Sign up to save your podcasts
Or
Share Facepalm Retrospective: 2025’s Greatest Cyber Fails — From 123456 to the Louvre
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Facepalm Retrospective: 2025’s Greatest Cyber Fails — From 123456 to the Louvre
Welcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them.
We open with the MacHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.
Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.
We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.
The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.
In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.
Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.
The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.
#Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice
View all episodes
By The Small Business Cyber Security GuyWelcome to the Small Business Cybersecurity Guy Christmas Special with host Noel Bradford and guests Mauven MacLeod and Graham Falkner. This episode is a rapid-fire, often hilarious and sometimes horrifying roundup of the most spectacular cyber security disasters of 2025, told with a no-nonsense focus on what small businesses should learn from them.
We open with the MacHire fiasco: security researchers discovered an admin account on McDonald’s AI hiring chatbot (Paradox.ai/Olivia) protected by the password "123456," exposing up to 64 million applicant records. The researchers reported the flaw; no known mass theft occurred, but the episode underlines vendor risk and the dangers of legacy test accounts and absent MFA.
Next, we cover the Louvre post-heist revelations: a €88m jewel theft followed by reports showing decades-old surveillance systems running Windows 2000/XP, passwords like "Louvre" and systemic neglect. The story is used to illustrate how even world-famous institutions fail at basic cyber hygiene.
We recap the PowerSchool catastrophe, where a 19-year-old college student used compromised credentials to access a support portal and exposed data on some 62 million students and millions of staff. The attack led to ransom demands, payments, further extortion attempts, criminal charges, and a clear lesson — no MFA, huge consequences.
The UK was a hotspot in 2025: Jaguar Land Rover, Marks & Spencer, Co-op, Harrods and others suffered disruptive breaches often rooted in third-party/supply-chain compromises. We also discuss the Foreign, Commonwealth & Development Office breach (detected in October, disclosed in December), suspected China-linked activity, and the difficulties of attribution.
In a rapid-fire segment we cover smaller-but-still-impactful stories: a ransomware gang that abandoned an extortion against nurseries after public outrage; attacks on Asahi, DoorDash and Harvard; widespread exploitation of unpatched SharePoint vulnerabilities; and how simple phishing and credential theft continue to be the root cause of major incidents.
Key takeaways for small businesses are emphasized throughout: enable multi-factor authentication, use strong unique passwords and password managers, patch promptly, run vendor due diligence and risk registers, train staff on phishing/social engineering, maintain incident response plans, and treat supply-chain security as part of your attack surface. The hosts argue the fundamentals work — do the boring basics correctly.
The episode closes with practical advice, links to the revamped blog and Noel’s "No BS Cyber for SMBs" newsletter on LinkedIn, and a festive-but-sober call to change weak passwords (definitely not to "123456") and enable MFA before the new year.
#Cybersecurity #Ransomware #DataBreaches #PasswordSecurity #SupplyChainSecurity #SmallBusiness #UKCyber #InfoSec #Christmas2025 #PowerSchool #McDonalds #JaguarLandRover #ForeignOffice