Right To Know - August 2025, Vol. 32
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
Litigation & Enforcement:
- Contractor Sues North Carolina County After BEC Scam Diverts $1.3 Million: A North Carolina county was duped into sending approximately $1.3 million to a criminal after a scam in which the criminal pretended to be a construction contractor and requested a change in wiring instructions. According to the complaint, Lenoir County officials failed to follow county policy to properly verify the change and failed to notice obvious differences in the email from the criminal. The complaint seeks damages as well as attorneys’ fees pursuant to North Carolina law.
- Former Army Soldier Pleaded Guilty in Connection with Hacking and Extortion Scheme: A 21-year-old former U.S. Army soldier recently pleaded guilty for his role in conspiring to hack and extort ten telecommunications companies. The scheme involved a group of conspirators using a hacking tool to acquire login credentials to illegally access and steal sensitive personal information. The group then attempted to extort payment to keep the data from being sold. The hacking occurred while the former soldier was on active duty. The soldier faces the possibility of more than 20 years in prison for his role in the conspiracy when he is sentenced in October.
- Kentucky Attorney General Files Privacy Suit Against Temu: On Jul. 19th, the Kentucky Attorney General filed a lawsuit against the online shopping platform Temu. The lawsuit claims that Temu collected personally identifiable and other information from users, including minors, without their consent, including location data, WiFi networks used, the list of installed apps, and access to the audio and video recording and storage functions of a user’s phone. The lawsuit also alleges that Temu misrepresented the type and quality of goods it sells, and that it does so to increase the number of users whose data can be harvested. The lawsuit seeks penalties of up to $2 million per violation of Kentucky’s consumer protection law, disgorgement of profits, and injunctive relief.
- Arizona Woman Sentenced to Prison for Facilitating North Korean IT Worker Fraud Scheme: The U.S. Department of Justice announced that an Arizona woman was sentenced to 102 months in prison, in addition to other penalties, for helping North Korean information technology workers who fraudulently obtained remote information technology positions at more than 300 U.S. companies. The workers stole the identities of U.S. citizens and laundered the money that they were paid. The defendant operated a “laptop farm” where she received and hosted computers from the U.S. companies at her home to make it appear that the work was being performed in the U.S. She also received IT workers’ wages through direct deposit from U.S. companies into her U.S. financial accounts and transferred the proceeds to individuals overseas. As noted below in this issue of Right To Know, the Federal Bureau of Investigation has separately issued warnings about these kinds of schemes.
Industry Updates:
- China-Based Group Begins Exploiting SharePoint Compromise to Deploy Ransomware: According to a Microsoft release, Microsoft is starting to see a Chinese threat actor, dubbed Storm-2603, using CVE-2025-49706 and CVE-2025-49704 (the SharePoint CVEs) to deploy ransomware on victim systems. According to Microsoft, this threat actor has used both the Warlock and LockBit ransomware variants in previous operations and is now using the Warlock variant. Microsoft specifically says that it does not know what the objectives of Storm-2603 are, raising the possibility that the ransomware deployment is an effort to conceal the group’s true motivations.
Regulatory:
- Trump Administration Releases AI Action Plan: On Jul. 23rd, the Trump Administration unveiled its AI Action Plan, which sets the Administration’s overarching priorities for AI and also provides some more specific goals for individual Federal agencies. The Plan frames AI development as vital to unlocking American prosperity in the future and as a technological race, akin to the space race during the Cold War. For additional information, see Clark Hill’s Client Alert regarding the AI Action Plan.
- FBI Issues Updated Alert on North Korean Remote IT Worker Threats to U.S. Businesses: On Jul. 23rd, the FBI issued an updated Alert about North Korean information technology workers stealing the identities of U.S. citizens, fraudulently obtaining remote IT jobs at over 300 U.S. companies, and laundering the money that they were paid. The scheme evades sanctions on North Korea and threatens the security of the U.S. companies. It uses knowing and unwitting U.S.-based individuals to provide a U.S.-based location for companies to send devices and to circumvent controls intended to prevent unauthorized access to company networks. The FBI provides tips to protect against the scheme, including scrutinizing identity verification documents, verifying prior employment and education, requiring in-person meetings, capturing images of individuals, analyzing payment methods, shipping work-related materials only to the address on identification documents, exercising caution with contracted IT workers hired by third-party companies, and contacting your local FBI office’s Private Sector Coordinator.
- OCR Settles HIPAA Ransomware Investigation with Syracuse ASC: On Jul. 23rd, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a significant settlement with Syracuse ASC, LLC (Specialty Surgery Center of Central New York) for potential violations of HIPAA’s Security and Breach Notification Rules. Syracuse ASC, a single-facility ambulatory surgery center in Liverpool, New York, faced OCR scrutiny following a ransomware breach affecting 24,891 individuals. The investigation revealed Syracuse ASC’s failure to conduct a required risk analysis and timely notify affected parties, exposing vulnerabilities in its ePHI security. As part of the resolution, Syracuse ASC agreed to a $250,000 settlement and must implement a comprehensive corrective action plan monitored by OCR for two years.
- U.S. Government Agencies Warn of Cyber Threats to Key Infrastructure After Iranian Bombing: CISA, in connection with the FBI, the Department of Defense Cyber Crime Center, and the NSA, warned that key infrastructure organizations should remain vigilant against Iranian-affiliated cyber actors who may target U.S. devices and networks following the U.S. bombing of Iranian nuclear facilities. While no activity traceable to Iran had been observed, the agencies warned that such attacks were possible and that vigilance was necessary (particularly for those entities working in key infrastructure positions).
State Action:
- California Privacy Protection Agency Adopts Changes to Cybersecurity Audit Rule: The California Privacy Protection Agency (CPPA) adopted proposed modifications to regulations adopted under the California Privacy Rights Act (CPRA) that require annual cybersecurity audits for businesses that collect personal information and process it in a manner that poses a risk to an individual’s privacy. The new rule defines “reasonable” cybersecurity practices, something already required to be in place, to include multi-factor authentication (MFA), access controls, data encryption in transit and at rest, and several other types of controls and safeguards. California is one of several states that require reasonable cybersecurity measures to protect personal information, but with the new rule changes, it has taken a step further by providing a framework for what “reasonable” includes. The changes also help define when a business is required to conduct the annual audits. Such audits must be conducted by an external entity or by an internal party with sufficient independence to exercise impartial and objective judgment on all issues. If an internal party is used, that party must report directly to a member of executive management who does not have oversight of the business’s cybersecurity program.
- Connecticut’s First Public Enforcement Action Under CTDPA Targets TicketNetwork: On Jul. 8th, Connecticut Attorney General William Tong announced a settlement under the Connecticut Data Privacy Act (CTDPA) with TicketNetwork, Inc. The action followed a cure notice issued in November 2023, highlighting deficiencies in TicketNetwork’s privacy practices, including an unreadable privacy policy, lack of data rights disclosures, and nonfunctional mechanisms for access, correction, and deletion. TicketNetwork allegedly failed to resolve these issues within the 60-day cure period and misrepresented compliance to the Attorney General’s office. As part of the settlement, TicketNetwork must now adhere to the CTDPA, submit regular compliance reports, and pay an $85,000 fine. This marks a shift in the Connecticut Attorney General’s office from warnings to active enforcement under the CTDPA.
International Updates:
- Britain to Ban Ransom Payments by Public Sector Bodies: Following a period of public consultation, the British Government has decided to attempt to subvert the business model of many threat actors by prohibiting payment of ransom demands. The ban would apply to public sector bodies and operators of critical national infrastructure (i.e. those covered by NIS2 across the EU). The thinking is that this would make those entities less attractive targets for criminals deploying ransomware. Entities not within scope of this outright ban would be required to provide mandatory reporting and notification of any intent to pay a ransom, with the quid pro quo being government information and support such as identifying if the recipient(s) are a sanctioned cyber criminal group.
- Intended Simplification of GDPR Welcomed by EDPB & EDPS: The European Data Protection Board (the umbrella supervisory body for data protection in the EU) and the European Data Protection Supervisor (the independent supervisor of data protection for and within EU institutions and bodies) have issued a joint opinion supporting the Proposal to simplify EU data protection rules. The proposed simplification measures include a modification to Article 30(5) GDPR (data processing records) so that it only applies to organizations with more than 750 employees (unless the processing carries a high risk to individuals’ rights and freedoms). Many have argued that the simplifications do not go far enough, particularly in light of the findings of the Draghi Report on competitiveness within the EU and how legislative burden is a very real and adverse factor for foreign direct investment into the EU.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.