Bitcoin Depot 8-K cybersecurity incident disclosure
Bitcoin Depot Inc. filed Form 8-K Item 1.05 disclosing a material cybersecurity incident discovered on March 23, 2026. An unauthorized party accessed company IT systems and transferred approximately 50.903 Bitcoin (valued at $3.665 million) from company-controlled wallets without authorization. The company engaged cybersecurity experts and law enforcement, contained the incident to its corporate environment, and has not identified evidence of customer PII exfiltration. Investigation and remediation efforts remain ongoing.
Bitcoin Depot Cybersecurity Incident Disclosure (Form 8-K Item 1.05)
Bitcoin Depot filed a Form 8-K Item 1.05 disclosure with the SEC reporting a material cybersecurity incident. The filing describes the nature of the incident, the date of discovery, and its scope. As a publicly traded company, Bitcoin Depot is subject to the SEC's cybersecurity disclosure rules, under which an Item 1.05 Form 8-K must be filed within four business days of the company determining that an incident is material.
CVE-2026-1340 Ivanti EPMM Code Injection Vulnerability Added to KEV Catalog
CISA added CVE-2026-1340, an Ivanti Endpoint Manager Mobile (EPMM) code injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability poses significant risk as a frequent attack vector for malicious cyber actors targeting federal enterprises. Federal Civilian Executive Branch agencies are required to remediate vulnerabilities identified in the KEV Catalog pursuant to BOD 22-01.
Northamptonshire Police FOI Complaint Upheld - Fresh Response Ordered
The ICO issued a Decision Notice finding Northamptonshire Police partially non-compliant with Freedom of Information Act obligations. The police must issue a fresh response to Q5 of the complainant's request regarding Developed Vetting information, either confirming/denying whether information is held and disclosing it or issuing a compliant refusal notice under section 17. The ICO dismissed the challenge regarding Q4 where section 21 exemption was correctly applied.
Staffordshire Police FOI Request - Fresh Response Ordered
The ICO upheld a complaint against Staffordshire Police under the Freedom of Information Act 2000. The ICO found that the force failed to conduct adequate searches for information requested by a complainant who sought specific correspondence. The ICO has ordered Staffordshire Police to issue a fresh response following proper searches aimed at identifying all information within scope.
UK Export Finance EIR Commercial Interests Exemption Decision
The Information Commissioner's Office issued a Decision Notice in case IC-403066-Y4P3 regarding a complaint against UK Export Finance. The complainant requested information about project financing, and UK Export Finance withheld certain information citing regulation 12(5)(e) of the Environmental Information Regulations (confidentiality of commercial or industrial information). The ICO determined that UK Export Finance correctly applied the commercial interests exception, and no further action is required.
Cheltenham Borough Council - Information Not Held (EIR 12(4)(a))
The ICO issued a Decision Notice finding that Cheltenham Borough Council did not act incorrectly in refusing an Environmental Information Regulations request for details about a potential loan for the Minster Exchange development project. The Commissioner determined that on the balance of probabilities, the requested information is not held by the council, allowing it to rely on regulation 12(4)(a) to refuse the request.
Hackney Council EIR Procedural Breaches Decision
The ICO issued a Decision Notice against London Borough of Hackney Council finding breaches of the Environmental Information Regulations. The Council failed to issue proper refusal notices under regulation 14(2) and failed to conduct internal reviews under regulation 11(2) when handling a request about the Future Shoreditch Area Action Plan. While the Council's reliance on regulation 12(4)(b) to refuse the request was upheld as valid, procedural failures constitute regulatory breaches.
London Borough of Redbridge - Councillor Property FOIA Decision
The ICO issued a Decision Notice regarding a Freedom of Information complaint against the London Borough of Redbridge. The ICO upheld the council's refusal to disclose addresses of rental properties owned by a former councillor under section 44(1)(a) (statutory prohibition). However, the ICO determined the council incorrectly withheld related correspondence under section 40(2) (personal data), meaning that material must now be disclosed.
London Borough of Waltham Forest - FOIA Section 10 Breach
The ICO upheld a complaint against London Borough of Waltham Forest for failing to respond to a Freedom of Information request within the statutory 20-working-day timeframe, in breach of section 10 of FOIA. The authority must now provide a substantive response to the request and comply with its statutory obligations.
Carmarthenshire Council, EIR 5(2) breach, statutory response failure
DAERA Fish Kill Protocol Withheld - Internal Review Timeliness Breach
The ICO issued a decision finding that DAERA was entitled to withhold a fish kill protocol under EIR 12(5)(g) (environmental protection) and EIR 13 (personal data). However, the ICO found that DAERA breached EIR 11(4) by not completing its internal review within the required timeframe. No further steps were required.
Cabinet Office FOI Complaint Not Upheld - No Information Held
The Information Commissioner's Office investigated a Freedom of Information complaint against the Cabinet Office regarding a request for information about 'smashed gangs'. The Cabinet Office stated it did not hold information within scope of the request. The ICO upheld this position, finding no further steps required as the Cabinet Office's response complied with its obligations.
Met Police NCND Deceased Nazi, Security Exemption Upheld
The ICO issued a Decision Notice upholding the Metropolitan Police Service's refusal to confirm or deny holding information about a deceased Nazi sympathiser under FOIA section 23(5) (security bodies). The ICO found the MPS correctly applied the neither-confirm-nor-deny response, protecting sensitive national security and law enforcement information from disclosure.
Department for the Economy - EIR 14 Procedural Breach Finding
The ICO issued a Decision Notice finding that the Department for the Economy breached regulation 14(3) of the Environmental Information Regulations by failing to specify the exception(s) applied in its initial refusal notice. The Department was entitled to withhold commercial interests information under EIR 12(5)(e). No remedial steps are required.
HMT Labour Together FOIA Request Not Upheld
The ICO issued a decision notice finding that HM Treasury (HMT) did not violate FOIA by stating it does not hold information about meetings between HMT officials and Labour Together. However, the ICO found that HMT breached section 10(1) of FOIA by failing to respond to the request within the statutory 20 working days, as clarification was not sought until 16 January 2025 for a request made on 7 November 2024. The ICO requires no remedial steps to be taken.
FOI complaint - Council breached section 17
The ICO issued a Decision Notice against Blackburn with Darwen Borough Council finding a breach of FOIA section 17 for failing to issue a timely refusal notice within 20 working days. The council was entitled to withhold information under section 40(2) but failed proper procedure. No further steps required.
Cheshire East Council, procurement bids withheld, FOI 43(2) not upheld
BBC FOI Request for Celebrity Salaries Not Upheld
The Information Commissioner's Office issued a decision notice finding in favour of the BBC regarding a Freedom of Information Act request for celebrity salaries from the 2025 series of The Celebrity Traitors. The ICO determined that any salary information held by the BBC would be exempt from disclosure as it was held for journalism, art, or literature purposes. The ICO upheld the BBC's position and requires no remedial action.
Brent EIR Complaint Dismissed Over Bobby Moore Bridge
The Information Commissioner's Office dismissed a complaint against London Borough of Brent regarding an Environmental Information Regulations request. The complainant sought information about the awarding of an advertising contract concerning the Bobby Moore Bridge. The ICO found that the council was entitled to withhold the information under regulation 12(4)(e) (internal communications exception) and that the public interest favoured maintaining the exception. No further action is required from the council.
EIR Complaint Against Croydon Council Upheld
The ICO has upheld a complaint under the Environmental Information Regulations against London Borough of Croydon. The Council failed to respond to an information request within the statutory 20 working day period. The ICO requires the Council to provide a response to the complainant within 30 calendar days of the decision.
Windows privilege escalation, NT AUTHORITY\SYSTEM access, unpatched
Apache Cassandra Multiple Vulnerabilities - Privilege Escalation, Information Disclosure, DoS
CERT-Bund issued a security advisory warning of multiple vulnerabilities in Apache Cassandra database systems with a CVSS Base Score of 8.8. The flaws affect versions prior to 4.1.11, 5.0.7, and 4.0.20 across Linux, Windows, and UNIX platforms. Attackers can exploit these vulnerabilities to achieve privilege escalation, disclose information, and execute denial-of-service attacks.
DROP Audits Preliminary Comment Period - Data Broker Regulations
The California Privacy Protection Agency (CPPA) announced preliminary rulemaking activities regarding Delete Request and Opt-out Platform (DROP) audits for data brokers under CalPrivacy. The agency is accepting preliminary written comments through May 7, 2026 at 5:00 PM PT to inform potential future regulations. Comments received are public records and may be included in future rulemaking packages.
Chile's LPDP Impacts Mergers and Acquisitions Analysis
Deloitte Legal analyzed Chile's Ley 21.719 on Personal Data Protection (LPDP), effective Dec. 1, 2026, and its implications for M&A transactions. The LPDP introduces maximum fines of 20,000 UTM (approximately USD 1.6 million) and establishes the Personal Data Protection Agency with investigative and corrective powers. The analysis draws parallels to GDPR's structural impact on European capital markets, noting that inadequate data handling in target companies can reduce acquisition prices by hundreds of millions of dollars.
CFM Resolution 2.454/2026 AI Governance Standards for Brazilian Medicine
CFM Resolution 2.454/2026 establishes AI governance standards for medical practice in Brazil.
Buenos Aires Decree 97/26 Promotes AI in Public Sector
Marval, O'Farrell & Mairal analyzed Buenos Aires Decree 97/26, which promotes AI adoption across the public sector of the Ciudad Autónoma de Buenos Aires. The decree positions AI as a strategic tool for administrative efficiency, public service delivery, and digital transformation, citing existing implementations in education including teacher training programs and student access initiatives.
HPE Aruba Private 5G Core - Security Policy Bypass Vulnerability
CERT-FR issued a security advisory warning of a vulnerability (CVE-2026-23818) in HPE Aruba Networking Private 5G Core versions prior to 1.25.3.1. The flaw allows attackers to bypass security policies. Organizations using the affected product must apply patches referenced in HPE security bulletin HPESBNW05032.
Multiple Vulnerabilities in OpenSSL - CERT-FR Advisory 2026-AVI-0403
CERT-FR issued an advisory alerting organizations to multiple critical vulnerabilities in OpenSSL affecting versions 1.0.2 through 3.6.x. Seven CVEs were identified including CVE-2026-28386 through CVE-2026-28390 and CVE-2026-31789-CVE-2026-31790. The vulnerabilities enable remote code execution, denial of service, and data confidentiality breaches. Organizations running affected OpenSSL versions must apply vendor patches immediately.
Multiple Vulnerabilities in Microsoft Products
CERT-FR issued an advisory warning of 14 vulnerabilities across Microsoft products, spanning CVE-2026-33936 through CVE-2026-35177 and disclosed between March 29 and April 8, 2026. The vulnerabilities affect multiple Microsoft products and could allow remote code execution, privilege escalation, or information disclosure. Affected organizations are advised to consult Microsoft Security Response Center bulletins and apply available patches immediately.
Vulnerability in Moxa Products - Privilege Escalation and Remote DoS
CERT-FR issued a security advisory (CERTFR-2026-AVI-0405) alerting organizations to multiple vulnerabilities affecting 15 series of Moxa industrial computing and networking devices running Windows 7, 10, or 11. The vulnerabilities allow privilege escalation, remote denial of service, data integrity compromise, confidentiality breaches, and security policy bypass. Affected products include BXP-A100, BXP-A101, BXP-C100, DA-680, DA-681C, DA-682C, DA-720, DA-820C, DA-820E, DRP-A100, DRP-C100, EXPC-F2120W, EXPC-F2150W, MC-1100, and MC-1200 series.
Multiple Vulnerabilities in Mozilla Products
CERT-FR published security advisory CERTFR-2026-AVI-0404 alerting to multiple remote code execution vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird. Firefox ESR versions before 115.34.1 and 140.9.1, Firefox before 149.0.2, and Thunderbird versions before 140.9.1 and 149.0.2 are affected. Five CVEs are referenced including CVE-2026-5731 through CVE-2026-5735.
SingCERT Security Bulletin: Critical Vulnerabilities Week of 8 April 2026
The Cyber Security Agency of Singapore (CSA) through SingCERT issued its weekly Security Bulletin for 8 April 2026, summarizing critical and high-severity vulnerabilities from NIST's National Vulnerability Database (NVD). The bulletin catalogs multiple CVEs with CVSS scores of 10.0, affecting Microsoft Azure services, ChurchCRM, Dgraph, SandboxJS, Juju, and Samsung Exynos processors. Organizations are advised to review affected products and apply available patches.
CISA ICS-CERT STIX Threat Data - ICS and Enterprise Attack Patterns
CISA published a STIX bundle (AA26-097A) containing structured threat intelligence data with attack patterns for Industrial Control Systems (ICS) and enterprise environments. The bundle includes MITRE ATT&CK mapped techniques covering initial access, command and control, data manipulation, and impact vectors relevant to both ICS and enterprise networks.
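A STIX 2.1 bundle of the kind described above is JSON: attack-pattern objects carry the ATT&CK technique ID in their external_references, and indicator objects carry a STIX pattern string. The following Python script, an added example written for this page rather than CISA's tooling, pulls both out so the techniques can feed a detection-coverage review and the observables can feed a SIEM lookup. The bundle it parses is constructed to follow the STIX 2.1 layout; it is not the content of AA26-097A, and its object IDs, IP address, domain and hash are placeholders.

```python
"""Extract ATT&CK technique IDs and observables from a STIX 2.1 JSON bundle.

Added example written for this page, not CISA's tooling. The bundle below is
constructed to follow the STIX 2.1 bundle layout; it is not the content of
AA26-097A, and its IDs, IP address, domain and hash are placeholders.
"""
import json
import re
from collections import defaultdict

# source_name values MITRE uses for the three ATT&CK matrices.
ATTACK_SOURCES = {"mitre-attack": "Enterprise", "mitre-ics-attack": "ICS",
                  "mitre-mobile-attack": "Mobile"}
TECH_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")          # T1190, T1059.001, T0886
# One comparison inside a STIX pattern: [object-type:path = 'value']
OBSERVABLE_RE = re.compile(r"\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'\]")

SAMPLE_BUNDLE = json.dumps({  # constructed sample, not AA26-097A
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--0a1b2c3d-0000-4000-8000-000000000002",
         "name": "Exploit Public-Facing Application",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1190",
                                  "url": "https://attack.mitre.org/techniques/T1190"}]},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--0a1b2c3d-0000-4000-8000-000000000003",
         "name": "Remote System Discovery",
         "kill_chain_phases": [{"kill_chain_name": "mitre-ics-attack", "phase_name": "discovery"}],
         "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0846",
                                  "url": "https://attack.mitre.org/techniques/T0846"}]},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--0a1b2c3d-0000-4000-8000-000000000004",
         "name": "Vendor write-up without an ATT&CK mapping",
         "external_references": [{"source_name": "vendor-blog", "url": "https://example.com/post"}]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2026-04-07T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5'] OR [domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000006",
         "pattern_type": "stix", "valid_from": "2026-04-07T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    ],
})


def load_bundle(text):
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX 2.x bundle")
    return bundle


def attack_techniques(bundle):
    """One entry per attack-pattern that carries a valid MITRE ATT&CK external_id.
    Objects without such a reference are skipped rather than guessed at."""
    techniques = []
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        tactics = [p.get("phase_name") for p in obj.get("kill_chain_phases", [])]
        for ref in obj.get("external_references", []):
            source, tid = ref.get("source_name"), ref.get("external_id", "")
            if source in ATTACK_SOURCES and TECH_ID_RE.match(tid):
                techniques.append({"id": tid, "name": obj.get("name", ""),
                                   "matrix": ATTACK_SOURCES[source], "tactics": tactics})
    return techniques


def techniques_by_tactic(techniques):
    """Group technique IDs by tactic, the view a detection-coverage review needs."""
    grouped = defaultdict(list)
    for t in techniques:
        for tactic in t["tactics"] or ["unmapped"]:
            grouped[tactic].append(t["id"])
    return dict(grouped)


def indicator_observables(bundle):
    """Flatten STIX patterns into (object type, property path, value) tuples for SIEM lookups."""
    observables = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for otype, path, value in OBSERVABLE_RE.findall(obj.get("pattern", "")):
            observables.append((otype, path.replace("'", ""), value))
    return observables


if __name__ == "__main__":
    b = load_bundle(SAMPLE_BUNDLE)
    print(techniques_by_tactic(attack_techniques(b)))
    for otype, path, value in indicator_observables(b):
        print(f"{otype}:{path} = {value}")
```

The observable regex handles the simple equality comparisons CISA bundles typically contain; patterns using other operators (MATCHES, ISSUBSET, temporal qualifiers) are left for a full STIX pattern library.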
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued a joint cybersecurity advisory on April 7, 2026 warning that Iranian-affiliated APT actors are actively exploiting internet-facing OT devices, including Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs), across U.S. critical infrastructure. The advisory covers the Water and Wastewater Systems and Energy sectors, providing TTPs, IOCs, and specific mitigations including removing PLCs from direct internet exposure and monitoring OT-specific ports.
Iranian APT Actors Exploit Rockwell PLCs Across US Critical Infrastructure
CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued a joint advisory warning that Iran-affiliated APT actors are conducting active exploitation of internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers across U.S. critical infrastructure. The advisory documents malicious interactions with PLC project files and manipulation of HMI and SCADA displays causing operational disruptions and financial losses in Water, Energy, and Government Services sectors. Agencies recommend immediate review of provided IOCs and implementation of specific mitigations including network isolation of OT devices.
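Both entries above turn on the same condition: a PLC's industrial protocol port reachable from the Internet. As an added example written for this page (not code from CISA or the other agencies), the Python script below runs that check over perimeter firewall logs, flagging allowed connections from non-internal sources to EtherNet/IP and Modbus ports and counting attempts per PLC so that denied scans still reveal which devices are being probed. The key=value log format and the internal address ranges are assumptions to adapt to your own firewall and plant addressing; the log lines are constructed, and the external addresses are RFC 5737 documentation ranges standing in for Internet sources.

```python
"""Flag OT protocol access reaching PLCs from outside the plant network.

Added example written for this page; it is not code from the joint advisory.
The key=value firewall log format is an assumption, and the sample lines are
constructed (RFC 5737 documentation addresses stand in for Internet sources).
"""
import ipaddress
import re
from collections import defaultdict

# OT ports worth watching at the perimeter. 44818/tcp is EtherNet/IP explicit
# messaging (Rockwell/Allen-Bradley CIP), 2222 is CIP implicit I/O, 502 is Modbus/TCP.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP-IO", 502: "Modbus/TCP"}

# Assumption: the plant uses RFC 1918 space; everything else counts as external.
# Listed explicitly rather than via ipaddress.is_private so the documentation
# ranges in the sample are treated as Internet sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2026-04-07T01:12:03Z action=allow proto=tcp src=203.0.113.17 spt=51234 dst=10.20.30.5 dpt=44818
2026-04-07T01:12:04Z action=allow proto=tcp src=10.20.30.40 spt=40011 dst=10.20.30.5 dpt=44818
2026-04-07T01:12:09Z action=allow proto=tcp src=198.51.100.8 spt=60001 dst=10.20.30.6 dpt=502
2026-04-07T01:13:10Z action=deny proto=tcp src=203.0.113.17 spt=51240 dst=10.20.30.5 dpt=2222
2026-04-07T01:13:11Z action=allow proto=tcp src=203.0.113.17 spt=51241 dst=10.20.30.5 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def is_external(ip):
    """True when the source is not in an internal range, i.e. an Internet-facing path exists."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ot(log_text):
    """Return (alerts, attempts).

    alerts:   allowed connections from external sources to OT ports (the PLC is
              reachable from the Internet, the condition the advisory warns about).
    attempts: external connection attempts per PLC, allowed or denied, so that
              denied scans still show which devices are being probed.
    """
    alerts, attempts = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in OT_PORTS or not is_external(rec["src"]):
            continue
        attempts[rec["dst"]] += 1
        if rec["action"] == "allow":
            alerts.append({
                "time": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "port": rec["dpt"], "service": OT_PORTS[rec["dpt"]],
            })
    return alerts, dict(attempts)


if __name__ == "__main__":
    found, probes = find_exposed_ot(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['time']} {a['src']} -> {a['dst']}:{a['port']} ({a['service']}) allowed")
    print("external attempts per PLC:", probes)
```

On the sample, the two allowed connections from documentation addresses to 44818 and 502 produce alerts, the denied probe of 2222 only increments the attempt count, and the internal-to-internal EtherNet/IP session and the HTTPS connection are ignored. Any alert here means the advisory's first mitigation, removing the PLC from direct Internet exposure, has not been applied.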
High-Severity CVSS 8.8 Vulnerabilities Expose SQL Credentials in Mitsubishi Electric GENESIS64 and ICONICS Suite
CISA ICS-CERT issued advisory ICSA-26-097-01 disclosing two high-severity vulnerabilities (CVE-2025-14815, CVE-2025-14816), each rated CVSS 8.8, in Mitsubishi Electric GENESIS64 and ICONICS Suite products affecting versions 10.97.3 and below. The vulnerabilities stem from cleartext storage of SQL Server credentials in local SQLite cache files, potentially allowing local attackers to obtain plaintext credentials and access, tamper with, or destroy data.
STIX XML Indicators of Compromise for Threat Intelligence
CISA ICS-CERT published STIX XML indicators of compromise (IOCs) for threat intelligence purposes. The advisory includes structured XML data containing malicious indicators that organizations can use to detect and identify potential cyber threats targeting industrial control systems and critical infrastructure. These IOCs are designed for integration with security monitoring tools, SIEM systems, and threat intelligence platforms.
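Integrating such a feed means parsing STIX 1.x XML (CybOX observables nested inside Indicator elements) and validating what comes out before it reaches a block-list. The following Python script is an added example written for this page, not CISA's code: it walks a package by local element name so namespace prefixes do not matter, pulls address and domain observables, rejects unparseable addresses, and defangs values for reports. The package it parses is constructed in the STIX 1.2 / CybOX 2 layout; its address and domain are RFC 5737 / RFC 2606 documentation values, not real indicators.

```python
"""Turn a STIX 1.x XML IOC package into validated, SIEM-ready indicators.

Added example written for this page, not CISA's code. The package below is a
constructed STIX 1.2 / CybOX 2 document; the address and domain are RFC 5737 /
RFC 2606 documentation values, not real indicators.
"""
import ipaddress
import xml.etree.ElementTree as ET  # for feeds you do not control, prefer defusedxml.ElementTree

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

SAMPLE_STIX_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 address</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Object id="example:Object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">203.0.113.5</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 domain</indicator:Title>
      <indicator:Observable id="example:Observable-2">
        <cybox:Object id="example:Object-2">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value condition="Equals">c2.example.net</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Title>Malformed entry that must not reach the SIEM</indicator:Title>
      <indicator:Observable id="example:Observable-3">
        <cybox:Object id="example:Object-3">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value condition="Equals">203.0.113.999</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag so matching survives prefix changes."""
    return tag.rsplit("}", 1)[-1]


def extract_iocs(xml_text):
    """Return {"type", "value", "indicator_id", "title"} dicts for address and domain
    observables; addresses are validated so a feed typo cannot poison a block-list."""
    root = ET.fromstring(xml_text)
    iocs = []
    for ind in root.iter():
        if local(ind.tag) != "Indicator":
            continue
        title = next((e.text or "" for e in ind.iter() if local(e.tag) == "Title"), "")
        for props in ind.iter():
            if local(props.tag) != "Properties":
                continue
            xsi_type = props.get(XSI_TYPE, "")
            for child in props:
                value = (child.text or "").strip()
                if not value:
                    continue
                if local(child.tag) == "Address_Value" and props.get("category", "ipv4-addr") in ("ipv4-addr", "ipv6-addr"):
                    try:
                        ipaddress.ip_address(value)
                    except ValueError:
                        continue  # not a parseable IP: skip rather than ship garbage
                    iocs.append({"type": props.get("category", "ipv4-addr"), "value": value,
                                 "indicator_id": ind.get("id"), "title": title})
                elif local(child.tag) == "Value" and xsi_type.endswith("DomainNameObjectType"):
                    iocs.append({"type": "domain", "value": value.lower().rstrip("."),
                                 "indicator_id": ind.get("id"), "title": title})
    return iocs


def defang(value):
    # Render an indicator so it cannot be clicked or auto-resolved in reports.
    return value.replace(".", "[.]").replace("http", "hxxp")


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_STIX_XML):
        print(f"{ioc['type']:10} {defang(ioc['value']):24} {ioc['indicator_id']}  {ioc['title']}")
```

The third indicator in the sample carries an impossible octet and is dropped, which is the behaviour you want before values are pushed into a firewall or SIEM watch-list. For untrusted feeds, swap the stdlib parser for defusedxml to rule out entity-expansion tricks.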
CNPD Attends IAPP Global Summit 2026 Washington DC
The Luxembourg data protection authority (CNPD) announced its participation in the IAPP Global Summit 2026 held in Washington, DC from March 30 to April 2, 2026. CNPD President Tine A. Larsen represented Luxembourg at the gathering, which convened 42 data protection authorities, US privacy officials, federal representatives, Congressional members, and FTC commissioners. The summit addressed data protection priorities, the US legislative agenda, and international cooperation frameworks.
Multiple vulnerabilities in GLPI - RCE, SQL injection, XSS
CERT-FR issued a security advisory alerting organizations to multiple critical vulnerabilities in GLPI, an IT asset management and helpdesk software. The vulnerabilities affect GLPI versions 11.0.x prior to 11.0.6 and versions prior to 10.0.24, enabling remote code execution, SQL injection, and cross-site scripting attacks. Five CVEs are referenced: CVE-2026-25932, CVE-2026-26026, CVE-2026-26027, CVE-2026-26263, and CVE-2026-29047. Organizations using affected GLPI versions should apply vendor-provided patches immediately.
FortiClientEMS Vulnerability CVE-2026-35616 Actively Exploited
CERT-FR issued advisory CERTFR-2026-AVI-0400 warning of active exploitation of CVE-2026-35616 in Fortinet FortiClientEMS. The vulnerability allows remote code execution, privilege escalation, and security policy bypass on affected 7.4.x releases up to and including 7.4.5. Organizations running vulnerable FortiClientEMS deployments are urged to apply patches immediately.
Multiple Vulnerabilities in Google Android - Denial of Service
CERT-FR issued security advisory CERTFR-2026-AVI-0399 alerting to multiple vulnerabilities in Google Android. The vulnerabilities affect Android 14, 15, 16, and 16-qpr2 releases that lack the patches Google released on April 6, 2026, and could allow attackers to cause denial of service conditions. The advisory references CVE-2025-48651 and CVE-2026-0049.
Samsung Android Multiple Critical Vulnerabilities CVSS 9.8
CERT-Bund issued a critical security advisory regarding multiple vulnerabilities in Samsung Android OS versions prior to SMR-APR-2026. The vulnerabilities carry a CVSS Base Score of 9.8 (critical) and enable remote attackers to escalate privileges, bypass security measures, disclose information, and manipulate files. Organizations and consumers using affected Samsung Android devices face immediate risk of exploitation.
CUPS Vulnerability Allows Code Execution with Administrator Rights
CERT-Bund issued a security advisory regarding a vulnerability in CUPS (Common Unix Printing System) that allows local attackers to execute arbitrary code with administrator privileges. The vulnerability has a CVSS Base Score of 5.2 (medium) and affects multiple operating systems including Linux, UNIX, and Windows. Organizations using CUPS should assess their exposure and apply available patches or workarounds.
Google Android Multiple Vulnerabilities CVSS 7.3
CERT-Bund issued a security advisory warning of multiple vulnerabilities in Google Android with a CVSS Base Score of 7.3 (high severity) and Temporal Score of 6.4 (medium). The vulnerabilities affect Android devices with security patch levels prior to April 1, 2026 and April 5, 2026. Remote attackers can exploit these flaws to conduct unspecified attacks and denial of service attacks against affected devices.
Red Hat Enterprise Linux crun Privilege Escalation Vulnerability, CVSS 7.8
CERT-Bund issued a security advisory regarding a high-severity vulnerability (CVSS 7.8) in the crun container runtime shipped with Red Hat Enterprise Linux. The flaw allows local attackers to escalate privileges on affected systems. RHEL 9 and RHEL 10 builds without the fix are affected. System administrators should apply available mitigations or updates immediately.
Avahi DoS Vulnerability Advisory - CVSS 5.5 Medium Severity
CERT-Bund issued advisory WID-SEC-2026-0975 regarding a denial of service vulnerability in Avahi, an open-source network service discovery implementation for Linux/UNIX systems. The vulnerability (CVSS Base Score 5.5, Temporal Score 5.0) allows a local attacker to crash the Avahi service, impacting system availability. Affected products include Open Source avahi versions prior to 0.9-rc4. Organizations running vulnerable Avahi installations should apply patches immediately.
Keycloak Information Disclosure Vulnerability (CVSS 3.7)
CERT-Bund issued a security advisory (WID-SEC-2026-0970) reporting an information disclosure vulnerability in Keycloak, an open-source identity and access management platform. The vulnerability carries a CVSS Base Score of 3.7 (low severity) and allows remote anonymous attackers to potentially expose sensitive information. Affected systems include Keycloak deployments running on Linux and UNIX operating systems.
IBM Maximo Asset Management DoS Vulnerability - CVSS 5.3
CERT-Bund published security advisory WID-SEC-2026-0965 disclosing a Denial of Service vulnerability in IBM Maximo Asset Management versions prior to 7.6.1.3 IF037. The vulnerability carries a CVSS Base Score of 5.3 (medium) and a Temporal Score of 4.6. Remote anonymous attackers can exploit this flaw to conduct DoS attacks against affected installations running on Linux, UNIX, or Windows systems.
RHEL fontforge Remote Code Execution Vulnerability - CVSS 8.8
CERT-Bund issued a security advisory regarding a high-severity vulnerability (CVSS 8.8) in the fontforge component of Red Hat Enterprise Linux, affecting RHEL 9, RHEL 10, and RHEL Extended Update Support 9.6 builds without the fix. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code on affected systems. Organizations running affected RHEL distributions should apply available mitigations or patches immediately.
FasterXML Jackson Vulnerability - Security Bypass (CVSS 7.5)
CERT-Bund issued a security advisory regarding a vulnerability in FasterXML Jackson versions 3.0.0 through 3.1.0. The vulnerability, with a CVSS Base Score of 7.5, allows remote anonymous attackers to bypass security measures in the JSON processing library. Affected platforms include Linux, Windows, UNIX, and other operating systems running Java applications that utilize the library.