Daily Brief

Find articles below; each title is followed by a generated summary.

Total articles found: 12780

Checks for new stories every ~15 minutes

Title Summary
2025-05-02 12:32:50 thehackernews DATA BREACH TikTok Fined €530 Million for Illicit Data Transfer to China
Ireland's Data Protection Commission (DPC) has fined TikTok €530 million for violating the GDPR by transferring European user data to China. The fine concludes an inquiry opened in September 2021 into whether TikTok's transfers to third countries met EU data protection requirements. The DPC has ordered TikTok to bring its processing into compliance within six months, failing which its data transfers to China will be suspended. The inquiry also found that TikTok had told the DPC no European user data was stored on servers in China, a claim TikTok itself contradicted when it later disclosed that in February 2025 it had discovered a limited set of European user data held on Chinese servers. The DPC's Deputy Commissioner said TikTok had failed to verify, guarantee or demonstrate that European user data was protected from potential access by Chinese authorities under China's national security laws. TikTok argues the decision overlooks Project Clover, its initiative to keep European data within Europe under enhanced safeguards, and intends to appeal. The penalty follows a €345 million DPC fine in September 2023 for mishandling children's data under the GDPR.
2025-05-02 12:15:48 bleepingcomputer DATA BREACH TikTok Fined €530 Million for Illegally Transferring EU Data to China
The Irish Data Protection Commission (DPC) has fined TikTok €530 million for violating the GDPR by transferring European user data to China. The fine comprises €485 million for unlawful transfers under GDPR Article 46(1) and €45 million for insufficient transparency under Article 13(1)(f). TikTok has six months to bring its processing into compliance with EU law; if it does not, its transfers to China will be suspended. The DPC found that Chinese law, which diverges materially from EU standards, could give Chinese authorities access to European data. During the inquiry TikTok had told the DPC that European data was not stored in China, but in 2025 it admitted that some data had been held on Chinese servers. TikTok plans to appeal, arguing the DPC disregarded the safeguards in its Project Clover initiative. The fine is the third-largest GDPR penalty to date, behind only those imposed on Amazon (by Luxembourg's regulator) and Meta.
2025-05-02 10:33:40 theregister CYBERCRIME Harrods Joins UK Retailers Facing Coordinated Cyberattack Efforts
Harrods has become the third major UK retailer to report an attempted cyberattack, after M&S and Co-op. None of the three has confirmed ransomware as the cause, although speculation centres on Scattered Spider, a loosely organised cybercrime collective known for working with ransomware operations. The UK's National Cyber Security Centre (NCSC) is assisting the affected retailers, a sign of how seriously the incidents are being taken, and has warned UK retailers to expect continued ransomware activity aimed at the sector. There has been no formal attribution and no group has claimed responsibility. Online and physical stores continue to trade, though some retailers are experiencing service disruption. The incidents have prompted warnings to all organisations to review their cyber defences and apply established security practices.
2025-05-02 10:33:39 thehackernews MISCELLANEOUS Streamlining Security Workflows: Automation Case Study at LivePerson
LivePerson used Tines, a workflow orchestration and AI platform, to automate the monitoring of security advisories and the vulnerability response they trigger. The workflow tracks advisories issued by CISA and enriches them with CrowdStrike threat intelligence before creating tickets. For a batch of 45 advisories, ticket creation fell from 150 minutes of manual work to 60 minutes, a 60% reduction. Analysts remain in the loop for decisions, preserving quality control while speeding up the process. Implementation steps: set up a Tines account, import the workflow, configure its actions, and test against real advisories before going live. The case study reports both time savings and fewer manual errors, with gains in team morale and operational efficiency.
2025-05-02 10:17:50 bleepingcomputer MISCELLANEOUS Microsoft Resolves Bug Mislabeling Gmail as Spam in Exchange Online
Microsoft has fixed an issue, tracked as EX1064599, in which a machine learning model in Exchange Online incorrectly tagged legitimate Gmail messages as spam and moved them to users' junk folders. The problem began on April 25 at 09:24 UTC; the model misfired because characteristics of the affected legitimate mail resembled those seen in spam campaigns. Microsoft rolled the model back to its previous version on May 1 at 16:31 UTC, which cleared the false positives. In the meantime, admins had been advised to create allow rules to bypass the misclassification. Microsoft says it is refining its ML detection to reduce future false positives, confirmed the fix after a period of monitoring, and did not disclose which regions or how many users were affected. This is the latest in a series of similar misclassifications by Microsoft's ML filtering models this year.
2025-05-02 08:58:57 thehackernews MALWARE MintsLoader Uses Advanced Techniques to Deploy GhostWeaver RAT
MintsLoader is a malware loader that uses obfuscated JavaScript and PowerShell to deliver the GhostWeaver remote access trojan. It evades analysis with sandbox and virtual machine checks, uses a domain generation algorithm (DGA) to locate its infrastructure, and talks to its command-and-control (C2) servers over HTTP. It has been seen since early 2023 in phishing and drive-by download attacks against organisations in the industrial, legal and energy sectors. Delivery often relies on ClickFix, a social engineering technique that tricks users into running a malicious script themselves, frequently via spam email. The loader's main job is to fetch the next-stage payload from a DGA-generated domain, which complicates blocklisting and detection. GhostWeaver maintains persistent C2 communications, can deploy additional payloads, and encrypts its traffic with TLS using an obfuscated self-signed certificate. Related campaigns such as ClearFake use similar lures to deliver malware including Lumma Stealer.
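An added example (not from the original brief or from any published MintsLoader analysis): a Node.js heuristic that scores DNS query names for DGA-like properties and flags hosts that look up several such names in a log. The log format, domains, thresholds and allowlist below are constructed for illustration; the actual pattern of MintsLoader's DGA is not described on this page, and a production rule would need tuning against real traffic, since CDN and cloud hostnames also score high on entropy.

```javascript
// Added example, not from the original brief or any vendor research.
// Scores DNS query names for DGA-like traits and groups hits per client.
// All log lines, domains, thresholds and the allowlist are constructed.

const ALLOWLIST_SUFFIXES = ['microsoft.com', 'google.com', 'windowsupdate.com']; // constructed

// Constructed query log in a dnsmasq/BIND-like shape: "<ts> client <ip> query <type> <qname>"
const SAMPLE_LOG = `
2025-05-02T08:10:01Z client 10.0.0.12 query A www.microsoft.com
2025-05-02T08:10:02Z client 10.0.0.12 query A login.live.com
2025-05-02T08:10:05Z client 10.0.0.12 query A 3hsuyq2o1mbh0d9u.top
2025-05-02T08:10:05Z client 10.0.0.12 query A gsqn5kppx4aw7cz0.top
2025-05-02T08:10:06Z client 10.0.0.12 query A cdn.jsdelivr.net
2025-05-02T08:10:07Z client 10.0.0.12 query A p7ulvv0aqirn4u3f.top
2025-05-02T08:10:09Z client 10.0.0.44 query A mail.example.org
`;

// Shannon entropy in bits per character of a string.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, c) => {
    const p = c / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Label directly left of the TLD (naive: treats the last label as the public suffix).
function registrableLabel(fqdn) {
  const parts = fqdn.toLowerCase().replace(/\.$/, '').split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Four independent signals, one point each. Weights are illustrative, not tuned.
function scoreDomain(fqdn) {
  const label = registrableLabel(fqdn);
  const entropy = shannonEntropy(label);
  const digitRatio = (label.match(/[0-9]/g) || []).length / label.length;
  const vowelRatio = (label.match(/[aeiou]/g) || []).length / label.length;
  let score = 0;
  if (label.length >= 12) score += 1;   // long machine-generated labels
  if (entropy > 3.5) score += 1;        // near-uniform character distribution
  if (digitRatio > 0.2) score += 1;     // digits mixed into the label
  if (vowelRatio < 0.25) score += 1;    // unpronounceable
  return { fqdn, label, entropy: Number(entropy.toFixed(2)), score };
}

function parseQueryLog(text) {
  const re = /^(\S+) client (\S+) query (\S+) (\S+)$/;
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(l => {
    const m = re.exec(l);
    return m && { ts: m[1], client: m[2], qtype: m[3], qname: m[4] };
  }).filter(Boolean);
}

// A single odd name is noise; several from one host is the DGA signal worth alerting on.
function findSuspicious(text, { threshold = 3, minPerClient = 2 } = {}) {
  const byClient = new Map();
  for (const q of parseQueryLog(text)) {
    if (ALLOWLIST_SUFFIXES.some(s => q.qname === s || q.qname.endsWith('.' + s))) continue;
    const d = scoreDomain(q.qname);
    if (d.score >= threshold) {
      if (!byClient.has(q.client)) byClient.set(q.client, []);
      byClient.get(q.client).push(d.fqdn);
    }
  }
  return [...byClient]
    .filter(([, domains]) => domains.length >= minPerClient)
    .map(([client, domains]) => ({ client, domains }));
}

console.log(JSON.stringify(findSuspicious(SAMPLE_LOG), null, 2));
```

The per-client aggregation is the part worth keeping even if the scoring is replaced: a loader that cycles DGA candidates until one resolves produces a burst of failed or odd lookups from one host, which is a much stronger indicator than any single name.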
2025-05-02 07:21:46 bleepingcomputer MISCELLANEOUS Microsoft Introduces Default Passwordless Option for New Accounts
Microsoft has announced that new Microsoft accounts will be "passwordless by default", removing the target of common password attacks such as password spraying, credential stuffing and phishing. The change follows recent updates to the sign-in and registration flows on web and mobile that put passwordless and passkey-first options in front of users. According to Microsoft executives Joy Chik and Vasu Jakkal, new users are not asked to create a password; once the account exists they are prompted to enrol a passkey, which becomes the primary sign-in method on subsequent logins and is typically unlocked with a fingerprint, face scan or device PIN. Microsoft says the new sign-in experience has already reduced password use by more than 20% and that it aims to keep reducing reliance on passwords. Microsoft is a key member of the FIDO Alliance, which promotes passkeys as an industry standard for passwordless authentication.
2025-05-02 06:47:39 thehackernews MISCELLANEOUS Microsoft Advocates for Passwordless Future with Default Passkeys
Microsoft now makes new accounts passwordless by default, a move aimed at both security and a simpler sign-in experience. New users choose from passwordless sign-in options instead of setting a password, and existing account holders can remove their password from account settings. The sign-in flow detects and prefers the most secure method available to the user. The change mirrors moves by Apple and Google toward a passwordless ecosystem. A passkey is a public/private key pair: the private key stays on the user's device and is bound to the site it was created for, so there is no shared secret to remember, leak or type into a lookalike site, which is why passkeys resist phishing. Passkeys are supported in Windows 11 and across Google's platforms, and the FIDO Alliance says more than 15 billion accounts can now use them. The Alliance is also working on passkey interoperability and on their use in secure payments.
2025-05-01 23:20:31 bleepingcomputer CYBERCRIME Hacker Pleads Guilty to Stealing Over 1TB of Disney Slack Data
Ryan Kramer, who operated under the alias "NullBulge", stole 1.1 TB of data from Disney's internal Slack using malware disguised as an AI image-generation tool. The trojanised tool was distributed via GitHub; a Disney employee who installed it unknowingly gave Kramer access to their computer and saved credentials. Kramer used those credentials to log into Disney's Slack and download confidential data from thousands of internal channels. He then contacted the employee while posing as a Russian hacktivist group and threatened to leak the data; when the employee did not cooperate, NullBulge published the data on BreachForums. The U.S. Department of Justice has charged Kramer with unauthorised access to a computer to obtain information and with threatening to damage a protected computer, each count carrying up to five years in prison. The FBI has identified two other victims who downloaded Kramer's malware and is investigating whether their systems were also compromised. Kramer has agreed to plead guilty to both counts and is expected to make his initial court appearance in Los Angeles.
2025-05-01 22:40:36 theregister NATION STATE ACTIVITY House Oversight Probes Elon Musk’s Government Role and Compliance
House Democrats have opened inquiries into Elon Musk's financial disclosures and security clearances in connection with his role in a government cost-cutting effort that Congress never formally authorised. Two letters demand documents showing that Musk met the legal requirements of his position, citing concerns about self-dealing and conflicts of interest. The Democrats question whether Musk's financial disclosure should remain confidential given his influence over taxpayer funds and the prominence of his role, and raise concerns about his foreign ties and his suitability for work touching national security, which bears on his clearance. The inquiry also covers job cuts his team made at the National Highway Traffic Safety Administration, which the letters say may constitute a conflict of interest given the agency's ongoing Tesla investigations. Musk's announced departure from the role by May coincides with the 130-working-day limit for Special Government Employees. Musk and Tesla have also faced negative publicity, including protests and a sharp fall in Tesla's share price, which has affected his businesses. Separately, concerns were raised about the alleged mishandling of sensitive data at the National Labor Relations Board by Musk's team, which may have violated federal law.
2025-05-01 20:09:33 bleepingcomputer DDOS Pro-Russia Hacktivists Launch DDoS Attacks on Dutch Entities
Pro-Russia hacktivists are continuing to hit Dutch public and private organisations with DDoS attacks that disrupt access to online services. The Dutch National Cyber Security Centre (NCSC) confirmed that several organisations in the Netherlands and elsewhere in Europe have suffered large-scale DDoS attacks and attributed them to the hacktivist group NoName057(16), which says the attacks are retaliation for Dutch military support to Ukraine. The group cited the Netherlands' previous €6 billion in support and a further €3.5 billion planned by 2026. Regions including Groningen and Noord-Holland were affected, with the online services of many municipalities and provinces disrupted. No data breaches or compromises of internal systems were reported by the targeted organisations. The campaign is part of NoName057(16)'s ongoing activity; the group also runs 'DDoSia', a crowdsourced DDoS platform noted for rapid recruitment and broad targeting of Western organisations.
2025-05-01 19:48:16 bleepingcomputer CYBERCRIME Ukrainian Extradited to US for Ransomware Attack Involvement
Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, has been extradited from Spain to the U.S. to face charges over Nefilim ransomware attacks. Arrested in Spain in June 2024, he is charged with conspiracy to commit fraud and related activity, including extortion, in connection with attacks on large companies in the U.S. and several European countries. Prosecutors say he joined the Nefilim operation as an affiliate in June 2021, agreeing to pay its administrators 20% of any ransom he collected. He and his co-conspirators used services such as ZoomInfo to select corporate targets by revenue, size and contact details. Nefilim, active since 2020 and descended from Nemty, encrypts corporate data, demands payment in bitcoin, and threatens to leak stolen data if the ransom is not paid. Its victims have included Toll Group, Orange and Whirlpool. The indictment was unsealed in federal court in Brooklyn; Stryzhak faces up to five years in prison if convicted.
2025-05-01 19:31:57 theregister DATA BREACH Ascension Health Reports Second Cyberattack Compromising Patient Data
Ascension Health says patient data it had shared with a former business partner was compromised in a cyberattack that exploited third-party software. Ascension learned of the incident on December 5; the exposed information varied by individual but included names, addresses, dates of birth, Social Security numbers, race and gender, and medical record details such as physician names and insurance information. Ascension completed its investigation on January 21 and has begun notifying affected patients, offering them two years of credit monitoring against identity theft. The organisation says it is strengthening its data security measures and processes to prevent a recurrence. This is Ascension's second major compromise within a year, following the Black Basta ransomware attack in May 2024. Ascension has not named the software involved, but the timing coincides with the widely reported exploitation of Cleo file transfer software, which is believed to be the entry point.
2025-05-01 18:36:55 theregister MISCELLANEOUS How Amazon Enhances Alexa+ Security with Red Teams
Amazon involved its security engineers from the start of Alexa+ development to head off misuse and unintended actions by the AI assistant. The security team, including red teamers and penetration testers, works alongside product developers so that safety guardrails are designed in rather than added afterwards. That helps anticipate ways the system could be gamed or could misfire, such as making unintended purchases or causing household accidents. Amazon CISO Amy Herzog stressed the need to balance functionality with security when an assistant can act on a user's behalf across thousands of services. Because Alexa+ is built on models whose outputs are non-deterministic, the team pays particular attention to prompt injection, malicious input crafted to steer the assistant into unwanted actions. Testing also focuses on the APIs through which the assistant acts, so that grouped or chained actions cannot produce unintended consequences. This degree of collaboration between security and development teams is described as unusual but valuable for getting ahead of security problems in AI systems.
2025-05-01 18:36:54 bleepingcomputer CYBERCRIME Harrods Targeted in Cyberattack Following Other Major UK Retailers
Harrods has confirmed it was targeted in a cyberattack, making it the third major UK retailer hit after M&S and Co-op. In response, Harrods restricted access to some of its systems; it has so far given no indication of a data breach or system compromise. Its stores, including the Knightsbridge flagship, remain open, and customers have not been asked to change how they shop. Harrods says its IT security team took immediate steps to protect systems and keep operations running safely. The nature and severity of the attack, including whether any data was stolen, have not been disclosed. M&S suffered significant disruption in an attack involving DragonForce ransomware, and Co-op has since indicated that its incident was more extensive than first communicated, affecting internal communications and prompting heightened security vigilance among staff.