France's data protection authority discovered that when visitors clicked the button to reject cookies on Vanity Fair (vanityfair[.]fr), the website continued placing tracking technologies on their devices and reading existing cookies without consent, a violation that now costs publisher Les Publications Condé Nast €750,000 in fines six years after privacy advocate NOYB first filed complaints against the media company.

The November 20 sanction by CNIL's restricted committee marks the latest enforcement action in France's aggressive campaign to enforce cookie consent requirements under the ePrivacy Directive.

NOYB, the European privacy advocacy organization led by Max Schrems, filed the original public complaint in December 2019 concerning cookies placed on user devices by the Vanity Fair France website. After multiple investigations and discussions with CNIL, Condé Nast received a formal compliance order in September 2021, with proceedings closed in July 2022 based on assurances of corrective action.

Repeated Violations Despite Compliance Order

CNIL conducted follow-up online investigations in July and November 2023, then again in February 2025, discovering that the publisher had failed to implement compliant cookie practices despite the earlier compliance order. The restricted committee found Les Publications Condé Nast violated obligations under Article 82 of France's Data Protection Act across multiple dimensions.

Investigators discovered cookies requiring consent were placed on visitors' devices as soon as they arrived on vanityfair.fr, even before users interacted with the information banner to express a choice. This automatic placement violated fundamental consent requirements mandating that tracking technologies only be deployed after users provide explicit permission.

The website lacked clarity in information provided to users about cookie purposes. Some cookies appeared categorized as "strictly necessary" and therefore exempt from consent obligations, but useful information about their actual purposes remained unavailable to visitors. This misclassification potentially allowed the publisher to deploy tracking technologies under false pretenses.

Most significantly, consent refusal and withdrawal mechanisms proved completely ineffective. When users clicked the "Refuse All" button in the banner or attempted to withdraw previously granted consent, new cookies subject to consent requirements were nevertheless placed on their devices while existing cookies continued being read.

Escalating French Enforcement Actions

The fine amount takes into account that Condé Nast had already been issued a formal notice in 2021 but failed to correct its practices, along with the number of people affected and various breaches of rules protecting users regarding cookies.

The CNIL fine represents another in a series of NOYB-related enforcement actions, with the French authority previously fining Criteo €40 million in 2023 and Google €325 million earlier in 2025. Spain's AEPD issued a €100,000 fine against Euskaltel in related NOYB litigation.

According to reports, Condé Nast acknowledged violations in its defense but cited technical errors, blamed the Internet Advertising Bureau's Transparency and Consent Framework for misleading information, and stated the cookies in question fall under the functionality category. The company claimed good faith and cooperative efforts while arguing against public disclosure of the sanction.

The Cookie Consent Conundrum

French enforcement demonstrates the ePrivacy Directive's teeth in protecting user privacy. CNIL maintains material jurisdiction to investigate and sanction cookie operations affecting French users, with the GDPR's one-stop-shop mechanism not applying since cookie enforcement falls under separate ePrivacy rules transposed into French law. The authority has intensified actions against dark patterns in consent mechanisms, particularly practices making cookie acceptance easier than refusal.

Previous CNIL decisions against Google and Facebook established that websites offering immediate "Accept All" buttons must provide equivalent simple mechanisms for refusing cookies, with multiple clicks to refuse constituting non-compliance. The six-year timeline from initial complaint to final sanction illustrates both the persistence required in privacy enforcement and the extended timeframes companies exploit while maintaining non-compliant practices generating advertising revenue through unauthorized user tracking.
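The three checks described above (cookies present on landing before any banner interaction, after "Refuse All", and after withdrawing a previously granted consent) can be reproduced as an audit against a consent gate. This is an added example, not code from the article, CNIL or Condé Nast; the cookie jar is an in-memory Map standing in for document.cookie, and all cookie and tag names are constructed placeholders.

```javascript
// Cookies genuinely exempt from consent. Everything else in the jar is an offender.
const STRICTLY_NECESSARY = new Set(["session_id", "consent_choice"]);

// Third-party tags that drop cookies requiring consent (constructed placeholders).
const TAGS = {
  analytics: (jar) => jar.set("_ga_like", "cid=123"),
  adtech: (jar) => jar.set("ad_sync", "uid=abc"),
};

class ConsentGate {
  constructor(gated) {
    this.gated = gated; // false reproduces the non-compliant behaviour CNIL found
    this.jar = new Map([["session_id", "s1"]]);
    this.choice = "undecided";
  }
  loadTags() { for (const load of Object.values(TAGS)) load(this.jar); }
  // Compliant: tags fire on page load only if consent was already given.
  onPageLoad() { if (!this.gated || this.choice === "accept") this.loadTags(); }
  accept() {
    this.choice = "accept";
    this.jar.set("consent_choice", "accept");
    this.loadTags();
  }
  // Refusal and withdrawal must block new placement and drop existing cookies.
  refuse() {
    this.choice = "refuse";
    this.jar.set("consent_choice", "refuse");
    if (this.gated) {
      for (const n of [...this.jar.keys()]) if (!STRICTLY_NECESSARY.has(n)) this.jar.delete(n);
    } else {
      this.loadTags(); // non-compliant site: tags keep firing regardless of the click
    }
  }
  withdraw() { this.refuse(); }
}

// Names of cookies present that require consent; an empty list means compliant.
function offenders(jar) {
  return [...jar.keys()].filter((n) => !STRICTLY_NECESSARY.has(n));
}

// Runs the three phases from the CNIL investigation and reports offenders per phase.
function auditSite(gated) {
  const site = new ConsentGate(gated);
  site.onPageLoad();
  const landing = offenders(site.jar);
  site.refuse();
  const afterRefuse = offenders(site.jar);
  site.accept();
  site.withdraw();
  const afterWithdraw = offenders(site.jar);
  return { landing, afterRefuse, afterWithdraw };
}
```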
A new round of cyberattacks against the US has raised concerns about hidden attempts to access urban infrastructure systems, according to an update from the Center for Countering Disinformation. Investigators found that the attackers relied on SocGholish and RomCom, two tools widely used in cybercrime. While these tools are not new, their deployment in this case suggests a deliberate effort to imitate criminal activity and make attribution significantly harder.

Security analysts say this approach has become more common in cyberattacks against the US, where Russian special services attempt to blur the line between criminal campaigns and state-backed operations. By doing so, they complicate forensic analysis and slow the response of US intelligence agencies, buying themselves more time inside targeted networks.

Cyberattacks Against the US Engineering Firm

The breached engineering company works closely with contractors that operate water supply networks, transportation systems, and emergency response services. During the intrusion, hackers reportedly accessed information about internal workflows and critical access points linked to these sectors.

This type of information is valuable for anyone looking to understand how US infrastructure is managed, maintained, and defended. Even without causing immediate disruption, gaining insight into these processes can help adversaries identify weak spots or plan future interference. The breach also shows how third-party contractors continue to be an attractive entry point for attackers studying the broader ecosystem of American infrastructure.

Use of SocGholish–RomCom Chain Raises Attribution Concerns

The use of the SocGholish–RomCom chain is notable because it is frequently associated with financially motivated cybercrime. In this case, however, analysts say its deployment looks more like a cover than a coincidence. By leaning on familiar criminal tools, Russian-linked groups can:

- Disguise the true nature of the operation
- Blend in with regular cybercrime traffic
- Delay the time it takes to trace the activity
- Force investigators to sift through layers of misleading indicators

This tactic has effectively created a “fog” around cyberattacks against the US, making it harder to quickly determine whether an incident is routine criminal activity or something more coordinated.

Possible Motives

Targeting an engineering firm suggests the attackers were not simply looking for data to sell. Analysts believe the motive was reconnaissance, specifically understanding how infrastructure systems are structured and how contractors manage their access privileges. Such information could be used in the future to exploit vulnerabilities or carry out sabotage. Experts also point out that even an incomplete attack offers useful insights into how American cybersecurity teams respond, how fast they contain threats, and what defensive tools they rely on.

The report also comes as international partners continue stepping up their own cybersecurity efforts. The Netherlands recently committed €10 million to join the UK’s cyber program supporting Ukraine, citing growing digital threats. Canada, meanwhile, expanded its sanctions to include more than 100 vessels from Russia’s “shadow fleet” and several organizations connected to the country’s cyber infrastructure. The move is part of a wider effort to limit the networks and resources that support Russian cyber operations.
Tech companies may universally offer an opt-out capability required by California law as a way to avoid having multiple versions of browsers and ask questions about residency.
Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams. "When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization," Ontinue security researcher Rhys Downing said in a report
As IT environments become increasingly distributed and organizations adopt hybrid and remote work at scale, traditional perimeter-based security models and on-premises Privileged Access Management (PAM) solutions no longer suffice. IT administrators, contractors and third-party vendors now require secure access to critical systems from any location and on any device, without compromising
Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack. Software supply chain security company ReversingLabs said it found the "vulnerability" in bootstrap files provided by a build and deployment automation tool named "zc.buildout." "The
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie. Some of the
Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity news