Right To Know - May 2025, Vol. 29
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
State Action:
- Virginia Governor Signs Bill Restricting Minors’ Use of Social Media: On May 2nd, the Virginia Governor signed a bill amending the Virginia Consumer Data Protection Act (“VCDPA”) to impose restrictions on minors’ use of social media. Social media platform operators are required to 1) use commercially reasonable methods to determine if a user is under the age of 16, and 2) if a user is under 16, limit their use of the social media platform to one hour a day, unless a parent consents to increase or decrease it. The law also precludes social media operators from using information collected to determine a user’s age for any other purpose. The law takes effect as of January 1, 2026.
- State Regulators Form Privacy Consortium for Collaboration and Enforcement: The California Privacy Protection Agency (“CPPA”) and the California Attorney General announced the formation of a new coalition of eight state regulators to collaborate on the implementation and enforcement of privacy laws. States participating include California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. The Consortium will hold regular meetings and coordinate enforcement based on members’ common interests.
Regulatory:
- NIST Updates Incident Response Recommendations and Considerations: On Apr. 3rd, the National Institute of Standards and Technology released Special Publication (SP) 800-61r3 (Revision 3), “Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile,” which updates a 2012 version of the Special Publication, for public comment. The newly released SP describes how to incorporate incident response into the cybersecurity risk management activities in NIST Cybersecurity Framework 2.0 (2024), and includes a new incident response lifecycle model. The news update also refers users to NIST’s Incident Response Project Page for additional resources.
- Irish Data Watchdog Fines TikTok €530m: Concluding its inquiry into TikTok, the Irish Data Protection Commissioner’s office has fined the Chinese company for illegal transfers of EEA users’ personal data to China. Breaches of transparency requirements in TikTok’s data processing were also identified. Corrective action has been ordered with a time limit of six months, failing which a suspension of TikTok’s data transfers to China will be ordered. The Irish DPC is the lead supervisory authority in the EU for TikTok.
- HHS OCR Settles HIPAA Ransomware Case with Guam Memorial Hospital for $25,000: The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a $25,000 settlement with Guam Memorial Hospital Authority (GMHA) over potential HIPAA Security Rule violations following two ransomware-related complaints. OCR’s investigation revealed that GMHA failed to conduct a proper risk analysis, leaving electronic protected health information (ePHI) of approximately 5,000 individuals vulnerable. This marks OCR’s 11th ransomware enforcement action and the 7th under its Risk Analysis Initiative. As part of the resolution, GMHA must implement a comprehensive corrective action plan, including risk analysis, updated policies, enhanced workforce training, and improved access controls.
- CISA Nominee Put on Hold Until Telecommunications Security Report Released: U.S. Senator Ron Wyden plans to block the nomination of Sean Plankey, Donald Trump’s pick to lead the Cybersecurity and Infrastructure Security Agency (CISA), unless the agency releases a long-withheld report on vulnerabilities in the U.S. telecommunications network. Wyden, accusing CISA of a “multi-year cover up,” has been demanding the report’s release since 2022, arguing it is crucial given recent breaches linked to the Chinese hacking group “Salt Typhoon.” Under Senate rules, Wyden’s hold can stall the nomination despite majority support, a tactic he has successfully used before to pressure federal agencies. Neither CISA, the White House, nor Plankey has yet commented on the situation.
Litigation & Enforcement:
- Inspector General Confirms Improper Sharing of Information at Department of Veterans Affairs: The United States Department of Veterans Affairs, Office of the Inspector General confirmed allegations that sensitive information was improperly available on internal VA systems. The information included human resources paperwork about employees and personally identifiable information about veterans having surgery. The Inspector General recommended the department implement certain actions, including removing the information from certain shared systems, implementing automated tools to prevent improper sharing, and training. The Department is implementing the recommendations.
- U.S. Department of the Treasury Removes Sanctions on Cryptocurrency Mixer Tornado Cash: The Trump administration has decided to remove the economic sanctions placed on the notorious cryptocurrency mixer Tornado Cash. Tornado Cash is an automated process that takes identifiable cryptocurrency in and then “mixes” it with other cryptocurrency to obscure the origin of the funds. When the U.S. Department of the Treasury sanctioned Tornado Cash in August 2022, it accused the group of laundering over $7 billion in virtual currencies, including $455 million of funds stolen by the North Korean government hacking group, the Lazarus Group.
- Michigan Attorney General Files Lawsuit Against Roku Alleging COPPA Violations: The Michigan Attorney General has filed a lawsuit against the Roku streaming service alleging that it has systematically collected, processed, and disclosed the personal information of children, and allowed third parties to collect information on children, in violation of the Children’s Online Privacy Protection Act (COPPA) and the Michigan Consumer Protection Act. The Attorney General alleges that Roku did not provide the required notice or obtain parental consent as required under COPPA. The lawsuit seeks compliance with federal and state law, as well as recovery of damages and penalties.
- European Commission Fines Apple and Meta for Violations of the Digital Markets Act: The European Commission has fined Apple €500 million and Meta €200 million for violations of the Digital Markets Act (“DMA”). The Commission found that Apple violated its anti-steering obligations by not allowing app developers to inform customers of alternative offers available through distribution channels outside of the App Store. The Commission further found that Meta violated its obligation to provide consumers with the choice of a service that uses less of their personal data. The DMA requires gatekeepers to obtain consent from users for combining personal data between services. If consent is not given, consumers must have access to a less personalized but equivalent alternative. The Commission found that Meta’s “Consent or Pay” advertising model on Facebook and Instagram, where a consumer must either consent to the combining of personal information or pay for an ad-free service, violated this provision of the DMA. Both Apple and Meta now have 60 days to comply with the Commission’s ruling or face additional penalties.
- Man Behind Black Kingdom Ransomware Attacks Charged by the US Federal Government: A Yemeni national, Rami Khaled Ahmed, also known as “Black Kingdom,” has been charged in a federal indictment for deploying the “Black Kingdom” ransomware to extort organizations worldwide, including businesses, schools, and hospitals in the United States. The indictment, returned by a federal grand jury on May 1st, includes three counts: conspiracy, intentional damage to a protected computer, and threatening damage to a protected computer.
- Cybersecurity Fraud Still Being Targeted by DOJ Under False Claims Act: The Department of Justice settled an enforcement action against MORSECORP, Inc. for violation of the False Claims Act based on false statements about cybersecurity practices in connection with government contracts. MORSECORP had agreed, in contracts with the Department of Defense, to meet certain cybersecurity requirements, but failed to fully implement those requirements, failed to have a required security plan, and allowed its other cybersecurity controls to falter. In the settlement, MORSECORP admitted to certain key facts in the underlying whistleblower complaint and agreed to pay $4.6 million.
International Updates:
- Marks & Spencer Cyber Incident Disrupts Online Orders and Store Stock: British retailer Marks & Spencer is facing product shortages in some stores following a cyber incident that disrupted its systems. The company halted online clothing and home orders and temporarily took some systems offline as a precaution. Contactless payment and click-and-collect services were also affected. While M&S has not confirmed the nature of the attack, experts suggest it may be ransomware-related. A spokesperson said they are working to restore normal availability but did not provide a timeline for resuming online orders. M&S operates around 1,000 UK stores and derives a third of its clothing and home sales online.
- Data Protection Commissioner Announces Inquiry into XIUC: The Irish Data Protection Commission has announced the commencement of an inquiry under Section 110 of the Data Protection Act 2018 into X Internet Unlimited Company (XIUC). The purpose of the inquiry is to determine whether personal data contained in publicly accessible posts by EU/EEA users on the ‘X’ platform was lawfully processed when it was used for training generative AI models, particularly Grok. The Inquiry will examine compliance with a range of key provisions of the GDPR, including the lawfulness and transparency of the processing.
Industry Updates:
- The FBI Internet Crime Complaint Center Issues the 2024 Internet Crime Report: On Apr. 23rd, the Federal Bureau of Investigation announced the release of the FBI’s Internet Crime Complaint Center (IC3) 2024 Internet Crime Report. The top three reported types of cyber crimes were phishing/spoofing, extortion, and personal data breaches, with reported losses for all cyber crimes exceeding $16 billion, a 33% increase in losses from 2023. The report includes specific details and statistics about the various types of cyber crimes and types of victims. It also reports on IC3’s Recovery Asset Team, which has been highly successful in recovering fraudulent wire transfers when details, including bank information, are promptly reported. The Appendices to the report also contain additional educational and other materials.
- Critical File Transfer Vulnerabilities Actively Exploited in CrushFTP and CentreStack: Threat actors are exploiting two critical vulnerabilities, CVE-2025-31161 in CrushFTP and CVE-2025-30406 in CentreStack/Triofox, leading to full system compromise, data exfiltration, and extortion. The CrushFTP flaw allows unauthenticated access and is being widely targeted using public exploit code. CentreStack and Triofox suffer from a remote code execution vulnerability caused by a hardcoded machine key. Attackers have used RMM tools such as AnyDesk and MeshCentral post-exploitation, and some have deployed Telegram bots for exfiltration. If either of these products is used in your environment, it is essential that it be patched as soon as possible.
- Researchers Use ChatGPT Roleplay to Generate Password-Stealing Malware: Security researchers demonstrated how generative AI models like ChatGPT can be manipulated into producing malicious code by using roleplay prompts. In one experiment, researchers tricked the AI into generating a working Chrome password stealer by asking it to “pretend” to be a senior developer mentoring a junior engineer.
- Microsoft Warns of Exploitation of Apache Pinot Installations: Microsoft has issued a warning about attacks exploiting Apache Pinot. Apache Pinot is an open-source, real-time analytics platform designed for querying large datasets, and is used by large companies. Microsoft’s warning indicates that the default configuration exposes Apache Pinot’s main components to the internet through Kubernetes LoadBalancer services without any authentication mechanism. As a result, unauthenticated attackers can gain full access to the Pinot dashboard. Microsoft has identified several instances of attackers targeting Pinot misconfigurations.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.