Right To Know - December 2025, Vol. 36
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
Litigation & Enforcement:
- Class Certification Granted in Alexa BIPA Suit: On Nov. 19th, Judge Valderrama in the United States District Court for the Northern District of Illinois granted certification of a class of “[a]ll natural persons in Illinois for whom Amazon created a voiceprint on or after Jun. 27th, 2014.” The Court, however, found that one named plaintiff was not an adequate representative because of certain atypical facts applicable to him. The plaintiffs in the case allege that Amazon’s Alexa “collected, captured, or otherwise obtained their voiceprints” in violation of the Illinois Biometric Information Privacy Act (BIPA).
- NetChoice Survives Motion to Dismiss Lawsuit Over Maryland “Kids Code” Law: On Nov. 24th, the United States District Court for the District of Maryland denied the Maryland Attorney General’s Motion to Dismiss NetChoice’s lawsuit. NetChoice alleges that Maryland’s “Kids Code” (a law directed at protecting the privacy of children online) is unconstitutional because it violates the First Amendment of the United States Constitution, violates due process, and is preempted by the Children’s Online Privacy Protection Act and Section 230 of the federal Communications Decency Act.
- SEC Retreats From Landmark Cybersecurity Enforcement Against SolarWinds: The SEC has decided to voluntarily dismiss its enforcement action against SolarWinds. In the action, originally filed in October 2023, the SEC alleged that SolarWinds (and its then CISO Timothy G. Brown) defrauded investors by misrepresenting the company’s cybersecurity practices and failing to disclose known risks before and after the 2020 security incident. This was the first time the SEC had ever alleged that a company defrauded investors by concealing vulnerabilities. However, late last year, a federal judge in New York rejected the SEC’s attempt to impose liability under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 for failing to maintain appropriate internal accounting controls on the basis of insufficient cybersecurity controls, because the provision applies only to a company’s financial accounting systems. Nevertheless, the Court allowed limited claims concerning SolarWinds’ Security Statement to proceed. With the agency’s decision to withdraw the case, those remaining claims will not move forward, potentially signaling a retreat from the SEC’s effort to test novel cybersecurity disclosure theories in court and raising questions about how aggressively the agency will pursue similar cases in the future.
Industry Updates:
- CISA Warns of Targeted Spyware Threats on Mobile Messaging Apps: On Nov. 25th, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding cyber threat actors’ use of mobile messaging applications like Signal and WhatsApp to deliver spyware. Threat actors employ various tactics (e.g., phishing, impersonation, malicious QR codes, and zero-click exploits) to gain unauthorized access to an individual’s messaging app; the spyware then deploys malicious payloads, enabling data access and exfiltration, or surveillance through microphone recording and location tracking. According to CISA, targets include high-value individuals and civil society organizations in the U.S., Middle East, and Europe. CISA urges messaging app users to review its updated guidance and to take steps to protect against these threats (e.g., using end-to-end encrypted messaging applications).
- FBI Warns $262M Lost to Account Takeover Fraud: On Nov. 25th, the FBI’s Internet Crime Complaint Center (IC3) issued a warning regarding Account Takeover (ATO) fraud, citing more than 5,100 complaints and $262 million in ATO-attributed losses since Jan. 2025. ATO fraud involves cyber criminals impersonating financial institutions via social engineering and phishing to steal user credentials; once credentials are obtained, criminals quickly access accounts and disburse funds to criminal-controlled accounts, which are often linked to untraceable cryptocurrency wallets. IC3 advises victims to, among other things, report incidents of ATO fraud to the FBI, notify the impersonated institution so it can warn other accountholders, and contact their financial institution to minimize financial damage.
- OpenAI Discloses 2025 Data Breach: OpenAI has provided notice regarding a data breach at Mixpanel, a data analytics provider that OpenAI uses. OpenAI uses Mixpanel for data analytics on the OpenAI API product located at platform.openai.com. On Nov. 9th, Mixpanel became aware of an attack in which an unauthorized actor gained access to part of its systems and was able to exfiltrate data containing certain identifiable customer information and analytics information. Mixpanel shared the affected data set with OpenAI on Nov. 25th and confirmed that the data for the API account users involved included name, email address, location, user IDs, and other analytics information. OpenAI is continuing to investigate the situation but is recommending that users remain cautious about potential phishing attempts using the impacted information.
- New Phishing Campaign Targets Zendesk Users: Threat intelligence firm ReliaQuest has reported finding a fresh batch of phishing domains and helpdesk tickets that suggest the Scattered Lapsus$ Hunters group may be targeting Zendesk users. ReliaQuest identified over forty typosquatted Zendesk domains and URLs that appear to mimic legitimate organizations’ brands or names and could be used to harvest a phishing victim’s credentials. This is reminiscent of other known Scattered Lapsus$ Hunters campaigns that have targeted users of other major software-as-a-service (“SaaS”) applications, such as Salesforce, Salesloft Drift, and Gainsight, although there is a possibility this could be the work of a copycat. This all underscores the need for organizations and users to be wary of potential phishing campaigns.
- An Estimated One Billion PCs Remain on Windows 10 After Microsoft Ended Support in October: During Dell Technologies Inc.’s quarterly earnings call on Nov. 25th, Jeffrey Clarke, Dell’s Vice Chairman and Chief Operating Officer, reported that there are still about 500 million PCs on Windows 10 that are capable of running Windows 11 and another 500 million on Windows 10 that cannot run Windows 11. While he presented this as a business opportunity for Dell, it is also a critical cybersecurity issue. After wide publicity, Microsoft ended support for Windows 10 on Oct. 14th. Microsoft has provided options for users in the U.S. to subscribe to Extended Security Updates (security fixes only, not feature updates) for at least a year for both consumers and business users; some options are free and some are for a fee. As with all operating systems and software, Windows 10 users who have subscribed to Extended Security Updates should promptly apply the periodic security updates. Windows 10 users who have not subscribed should promptly subscribe and apply them, or upgrade to Windows 11. PCs continuing to run Windows 10 without security updates are exposed to known vulnerabilities.
- Cybersecurity Industry Leader CrowdStrike Provides 2025 Global Cybersecurity Threat Report: CrowdStrike recently issued its 2025 Global Cybersecurity Threat Report, and some key takeaways are worth noting. First, threat actors appear to be getting better at both accessing systems and moving laterally within networks. Breakout times (the time it takes threat actors to start moving laterally within the networks they attack) reached an all-time low last year, averaging 48 minutes, with the fastest recorded breakout time being 51 seconds. Second, the types of attacks being used are evolving: voice phishing (known as vishing), in which threat actors call victims to amplify and apply social engineering techniques, increased by 442% between the first and second half of 2024 alone. Third, China continues to play a very active role in cybersecurity attacks, with China-linked attacks increasing by 150% in 2024 and some industries seeing a jump of 200-300%. Finally, AI continues to be used by threat actors, with GenAI playing a role in several sophisticated cybersecurity campaigns in 2024.
- CrowdStrike Identifies and Removes Insider Who Shared Data With Hackers: Cybersecurity firm CrowdStrike recently confirmed that a former “insider” shared internal screenshots and limited information on Telegram with a hacker group known as ShinyHunters. The hacker group allegedly paid the insider $25,000 and obtained some authentication cookies, but CrowdStrike had already revoked the individual’s access before any misuse could occur. CrowdStrike spokesperson Kevin Benacci told TechCrunch, “Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.” Cases like this highlight a growing trend in which threat actors increasingly rely on insiders rather than external exploits to gain access.
Regulatory:
- FCC Reminds Broadcasters to Comply with Best Practices to Prevent Cyberattacks: On Nov. 26th, the Federal Communications Commission’s Public Safety and Homeland Security Bureau published a Public Notice reminding broadcasters to comply with best practices to prevent cyberattacks. The Notice followed recent cyber intrusions that resulted in the broadcast of obscene materials and misuse of the Emergency Alert System (EAS). The Notice recommends several cybersecurity measures, including (1) replacing default passwords with robust alternatives and regularly changing passwords, (2) installing broadcast equipment behind network firewalls and configuring VPNs to limit remote management access to only authorized devices, (3) continually monitoring EAS equipment and software and reviewing audit logs to detect and report unauthorized access, and (4) reviewing the list of recommended best practices issued by the Communications Security, Reliability, and Interoperability Council in 2014. It is interesting that this Notice points to recommendations that are over ten years old rather than more current ones, such as those published by the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.
- FCC Votes to Rescind Telecommunications Cybersecurity Requirements: In a 2-1 vote along party lines, the FCC voted on Nov. 20th to rescind cybersecurity requirements the Biden administration had championed to prevent unauthorized access to telecommunications networks like that associated with the Salt Typhoon cybersecurity attack. The lone dissenting vote, from Democratic Commissioner Gomez, was accompanied by a statement in which she strongly criticized the FCC for reversing its prior cybersecurity rulemaking, calling the move a “wake-up call” lost. She argues that voluntary collaboration among companies lacks enforceable obligations and is insufficient to protect against state-sponsored cyber threats like the “Salt Typhoon” attack. Gomez warns that without binding standards, the country is left vulnerable to future breaches and that relying on goodwill is “governing by hope rather than by duty.” She also notes that the FCC has offered no concrete cybersecurity proposals or accountability mechanisms in place of the rescinded rules.
State Action:
- California Attorney General Secures $1.4 Million Settlement with Jam City for CCPA Violations in Mobile Gaming Apps: California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City, Inc. for violating the California Consumer Privacy Act (CCPA). The California Department of Justice found that Jam City failed to provide consumers with required methods to opt out of the sale or sharing of their personal information across 21 popular gaming apps, including titles tied to major franchises like Frozen, Harry Potter, and Family Guy. The investigation also revealed that Jam City sold or shared the data of minors aged 13 to 16 without the affirmative opt-in consent mandated by the CCPA. Under the settlement, Jam City must implement in-app opt-out mechanisms and is prohibited from selling or sharing young teen users’ data without consent.
- California, Connecticut, and New York Secure $5.1 Million Settlement with Illuminate Education Over Massive Student Data Breach: California Attorney General Rob Bonta, along with the attorneys general of Connecticut and New York, announced a $5.1 million multistate settlement with Illuminate Education, Inc. after a 2021 data breach exposed the personal and medical information of millions of students, including more than 434,000 in California. The investigation found that Illuminate failed to implement basic security measures, such as terminating former employees’ login credentials, monitoring for suspicious activity, and segregating backup databases from active systems. A hacker used an ex-employee’s still-active credentials to access, steal, and delete student data. The company also misrepresented its security practices in its privacy policy and falsely advertised compliance with the Student Privacy Pledge. Under the settlement, Illuminate will pay $3.25 million to California and must adopt strict security, monitoring, and notification requirements. The action underscores heightened state scrutiny of children’s data security and ongoing multistate cooperation in privacy enforcement.
International Updates:
- EU’s New Digital Package Aims to Simplify Digital Rules and Support Business: The European Commission has introduced a new digital package intended to reduce administrative burdens and make it easier for businesses to operate across the EU. The initiative brings together a simplified set of rules on AI, cybersecurity, data, and privacy, and is expected to save companies billions in compliance costs over the coming years. It also includes a new Data Union Strategy to improve access to high-quality data for AI development, and a proposal for a European Business Wallet that would give companies a single digital identity for interacting with public authorities and partners in all Member States. Together, these measures aim to create a more coherent digital framework, support innovation, and make cross-border business activities more straightforward.
- EU Launches Antitrust Probe into Meta’s WhatsApp AI Restrictions: The European Commission has opened an antitrust investigation into Meta’s new policy limiting third-party AI providers on WhatsApp. Announced in Oct. 2025, the policy bars AI companies from using the WhatsApp Business Solution when AI is their main service, while Meta’s own “Meta AI” remains fully available. The Commission fears the policy change could shut competitors out of a key communication channel and constitute an abuse of dominance under EU law. The probe, covering the EEA, except Italy, will assess whether Meta’s conduct harms competition in fast-growing AI markets.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.