news
CISA Advances CIRCIA Reporting Rule Toward 2026 Deadline
The U.S. Cybersecurity and Infrastructure Security Agency’s CIRCIA cyber incident reporting rule remains unfinished after more than 4 years of statutory, regulatory and industry debate, leaving critical infrastructure operators preparing for mandatory reports of covered cyber incidents within 72 hours and ransom payments within 24 hours once the final rule takes effect. CISA’s Spring 2025…
EU Cyber Resilience Act 2026 Reporting Deadline
The EU Cyber Resilience Act will make software and connected-product manufacturers report actively exploited vulnerabilities and severe product security incidents from September 11, 2026, giving software makers a binding notification regime before the broader product security rules apply on December 11, 2027. The law, Regulation (EU) 2024/2847, applies to hardware and software products with digital…
CMMC 2.0 Becomes A Contract Test For Defense Contractors
CMMC 2.0 is now a contract requirement for many U.S. defense contractors after the Department of Defense finalized the DFARS rule that lets contracting officers put Cybersecurity Maturity Model Certification requirements directly into solicitations, contracts, task orders and delivery orders starting November 10, 2025. The rule changes CMMC from a long-running compliance planning issue into…
California CCPA Cybersecurity Audit Deadline In 2026
California’s new CCPA cybersecurity audit rules took effect on January 1, 2026, giving covered businesses a phased path toward annual cybersecurity audits and executive certifications that begin in 2028. The California Privacy Protection Agency finalized the rules in 2025 after a multi-year rulemaking process, making cybersecurity audits a central privacy compliance duty for companies that…
HIPAA Security Rule Update Targets May 2026 Final Rule
The U.S. Department of Health and Human Services is preparing a sweeping overhaul of the HIPAA Security Rule, with a final rule expected in May 2026, marking the most significant update to healthcare cybersecurity requirements in over two decades and introducing mandatory controls for protecting electronic protected health information.
Why HIPAA Security Rule Changes Target May…
Anthropic Source Code Leak Unleashes Massive Chaos
Anthropic accidentally exposed internal source code for Claude Code on March 31, 2026, after a public npm release shipped a debugging source map that let outsiders reconstruct the tool’s readable TypeScript codebase. Anthropic said the incident came from human error in the release process, not a hack, and said no customer data, credentials, or model weights…
Hawk Law Group Hit by Incransom Ransomware
What Happened in the Breach
On January 31, 2026, the ransomware group Incransom (also known as INC Ransom) allegedly breached systems belonging to Hawk Law Group, a personal injury law firm based in Augusta, Georgia. Threat‑intelligence monitoring site Ransomware.live listed Hawk Law Group as a victim of Incransom with an estimated attack date of January 31…
Romania Pipeline Firm Hit With 1TB Data Breach
Romania’s national oil pipeline operator Conpet said a cyberattack hit its corporate IT infrastructure on February 3, 2026, while the Qilin ransomware group alleged it stole nearly 1TB of data and published sample files to support the claim.
What Happened in the Breach
Conpet disclosed that a cyber incident affected its business IT environment and left its…
Iron Mountain 1.4 TB Data Breach Sparks Panic
What Happened in the Breach
In early February 2026, the Everest ransomware collective published a post on its dark‑web leak site claiming to have stolen 1.4 terabytes of internal documents and client information from Iron Mountain, a U.S.‑based enterprise information‑management company. The gang said it had exfiltrated internal files and personal documents belonging to Iron Mountain’s clients…
Ivanti Data Breach Hits Dutch Data Watchdog and Judiciary
What Happened in the Breach
A newly disclosed pair of critical vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) platform enabled attackers to gain unauthorised access to mobile‑device management servers used by the Netherlands’ Autoriteit Persoonsgegevens (AP) and the Council for the Judiciary (Rvdr), exposing staff contact data. In a letter to parliament, State Secretary for Justice and…