A new report by Wired states that customer data from “more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.” According to the report, travelers’ information and booking data may have been stolen from the hotels and are being used by threat actors to launch socially engineered phishing schemes.

These scams are effective because they exploit trusted brands and impersonate legitimate guest relations professionals. Victims are contacted about travel they have booked—or plan to book—through messages that appear to come from a hotel, reservation platform or guest services team. These messages often include accurate booking details to build credibility and redirect the victim to a fake guest portal or payment verification page. The victim is told there is an issue with payment and that the booking will be cancelled in the next 24-48 hours if it is not resolved. Once redirected to the fake guest portal or payment verification page, the victim is prompted to enter their credit card information, which is transmitted directly to the threat actor. In many cases, victims do not realize they have been targeted until weeks or months later.

Here is a great summary of how the scam works if you want more information.

Tips to prevent becoming a victim include:

  • Do not respond directly to unsolicited emails, phone calls, texts, or instant messages. If you’ve received a request for additional payment or payment information, reach out to the company you booked through directly via information on their website or in your booking confirmation.
  • Watch out for pressure tactics. Legitimate businesses do not call or send text messages pressuring you to act immediately. They also will not demand payment with a different payment method from the one you used to book your reservation.
  • Secure your accounts after a breach. If you receive a notice that you were impacted by a data breach, take the time to change your passwords and check for suspicious activity, like unauthorized payments or logins. Setting up two-factor authentication can also help to better protect your accounts.

A California court just gave companies facing website tracking claims under the California Invasion of Privacy Act (CIPA) a very helpful ruling. In Blaker v. NetScout Systems, Inc., Case No. 25STCV31283 (May 27, 2026), the plaintiff claimed that NetScout violated California’s trap-and-trace law by using a software development kit (SDK) on its website that allegedly captured visitor communications without notice or consent. The court rejected that theory, finding that CIPA’s pen register and trap-and-trace provisions apply to telephone communications only, not ordinary software on a commercial website. 

That distinction matters because many recent CIPA claims try to take laws originally aimed at telephone surveillance and apply them to common website technologies, including SDKs, pixels, analytics tools, and other tracking tools. The court looked closely at the statute and found that the broader words plaintiffs often rely on, such as “addressing” and “signaling information,” have to be read alongside the statute’s more telephone-focused terms, like “originating number,” “dialing,” and “routing.” The court also pointed to related provisions that refer specifically to the “telephone line” where a pen register or trap-and-trace device would be attached, which made it hard to square the plaintiff’s website theory with the statute as a whole. Additionally, since the internet was already widely used when these provisions were enacted in 2015, the court said lawmakers could have said the law applied to commercial websites if that is what they intended. 

For businesses, this is a big decision because it gives defendants a clear, common-sense response to one of the main theories behind these CIPA website tracking cases: a website tool is not automatically the same thing as a telephone trap-and-trace device. The ruling is also notable because the court sustained NetScout’s demurrer without leave to amend, meaning the plaintiff was not given another chance to rework the complaint. This does not mean every CIPA website tracking case goes away, but it gives companies a strong new argument to push back when plaintiffs try to stretch telephone surveillance laws to cover routine website technology.

On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 5 (“the Bill”) into law, creating a broad framework for artificial intelligence oversight in the state. The Bill reaches beyond any single category of AI use and touches consumer disclosures, employment tools, AI companions, synthetic media, workforce issues, state agency AI use, and privacy-related governance. The law is relevant not only to technology companies, but also to employers and businesses in Connecticut that use AI-enabled tools in their ordinary operations.

The Bill defines “artificial intelligence” as “any machine-based system that, for any explicit or implicit objective, infers from the inputs such system receives how to generate outputs, including, but not limited to, content, decisions, predictions or recommendations, that can influence physical or virtual environments.” That broad definition may capture a wide range of tools businesses already use, including systems for hiring, customer engagement, analytics, content generation, fraud detection, personalization, and internal productivity. The Bill is a reminder that AI governance cannot be limited to high-profile AI projects. It should also include vendor tools and embedded automated features that may already be operating across the business and that could constitute AI under the statute.

The employment provisions are especially notable. The Bill regulates “automated employment-related decision technology,” defined as technology that processes personal data and uses computation to generate an output, such as a prediction, recommendation, classification, ranking, or score, that is a substantial factor used to make or materially influence an employment-related decision. Employers using these systems should pay close attention to notice obligations before covered employment decisions are made. Required notices must address the purpose of the technology, the nature of the employment decision, the trade name of the technology, the categories and sources of personal data analyzed, how the data will be assessed, and contact information for the deployer. These requirements are likely to require coordination among legal, HR, procurement, and IT teams.

Senate Bill 5 also targets AI systems that interact directly with consumers. An “artificial intelligence companion” includes AI with a natural language interface that provides adaptive, human-like responses and can sustain a relationship across multiple interactions. Operators must generally provide disclosures so users understand they are communicating with an AI companion, not a human being. Operators must also implement protocols to detect and address user expressions indicating suicide, self-harm, or imminent physical violence, including referrals to appropriate mental health resources. In doing so, Connecticut joins other states such as California, Washington, and Iowa in regulating AI chatbots and companion platforms, particularly where the technology may influence vulnerable users such as minors or blur the line between human and automated interaction.

The law further addresses AI-generated media. Covered providers of certain generative AI systems must include provenance data in audio, image, or video content created or materially altered by those systems and must use reasonable methods to make that provenance data difficult to tamper with, remove, or disassociate from the content. This requirement fits within a broader trend toward transparency obligations for AI-generated media.

The Bill establishes staggered effective dates—many provisions take effect on October 1, 2026, although key employment deployer obligations apply to covered deployments on or after October 1, 2027. AI companion requirements take effect on January 1, 2027. Businesses operating in Connecticut should begin by inventorying AI tools, mapping where personal data is processed, reviewing vendor roles, and updating AI governance before the Bill’s staggered compliance dates arrive.

If you are a Signal user, be on the alert for a new phishing campaign that attempts to steal recovery keys used to access cloud backups.

If successful, the attackers could have access to entire message archives, conversations, photos and documents shared through the Signal platform. Signal is often used for highly sensitive communications, so the threat is real and could be significant.

The attackers are using fraudulent messages impersonating Signal Support, telling users that their account data is at risk because of a synchronization problem and directing users to retrieve their backup recovery key from the Signal app and paste it into the conversation. The message tries to scare users by telling them that sharing the key is to prevent permanent data loss and creates a sense of urgency.

Signal will never ask users to share credential information and will not proactively contact users asking for passwords or recovery keys, so if you receive such a request, you should know it is malicious. Cyber Insider suggests the following tips to reduce the risk of becoming a victim of this latest scheme:

  • Never share a Signal recovery key, registration code, or PIN with anyone.
  • Treat unsolicited messages claiming to be from “Signal Support” as suspicious.
  • Verify account warnings directly within the Signal application rather than through links or instructions received in messages.
  • Enable Registration Lock and other account-protection features offered by Signal.
  • Store recovery keys and PINs securely in a password manager or offline location.
  • Consider using disappearing messages to reduce the amount of historical data available if an account is compromised.

I am a big fan of Verizon’s yearly Data Breach Investigations Report. I follow it closely, as it confirms what we are seeing in the field, and provides validation for defense strategies employed to protect against attacks. The 2026 Report was recently published, and as I have mentioned before, it is well worth reading.

At a high level, the tone is that attacks remain consistent with previous years, but threat actors are employing new methods, including the use of generative-AI-augmented malware. The message is that although there are more zero-day vulnerabilities, social engineering is increasingly successful and the speed of attacks has increased. Those defending systems know the landscape well and need to continue focusing on defending against the most common threats: system intrusion, social engineering, basic web application attacks, miscellaneous errors and privilege misuse.

The 2026 Report shows that in the last year credential abuse has decreased, which shows that users better understand how critical their credentials are in safeguarding systems. Although I have no data to back up this thought, it is logical to attribute that decrease to the increase in educating users about attacks using credentials, requiring password changes, and increasing knowledge and understanding of threat actors’ use of credentials—this is good news.

However, vulnerability exploitation rose, “now the most common initial access vector for breaches.” The 2026 Report notes that “[o]nly 26% of critical vulnerabilities…were fully remediated by organizations in 2025, a drop from the previous year’s 38%.” Further, the median time for full incident resolution went up to 43 days from 32 days, and “organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset compared to the previous year.” This means that cybersecurity professionals had to patch way more vulnerabilities than last year and weren’t able to finish the job—understandable to be sure. Nonetheless, organizations should consider strategies around addressing the increased number of vulnerabilities that need to be patched, and how to address that risk. The 2026 Report provides some sound strategies to consider.

Ransomware increased in 2025 and represented 48% of all breaches, but ransom payments declined. Significantly, “breaches with third-party involvement have increased by 60%” from last year and represented 48% of all breaches. This fact confirms how important third-party risk management is to an organization’s overall risk management program.

And then there’s the use of AI in attacks. Although the data is already dated (such as citing reports from Anthropic in November 2025 and no mention of Mythos), the message is clear that threat actors are using AI to automate and scale well-known successful past techniques to lower the barrier for more threat actors to enter the landscape and create havoc. “The more novel cases include combining or chaining together multiple stages of the attack or taking more agentic approaches to the attack, where the agent makes executive decisions about the targets.” This is now the reality that defenders need to address and, if Mythos is released publicly, the “most powerful artificial intelligence to date” poses “a serious offensive cyberweapon.” It will be interesting to see how the threat landscape changes as AI tools become more powerful and their impact on next year’s Verizon Report.

Verizon provides a robust look at the threat landscape, offers practical and useful tips on how to respond, and urges all of us to work together to combat an ever widening and more sophisticated threat landscape. As always, it is well-done, thorough and thoughtful, and very useful to readers.

On May 20, 2026, in Zelma v. Wonder Group Inc. (D.N.J. May 20, 2026), a federal court in New Jersey largely dismissed Telephone Consumer Protection Act (TCPA) claims against food-tech company Wonder Group Inc. (Wonder), holding that two bare verification-code text messages were not “telephone solicitations” or “unsolicited advertisements.”

The TCPA regulates certain calls and text messages, including telemarketing and unsolicited advertising. Here, a pro se plaintiff sued Wonder after receiving two text messages, each containing only a Wonder verification code. The plaintiff alleged that he had never heard of Wonder, had not asked for communications from the company, and had listed his cell number on federal and state do-not-call registries since 2003. He argued that the messages were not innocent authentication texts, but a way to push him toward Wonder’s website and services.

The court had previously dismissed several claims but allowed the plaintiff to amend some TCPA theories. In his amended complaint, he reasserted claims based on the National Do-Not-Call Registry and the alleged absence of opt-out language in the texts. Wonder again moved to dismiss those counts, and on May 20, the court granted the motion with prejudice.

The court’s TCPA analysis turned on a simple question: Were the verification-code texts “telephone solicitations” or “unsolicited advertisements”? The court explained that a telephone solicitation must encourage the purchase or rental of goods or services, while an unsolicited advertisement must advertise the commercial availability or quality of goods or services. Applying Third Circuit authority, the court held that the texts in this case did neither because they did not promote goods or services, identify anything for sale, or even include Wonder’s website.

The plaintiff’s “trojan horse” theory also failed. The court rejected the idea that a bare verification code could become advertising merely because the recipient might search for Wonder online afterward. That conclusion meant that the do-not-call and opt-out claims at issue required a sufficiently pleaded advertising or solicitation theory. For companies engaging in SMS marketing, the decision is useful but narrow. Authentication and verification texts may be easier to defend when they are content-neutral, contain no marketing language, and include no links or promotional cues. The opinion also reinforces that plaintiffs cannot convert every unexpected brand communication into a TCPA advertising claim without facts showing a commercial message.

A recent Third Circuit decision gives companies another strong defense point in the wave of website tracking and session replay litigation, including claims brought under the California Invasion of Privacy Act (CIPA). In Smidga v. Spirit Airlines, the plaintiffs alleged that Spirit used session replay code to record website visitors’ interactions, including text entries, clicks, and geolocation, and one plaintiff asserted a CIPA claim based on that alleged tracking. The Third Circuit affirmed dismissal because the plaintiffs failed to show a concrete privacy injury sufficient for Article III standing, relying heavily on its recent Cook v. GameStop decision involving similar session replay allegations. 

The decision is especially useful for companies because the court rejected the idea that an alleged statutory privacy violation alone automatically creates federal standing. The court emphasized that plaintiffs still must plead concrete harm, not just point to a privacy statute, and distinguished earlier data privacy cases involving allegations of deceptive tracking or disclosure of non-anonymous personal information. The court also found no close relationship to traditional privacy torts where two plaintiffs did not allege collection of personal information, the third did not allege embarrassment or humiliation, the allegedly intercepted information was anonymized, and users voluntarily entered information on the website. 

For companies defending CIPA and similar session replay cases, the decision reinforces several practical arguments: plaintiffs need more than boilerplate claims about “recording” website activity, anonymized or non-user-specific data may undercut concrete injury, and the absence of a specific privacy promise can matter. It also highlights the value of factual assertions at the jurisdictional stage, since Spirit submitted evidence that the software functions capable of collecting personal information had never been enabled and that collected data was not traceable to a specific website user. While the opinion is non-precedential, it is still a helpful signal that courts are scrutinizing standing in website tracking cases and are not treating CIPA-style allegations as an automatic ticket into federal court.

Verizon recently published its 2026 Data Breach Investigations Report, which is full of helpful information for cybersecurity professionals to implement strategies for protection of systems. For a summary, click here.

The Report notes that a whopping “67% of users are using non-corporate accounts on their corporate devices to access AI services” and “45% of employees are now considered regular users of AI (authorized or not) on their corporate devices.” Verizon’s data shows that “Shadow AI is now the third most common non-malicious insider action detected…a fourfold increase in percentage from the previous year.”

The most common type of data submitted to an external generative artificial intelligence model was company source code. In addition, the data showed that users were uploading images, structural data, and “even found research and technical documentation being uploaded to those unauthorized AI systems, which presents a risk of intellectual property exposure.”

The Verizon report reiterates the exponential growth of unauthorized use of gen AI systems, which will continue as users become more comfortable with the technology. This presents a significant data loss risk to organizations of intellectual property, proprietary and confidential information and sensitive personal information. No matter what industry, how big or small an organization is, whether for profit or not-for-profit, now is the time to address this risk and develop an AI Governance Program.

Colorado has now significantly revised its AI governance framework before the law ever takes effect. SB 26-189, approved by Governor Jared Polis on May 14, 2026, repeals and reenacts key portions of the Colorado Artificial Intelligence Act (CAIA) and reframes the law around “automated decision-making technology” (ADMT) used to materially influence consequential decisions in areas such as employment, housing, financial and lending services, insurance, health care, education, and essential government services. 

The revised law is narrower and more operational than the original version. Rather than treating every AI-adjacent business tool as a high-risk system, SB 26-189 focuses on covered ADMTs that process personal data and generate outputs such as predictions, recommendations, classifications, rankings, or scores that materially influence consequential decisions. It also excludes several low-risk or routine uses, including certain administrative, cybersecurity, fraud prevention, anti-money laundering, sanctions compliance, advertising, marketing, search, content moderation, and customer-service functions that do not materially influence covered decisions. 

For companies, the practical takeaway is that Colorado has not abandoned AI regulation, but it has moved toward a more targeted compliance model. Deployers must provide clear notice before using covered ADMTs in consequential decisions, provide post-adverse outcome information within 30 days, maintain compliance records for at least three years, and offer correction and meaningful human review rights in certain circumstances. While the original law was set to take effect next month, the amended law now takes effect on January 1, 2027, and applies to consequential decisions made on or after that date, gives the Colorado Attorney General exclusive enforcement authority, includes a conditional 60-day cure period, and confirms that the statute does not create a new private right of action. To review the amended law, click here.

As you can tell, I am obsessed with Verizon’s Data Breach Investigations Report. It is worthy of full immersion, and I am picking it apart with precision (here and here). I always spend a lot of time delving into it as it informs and confirms strategies to assist others with prevention and resilience.

One of the important findings from the Report is that 67% of users in companies are using non-corporate generative AI tools on their corporate devices for their work. This unauthorized use is “now the third most common non-malicious insider action detected in our data loss prevention data set in 2025, a fourfold increase in percentage from the previous year.”

According to the Report, users are submitting company source code, images, structured data, research and technical documentation to unauthorized generative AI tools “which presents a risk of intellectual property exposure.” 

Not only can uploading company data into unauthorized AI tools risk the loss of IP, but doing so also increases the risk of losing company proprietary or confidential information and the personal information of employees and customers. Using unauthorized AI tools with company data is called “Shadow AI” because it happens outside the visibility of your cybersecurity professionals, who are then unable to detect, monitor, and prevent the resulting data loss through their data loss prevention strategies.
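To make the detection gap concrete, here is an added example (not from this newsletter, and not Verizon’s or any vendor’s code) of the kind of triage a security team can run over web-proxy egress records to surface the two behaviors the Report describes: use of non-corporate accounts for AI services from corporate devices, and uploads of source code and documents to unsanctioned generative AI services. The log format, the corporate identity domain, the sanctioned and public AI host lists, and every sample record are constructed for illustration; a real deployment would load these lists from the organization’s own inventory and proxy.

```python
"""Triage of constructed web-proxy egress records for Shadow AI activity.

Added example for this post, not Verizon's or any product's code. Every
domain, threshold and log line below is an assumption made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Assumptions (constructed, not real infrastructure):
CORP_IDENTITY_DOMAIN = "corp.example"             # accounts the company issues
SANCTIONED_AI_HOSTS = {"assistant.corp.example"}  # the approved, governed tool
PUBLIC_AI_HOSTS = {                               # unsanctioned public services
    "chat.genai-public.example",
    "api.genai-public.example",
    "studio.imagegen.example",
}
SOURCE_CODE_SUFFIXES = (".py", ".java", ".go", ".c", ".cs", ".js", ".ts", ".sql")
UPLOAD_BYTES_THRESHOLD = 64 * 1024  # POST bodies this large count as bulk uploads


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    severity: str  # "low" | "medium" | "high"
    reason: str


def parse_record(line: str) -> Dict[str, object]:
    """Parse one constructed record of the form '<timestamp> key=value key=value ...'."""
    fields = line.split()
    record: Dict[str, object] = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    record["bytes_out"] = int(str(record.get("bytes_out", "0")))
    return record


def classify(record: Dict[str, object]) -> Optional[Finding]:
    """Map one record to a finding, or None when nothing needs attention."""
    host = (urlsplit(str(record.get("url", ""))).hostname or "").lower()
    user = str(record.get("user", "?"))
    account_domain = str(record.get("account", "")).rpartition("@")[2].lower()
    filename = str(record.get("file", "-")).lower()
    is_upload = record.get("method") == "POST" and (
        int(record["bytes_out"]) >= UPLOAD_BYTES_THRESHOLD or filename != "-"
    )

    if host in SANCTIONED_AI_HOSTS:
        # Governed tool: only flag it when a personal account bypasses the corporate identity.
        if account_domain and account_domain != CORP_IDENTITY_DOMAIN:
            return Finding(user, host, "medium", "approved AI tool used with a non-corporate account")
        return None
    if host not in PUBLIC_AI_HOSTS:
        return None  # not an AI service this example tracks
    if is_upload and filename.endswith(SOURCE_CODE_SUFFIXES):
        return Finding(user, host, "high", "source code uploaded to an unsanctioned AI service")
    if is_upload:
        return Finding(user, host, "high", "file or bulk data uploaded to an unsanctioned AI service")
    return Finding(user, host, "low", "unsanctioned AI service accessed from a corporate device")


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every non-empty record and keep the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(parse_record(line))
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by severity for a quick dashboard view."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


# Constructed sample records: one governed use, one source-code upload, one
# browse, one document upload, one personal account on the approved tool,
# and one unrelated intranet request.
SAMPLE_LOG = """\
2026-05-21T09:14:02Z user=jsmith account=jsmith@corp.example device=LT-4471 method=POST url=https://assistant.corp.example/v1/chat bytes_out=2048 file=-
2026-05-21T09:20:45Z user=jsmith account=jsmith@personalmail.example device=LT-4471 method=POST url=https://chat.genai-public.example/api/upload bytes_out=184320 file=billing_service.py
2026-05-21T10:02:11Z user=mlee account=mlee@personalmail.example device=LT-3302 method=GET url=https://chat.genai-public.example/ bytes_out=512 file=-
2026-05-21T10:05:37Z user=mlee account=mlee@personalmail.example device=LT-3302 method=POST url=https://studio.imagegen.example/generate bytes_out=921600 file=roadmap_q3.pdf
2026-05-21T11:41:09Z user=rkim account=rkim@personalmail.example device=LT-1188 method=POST url=https://assistant.corp.example/v1/chat bytes_out=1024 file=-
2026-05-21T11:50:00Z user=rkim account=rkim@corp.example device=LT-1188 method=GET url=https://intranet.corp.example/wiki bytes_out=300 file=-
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity.upper():6}] {f.user:7} {f.host:28} {f.reason}")
    print(summarize(results))
```

The design choice worth noting is that the approved tool is allowlisted by host, so a request to it with a corporate account produces nothing, while the same tool reached with a personal account is still flagged; that is exactly the visibility a governance program gives and an unapproved tool does not, because traffic to a service the organization never inventoried is invisible to controls written around the services it knows.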

If you are using an unauthorized generative AI tool for your work, you are using Shadow AI, and you are putting your company at risk. Stop using Shadow AI! If you want to use AI tools for your work, find out what tools are authorized, get trained on those authorized tools, and follow your organization’s AI Governance Program and AI Acceptable Use Program. If your company doesn’t have guidance, urge them to consider adopting a governance program. Help your organization find a tool that is safe to use and be an ambassador to prevent the use of Shadow AI by others.