Cybersecurity Update 1-16 January 2026
- Melissa Hathaway
- Jan 19
- 16 min read
United States of America
California Privacy Law - DROP - Takes Effect. On 1 January 2026, California’s DROP — Delete Request and Opt-out Platform — became active. DROP is a portal that lets Californians request, in a single submission, that more than 500 data brokers delete all of their personally identifiable information. It also stops those data brokers from selling the consumer’s data. Data brokers package, trade, and sell that information to various organizations, including advertisers and marketers, employers and recruiters, political campaigns, etc. While the Delete Act comes with fines, it will have larger implications for the third parties that buy the data to enhance engagement with consumers. Companies should determine the impact this may have on the effectiveness of data-driven marketing provided by third parties (e.g., Acxiom, Epsilon, Merkle, Salesforce Marketing Cloud, etc.) that support business-to-consumer positioning and engagement. This new law may also affect other email and marketing platforms like Mailchimp, HubSpot, and Braze. (Delete Act, Desert Sun, ABC7)
Federal Oversight of Data Center Grid Connections. On 18 December 2025, the Federal Energy Regulatory Commission (FERC) directed grid operator PJM to establish transparent rules to facilitate service of AI-driven data centers and other large loads co-located with generating facilities. PJM is the largest power grid operator and regional transmission organization (RTO), serving 67 million customers across 13 states — Illinois to New Jersey. At the heart of the issue is grid reliability vs. consumer cost. The most recent PJM capacity auctions — where the grid operator pays in advance for power plants to be available to serve the grid — hit record-high clearing prices. FERC gave PJM until 19 January 2026 to present a plan to increase reliability and transparency, including: (1) developing a load forecast that ensures demand flexibility and helps PJM determine the amount of new capacity needed to maintain system reliability; (2) explaining the status of shovel-ready generation projects that could serve PJM more quickly; and (3) identifying modifications to PJM’s reliability backstop mechanism to improve PJM’s ability to respond to acute resource adequacy shortfalls. PJM’s load forecast suggests it does not (and will not) have enough capacity to meet the demands of the emerging data centers. On 16 January 2026, the Trump administration and some US governors announced a plan to direct grid operator PJM to hold an emergency wholesale auction in which technology companies (e.g., Microsoft, Google, etc.) would bid on 15-year contracts for new electricity generation capacity. The auction would deliver contracts supporting the construction of some $15 billion worth of new power plants. (FERC Fact Sheet, WSJ, Utility Drive, Canary Media, PJM 2026 Load Report, Bloomberg, WP)
Palantir’s Tool Supports ICE Operations. Palantir has fielded a tool to support Immigration and Customs Enforcement (ICE) called “Enhanced Leads Identification & Targeting for Enforcement” (ELITE). ELITE is described as “a targeting tool designed to improve capabilities for identifying and prioritizing high-value targets through advanced analytics.” It populates a map with potential deportation targets and brings up a dossier on each person that includes their name, a photo, their Alien Number (the unique code given by the U.S. government to each immigrant), their date of birth, and their full address. ELITE notes the source of the address (such as the government agency that supplied it) and gives an “address confidence score.” ICE is using it to find locations where many people it might detain could be based. In 2025, ICE awarded a $30 million contract to Palantir to build "ImmigrationOS," a system designed to consolidate data from various sources to streamline the identification, apprehension, and deportation of immigrants. Palantir’s software links disparate data sources—including IRS records, Social Security data, DMV records, and biometrics—to create comprehensive profiles for enforcement. The tools are used to assist in identifying, targeting, and deporting undocumented immigrants, as well as those with visa overstays. (404 Media, Palantir)
Sedgwick’s Government Services Subsidiary Breached. On 31 December 2025, the TridentLocker ransomware gang claimed that it breached and exfiltrated 3.4 GB of data from Sedgwick Government Solutions. Sedgwick is a global third-party administrator (TPA) that manages claims and benefits for employers, insurers, and other organizations, handling matters such as workers' compensation, disability, auto liability, and property loss on their behalf, acting as an outsourced HR and claims department. It investigates incidents, processes claims (like slip-and-falls or workplace injuries), and administers leave programs, focusing on its clients' financial interests rather than selling insurance policies itself. A Sedgwick spokesperson confirmed the company is currently addressing a security incident at the subsidiary, which provides claims and risk management services to federal agencies like the Department of Homeland Security (DHS), Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), Citizenship and Immigration Services, the Department of Labor, and the Cybersecurity and Infrastructure Security Agency (CISA). The company also provides services to municipal agencies in all 50 states as well as the Smithsonian Institution and the Port Authority of New York and New Jersey. The cyber incident is said to affect only an isolated file transfer system, and not Sedgwick’s network or that of its subsidiary. However, TridentLocker has published some of the allegedly stolen data on its Tor data leak website. (The Record, X-Post, Bleeping Computer, Security Week)
Coinbase Fights Back. On 18 December 2025, cryptocurrency exchange Coinbase filed lawsuits against Michigan, Illinois, and Connecticut over the states’ attempts to regulate prediction markets. Prediction markets let users buy and sell contracts based on the outcomes of real-world events, such as the winner of a sporting event, a political debate, or a central bank interest-rate decision. College football games and other sporting competitions have become the primary focus for users of these platforms. Coinbase claims that the states are trying to “gain jurisdiction over something they have no legal right to regulate.” Coinbase argues these "event contracts" [predictive gambling] fall under federal Commodity Futures Trading Commission (CFTC) oversight, not state gaming laws. On 11 December 2025, major players in the prediction market space (Kalshi, Coinbase, Crypto.com, and Underdog) joined forces and started a lobbying organization to "defend against state level overreach" and coordinate legal and political strategies across the industry. The outcome of these legal battles will shape the future availability of prediction markets across the United States. If state regulators prevail, these platforms may face significant geographic restrictions, operating only in jurisdictions that explicitly authorize them or choose not to enforce gaming laws against them. (CDC Gaming, Coin Desk, BullDog Law)
U.S. Treasury Removes Intellexa Spyware-linked Trio From Sanctions List. On 30 December 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) removed three executives tied to the Intellexa Consortium — the company behind the Predator surveillance tool — from its Specially Designated Nationals (SDN) sanctions list. Predator allows its operators to perform espionage-related activities on infected devices. Once installed, the spyware can extract data, track a device’s location, and access applications and personal information, including messages, call logs, contacts, microphone recordings, and stored media. Predator has remained available through the Intellexa spyware consortium despite US sanctions imposed in 2024 on Intellexa-linked entities and executives. The Biden administration imposed sanctions against the trio in 2024 as part of a broader move to sanction spyware operators. A US official stated that “this removal was done as part of the normal administrative process in response to a petition request for reconsideration.” “Each individual has demonstrated measures to separate themselves from the Intellexa Consortium and it has been determined that the circumstances resulting in the sanction no longer apply.” Separately, in September ICE lifted a stop-work order on a Biden-era surveillance contract, allowing the agency to proceed with acquiring commercial spyware it had previously been blocked from deploying. (OFAC, MeriTalk, CyberScoop, The Register)
ServiceNow Agentic AI ChatBot Exposes Customer Data and Connected Systems. On 13 January 2025, a researcher at AppOmni published a significant vulnerability in on-premises ServiceNow instances that allowed unauthenticated attackers to impersonate any ServiceNow user using only an email address, bypassing MFA and SSO. The problem lies in ServiceNow’s Virtual Agent, which lets users perform tasks and resolve issues in natural language. Conveniently, users can engage the chatbot not just within a ServiceNow interface but also from connected platforms like Slack. The legacy chatbot was also integrated with the new "Now Assist" agentic AI technology. Unfortunately, ServiceNow shipped the same credential to every third-party service that authenticated to the Virtual Agent application programming interface (API), so a caller holding that one credential could present any user's email address and be treated as that user. AppOmni reported its findings to ServiceNow on 23 October 2025, and to ServiceNow’s credit, it addressed two weaknesses by 30 October 2025. Customers using the on-premises ServiceNow product should immediately upgrade to, at minimum, the earliest fixed version of each affected application to secure their environment. While the issue has been fixed and ServiceNow has stated that it has not itself seen evidence of malicious exploitation, malicious actors could still be lurking inside infrastructure, so potentially affected companies would do well to perform a thorough cyber-health and safety check. (AppOmni, DarkReading)
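The weakness class described above (one credential shared by every integration, plus a caller-supplied email standing in for an authenticated user) can be shown in a small Python chat-bot gateway. This is an added, hypothetical example written for this page; it is not ServiceNow's or AppOmni's code, and the function names (`vulnerable_handle`, `hardened_handle`), the integration names and the secrets are constructed. The hardened variant gives each integration its own credential and accepts the end-user identity only as a short-lived assertion signed by the identity provider after the user's own SSO/MFA.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _eq(a: object, b: object) -> bool:
    """Constant-time comparison that tolerates non-string junk input."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


# --- Weak design: one credential for every integration, identity from the caller ---
SHARED_SECRET = "shared-by-every-integration"   # constructed value for the demo


def vulnerable_handle(request: dict) -> dict:
    """Any holder of the shared secret is accepted as whatever user it names."""
    if not _eq(request.get("token", ""), SHARED_SECRET):
        return {"status": 401, "acting_as": None}
    # The email is never verified: the real user's MFA and SSO are bypassed.
    return {"status": 200, "acting_as": request.get("email")}


# --- Hardened design -------------------------------------------------------------
# 1. Each integration has its own credential, so one leak means one revocation.
# 2. The user's identity is a short-lived assertion signed by the identity
#    provider after the user's own SSO/MFA; integrations hold no signing key.
INTEGRATION_KEYS = {                               # constructed per-integration secrets
    "slack-connector": secrets.token_hex(16),
    "teams-connector": secrets.token_hex(16),
}
IDP_SIGNING_KEY = secrets.token_bytes(32)           # held only by the identity provider


def _sig(email: str, exp: int) -> str:
    msg = f"{email}|{exp}".encode()
    return hmac.new(IDP_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def mint_user_assertion(email: str, ttl: int = 300, now: Optional[int] = None) -> dict:
    """Identity-provider side: issued only after the user has authenticated."""
    exp = int(time.time() if now is None else now) + ttl
    return {"email": email, "exp": exp, "sig": _sig(email, exp)}


def verify_user_assertion(assertion: dict, now: Optional[int] = None) -> Optional[str]:
    """Return the asserted email if the signature and expiry hold, else None."""
    try:
        email, exp, sig = str(assertion["email"]), int(assertion["exp"]), assertion["sig"]
    except (KeyError, TypeError, ValueError):
        return None
    if not _eq(sig, _sig(email, exp)):
        return None                                 # tampered or forged identity
    if exp <= int(time.time() if now is None else now):
        return None                                 # expired assertion
    return email


def hardened_handle(request: dict, now: Optional[int] = None) -> dict:
    """Authenticate the integration, then act only as a verified user."""
    key = INTEGRATION_KEYS.get(str(request.get("integration", "")))
    if key is None or not _eq(request.get("token", ""), key):
        return {"status": 401, "acting_as": None}
    email = verify_user_assertion(request.get("user_assertion") or {}, now)
    if email is None:
        return {"status": 403, "acting_as": None}
    return {"status": 200, "acting_as": email}


if __name__ == "__main__":
    print(vulnerable_handle({"token": SHARED_SECRET, "email": "cfo@example.com"}))
    ok = {"integration": "slack-connector",
          "token": INTEGRATION_KEYS["slack-connector"],
          "user_assertion": mint_user_assertion("alice@example.com")}
    print(hardened_handle(ok))
    forged = dict(ok, user_assertion=dict(ok["user_assertion"], email="cfo@example.com"))
    print(hardened_handle(forged))   # 403: signature no longer matches the email
```

The point of the split is that in the hardened design a leaked integration credential lets an attacker act only as users who have actually authenticated through the identity provider, and only until their assertion expires; it no longer lets anyone name an email and become that person.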
Indiana State Privacy Law in Effect. Indiana’s comprehensive consumer privacy statute, codified at Indiana Code 24‑15, became effective 1 January 2026. The law follows the “Virginia model” but introduces several nuances that will matter for organizations doing business in, or targeting residents of, Indiana. The law gives citizens more control over their personal data, making it harder for companies to track and sell it without permission, while also setting clear rules for businesses on how to handle that data responsibly. The law requires businesses to obtain a consumer’s consent to collect sensitive data. Moreover, businesses must provide a clear privacy policy that includes the categories of personal data processed, the purpose for processing personal data, the categories of data shared with third parties, the types of third parties, the consumer's rights, and the manner in which consumers may exercise their rights, including an appeal. The Indiana Data Privacy Law provides a 30-day cure period for alleged violations. A controller or processor who continues to violate the law after this cure period may be subject to an injunction and civil penalties of up to $7,500 for each violation. (Taft, Indiana Consumer Protection Law, White & Case, Data Grail, Criminal Defense Team)
New York Cybersecurity Law - Bans Purchase of Foreign Products. On 29 December 2025, Governor Hochul signed A2237 into law which bars New York State and its municipalities from purchasing technology products made by companies with ties to foreign governments that may pose national security risks. Under the law, the state’s chief information officer, in consultation with homeland security and procurement officials, must maintain and regularly update a list of restricted technologies, such as computers, webcams, drones, semiconductors and other components that may contain backdoors, spyware or other vulnerabilities. Any technology on this list will not be permissible for purchase by New York State agencies or local governments unless a waiver is issued under narrow conditions, such as when “no secure alternative” is available at a reasonable price. The law will take effect on 1 January 2027. (New York Law - A2237, StateScoop, SC World)
Condé Nast Subscriber Breach: On 20 December 2025, a malicious actor using the name "Lovely" (and claiming responsible disclosure of a vulnerability) leaked a database of 2.3 million records associated with WIRED.com, owned by media giant Condé Nast, on a hacking forum. DataBreaches.net disclosed a complicated breach involving 33 million user accounts associated with Condé Nast. Lovely shared record counts for other Condé Nast properties from which they claim to have stolen data, including The New Yorker, Epicurious, SELF, Vogue, Allure, Vanity Fair, Glamour, Men's Journal, Architectural Digest, Golf Digest, Teen Vogue, Style.com, and Condé Nast Traveler. Condé Nast still hasn't acknowledged the breach of email addresses, names, phone numbers, and more. (BleepingComputer, DataBreaches, Pwned)
Critical “Ni8mare” Vulnerability. On 7 January 2026, Cyera disclosed that it had discovered a maximum-severity (10/10) vulnerability (CVE-2026-21858) affecting at least 100K n8n servers worldwide. n8n is widely used for automating tasks with AI and large language model services, making it a prime target for exploitation. “Ni8mare” can enable unauthenticated, remote actors "to access files on the underlying server through execution of certain form-based workflows." This can lead to "exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage." Malicious actors can use this flaw to access sensitive files on n8n servers, potentially compromising API keys, OAuth tokens, and other crucial data. A malicious n8n package named "n8n-nodes-hfgjf-irtuinvcm lasdqewriit" mimics a Google Ads integration, prompts users to link their advertising account in a seemingly legitimate form, and then siphons OAuth credentials to servers under the attackers' control. No workaround is available, and users are urged to update to n8n version 1.121.0. (Cyera, BleepingComputer, HackerNews)
Supreme Court Takes Case Reviewing FCC’s Authority to Issue Fines. On 9 January 2026, the Supreme Court agreed to review the Federal Communications Commission’s (FCC) power to issue fines. In 2024, the FCC fined AT&T, Verizon, and T-Mobile $196 million for illegally sharing access to customers’ location information without consent. The carriers challenged the FCC’s ability to punish them. AT&T convinced the US Court of Appeals for the 5th Circuit to overturn its fine, while Verizon lost in the 2nd Circuit and T-Mobile lost in the District of Columbia Circuit. Verizon petitioned the Supreme Court to reverse its loss, while the FCC and Justice Department petitioned the court to overturn AT&T’s victory in the 5th Circuit. The Supreme Court granted AT&T’s and Verizon’s petitions to hear the challenges and consolidated the cases. FCC Chairman Brendan Carr continues to frame the case as one about the FCC’s authority to regulate data privacy practices, not the right to a jury trial. (ArsTechnica, Fierce Network, FCC Carr Opinion)
International Items of Interest
UK Cybersecurity Reboot. On 6 January 2026, the British government acknowledged that its years-long approach to its own cybersecurity was flawed and warned it will be impossible to meet a previous target of securing all government organizations from known cyber vulnerabilities and attack methods by 2030. The UK public sector has enormous digital resources: it spends over £26 billion annually on digital technology, employs a workforce of nearly 100,000 digital and data professionals, and delivers millions of online transactions every day. Yet, “to protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach [to cybersecurity] and a step change in pace.” The Department for Science, Innovation and Technology (DSIT) concedes that the current system of accountability has left much of the British government vulnerable to cyberattacks, with responsibilities for risk “unclear at all levels of government,” including across the supply chain. Therefore it has launched a new Cyber Action Plan and will establish a new Government Cyber Unit, backed by over £210 million of central investment. The Cyber Unit will drive the plan forward, setting much stronger central direction and backing departments with expert support whilst demanding measurable progress. (The Record, Government Cyber Action Plan, PM Plan for Change, DSIT State of Digital Government Review)
Venezuela Blames the US for Blackouts. On 3 January 2026, President Trump and the Chairman of the Joint Chiefs of Staff, General Caine, stated that US Cyber Command conducted cyber operations to cause widespread power outages and blackouts in Venezuela. General Caine stated that U.S. Cyber Command, U.S. Space Command and combatant commands “began layering different effects” to “create a pathway” for U.S. forces flying into the country early on 3 January 2026. NetBlocks confirmed: “Metrics show a loss of internet connectivity in parts of Caracas, Venezuela, corresponding to power cuts during the US military operation which landed strikes on the capital and captured and removed President Maduro from the country.” US Cyber Command stated that it “was proud to support Operation Absolute Resolve.” The New York Times reported that cyber operations were used to cause the blackouts and to disable Venezuelan air defense radar ahead of the incursion. It was also reported that the power was restored “quickly” —perhaps purposefully by Cyber Command—and didn’t cause fatalities in hospitals, thanks to backup generators. Turning off the power in Caracas and interfering with radar allowed US military helicopters to move into the country undetected on their mission. (NYT, Politico, Security Affairs, Wired, ArsTechnica)
Iran’s Nationwide Internet Blackout. On 8 January 2026, Iranian authorities shut down internet and phone service amid anti-government protests. Military-grade GPS jammers have cut satellite internet performance by as much as 80% in parts of the country and have successfully disrupted Starlink’s service to the country. Cloudflare recorded a 98.5% collapse in Iranian internet traffic within 30 minutes of the shutdown starting. Starting around 12 January 2026, Starlink made its service free to use in Iran, despite the service being banned there. It is estimated that thousands of terminals may have been smuggled into the country. Iran appears to be engaged in spoofing — broadcasting fake GPS signals — to confuse and disable Starlink terminals. The GPS spoofing wreaks havoc on a Starlink terminal's connection, slows internet speeds, and makes it nearly impossible to send videos. (Rest of World, CNN, PPCLand, Reuters)
Two Arrested in Association with Damage to Finland Undersea Telecommunications Cable. On 31 December 2025, damage was discovered to an undersea telecommunications cable in the Gulf of Finland that links the capitals of Finland and Estonia. On 1 January 2026, Finnish authorities arrested two members of a cargo ship’s crew in connection with the damage of the cable that belongs to Finnish telecommunications service provider Elisa and is considered to be critical underwater infrastructure. The Fitburg, which has a crew of 14 — reportedly from Russia, Georgia, Azerbaijan and Kazakhstan — was seized while transiting through Finland’s exclusive economic zone. The cargo ship was transporting sanctioned steel products from Russia to Israel. Authorities are conducting crime scene work on the seabed near the damaged cable using underwater robots, side-scan sonar and multi-beam echo sounders to map the seafloor and confirm the cause of the cable break. Helsinki police have opened an investigation into aggravated criminal damage, attempted aggravated criminal damage and aggravated interference with telecommunications. At least 10 undersea cables have been cut or damaged in the Baltic Sea since 2023. Most investigations point to Russian involvement. (AP, The Record, CNN)
G7 Cyber Expert Group Releases Roadmap for Coordinating the Transition to Post-Quantum Cryptography in the Financial Sector. On 12 January 2026, the G7 Cyber Expert Group (CEG) - chaired by the U.S. Department of the Treasury and the Bank of England - released a public statement advising financial entities, authorities and suppliers of key considerations and potential activities for transitioning to quantum-resilient technology in a coordinated and timely way. Quantum computers have the potential to revolutionize the financial sector, unlocking significant new capabilities and opportunities for organizations. “The introduction of quantum computers that can break our encryption tools presents a significant risk to the safety and soundness of our financial ecosystem. This is something we must address together, and the roadmap guidance will be an important reference for organizations to consider as they prepare their systems and data to be quantum resilient.” The roadmap outlines several considerations for financial sector stakeholders but is not prescriptive. (Treasury, G7 Document)
The UK National Cyber Security Centre (NCSC-UK) and International Partners Publish Principles for Operational Technology Security. On 14 January 2026, the UK National Cyber Security Centre (NCSC), in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (Cyber Centre), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre (NCSC-NL), and New Zealand’s National Cyber Security Centre (NCSC-NZ), published guidance on cybersecurity for operational technology (OT): Secure Connectivity Principles for Operational Technology. The document sets out eight core principles that organizations can use to design, secure, and manage connectivity into OT environments. These principles are particularly critical for operators of essential services, where insecure or poorly governed connectivity can have safety, reliability, and national security consequences: Principle 1: Balance the risks and opportunities; Principle 2: Limit the exposure of your connectivity; Principle 3: Centralize and standardize network connections; Principle 4: Use standardized and secure protocols; Principle 5: Harden your OT boundary; Principle 6: Limit the impact of compromises; Principle 7: Ensure all connectivity is logged and monitored; and Principle 8: Establish an isolation plan. The advisory also states that when evaluating industrial protocols within the OT environment, organizations should default to the latest secure versions of industrial protocols (e.g., DNP3 to DNP3-SAv5, CIP to CIP Security, Modbus to Modbus Security, OPC DA to OPC UA). They must ensure that protocols support cryptographic protections for authenticity and integrity, such as digital signatures; prefer protocols that support open standards and interoperability to facilitate vendor-agnostic solutions; and require a business case for the use of insecure protocols within the environment, making their use the exception rather than the norm. (NCSC OT Principles, CISA Blog, IC3, Industrial Cyber)
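The protocol-upgrade guidance and several of the connectivity principles above (limit exposure, centralize connections, prefer secure protocol versions, require a business case for insecure ones, log everything) lend themselves to an automated review of an OT connection inventory. The following Python check is an added example written for this page, not code from NCSC or any of the co-authoring agencies; the `Connection` record layout, the zone names, and the sample inventory are constructed, and the legacy-to-secure protocol pairs are exactly those the advisory names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legacy protocol -> secure successor, the upgrade pairs the advisory lists.
SECURE_SUCCESSOR = {
    "DNP3": "DNP3-SAv5",
    "CIP": "CIP Security",
    "Modbus": "Modbus Security",
    "OPC DA": "OPC UA",
}


@dataclass
class Connection:
    """One connection into the OT environment, as recorded in a (constructed) inventory."""
    name: str
    src_zone: str                           # "internet", "corporate-it", "vendor-remote", "ot-dmz"
    dst_zone: str                           # "ot" for assets inside the OT boundary
    protocol: str
    via_gateway: bool                       # passes through the centralized OT boundary gateway
    logged: bool                            # connection is logged and monitored
    exception_ticket: Optional[str] = None  # documented business case for an insecure protocol


def assess(conn: Connection) -> List[str]:
    """Return findings tagged with the principle they relate to; an empty list means compliant."""
    findings: List[str] = []
    if conn.dst_zone != "ot":
        return findings                     # only connectivity into OT is in scope here
    if conn.src_zone == "internet":
        findings.append("P2: OT asset directly exposed to the internet")
    if not conn.via_gateway:
        findings.append("P3/P5: bypasses the centralized, hardened OT boundary")
    successor = SECURE_SUCCESSOR.get(conn.protocol)
    if successor is not None:
        if conn.exception_ticket:
            # Insecure protocol is the documented exception, but still needs a migration plan.
            findings.append(f"P4: legacy {conn.protocol} allowed by exception "
                            f"{conn.exception_ticket}; migrate to {successor}")
        else:
            findings.append(f"P4: legacy {conn.protocol} with no business-case exception; "
                            f"migrate to {successor}")
    if not conn.logged:
        findings.append("P7: connection is not logged or monitored")
    return findings


def report(conns: List[Connection]) -> Dict[str, List[str]]:
    """Map each connection name to its findings."""
    return {c.name: assess(c) for c in conns}


# Constructed sample inventory covering the compliant and non-compliant cases.
SAMPLE = [
    Connection("historian-feed", "ot-dmz", "ot", "OPC UA", True, True),
    Connection("vendor-plc-support", "vendor-remote", "ot", "Modbus", False, False),
    Connection("scada-substation", "ot-dmz", "ot", "DNP3", True, True, exception_ticket="CHG-0042"),
    Connection("cloud-analytics", "internet", "ot", "CIP", True, True),
    Connection("it-erp-sync", "corporate-it", "ot-dmz", "HTTPS", True, True),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "->", findings or ["compliant"])
```

Run against a real inventory export, the interesting output is the set of legacy-protocol connections with no exception ticket: under Principle 4 each of those needs either a documented business case or a migration to the secure successor.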
30,000 Korean Air Employee Records Stolen From Third-Party Supplier. On 29 December 2025, the Clop ransomware group claimed responsibility for the Korean Air Catering and Duty Free (KC&D) breach and has already leaked the stolen data. Korean Air confirmed that the personal details of roughly 30,000 current and former employees were stolen. The airline says customer data was not affected and that the leaked information appears limited to employee names and account numbers stored on KC&D’s ERP system. It is likely that Clop exploited the vulnerability in Oracle E-Business Suite to gain access. (HackRead, Security Affairs, Korea JoongAng Daily)
Truebit Loses $26 Million in Cryptocurrency. On 8 January 2026, malicious actors stole more than $26 million worth of cryptocurrency from the Truebit platform. The Delaware-based company says it provides infrastructure for tokens, handling costly computations on behalf of other digital assets. In its post, it urged customers to stop using its smart contract platform, which was maliciously exploited, resulting in the loss of the cryptocurrency. (The Record, TrueBit X post)
British Regulator OFCOM Opens Investigation into X. On 12 January 2026, OFCOM opened a formal investigation into social media network X to determine whether its content violates the UK Online Safety Act. Specifically, the investigation asks whether X and its AI chatbot Grok have failed, or are failing, to comply with duties under the Online Safety Act 2023 in respect of: (1) duties to carry out a suitable and sufficient illegal content risk assessment; (2) safety duties about illegal content; (3) duties to carry out a suitable and sufficient children’s risk assessment; and (4) safety duties protecting children. X and its AI chatbot Grok flooded the Internet with nonconsensual, AI-manipulated nude and undressed photos of real people. On 15 January 2025, X stated that it is taking steps to prevent the distribution of nonconsensual images and child sexual abuse material (CSAM), and is working to take down illegal content and protect user privacy. (OFCOM, CyberScoop, X post)
Beijing Tells Chinese Firms to Stop Using U.S., Israeli Cybersecurity Software. On 14 January 2026, Chinese authorities told domestic companies to stop using cybersecurity software made by roughly a dozen firms from the U.S. and Israel due to national security concerns. The companies impacted include: Cato Networks, Check Point Software Technologies, Claroty, CrowdStrike, CyberArk, Fortinet, Imperva, Mandiant, McAfee, Orca Security, Palo Alto Networks, Rapid7, Recorded Future, SentinelOne, VMware, and Wiz. Several of the firms do not conduct business with Chinese clients, but others have built a significant footprint in China. For example, Fortinet has three offices in mainland China and one in Hong Kong. Check Point has addresses in Shanghai and Hong Kong. Broadcom lists six China locations, while Palo Alto lists five local offices in China, including one in Macau. Chinese authorities expressed concern that the software could collect and transmit confidential information abroad and have urged Chinese firms to adopt domestic cybersecurity solutions. (Reuters, Security Affairs, Times of Israel, Journal Record)
South Korean Giant Kyowon Confirms Data Theft in Ransomware Attack. On 10 January 2026, the Kyowon Group (Kyowon), a South Korean conglomerate that operates businesses such as the educational workbooks Red Pen and Kumon, as well as funeral services and travel, suffered a ransomware attack on its IT network. According to the incident report filed with the Korea Internet & Security Agency (KISA), the attack involved an external server exposed to the Internet, which the attacker used to infiltrate the internal system, leading to a ransomware infection that spread throughout the subsidiaries. In a subsequent update, Kyowon confirmed that the attacker exfiltrated customer data that could include not only personal information of children and parents but also sensitive data such as card or account numbers used for tuition payments. (BleepingComputer, Asia Business Daily, Kyowon Blog)
