18:34:03+00:00",{"id":394,"title":290,"slug":395,"brief":396,"ai_summary":397,"url":398,"image_url":295,"published_at":399},"98b12c65-1396-43a7-a92c-a424dbb8bca0","garante-per-la-protezione-dei-dati-personali-italy-10241537-4acad8","Italian DPA fines Poste Italiane and PostePay €12.5M for GDPR violations in device data collection.","Italy's Data Protection Authority (Garante) issued a €12.5M fine against Poste Italiane S.p.a. 
(€6.624M) and PostePay S.p.a. (€5.877M) for multiple GDPR breaches related to unauthorized collection of personal data from user devices via the ThreatMetrix application. The violations included unlawful access to device data, inadequate legal basis under Article 6, failure to provide transparent information about data processing and third-party sub-processors, improper data processor agreements, and excessive data retention beyond declared periods.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_10241537&diff=51501&oldid=0","2026-04-27T15:05:01+00:00",{"id":401,"title":282,"slug":402,"brief":403,"ai_summary":404,"url":405,"image_url":86,"published_at":406},"0a11a80a-5a2c-455b-9054-a6d41c1996eb","aepd-spain-exp202404507-4e20da","Spanish DPA fines bank €400K for CCTV system shared credentials violating GDPR Article 32.","Spain's AEPD issued a €400,000 fine (reduced from €500,000 via voluntary payment) to UNICAJA BANCO for failing to implement proper access controls on its CCTV surveillance system. Multiple employees accessed recorded footage using a single shared username and password, preventing individual attribution and audit trails. The controller remained responsible despite contractual requirements with its processor, as it failed to operationalize and supervise the technical and organizational measures required under GDPR Article 32.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202404507&diff=51500&oldid=0","2026-04-27T12:19:43+00:00",{"id":408,"title":409,"slug":410,"brief":411,"ai_summary":412,"url":413,"image_url":414,"published_at":415},"20bcd03e-2b76-4e2b-8488-2436769a1c4c","US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator","us-launches-sweeping-crackdown-on-southeast-asia-cyberscams-and-sanctions-cambod-b29920","US launches crackdown on Southeast Asian cyberscam operations, sanctions Cambodian senator and 28 others.","The U.S. 
Attorney's Office, Department of Justice, FBI, and Secret Service announced a coordinated crackdown on Southeast Asian cyberscam operations operating from Cambodia and Myanmar. The initiative includes Treasury Department sanctions against Cambodian Senator Kok An and 28 associates, criminal charges against two Chinese nationals, and asset freezes totaling hundreds of millions of dollars. The operation targets scam networks that have defrauded Americans of billions annually and are linked to human trafficking and forced labor.","https:\u002F\u002Fwww.securityweek.com\u002Fus-launches-sweeping-crackdown-on-southeast-asia-cyberscams-and-sanctions-cambodian-senator\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002Fscam-fraud.jpeg","2026-04-27T09:39:33+00:00",{"id":417,"title":418,"slug":419,"brief":420,"ai_summary":421,"url":422,"image_url":423,"published_at":424},"beac35bb-8381-4935-a95c-598094ed20bc","Microsoft to roll out Entra passkeys on Windows in late April","microsoft-to-roll-out-entra-passkeys-on-windows-in-late-april-2341f7","Microsoft rolls out Entra passkeys on Windows in late April for phishing-resistant authentication.","Microsoft will begin rolling out passkey support for Microsoft Entra-protected resources from Windows devices in late April 2026, with general availability expected by mid-June. The feature enables phishing-resistant passwordless authentication using Windows Hello methods (face, fingerprint, or PIN) and supports corporate, personal, and shared devices. 
Passkeys are cryptographically bound to devices and never transmitted over the network, protecting against credential theft and phishing attacks.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-to-roll-out-entra-passkeys-on-windows-in-late-april\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F03\u002F12\u002FHacking_login.jpg","2026-04-24T18:13:55+00:00",[],[427,440,454,463,473,482,491],{"id":428,"title":429,"slug":430,"description":431,"url":432,"start_date":433,"end_date":432,"location":434,"is_virtual":435,"category":436,"tags":437},"d59b6e80-c622-4646-98f2-f1f97f9e11b6","Patch Tuesday Support Group – May 2026","patch-tuesday-support-group-may-2026","This webinar provides a comprehensive overview of the latest Microsoft May Patch Tuesday security updates. IT professionals and security teams receive detailed guidance on critical patches, vulnerabilities addressed, and deployment best practices. The session ensures organizations understand and can effectively manage the latest security updates to maintain system security and compliance.",null,"2026-05-17","Virtual",true,"webinar",[438,439,5],"endpoint","vulnerability-management",{"id":441,"title":442,"slug":443,"description":444,"url":445,"start_date":446,"end_date":447,"location":448,"is_virtual":449,"category":450,"tags":451},"e995086e-1e8d-40e6-a41d-d8be776deb80","SIA GovSummit 2026","sia-govsummit-2026","SIA's annual public policy and government security technology conference bringing together government security leaders with private industry technologists. The summit features top-quality information sharing and education on security topics affecting federal, state, and local agencies. 
Free attendance for government attendees with paid options for industry participants.","https:\u002F\u002Fgovsummit.securityindustry.org\u002F","2026-05-20","2026-05-21","Washington, DC, United States",false,"conference",[452,5,453],"governance","risk",{"id":455,"title":456,"slug":457,"description":458,"url":432,"start_date":459,"end_date":460,"location":461,"is_virtual":449,"category":450,"tags":462},"43b6601e-1bdb-4260-9a74-040f3a426671","IT GRC Kongress 2026","it-grc-kongress-2026","A specialized conference on IT governance, risk, and compliance held in Hamburg. The event is designed for CISOs, compliance officers, and IT leaders focused on managing security governance and regulatory requirements.","2026-05-26","2026-05-27","Hamburg, Germany",[452,5,453],{"id":464,"title":465,"slug":466,"description":467,"url":468,"start_date":469,"end_date":470,"location":471,"is_virtual":449,"category":450,"tags":472},"a7b054da-528f-4c4f-b950-039342a53169","Gartner Security & Risk Management Summit 2026","gartner-security-risk-management-summit-2026","A premium event for senior security decision-makers featuring one-to-one analyst meetings delivering vendor-neutral guidance on security strategy, risk management, and technology investments. This summit justifies its premium price through exclusive access to Gartner's latest research and personalized advice for CISOs and security executives.","https:\u002F\u002Fwww.gartner.com\u002Fevents","2026-06-01","2026-06-03","United States",[452,453,5],{"id":474,"title":475,"slug":476,"description":477,"url":478,"start_date":479,"end_date":432,"location":434,"is_virtual":435,"category":436,"tags":480},"d3910f31-8e37-4604-aa5c-98508d49faf0","Designing Secure and Effective Corporate ID Credentials","designing-secure-and-effective-corporate-id-credentials","An in-depth webinar exploring SIA's Corporate Credential Design Guide, a vendor-neutral resource for designing secure, interoperable corporate identity credentials. 
Led by members of the SIA Credential Design Working Group, this session covers best practices for credential design, implementation and management.","https:\u002F\u002Fwww.securityindustry.org\u002Fsiaevents\u002Fdesigning-secure-and-effective-corporate-id-credentials\u002F","2026-06-04",[481,5],"identity",{"id":483,"title":484,"slug":485,"description":486,"url":432,"start_date":487,"end_date":488,"location":489,"is_virtual":449,"category":450,"tags":490},"515d4b7f-59fb-4c13-bdcd-f8c034c44b05","IT Security Summit Berlin","it-security-summit-berlin","A comprehensive IT security summit in Berlin with both in-person and online options covering enterprise security strategies. The event attracts CISOs, IT leaders, and security professionals discussing governance and risk management.","2026-06-15","2026-06-19","Berlin, Germany",[452,5,453],{"id":492,"title":493,"slug":494,"description":495,"url":496,"start_date":497,"end_date":498,"location":471,"is_virtual":449,"category":499,"tags":500},"327e6bab-f550-46c6-ab41-f5d3661f9ed0","SANS Cyber Defense Initiative 2026","sans-cyber-defense-initiative-2026","SANS Cyber Defense Initiative is a rare event where ROI is measurable through GIAC certifications, hands-on capability uplift, and benchmarked NetWars performance. Designed for defensive teams seeking validated training and industry-recognized credentials alongside practical skills development.","https:\u002F\u002Fwww.sans.org\u002Fcyber-aces\u002Fevents","2026-12-14","2026-12-19","workshop",[501,502,5],"blue-team","incident-response",[504],{"id":505,"title":506,"body":507,"tags":508,"author_name":512,"updated_at":513,"created_at":514},"a93a00d5-6ca2-4219-86a8-4056d5ca8cf7","ISO 27001 practical guide for SMEs. Worth knowing about.","ISO published a practical guide for SMEs implementing ISO\u002FIEC 27001:2022. 
If you are at a small or mid-size company and think ISO 27001 is only for large enterprises, this guide is for you.\n\n**What it covers:**\n- How to set up an Information Security Management System (ISMS) with limited resources\n- Clause-by-clause walkthrough of ISO 27001 tailored for smaller organizations\n- Real examples and case studies from SMEs\n- How to integrate security into daily business processes without a dedicated security team\n- FAQ on certification: what it costs, how long it takes, and whether you need a consultant\n\n**Why this matters for SMEs:**\n- Customers and partners increasingly require ISO 27001 as a baseline\n- The guide shows you can do this without a massive budget or a team of consultants\n- Implementing even part of the framework significantly reduces your risk exposure\n- It builds a security culture that scales with your company\n\n**Practical steps:**\n1. Check out the guide from ISO: [iso.org\u002Fpublication\u002FPUB100484.html](https:\u002F\u002Fwww.iso.org\u002Fpublication\u002FPUB100484.html)\n2. Start with Clause 4 (Context) and Clause 6 (Planning). These set the foundation.\n3. Use the risk assessment template approach from the guide rather than buying expensive GRC tools\n4. Focus on the Annex A controls that actually apply to your business. You do not need all 93.\n5. Consider certification only after you have been running the ISMS for 6+ months\n\nSurprisingly readable for an ISO document.",[509,5,510,511],"iso-27001","sme","frameworks","Marcus Lenngren","2026-04-04T15:35:33.077564+00:00","2026-04-04T13:26:39.798236+00:00",[],58]