Send us a text

The US military has issued a stark warning to all forces to operate under the assumption that their networks have been compromised by Salt Typhoon, a sophisticated threat actor with ties to the Chinese government. This breach highlights the urgency for organizations to adopt Zero Trust principles as cyber warfare becomes the new battlefield.

• Zero Trust is a framework, not a single product or technology
• The first tenant of Zero Trust is treating networks as already compromised
• Salt Typhoon remained undetected in networks for almost a year
• The threat actor targeted telecommunications, energy, and transportation infrastructure
• Critical national infrastructure remains at high risk from similar focused attacks
• Traditional security approaches focusing solely on perimeter defense are inadequate
• Once compromised, networks may never be fully trusted again
• Verification must occur upon every access request, not just initially

Support the show

Send us a text

The European Parliament has released a groundbreaking 175-page study concluding that AI companies' practice of training on copyrighted material without permission constitutes mass reproduction not covered by current laws. This study recommends transforming the landscape through an opt-in system, radical transparency requirements, and fair compensation models for creators whose work trains AI systems.

• EU study reveals AI companies are treating the internet like a free "all-you-can-eat buffet" of creative content
• Recommendation to shift from opt-out to opt-in system requiring AI companies to request permission
• Call for mandatory transparency about what data AI models are trained on
• Proposal for fair licensing models similar to Spotify where creators get paid when their work trains AI
• New EU AI Act regulations taking effect in August will incorporate some of these protections

Stay safe, stay informed, and always question the code.

Support the show

Send us a text

Cameron and Gabe dive into Healthline Media's record-breaking $1.55 million settlement for CCPA violations, examining whether such penalties are sufficient deterrents against improper sharing of sensitive health data.

• Healthline violated CCPA by sharing sensitive user health data with advertisers without proper consent
• First U.S. regulatory action against a company for disclosing "inferred sensitive data"
• Violation included failing to provide mechanisms to opt out of sensitive data sharing
• Discussion of whether fines proportional to company revenue would be more effective
• Comparison of data brokers to other harmful entities in society
• Brief preview of upcoming episode about a major data breach potentially larger than Equifax

Stay safe this holiday weekend and don't put fireworks where they don't belong! Tune in next time for our breakdown of a massive data breach of "epic proportions."

Support the show

Send us a text

Several popular Chrome extensions, including privacy and security tools, have been found leaking sensitive data through unencrypted HTTP and hard-coded credentials in their code. Security is both hard and easy - hard because of existing unencrypted protocols and trust placed in developers, but easy because fundamental security practices should be common knowledge in 2025.

• Chrome extensions including DualSafe Password Manager and Avast Online Security are leaking sensitive user data
• HTTP vs HTTPS - the 'S' stands for security and encrypts data transmission over the internet
• HTTPS Only extension from EFF forces secure connections when browsing
• Hard-coded credentials in extensions create permanent security vulnerabilities
• Developers sometimes collect excessive data "just in case" rather than minimizing collection
• OWASP (Open Web Application Security Project) provides essential resources for developers
• Technology abstraction makes users less aware of security fundamentals
• The newly restarted OWASP Nomad chapter offers virtual community for application security

Check out our GitHub repository of privacy resources at "Awesome Privacy Engineering Tools" for more information on implementing better privacy practices in development.

Support the show

Send us a text

We explore the recent LexisNexus data breach that exposed sensitive personal information of over 364,000 individuals through a third-party platform accessing their GitHub account. This incident highlights critical vulnerabilities in how data brokers handle our most sensitive information and raises questions about regulatory oversight.

• Data exposed included names, date of birth, phone numbers, social security numbers, and driver's license numbers
• The breach occurred when someone accessed the company's GitHub account through a third-party platform
• Attackers likely found hard-coded credentials that allowed them to move laterally through systems 

• Data brokers operate with minimal regulation despite handling massive amounts of sensitive information
• Better governance policies and automated privacy operations could significantly reduce these risks
• Both technical solutions and regulatory approaches are needed to protect consumer data

• Breach Occurred: December 25, 2024.
• Discovery: April 1, 2025.
• Public Notification: May 27, 2025.
• Notice Letters Sent: May 24, 2025.

Shameless plus: Check out tools like Transcend's autonomous privacy operations to help prevent similar incidents and continue to monitor your privacy activities.

Support the show

Send us a text

Gabe and Cameron dive into the unseen dangers of AI systems, exploring how inherent biases shape our perception and how prompt injection attacks pose serious security threats.

• Generative AI models contain built-in biases based on their training data, favoring Western and particularly North American perspectives
• A recent study shows ChatGPT-4 with personalization is more persuasive than humans 64.4% of the time
• Most users accept AI outputs without questioning the underlying biases
• Prompt injection allows hackers to insert malicious instructions into AI systems that can lead to data leaks and security breaches
• Security professionals don't yet understand the full scope of AI vulnerabilities
• Google's new video generation technology makes it impossible to distinguish between real and AI-created content
• Despite digital concerns, it's important to appreciate real-world experiences like enjoying ice cream on a hot summer day

Support the show

Send us a text

ProPublica's investigation reveals the National Shooting Sports Foundation has been secretly sharing gun buyers' personal information, including underwear sizes, for political purposes. This privacy breach raises serious concerns about data exploitation even in industries that publicly position themselves as defenders of individual rights.

• Gun owners group demands federal investigation into firearms industry data sharing
• Personal data shared included underwear sizes and was allegedly used for political targeting
• NSSF collaborated with Cambridge Analytica to enhance voter data
• Privacy concerns should transcend political divides - "Privacy is an everybody problem"
• The gun industry publicly defends rights while quietly engaging in data exploitation
• Senator Richard Blumenthal supports investigation into these practices

If you're a privacy professional or legal expert with insights on this issue, we'd love to have you on the show to discuss this further and answer some of the questions we've raised today.

Support the show

Send us a text

Privacy Please News, for hitting big topics quickly with a hint of sarcasm to bring some joy and knowledge. 

This week, we hit on the latest privacy events in tech with a satirical perspective on how your data is being shared, sold, and exploited. From Google's dramatic stance on sharing search data to state-sponsored hackers dominating zero-day exploits, this episode highlights the absurdity of our current digital privacy landscape.

• Google CEO Sundar Pichai compares sharing search data to "ripping out the company's brain"
• WhatsApp's new AI feature sends "private" messages to cloud servers despite Meta's safety claims
• Gun rights group outraged after gun industry shared customer data, including underwear sizes, for political campaigns
• OpenAI's Sam Altman promotes eyeball scanning for WorldC, dismissing privacy concerns as regulatory lag
• State-sponsored hackers from China and North Korea are leading the zero-day vulnerability exploitation game

Support the show

Send us a text

Cameron and Gabe return after a brief hiatus to explore major developments in security, privacy, and resilience. They dive into insights from the IAPP conference and VeeamOn, examining how AI governance and outdated privacy tools are reshaping the industry landscape.

• AI governance frameworks dominated IAPP discussions with companies "building the plane as they're flying"
• Verizon's Data Breach Report debunks overblown AI security fears, showing real risks are data leakage and poor access controls
• Growing frustration with outdated privacy management tools is driving demand for better solutions
• Security posture isn't about using recognized brands but about architecture without dangerous gaps
• Sam Altman's virtual appearance at IAPP disappointed attendees expecting an in-person keynote

Stay tuned for our bonus episode covering even more developments from this busy week in privacy and security!

Support the show

Send us a text

Privacy threats continue to escalate as human error undermines even the most secure systems, from military officials accidentally exposing classified information to Russian hackers targeting encrypted messaging apps.

• Signal security breach occurred when defense officials accidentally added a reporter to their encrypted group chat discussing sensitive military operations
• Russian-linked attackers targeting Signal users through QR code vulnerabilities, tricking users into linking their secure accounts to attacker-controlled instances
• QR codes present broader security concerns as users can't verify where they lead before scanning them
• Attackers can place malicious QR codes over legitimate ones in public spaces like restaurants and airports
• 23andMe's bankruptcy raises critical questions about the fate of genetic data from 15 million users
• When companies holding sensitive personal information go bankrupt, data ownership and protection becomes uncertain
• Human error remains the primary vulnerability in most privacy and security systems
• Always consider the long-term implications when sharing personal information with any service

Remember to think beyond the present when sharing your data – consider what might happen to that information in 10, 20, or even 30 years from now.

Support the show