The authentication standards body known as the FIDO Alliance announced working groups this week with Google and MasterCard to develop technical guardrails to validate and protect AI agent-initiated transactions. Meanwhile, given the proliferation and increasing sensitivity of some tasks using AI, OpenAI launched an “enhanced” security risk mode for ChatGPT and Codex accounts facing increased risk of attack.
New research this week highlighted an incident in which 90,000 screenshots taken from a European celebrity’s phone were exposed online – underscoring the risks of commercially available spyware as an invasion of personal privacy and the threat of widespread data breaches and misuse. And WIRED looked at arrests in the United Arab Emirates as a result of people sharing screenshots and other online content.
There is so much more. Each week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on titles to read full stories. And stay safe there.
The happiest place on earth has just gotten a little scarier. The Walt Disney Company announced this week that visitors to its Disneyland parks and Disney California Adventure parks will have the option to “opt in” to enter the park through a lane equipped with facial recognition technology. While the company says facial recognition itself is “completely optional”, it notes that “you may still be imaged” if you enter the park through the lane without the facial recognition system. Disney’s face recognition, like many others, works by converting images of people’s faces into a numerical value that can be used to match faces in other images. The company says these numerical values will be deleted after 30 days, “except in cases where the data must be retained for legal or fraud-prevention purposes.”
Facial recognition systems are widely used in the United States and around the world. Law enforcement agencies often use the technology, but it has also spread into everyday aspects of life, from airports to MLB and NFL stadiums to Madison Square Garden.
Anthropic’s Mythos Preview AI model is said to be so adept at digging up hackable bugs in software that its use has been carefully restricted until now to prevent it from falling into the hands of malicious hackers. So perhaps it would be more surprising if the National Security Agency were No Already trying it.
Bloomberg News and Axios reported this week that the NSA was among the agencies and companies granted early access to Mythos, which has so far been limited to 40 organizations, according to Axios. According to sources who spoke anonymously to Bloomberg, the agency has used the tool to look for bugs in Microsoft’s software — naturally, it still runs on most of the world’s PCs — and has been impressed by its speed and effectiveness in finding exploitable vulnerabilities. After all, the agency’s mandate includes some element of helping the U.S. government find and fix security vulnerabilities in the software it uses, as well as sometimes exploiting those vulnerabilities in the NSA’s own operations.
The NSA’s testing or adoption of Anthropic’s AI tools appears to have proceeded despite a ban on Anthropic announced by the Defense Department, following Defense Secretary Pete Hegseth’s claim that the company represents a supply chain risk. However, Hegseth said in February that the DOD would move away from Anthropic’s equipment in six months, and Anthropic has filed a lawsuit to prevent the ban from taking effect. Given that the NSA is part of the DOD, it’s not clear right now whether the NSA is simply using Mythos in the window before the ban goes into effect, or whether the tool is powerful enough to persuade the NSA to reconsider its ban – or make an exception.
The ransomware group known as Scattered Spiders is responsible for some of the most damaging extortion-focused hacking campaigns in recent memory, including breaches at MGM Resorts, Caesars Entertainment, and retailers like M&S and Harrods. It is also distinguished among ransomware gangs because of its membership: often very young, English-speaking hackers live in countries that cooperate with US law enforcement – and therefore, get arrested.
The latest alleged member of the group to be identified and charged is 19-year-old Peter Stokes, who was arrested at an airport in Finland, where he intended to fly to Japan. According to the Chicago Tribune, Stokes’ alleged involvement in targeting four Scattered Spider victim companies is described in a criminal complaint that has since been sealed. Stokes is reportedly accused of helping steal millions from unnamed victim companies, which included an online communications platform and a luxury retailer. According to the complaint, she also lived a jet-set life, traveling from Dubai to Thailand and New York and was seen in a photo wearing a diamond-encrusted necklace that read “Hack the Planet.”
A Medicare database left available on the open Internet inadvertently exposed Social Security numbers and other personal information to health care providers across the US, the Washington Post reports. The database was linked to an online Director of Medicare and Medicaid Services (CMS), which allowed Medicare patients to check which insurance plans health care providers accept. According to the Post, the sensitive data exposed was online for “at least several weeks”. As the Post reports, the rollout of the directory is part of an effort by the Trump administration to “build a national database of health care providers,” which is being overseen by Amy Gleason, the acting head of the US DOGE service, who also serves as an official at CMS.
<a href