IT Security & Privacy

The most dangerous assumption in enterprise security is rarely the one anyone remembers making. It settles quietly into the organization, becoming less a decision than a background condition, until eventually everyone begins treating a moment in time as though it were a durable fact. A system was patched, supplier was assessed, and administrator's access was reviewed. The penetration test found nothing significant and the audit closed without material findings. The evidence exists, neatly timestamped and carefully preserved, carrying all the reassuring weight that documentation has always carried. Then the environment changes around it and almost never dramatically.

Hotels have always occupied an awkward place in the privacy conversation. They are, by necessity, temporary custodians of strangers. Every day, people hand over names, identification, payment details, travel plans, and, for a night or a week, a remarkable amount of trust. The transaction has always depended on a simple understanding that you collect what you need, protect it while you have it, and let it go when you no longer do. Somewhere along the way, some establishments decided that making copies of passports, identity cards, and even both sides of customers' credit cards was simply part of doing business.

The European Commission has taken a step that would have seemed improbable when the Digital Markets Act first came into force. It has told Amazon and Microsoft that it preliminarily believes their cloud businesses (Amazon Web Services and Microsoft Azure) should be designated as gatekeepers under the DMA, even though neither service meets the law's standard quantitative thresholds.

Two privacy determinations released Thursday by the Australian Privacy Commissioner found that health service providers Medmate and Monash IVF interfered with individuals' privacy through their use of third-party tracking pixels. The decisions conclude a year-long investigation by the Office of the Australian Information Commissioner into how the two companies collected information from visitors to websites offering telehealth and fertility services.

The video game industry has become one of the largest and most data-intensive sectors of the digital economy. European privacy regulators are now signaling that the industry's rapid technological evolution must be matched by equally mature approaches to data protection.

The Cybersecurity and Infrastructure Security Agency on Wednesday issued Binding Operational Directive 26-04, requiring federal civilian agencies to prioritize security updates according to risk rather than treating vulnerabilities as a largely uniform backlog of technical debt.

The regulatory reckoning for Coupang has become considerably more expensive. South Korea's Personal Information Protection Commission (PIPC) has imposed penalties totaling $455 million (624.6 billion won) against the e-commerce giant following a data breach that exposed the personal information of roughly 37.5 million users, according to BBC reporting. The sanctions represent the largest privacy-related penalty ever issued in South Korea.