Fraser Sampson Raises Concerns on Police Biometrics Oversight
Professor Fraser Sampson, the Independent Commissioner for Biometrics and Surveillance Cameras, submitted a formal response to the Department for Digital, Culture, Media & Sport consultation 'Data: a new direction'. He raised serious concerns about proposals to absorb oversight of police biometric and surveillance camera powers into the Information Commissioner's Office. The consultation questions regarding these transfers appear on page 142 of the 146-page document.
Fraser Sampson Appointed Biometrics and Surveillance Camera Commissioner
The Home Secretary has appointed Fraser Sampson as the government's new independent Biometrics and Surveillance Camera Commissioner, effective 1 March 2021. This appointment consolidates the previously separate Biometrics Commissioner and Surveillance Camera Commissioner roles into a single position. The Commissioner will promote compliance with the Surveillance Camera Code and rules on police use of DNA profiles and fingerprints under the Protection of Freedoms Act 2012.
Best Practice Guidance 'Facing the Camera' on Police Use of Live Facial Recognition
The UK Surveillance Camera Commissioner has issued best practice guidance titled 'Facing the Camera' for police forces in England and Wales on the lawful deployment of Live Facial Recognition technology. This is the first guidance issued since the Court of Appeal overturned South Wales Police's use of LFR in the Bridges v South Wales Police case. The guidance helps forces understand how to deploy LFR in compliance with current legal requirements while balancing civil liberties.
Surveillance Camera Code of Practice Amendments Laid in Parliament
The Surveillance Camera Commissioner laid an updated Surveillance Camera Code of Practice before Parliament on 16 November 2021 pursuant to Section 31(3) of the Protection of Freedoms Act 2012. Subject to parliamentary approval, the updated code is due to come into effect on 12 January 2022.
DCMS Consultation on Biometric Data and Surveillance Reform
DCMS launched a consultation on reforms to the UK data protection regime. The consultation proposes legislative changes to streamline police collection, use, and retention of biometric data, and suggests merging the Biometrics Commissioner and Surveillance Camera Commissioner functions under the Information Commissioner's Office for simplified oversight.
NDG Briefing on Data Use and Access Bill
The National Data Guardian published a briefing on the Data (Use and Access) Bill as part of their statutory duty to advise on matters affecting health and care data. The document outlines NDG's views on the bill, highlighting provisions they support while identifying areas requiring further consideration. The briefing was shared with the Department of Health and Social Care and Department for Science, Innovation and Technology before being published for transparency and parliamentary support.
Co-Designed Communications on Health and Care Data Expectations
The National Data Guardian published research testing whether co-designed communications can help people understand and expect specific uses of their health and care data. Working with NHS Screening Quality Assurance Service and Population Health Management programmes, the research found that well-designed materials can successfully inform people and set accurate expectations about data use, including safeguards. The findings provide practical insights for health and care organisations on communicating transparently about data use to reduce surprise.
NDG Statement on Patient Data Reflective Practice Safeguards
The National Data Guardian published a position statement on 27 November 2025 clarifying when regulated health and social care professionals in England may access confidential patient information for reflective practice purposes. The statement establishes safeguards and limits for data access, explains the application of Caldicott Principles, and underpins NHS England guidance on using information for reflective practice published the same day.
NDG 2024-25 Work Report, Priorities Through March 2027
The National Data Guardian (NDG) published its 2024-25 annual report covering activities from April 2024 to March 2025. The report accounts for the work of Dr Nicola Byrne and her office in advising on health and social care data use. The NDG also outlines priority work areas through the conclusion of Dr Byrne's term on 31 March 2027.
Survey Findings on Barriers to Direct Care Information Sharing
The National Data Guardian (NDG) published a survey report on barriers to health and care professionals sharing information to support direct care. Commissioned in late 2019, the online survey aimed to understand perceived obstacles to appropriate information sharing. The report includes four recommendations for educational initiatives to improve direct care information sharing practices.
International Survey of Public Opinion on AI Safety
The Centre for Data Ethics and Innovation commissioned Deltapoll to conduct international research on public opinion towards AI safety ahead of the UK's AI Safety Summit 2023. Respondents from nine countries expressed widespread support for AI safety testing, with 76% agreement in the UK and Singapore, and 62% in the UK supporting government-backed AI safety institutes.
Public Attitudes to Data and AI: Tracker Survey Wave 3
The CDEI and Department for Science, Innovation and Technology published Wave 3 of the Public Attitudes Tracker Survey, monitoring how UK public attitudes towards data and AI vary over time. The survey includes an infographic of key findings and weighted data tables. No compliance obligations or regulatory requirements are created by this publication.
CDEI Rebranded as Responsible Technology Adoption Unit
The UK Centre for Data Ethics and Innovation (CDEI) has been renamed the Responsible Technology Adoption Unit (RTA). The name change reflects the directorate's evolving role in supporting responsible AI adoption across public and private sectors under the Department for Science, Innovation and Technology.
Ethics, Transparency and Accountability Framework for Automated Decision-Making
The UK Centre for Data Ethics and Innovation, alongside the Department for Science, Innovation and Technology, Cabinet Office, and Office for Artificial Intelligence, published a 7-point Ethics, Transparency and Accountability Framework for Automated Decision-Making. The framework provides guidance for public sector organisations on using automated or algorithmic decision-making systems safely, sustainably and ethically. An accompanying Risk Potential Assessment Form helps teams evaluate possible risks of automated or algorithmic decisions.
Fairness Innovation Challenge: Up to £400,000 for AI Bias Solutions
The UK Department for Science, Innovation and Technology, through the Centre for Data Ethics and Innovation, has launched the Fairness Innovation Challenge offering up to £400,000 in government investment to UK companies. The competition will fund up to three solutions with individual awards of up to £130,000 each, focusing on innovative approaches to tackle bias and discrimination in AI systems, with initial focus on healthcare and other real-world use cases. Submissions close on 13 December 2024.
Advisory on Risks Associated with Frontier AI Models
The Cyber Security Agency of Singapore (CSA) has published an advisory warning organisations about cybersecurity risks associated with frontier AI models. These advanced AI systems can reportedly reduce the time to identify vulnerabilities and engineer exploits from months to hours. While no misuse has been observed, CSA outlines immediate and long-term mitigation measures for organisations to strengthen their security posture.
Multiple Microsoft CVEs Allow Code Execution, Elevation
CERT-FR issued advisory CERTFR-2026-AVI-0445 notifying of 22 Microsoft security vulnerabilities affecting products including Microsoft Defender, Microsoft Dynamics 365, Microsoft HPC Pack, Microsoft Power Apps, Microsoft SharePoint (multiple versions), Microsoft SQL Server (2016-2025), and Microsoft Visual Studio. Affected systems risk data confidentiality breaches, security policy bypass, remote code execution, denial of service, and privilege elevation. Microsoft has released patches and updates to address these vulnerabilities.
Multiple Vulnerabilities in Tenable Identity Exposure Versions Prior to 3.77.17
CERT-FR has published a security advisory regarding 18 vulnerabilities discovered in Tenable Identity Exposure, affecting versions prior to 3.77.17. The vulnerabilities include privilege escalation, remote denial of service, data confidentiality breaches, data integrity compromise, and security policy bypass. Affected organizations are advised to consult the vendor security bulletin and apply available patches.
Python CPython Remote Denial of Service Vulnerability
CERT-FR issued a security advisory regarding a remote denial of service vulnerability in Python CPython. The vulnerability (CVE-2026-5713) affects CPython versions without the latest security patch. Organizations using affected Python installations are at risk of remote denial of service attacks.
Adobe Product Vulnerabilities Allow Remote Code Execution, DoS, Security Bypass
CERT-FR issued advisory CERTFR-2026-AVI-0438 warning of multiple critical vulnerabilities in Adobe products. Affected products include Acrobat 2024, Acrobat DC, Acrobat Reader DC, ColdFusion 2023, and ColdFusion 2025 on Windows and macOS. The vulnerabilities allow remote code execution, remote denial of service, and security policy bypass. ANSSI references Adobe security bulletins APSB26-38 and APSB26-44.
Multiple Vulnerabilities in Ivanti Neurons (XSS and Security Bypass)
CERT-FR published a security advisory concerning two vulnerabilities (CVE-2026-4913 and CVE-2026-4914) in Ivanti Neurons for ITSM versions prior to 2025.4. The flaws allow remote indirect code injection (XSS) and a security policy bypass. Organizations using this software should check their version and apply the patches available through the Ivanti security bulletin of 14 April 2026.
Multiple Fortinet Vulnerabilities Allow Code Execution
CERT-FR published advisory CERTFR-2026-AVI-0440 covering 29 vulnerabilities across multiple Fortinet product lines, including FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiSandbox, FortiClientEMS, and others. Affected products span versions 7.x through 7.6.x and earlier, exposing systems to risks including remote code execution, data confidentiality and integrity breaches, SSRF, XSS, SQL injection, denial of service, and privilege escalation. Fortinet published corresponding security bulletins FG-IR-26-100 through FG-IR-26-127 between April 14-15, 2026.
Multiple Microsoft Office Vulnerabilities Allow Remote Code Execution, Data Breach
CERT-FR published security advisory CERTFR-2026-AVI-0441 alerting organizations to 12 critical vulnerabilities in Microsoft Office products including Excel, PowerPoint, Office 2016/2019/LTSC 2021/2024, and Office Online Server. The vulnerabilities allow remote code execution and data confidentiality breaches. Users are advised to apply Microsoft's security patches immediately.
Multiple Windows Vulnerabilities Enable Code Execution, Privilege Escalation
CERT-FR issued advisory CERTFR-2026-AVI-0442 alerting to 51 vulnerabilities in Microsoft Windows. Affected CVEs include CVE-2023-20585, CVE-2026-0390, and multiple others from CVE-2026-26151 through CVE-2026-27914. The vulnerabilities enable remote code execution and privilege escalation. Microsoft released security bulletins on April 14, 2026. Organizations running affected Windows systems are advised to apply patches immediately.
Multiple .NET Vulnerabilities Allow DoS and Security Bypass
CERT-FR issued advisory CERTFR-2026-AVI-0443 alerting that six vulnerabilities (CVE-2026-23666, CVE-2026-26171, CVE-2026-32178, CVE-2026-32203, CVE-2026-32226, CVE-2026-33116) were discovered in Microsoft .NET affecting versions 8.0, 9.0, and 10.0 on Linux, Mac OS, and Windows, as well as multiple .NET Framework versions. These vulnerabilities allow remote attackers to cause denial of service and bypass security policies. Affected organizations should apply patches per Microsoft security bulletins.
Multiple Azure Vulnerabilities Allow Privilege Escalation
CERT-FR issued advisory CERTFR-2026-AVI-0444 alerting organizations to multiple privilege escalation vulnerabilities in Microsoft Azure. Five CVEs (CVE-2026-32167, CVE-2026-32168, CVE-2026-32171, CVE-2026-32176, CVE-2026-32192) were disclosed in Microsoft Azure security bulletins on April 14, 2026. Affected systems include Azure Logic Apps and Azure Monitor Agent versions prior to 1.35.9 and 1.41.0. Organizations are advised to consult Microsoft security bulletins for patch availability.
Newsletter N. 546: Eni Fine 96K Euro, FAQ, Email Access, FaceBoarding
Garante per la protezione dei dati personali published Newsletter No. 546 covering multiple decisions. The authority fined Eni 96,000 euros for GDPR violations related to workplace email access and data protection practices. The newsletter also addresses employee email access after employment termination, the FaceBoarding biometric system at Milano Linate airport being non-compliant with GDPR, and approval of the AscoltaMi service for the Ministry of Education and Merit (MIM).
CISA Adds CVE-2009-0238 and CVE-2026-32201 to Known Exploited Vulnerabilities Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. CVE-2009-0238 is a Microsoft Office Remote Code Execution vulnerability and CVE-2026-32201 is a Microsoft SharePoint Server Improper Input Validation vulnerability. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities pursuant to Binding Operational Directive 22-01.
Composer Multiple Vulnerabilities Allow Remote Code Execution
CERT-Bund published security advisory WID-SEC-2026-1128 disclosing multiple vulnerabilities in Open Source Composer (versions below 2.9.6 and 2.2.27 LTS) that allow remote attackers to execute arbitrary code. The CVSS Base Score is 8.8 (high) and the Temporal Score is 7.7 (high). Mitigation measures are available.
Synology DiskStation Manager Multiple Vulnerabilities CVSS 8.0
CERT-Bund published security advisory WID-SEC-2026-1125 disclosing multiple vulnerabilities in Synology DiskStation Manager (DSM) with a CVSS Base Score of 8.0 (high) and Temporal Score of 7.0 (high). Remote exploitation is confirmed. Affected versions include DSM <7.3.2-86009-2, <7.2.2-72806-7, and <7.2.1-69057-10. The vulnerabilities allow attackers to bypass security measures, manipulate data, disclose confidential information, or cause denial of service.
Dell PowerProtect Data Domain OS Critical Vulnerabilities
CERT-Bund issued security advisory WID-SEC-2026-1118 warning of multiple critical vulnerabilities in Dell PowerProtect Data Domain OS with CVSS Base Score 8.8 (High). Affected versions include OS builds prior to 8.7.0.0, 8.7.0.1, 8.3.1.30, 7.13.1.70, 8.6.0.0, 8.3.1.20, and 7.13.1.60. Remote attackers can exploit these flaws to execute arbitrary code with root privileges, escalate privileges to administrator level, bypass security controls, manipulate data, or disclose confidential information.
Keycloak Cross-Site Scripting Vulnerability CVSS 6.9 (Medium)
CERT-Bund has published a security advisory regarding a Cross-Site Scripting (XSS) vulnerability in Keycloak, an open-source identity and access management platform. The vulnerability has a CVSS Base Score of 6.9 (Medium) and CVSS Temporal Score of 6.3 (Medium). A remote, authenticated attacker can exploit this vulnerability to conduct XSS attacks. Affected systems run Keycloak on Linux and UNIX operating systems.
Adobe ColdFusion Critical Flaws Allow Code Execution
CERT-Bund published security advisory WID-SEC-2026-1110 alerting to multiple critical vulnerabilities in Adobe ColdFusion 2023 (prior to Update 19) and Adobe ColdFusion 2025 (prior to Update 7). The vulnerabilities carry a CVSS Base Score of 9.3 (critical) and temporal score of 8.1 (high). An unauthenticated remote attacker can exploit these flaws to execute arbitrary code, bypass security controls, disclose information, and conduct denial of service attacks. Mitigation measures are available.
WID-SEC-2026-1103: Critical Microsoft SQL Server Vulnerabilities Allow Code Execution and Privilege Elevation
CERT-Bund issued security advisory WID-SEC-2026-1103 warning of multiple critical vulnerabilities in Microsoft SQL Server 2016, 2017, 2019, and 2022. The flaws carry a CVSS Base Score of 8.8 (high) and a Temporal Score of 7.7 (high). Attackers can exploit these vulnerabilities remotely to execute arbitrary code and escalate privileges. Mitigations are available.
Critical Microsoft Windows Multiple Vulnerabilities CVSS 9.8
CERT-Bund issued advisory WID-SEC-2026-1104 detailing multiple critical vulnerabilities in Microsoft Windows products with a CVSS Base Score of 9.8 (critical) and Temporal Score of 8.5 (high). Affected products include Windows Server 2012 through 2025, Windows 10 versions 1607 through 22H2, and Windows 11 versions 23H2 through 26H1, along with Microsoft Windows Admin Center. An attacker could exploit these vulnerabilities to achieve remote code execution, privilege escalation, information disclosure, security feature bypass, and denial of service.
Adobe Acrobat DC, Reader Multiple Vulnerabilities, CVSS 8.6
CVE-2009-0238: Microsoft Excel Remote Code Execution Vulnerability
CISA added CVE-2009-0238 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Microsoft Office Excel versions 2000 SP3 through 2007 SP1, Excel Viewer 2003, Compatibility Pack for Office 2007 formats, and Excel for Mac 2004 and 2008. The vulnerability allows remote code execution via crafted Excel documents and was actively exploited in February 2009 by Trojan.Mdropper.AC. CISA's SSVC assessment rates exploitation as active with total technical impact.
Microsoft SharePoint Spoofing Vulnerability, CVSS 6.5 Medium
CISA added CVE-2026-32201 to the Known Exploited Vulnerabilities catalog on April 14, 2026. The vulnerability is an improper input validation flaw in Microsoft Office SharePoint (versions prior to 16.0.5548.1003, 16.0.10417.20114, and 16.0.19725.20210) that allows unauthorized attackers to perform spoofing over a network. SSVC analysis rates exploitation as 'active' and 'automatable' with partial technical impact. A vendor patch is available via Microsoft Update Guide.
California Cybersecurity Audit Rule: Class Action Discovery and Privilege Implications
The California Privacy Protection Agency's cybersecurity audit rule took effect Jan. 1, 2026, requiring covered businesses to conduct annual audits covering 18 technical and organizational components and submit written certification to the agency. The rule, the first of its kind among state data privacy laws of general applicability, may generate substantial compliance efforts and create discoverable evidence in data breach class action litigation.
Nicholas H. Safford & Co., Inc. Data Breach Notice to Consumers
The Vermont Attorney General posted a data breach notice from Nicholas H. Safford & Co., Inc. informing consumers of a security incident involving personal information. The company published the notice as required under Vermont's security breach notification law. Consumers are advised to review the full notice for details on the compromised data and recommended protective actions.
Legend Senior Living Data Breach Notice to Vermont Consumers
Legend Senior Living, LLC filed a data breach notice with the Vermont Attorney General's Office on April 10, 2026, informing Vermont consumers of a security incident involving personal information. The notice, published on the AG's Security Breach Notices page, provides affected consumers with details about the breach and recommended protective measures. No specific breach date, type of data compromised, or number of affected individuals was stated in the source document.
David Evans Enterprises Data Breach Notice to Consumers
The Vermont Attorney General's Office posted a data breach notice regarding David Evans Enterprises, Inc. on April 10, 2026. The notice informs Vermont consumers about a security incident involving unauthorized access to personal information. Affected consumers should review the full notice for specific details about the breach and recommended protective measures.
Buena Vista Management Services Data Breach Notice to Consumers
The Vermont Attorney General's Office published a data breach notice from Buena Vista Management Services, LLC on April 10, 2026, informing consumers of a security incident involving unauthorized access to personal information. The notice advises affected Vermont consumers of the breach and provides information regarding the nature of the incident. This notification fulfills the company's obligations under Vermont's data breach notification law.
OneDigital Investment Advisors data breach notice posted 8th Apr
Adrian Jules LTD Data Breach Notice to Consumers
Adrian Jules LTD filed a data breach notice with the Vermont Attorney General's Office on April 8, 2026. The notice informs consumers about a security incident involving unauthorized access to personal information. The company is providing details about the breach and recommended actions for affected individuals.
SDI Management LLC Data Breach Notice to Consumers
The Vermont Attorney General posted a data breach notification from SDI Management LLC on April 9, 2026. The notice alerts consumers that their personal information may have been compromised in a security incident. Affected consumers should review the full notice for information about the breach and recommended protective steps.
TruView BSI, LLC Data Breach Notice to Consumers
TruView BSI, LLC submitted a data breach notification to the Vermont Attorney General's Office on April 8, 2026. The notice advises Vermont consumers who may be affected by the breach to review the attached PDF for details on the incident and recommended next steps.
Microsoft April 2026 Patches Address Multiple Vulnerabilities
CSA Singapore issued an alert on 15 April 2026 notifying that Microsoft released security patches addressing multiple vulnerabilities across its software products. The alert lists 11 vulnerabilities with CVSS base scores ranging from 7.5 to 9.8, including critical remote code execution vulnerabilities affecting Windows IKE extensions, Go compiler, SWIG, Remote Desktop Client, Microsoft Office, TCP/IP, and Active Directory. CSA recommends organizations apply the patches immediately.
EDPB DPIA Template Public Consultation
The European Data Protection Board (EDPB) has opened a public consultation on its Data Protection Impact Assessment (DPIA) Template, running from 14 April 2026 until 9 June 2026. The template aims to provide a harmonized approach for DPIAs across EU member states. After the consultation closes, DPAs will begin adopting this template as their unique or 'meta-template'.
CPython Multiple Vulnerabilities Allow Security Bypass and Data Manipulation
CERT-Bund issued security advisory WID-SEC-2026-1087 disclosing multiple vulnerabilities in CPython versions prior to 3.15.0. The vulnerabilities carry a CVSS Base Score of 7.4 (high) and enable remote attackers to bypass security mechanisms and manipulate data. Affected platforms include Linux, UNIX, Windows, and Fedora Linux.
Kubernetes CSI Driver SMB File Manipulation Vulnerability CVE CVSS 6.5
CERT-Bund issued a security advisory regarding a vulnerability in Open Source Kubernetes CSI Driver for SMB versions prior to 1.20.1. The flaw, with a CVSS Base Score of 6.5 (medium), allows a remote authenticated attacker to manipulate files. Organizations running affected Kubernetes deployments on Linux and UNIX systems should apply mitigations or update to version 1.20.1 or later.
ABB 800xA CI868 and Symphony Melody PM877 Denial of Service Vulnerability
CERT-Bund issued a security advisory regarding a denial of service vulnerability in ABB industrial control systems 800xA and Symphony Melody. The vulnerability (CVSS Base Score 6.5) affects the CI868 module for AC800M and PM877 for Symphony Melody Plus MR when specific version thresholds are met. An attacker from an adjacent network could exploit this vulnerability to cause service disruption. Mitigation measures are available from ABB.
Siemens Industrial Edge Management Security Bypass Vulnerability
CERT-Bund issued a security advisory warning of a vulnerability in Siemens Industrial Edge Management (CVSS Base Score 4.7/medium) that allows a remote, anonymous attacker to bypass security measures. Affected versions include Siemens Industrial Edge Management Pro prior to 1.15.17 and 2.1.1, and Virtual prior to 2.8.0. Organizations using these products should review mitigations.
GNU tar Vulnerability Allows Security Bypass - CVSS 5.0 Medium
CERT-Bund issued security advisory WID-SEC-2026-1057 regarding a vulnerability in GNU tar that allows a local attacker to bypass security measures. The vulnerability carries a CVSS Base Score of 5.0 (medium) and Temporal Score of 4.6 (medium). Remote attack is not possible. Affected systems include Linux, UNIX, and Windows operating systems.
BigBlueButton Multiple Vulnerabilities Allow Data Manipulation and Redirect Attacks
CERT-Bund published security advisory WID-SEC-2026-1084 identifying multiple vulnerabilities in BigBlueButton open-source web conferencing system versions prior to 3.0.24. The vulnerabilities carry a CVSS Base Score of 6.5 (medium) and Temporal Score of 5.7 (medium). Remote attackers can exploit these flaws to manipulate data and redirect users to attacker-controlled domains. Organizations running affected BigBlueButton installations should apply mitigations.
QEMU Vulnerability, CVSS 7.8, Allows Disclosure, DoS
SingCERT Security Bulletin Summarizes NIST Vulnerability Database
The Cyber Security Agency of Singapore (CSA) SingCERT published a security bulletin summarizing critical vulnerabilities from NIST's National Vulnerability Database. The bulletin categorizes CVEs by CVSSv3 base scores, listing vulnerabilities scoring 9.0-10.0 (Critical), 7.0-8.9 (High), 4.0-6.9 (Medium), and 0.1-3.9 (Low). Critical vulnerabilities include Axios prototype pollution (CVE-2026-40175, score 10.0), Sonicverse SSRF (CVE-2026-40089, score 9.9), SAP SQL injection (CVE-2026-27681, score 9.9), Axios proxy bypass (CVE-2025-62718, score 9.9), and PraisonAI sandbox escape (CVE-2026-39888, score 9.9).
Contractor Sentenced to 10 Years for $1.4M Home Remodeling Fraud
A Denver District Court judge sentenced Avi Schwalb to 10 years in the Colorado Department of Corrections for a home remodeling contractor fraud scheme that stole over $1.4 million from homeowners. In February 2026, a jury found Schwalb guilty on all 47 felony charges including theft, money laundering, and violating Colorado's organized crime law. The investigation covered work conducted from July 2021 to December 2024.