The authentication standards body known as the FIDO Alliance announced working groups this week alongside Google and Mastercard to develop technical guardrails to validate and protect AI agent-initiated transactions. Meanwhile, as some works using AI become more widespread and sensitive, OpenAI has rolled out an “Advanced” security risk mode for ChatGPT and Codex accounts that face increased risks of attack.
New research this week highlighted an incident in which 90,000 screenshots scraped from a European celebrity’s phone were exposed online – underscoring the dangers of commercially available spyware as an invasion of personal privacy and a threat to widespread data breaches and misuse. WIRED looked into arrests in the United Arab Emirates resulting from people sharing screenshots and other content online.
And there’s more. Every week we round up security and privacy news that we haven’t covered in depth ourselves. Click on the titles to read the full stories. And stay safe out there.
The happiest place on Earth just got a little creepier. The Walt Disney Company announced this week that visitors to Disneyland Park and Disney California Adventure Park will have the option to “opt in” to enter the park via a walkway equipped with facial recognition technology. While the company says that subjecting yourself to facial recognition is “completely optional,” it notes that “your image may still be taken” if you enter parks through walkways without facial recognition systems. Disney’s facial recognition technology, like many other companies, works by converting images of people’s faces into a digital value, which can then be used to match faces in other images. The company says that these digital values will be deleted after 30 days, “except in cases where the data must be retained for legal or fraud prevention purposes.”
Facial recognition systems are widely used throughout the United States and the world. This technology is frequently used by law enforcement agencies, but it has also spread into aspects of everyday life, from airports to MLB and NFL stadiums to Madison Square Garden.
Anthropic’s Mythos Preview AI model has been described as being so adept at finding hackable bugs in software that its use has been carefully restricted until now to prevent it from falling into the hands of malicious hackers. So maybe it would be more surprising if the NSA did this no Try it already.
Bloomberg News and Axios reported this week that the National Security Agency was among the agencies and companies granted early access to Mythos, which has been limited to 40 organizations so far, according to Axios. The agency used the tool to look for bugs in Microsoft software – naturally, since it still runs on the majority of the world’s personal computers – and was impressed by its speed and effectiveness in finding exploitable vulnerabilities, according to sources who spoke to Bloomberg anonymously. After all, the agency’s remit includes some element of helping the US government discover and patch security vulnerabilities in the software it uses, as well as sometimes exploiting those vulnerabilities in the NSA’s own operations.
The NSA’s testing or approval of Anthropic’s AI tool appears to have occurred despite the Department of Defense’s announced ban on Anthropic, which followed Defense Secretary Pete Hegseth’s claim that the company posed a supply chain risk. However, Hegseth said in February that the Defense Department would transition away from Anthropic tools over six months, and Anthropic has filed a lawsuit to prevent the ban from taking effect. Since the NSA is part of the Department of Defense, it is not clear at this time whether the NSA is only using Mythos in the window before the ban goes into effect, or whether the tool is powerful enough to convince the NSA to rethink its ban – or make an exception.
The ransomware group known as Scattered Spider has been responsible for some of the most damaging, extortion-focused hacking campaigns in recent memory, including the hacks of MGM Resorts, Caesars Entertainment and retailers such as MandS and Harrods. They also stand out among ransomware gangs because of their membership: they are often very young English-speaking hackers who reside in countries that cooperate with US law enforcement, and thus tend to be arrested.
The latest alleged member of the group to be identified and charged is 19-year-old Peter Stokes, who was arrested at an airport in Finland, where he intended to board a plane bound for Japan. According to the Chicago Tribune, Stokes’ alleged involvement in targeting four Scattered Spider victim companies was described in a criminal complaint that has since been placed under seal. Stokes is reportedly accused of helping to steal millions from those unidentified victim companies, which included an online communications platform and a luxury retailer. According to the complaint, he lived a jet-set lifestyle, traveling from Dubai to Thailand to New York and appearing in one photo wearing a diamond-encrusted necklace that read “HACK THE PLANET.”
A Medicare database left available on the open Internet inadvertently exposed Social Security numbers and other personal information to health care providers across the United States, The Washington Post revealed. The database was linked to an online manager of the Centers for Medicare and Medicaid Services (CMS), allowing Medicare patients to check which insurance plans their health care providers accept. According to the newspaper, the exposed sensitive data had been online “for at least several weeks.” Rolling out the guide is part of the Trump administration’s effort to “create a national database of health care providers,” the Washington Post reported, which is being overseen by Amy Gleason, the acting head of the U.S. DOGE service who also serves as a CMS official.
