Weekly Compliance & Cybersecurity Roundup: GDPR Data Access Rights, Phishing Evasion, and a Breach at a Cybersecurity Vendor
May 11, 2026
This Week in Compliance & Cybersecurity
This week’s news carries practical lessons for compliance and security teams: a high-stakes GDPR enforcement case that could reshape how companies monetize user data, a sophisticated phishing technique exploiting trusted cloud infrastructure, and a data breach at a major cybersecurity vendor that raises uncomfortable questions about supply chain risk.
GDPR Article 15 in the Spotlight: LinkedIn vs. Noyb
Privacy advocacy group Noyb has filed a complaint against LinkedIn, arguing that the platform is withholding profile visitor data from free-tier users and effectively forcing them to pay for a Premium subscription to access their own data. The legal argument rests on GDPR Article 15, which grants individuals the right to access personal data that a controller holds about them — regardless of commercial packaging.
Why this matters for your business: If Noyb’s position is upheld, it would establish a clear precedent: companies cannot place personal data access rights behind a paywall. Any SaaS platform, data broker, or enterprise software vendor that segments data access by subscription tier should review whether those tiers inadvertently restrict a data subject’s legal rights under GDPR. Compliance and legal teams should audit how their products respond to Article 15 requests and whether any premium features overlap with data subjects’ statutory entitlements. The business risk here is not just regulatory fines — it is reputational and structural, requiring potential product redesign.
Phishing Gets Harder to Catch: Amazon SES Abuse
Researchers at Kaspersky have documented a growing trend of attackers abusing Amazon Simple Email Service (SES) to send phishing emails that bypass traditional security filters. Because SES is a legitimate, high-reputation sending infrastructure, reputation-based email security tools struggle to flag these messages as malicious.
Why this matters for your business: This attack vector is particularly dangerous for organizations that rely heavily on email security gateways as a primary control. Phishing emails arriving from trusted AWS infrastructure can convincingly impersonate internal systems, vendors, or financial institutions. Security teams should:
- Review email filtering rules to go beyond sender reputation and incorporate behavioral and content-based analysis
- Ensure DMARC, DKIM, and SPF policies are fully enforced and monitored
- Update security awareness training to reflect that even emails from known cloud providers can be malicious
- Assess vendor and third-party communications for signs of compromise
For SOC 2 and ISO 27001 audits, this is worth documenting as an emerging threat in your risk register.
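The first two recommendations above (content- and alignment-based analysis instead of sender reputation alone, plus enforced SPF/DKIM/DMARC) can be illustrated with a small triage routine. This is an added example, not code from the roundup or from Kaspersky's research: it parses the standard Authentication-Results header of a message, checks whether the SPF or DKIM pass is aligned with the visible From: domain (the DMARC idea, using a simplified organizational-domain rule rather than the Public Suffix List), and adds content checks for off-domain links and urgency wording. Both messages are constructed samples; the receiving domain example.net and the link host are hypothetical.

```python
"""Alignment-aware triage of mail relayed through a high-reputation sender.

Added example, not the roundup's or Kaspersky's code. The two messages are
constructed; "example.net" is a hypothetical receiving organization. The
relay domain amazonses.com appears because the text discusses Amazon SES.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: relayed via SES, SPF/DKIM pass only for the relay domain,
# From: claims the recipient's own IT helpdesk, link points elsewhere.
SAMPLE_PHISH = """\
Return-Path: <0100018d-bounce@amazonses.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=amazonses.com;
 dmarc=fail header.from=example.net
From: IT Helpdesk <helpdesk@example.net>
To: staff@example.net
Subject: Urgent: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Verify now: https://login-example-net.invalid/reset
"""

# Constructed: also relayed via SES, but DKIM-signed by the From: domain itself.
SAMPLE_LEGIT = """\
Return-Path: <0100018d-bounce@amazonses.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=example.net;
 dmarc=pass header.from=example.net
From: Notifications <noreply@example.net>
To: staff@example.net
Subject: Your weekly report is ready
Content-Type: text/plain; charset="utf-8"

The report is available at https://reports.example.net/weekly
"""

URGENCY = re.compile(r"\b(urgent|expires?|verify now|immediately|suspended)\b", re.I)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC alignment consults the Public Suffix List; this shortcut is
    adequate for the constructed samples but not for co.uk-style suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Map spf/dkim/dmarc -> (result, domain) from an Authentication-Results value."""
    results = {}
    clauses = header.split(";", 1)[1] if ";" in header else header  # drop authserv-id
    for clause in clauses.split(";"):
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip())
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", clause)
        results[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else None)
    return results


def triage(raw: str) -> dict:
    """Return alignment status, content findings and a verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = msg["From"].addresses[0].domain.lower()
    rp = re.search(r"@([\w.-]+)", str(msg.get("Return-Path", "")))
    envelope_dom = rp.group(1).lower() if rp else None
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    spf_res, spf_dom = auth.get("spf", ("none", None))
    dkim_res, dkim_dom = auth.get("dkim", ("none", None))
    spf_aligned = bool(spf_res == "pass" and spf_dom and org_domain(spf_dom) == org_domain(from_dom))
    dkim_aligned = bool(dkim_res == "pass" and dkim_dom and org_domain(dkim_dom) == org_domain(from_dom))

    findings = []
    if not (spf_aligned or dkim_aligned):
        findings.append("no SPF/DKIM pass aligned with the From domain")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = urlparse(url).hostname or ""
        if org_domain(host) != org_domain(from_dom):
            findings.append(f"link host {host} outside From domain")
    if URGENCY.search(f"{msg.get('Subject', '')} {body}"):
        findings.append("urgency language")

    if findings and not (spf_aligned or dkim_aligned):
        verdict = "quarantine"  # unauthenticated identity plus suspicious content
    elif findings:
        verdict = "review"      # authenticated, but content merits a look
    else:
        verdict = "deliver"
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(sample))
```

The point the two samples make is that both messages arrive from the same trusted relay with SPF and DKIM passing; reputation alone cannot separate them. What does separate them is alignment: the legitimate notification carries a DKIM signature from the From: domain, while the phishing message is authenticated only as the relay. The same check is what a DMARC policy of p=quarantine or p=reject enforces at the receiving MTA, which is why the recommendation to enforce and monitor DMARC matters more than the gateway's reputation score.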
Vendor Risk Alert: Trellix Source Code Repository Breach
Cybersecurity firm Trellix disclosed that attackers gained unauthorized access to a portion of its source code repository. While the company has not confirmed the full scope of the breach, exposure of source code from a security vendor carries significant downstream risk for enterprise customers.
Why this matters for your business: This incident is a textbook example of why vendor risk management cannot be treated as a checkbox exercise. When a cybersecurity vendor is breached, the risks include:
- Exposure of vulnerabilities in the vendor’s products that attackers can exploit before patches are issued
- Potential for tampered builds or supply chain attacks if the repository compromise extended to CI/CD pipelines
- Contractual and regulatory obligations to assess whether the breach affects your own compliance posture
Organizations using Trellix products should request a formal incident disclosure, review their third-party risk assessments, and monitor for any advisories related to product integrity. For teams undergoing SOC 2 or ISO 27001 audits, this is a reminder to ensure your vendor risk program includes breach notification requirements and periodic re-assessments.
Key Takeaways for Compliance Teams This Week
- GDPR access rights are non-negotiable — review whether any product feature restricts statutory data subject rights
- Trusted infrastructure is being weaponized — update threat models and email security controls to account for SES-based phishing
- Your vendors are part of your risk surface — the Trellix breach highlights the need for active, ongoing third-party risk monitoring, not just onboarding assessments