Alston & Bird Privacy, Cyber & Data Strategy Blog

Crisis & Data Breach Response

Inside the SK Telecom Data Breach: What Happened and What Companies Can Learn

By and

In April 2025, SK Telecom—South Korea’s largest mobile carrier—formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) concluded in July 2025 that SK Telecom was negligent in […]

Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

By , and

On June 27, 2025, the District Court for the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International, Inc., the parent company of the popular chain restaurant, Chili’s. The recent […]

UK Data Protection Regulator Fines 23andMe ~$3.1 Million Following Credential Stuffing Attack

By and

On June 5, 2025, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million (~$3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK users. The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, highlighting  how regulators are […]

Suite Victory: Marriott Finally Checks Out of Court

By , and

On June 3, 2025, the U.S. Court of Appeals for the Fourth Circuit issued a pivotal ruling in longstanding litigation against Marriott International, Inc., arising out of a 2018 data breach involving its Starwood Preferred Guest Program.  In reversing the lower court’s grant of class certification, the Fourth Circuit determined that the customers’ contractual agreements […]

UK Data Protection Regulator Fines UK Law Firm ~$80,000 Following Ransomware Incident

By and

On April 14, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined DPP Law (“DPP”) £60,000 (approximately $80,000) following a ransomware incident. In its penalty notice, the ICO found that DPP failed to implement appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 UK GDPR. This is the […]