Digital Risk Report, October 2025

Shumaker, Loop & Kendrick, LLP

Happy Cybersecurity Awareness Month!

October marks National Cybersecurity Awareness Month (NCSAM)—a nationwide initiative focused on promoting stronger digital safety practices and empowering individuals and organizations to stay secure in an increasingly connected world.

As technology continues to evolve, so do the risks associated with data protection, privacy, and artificial intelligence. This month, we’re joining the national conversation by highlighting emerging threats, practical safeguards, and evolving regulatory trends to help you and your business stay one step ahead.

Whether you’re managing sensitive data, navigating new compliance requirements, or leveraging AI responsibly, cybersecurity is everyone’s responsibility, and awareness is the first line of defense.

Legislative & Regulatory

Colorado and Montana changed their data privacy thresholds to differentiate between biometrics and kids and to lower the number of consumers required before the laws apply.

California Governor Signs New Data Privacy Bills:

On October 8, 2025, California Gov. Gavin Newsom signed two major privacy-focused bills into law—one requiring all web browsers to include universal opt-out functionality that lets users automatically decline the sale or sharing of personal information across the web, and another mandating that social media platforms treat account deletions as California Consumer Privacy Act requests to remove users’ personal data.

DoD CMMC Program

The DoD finalized the CMMC program in 2025, requiring defense contractors to meet tiered cybersecurity standards as a condition for contracts.

FTC agrees to $7.5 million settlement with Chegg over claims, including illegal “Dark Patterns” 

On September 15, 2025, the FTC announced a $7.5 million settlement with educational tech company Chegg for failing to provide reasonable methods for cancelling subscriptions. Among the allegations was that Chegg’s website buried the cancellation options and made cancellation intentionally difficult to complete.

U.S. HHS settles HIPAA claim with Cadia Healthcare

On September 30, 2025, the HHS settled with Cadia Healthcare for $182,000 for failing to obtain a patient’s consent before posting the patient’s “success story,” including pictures, on its public website.

CPPA fines Tractor Supply Co. $1.35 million 

On September 30, 2025, the California Privacy Protection Agency fined Tractor Supply Co. $1.35 million, an annual fee required by the Delete Act.

Notable Data Breaches

City of St. Paul

Ransomware attack crippled the city's digital services, leading to a state of emergency and deployment of the Minnesota National Guard's cyber unit. Sensitive documents, including HR files and financial records, were exposed.

Salesforce 

A breach exposed business contact information used for communication with potential advertisers, leading to a surge in phishing emails targeting Google and Gmail users. The hacking group launched a website this month to extort victims.

Gucci, Balenciaga, and Alexander McQueen

Gucci, Balenciaga, and Alexander McQueen were targeted in a ransomware attack that came through third-party systems connected to the brands rather than a direct breach of their core infrastructure.

Oracle

A zero-day vulnerability in Oracle E-Business Suite was exploited by the Cl0p ransomware group in targeted cyberattacks.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Shumaker, Loop & Kendrick, LLP

Written by:

Shumaker, Loop & Kendrick, LLP