Iran has always been a formidable cyber threat to the United States, but after the war in Iran commenced, the attacks are coming frequently and in full force. According to the Joint Cybersecurity Advisory issued on April 7, 2026, by the FBI, CISA, NSA, EPA, DOE, and Cyber Command, Iranian-based hackers are targeting operational technology devices connected to the internet, including programmable logic controllers (PLCs). The Advisory notes that the PLC disruptions have been seen “across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data…resulting in operational disruption and financial loss.”

The Advisory states that U.S. organizations “should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.”

If your organization is considered critical infrastructure, it is crucial to review the Advisory, including the indicators of compromise and mitigation techniques.

Critical infrastructure operators at the water treatment plant in Minot, North Dakota, were forced to resort to manual processes when the plant’s Supervisory Control and Data Acquisition (SCADA) system became inoperable as a result of a March 14, 2026, ransomware attack. The attackers are unidentified, but the attack comes in the wake of the war in Iran, and both Iran and China are known to lead cyber-attacks against water utilities, which often have vulnerabilities that make them easy targets. Last month, the Water Information Sharing and Analysis Center, along with information sharing organizations for the auto, aviation, food, health, IT, national defense, oil and natural energy, and retail and hospitality industries, issued a Joint Advisory to their members, including water facilities, warning them of increased cyberattacks from Iranian hackers, as well as physical attacks against critical infrastructure entities. The warning concluded by stating that “the threat environment is likely to remain highly volatile.”

Minot’s water system provides water to approximately 80,000 users. Although the water supply and quality were not affected by the attack, operators were required to manually read gauges for 16 hours while they uninstalled the compromised SCADA system. It has taken Minot over two weeks to spin up a new server.  

Since water facilities are a target for nation state cyber actors, the state of New York recently introduced cybersecurity standards for both drinking and wastewater treatment facilities. Other states will hopefully follow suit so the water supply and quality available will be less vulnerable to attack.

Critical infrastructure operators should be aware of the heightened risk, prepare for an attack, and test their incident response processes through a cybersecurity tabletop exercise that is designed to address a shutdown, so processes can be improved and services restored as efficiently as possible. We all depend on the basic necessities of food, water, electricity, and access to financial services, all of which could be downed by an attack and dramatically impact our lives. We depend on critical infrastructure operators to have measures in place to prevent and mitigate the effects of an attack.

Minnesota Governor Tim Walz issued an emergency executive order on April 7, 2026, dispatching the Minnesota National Guard after Winona County requested assistance following a cyber attack disrupting its “critical systems and digital services.” The attack occurred on April 6, 2026, and is “significantly impairing the county’s ability to deliver vital emergency and municipal services.”

The attackers are currently unknown, but the attack is further evidence of the increased threat of cyber-attacks following the war in Iran, which is the subject of a Joint Advisory issued by federal government agencies warning government agencies and critical infrastructure to prepare for and prevent cyber-attacks during the war in Iran.

Despite a two-week cease fire, Iran has always been a formidable cyber adversary, and it is anticipated that the cyber-attacks will continue as normal.

While California’s wiretapping statute, the California Invasion of Privacy Act (CIPA), tends to dominate the conversation about the recent rise in wiretapping litigation, plaintiffs are also turning to other states’ wiretapping laws to target web tracking and session-replay tools. The U.S. Court of Appeals for the Third Circuit recently held that a website visitor could not pursue a Pennsylvania wiretapping claim in federal court because she did not allege a concrete enough injury to satisfy Article III of the U.S. Constitution. The case, Popa v. Harriet Carter Gifts, Inc., involves claims against a retailer, Harriet Carter, and its marketing-services provider, over alleged tracking of the plaintiff’s activity while she browsed the retailer’s website.

Article III standing is the threshold requirement to be in federal court, and it means that a plaintiff must show they were personally harmed in a concrete way, not just that a statute may have been violated. If a plaintiff cannot show a concrete injury, a federal court lacks power to decide the case. In Popa, the standing question was shaped by the Third Circuit’s earlier decision in Cook v. GameStop, Inc. 148 F.4th 153, 157 (3d Cir. 2025). There, the court held that routine website interactions, such as moving a mouse, clicking, using a search function, or adding items to a cart, do not by themselves amount to a sufficiently concrete injury for federal standing when the plaintiff did not enter sensitive or personal information during the session.

Applying that approach, the Popa panel noted that the plaintiff conceded she did not suffer an Article III injury, and the court therefore could not reach the merits of her Pennsylvania Wiretapping and Electronic Surveillance Control Act claims. Before this appeal, and prior to the Cook decision, the federal trial court had granted summary judgment to the defendants, ending the case in their favor without a trial. Because the federal courts lacked jurisdiction, the Third Circuit vacated the prior federal summary judgment ruling and instructed the district court to send the case back to state court.

For companies dealing with website-tracking claims, Popa is a reminder that in the Third Circuit, federal jurisdiction may hinge on what the user actually did on the site and whether the alleged tracking plausibly involved capturing sensitive or personal inputs, as opposed to ordinary browsing. That puts renewed focus on understanding what data a website and its vendors collect at each step of the user journey and aligning disclosures and consent mechanisms with how the technology works. And even when a case cannot stay in federal court, Popa highlights that a dispute may simply continue in state court, where the litigation may turn less on constitutional standing and more on the state statute’s scope and the specific facts of the implementation.

California Governor Gavin Newsom issued a new executive order aimed at tightening California’s procurement rules for artificial intelligence (AI) vendors and “raising the bar” for companies that want to sell AI tools to the state. The administration says the goal is to ensure contractors meet strong standards and can demonstrate responsible policies that prevent misuse, while protecting users’ safety and privacy. The announcement also frames California’s approach as a contrast to recent federal contracting “missteps,” emphasizing that AI adopted by the state should not enable bad actors to exploit data, undermine security, or violate civil rights. 

Practically, the order directs the Government Operations Agency to develop a plan for updated contracting processes and best practices that vet companies based in part on how they attest to and explain safeguards addressing key risks, including exploitation or distribution of illegal content, biased model behavior or lack of bias prevention technology, and violations of civil rights and free speech in AI tools. It also allows the state to separate its procurement authorization process for AI tools from the federal government (when needed). In addition, the governor directs the California Department of Technology to develop recommendations and best practices for watermarking AI-generated images or manipulated video consistent with state law.

The order is not only about restrictions—it also commits California to expanding generative AI use to improve public services, including a new AI-directed tool intended to help Californians navigate programs and benefits by life events, like starting a business or finding a job. Alongside that service-delivery push, the state plans a statewide engagement effort through the Engaged California program to gather input on how AI may impact the workforce, signaling that California wants both stronger guardrails and a clearer public mandate as AI adoption accelerates.

The Federal Bureau of Investigation (FBI) recently released a FLASH warning highlighting malicious cyber activity conducted by threat actors operating on behalf of Iran’s Ministry of Intelligence and Security. According to the FBI, these threat actors are using Telegram as a command-and-control infrastructure to push malware “targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world.” The FLASH was released “to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise” in light of the “elevated geopolitical climate of the Middle East and current conflict.”  

The FLASH is designed to warn network defenders, and the public, of continued malicious cyber activity by Iranian-backed cyber actors, and provides the tactics, techniques, and procedures used in this malware campaign.

The FBI notes that the threat actors use Signal to deploy various malware versions to infect machines running Windows operating systems and “could be used to target any individual of interest to Iran.”

According to the FLASH, the threat actors used social engineering to masquerade as commonly used programs or services on Windows machines. After compromise, they then “connected the infected machine to Telegram command and control bots that enabled remote user access to exfiltrate screen captures or files from the victim devices.” The threat actors include Handala Hack, which claimed responsibility for the Stryker attack. Handala Hack is also linked to another entity known as “Homeland Justice.”

Iranian-backed hackers continue to pose a threat to all companies because they leverage legitimate messaging apps like Telegram (through no fault of its own) to deliver payloads. If you or your company uses Telegram, or another messaging app, it is imperative to understand how these legitimate tools are used maliciously by threat actors. Follow the FBI’s guidelines and educate your users about this increased risk.

A new class action in the U.S. District Court for the Northern District of California alleges that Ace Hardware tracked users’ online activity through third-party tools before users could make meaningful choices through cookie consent tools, and that it continued even after users took steps to opt out. The plaintiffs claim that the Ace Hardware website intercepted browsing data before consent choices could be made, promised opt-out control but did not honor it, and used multiple third-party tools to collect detailed activity. Specifically, the complaint alleges tools from Google Analytics, Bazaarvoice, and other companies were used to collect information such as search terms, product views, and device identifiers.

In plain terms, the lawsuit frames the issue as a mismatch between what users were told about their privacy choices and what allegedly happened behind the scenes. While the lawsuit focuses on Ace Hardware’s website practices, it also reflects the broader scrutiny of third-party analytics and marketing tools, especially where consent mechanisms are alleged to be ineffective or misleading.

Even when companies believe they have implemented standard consent banners, plaintiffs increasingly focus on what the underlying scripts actually do in real time. This case is a reminder that privacy risk often turns on implementation details, not policy language. Companies should pressure-test consent flows against what tags and pixels actually transmit, including on first page load and after opt-out selections. Aligning disclosures, consent settings, and real-time script behavior is increasingly where litigation exposure is won or lost.

On March 20, 2026, Oklahoma Governor Kevin Stitt signed into law Enrolled Senate Bill No. 546, a comprehensive privacy law that will go into effect on January 1, 2027—this makes Oklahoma the 21st state to enact a comprehensive privacy law. The bill follows the common model used in many state privacy statutes: it grants consumers baseline privacy rights, requires opt-outs for targeted advertising and certain disclosures, and expects companies to document and manage higher-risk processing.

In general, the law applies to a controller or processor that does business in Oklahoma, or targets Oklahoma residents, and that, during a calendar year, either controls or processes personal data of at least 100,000 consumers, or controls/processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Consumers have rights to access and confirm processing, correct inaccuracies, delete personal data (including data “provided by or obtained about” the consumer), obtain portable data the consumer provided, and opt out of targeted advertising, the sale of personal data, and certain profiling with significant effects.

“Sale” is the exchange of personal data for monetary consideration, with carve-outs including disclosures to processors, for requested services, and to affiliates. Notably, this is narrower than laws in states that include “valuable consideration” in the definition of sale. “Sensitive data” includes precise geolocation, biometric data used for unique identification, and known children’s data, and generally requires opt-in consent.

The statute also calls for data minimization and reasonable security, required privacy notice disclosures (including clear disclosure of sale/targeted advertising, where applicable), and data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and certain profiling/high-risk processing. It will be enforced by the Attorney General, includes a 30-day cure process, and provides no private right of action. Companies should use the lead time to confirm applicability and operationalize opt-outs, consent, consumer requests, vendor controls, and assessments.

Mandiant recently issued its M-Trends 2026 Report, a must-read for all cybersecurity professionals. The report provides several conclusions and insights, including that both nation states and run-of-the-mill financially motivated threat actors are “integrating AI to accelerate the attack lifecycle.” These threat actors are “increasingly relying on large language models (LLMs) as a strategic force multiplier to move beyond mass email campaigns toward hyper-personalized, rapport-building, social engineering.”

Speaking of social engineering, the report also highlights that threat actors are using vishing campaigns more frequently and quite successfully. Vishing now holds the number two slot in how threat actors successfully attack companies. We have seen an increase in successful vishing campaigns, and the Mandiant Report confirms that threat actors are increasingly using this attack vector over other methods. This highlights the continued need to educate employees (including customer service representatives, help desk, and human resources employees) on these tactics and to implement internal processes to address identity management.

And, of course, ransomware is as prevalent and catastrophic as ever. The report concludes that ransomware attackers are increasing the pressure on companies to pay by “systematically targeting backup infrastructure, identity services, and virtualization management planes” to limit a company’s ability to recover. Therefore, Mandiant suggests that companies prioritize these areas to give them a better posture to recover.

The Mandiant Report provides a real-world analysis of recent threats (and suggestions to mitigate them) that is useful for security professionals to assess current risks.