Aug 11, 2025
Microsoft Recall Is Still Saving Your Passwords?

This week on The Awareness Angle, we’re digging into the UK’s Online Safety Act again, but this time looking at the hidden privacy risks of handing your most sensitive data to unregulated overseas firms. From facial scans to passport details, we ask whether the cure is worse than the disease.

We also unpack Microsoft Recall’s ongoing privacy failings, with tests still showing it can capture credit cards, passwords and other sensitive details, even with filters supposedly in place. And in Canada, the City of Hamilton’s $5M cyber insurance claim has been denied after skipping a basic security control, multi-factor authentication.

Elsewhere, scammers are faking endorsements with AI, the UK's Liberal Democrats want tighter vetting of YouTube ads, Google joins the list of Salesforce breach victims, and Pandora confirms a third-party attack. Plus, a staggering 6.8 million WhatsApp scam accounts taken down, and the strange world of North Korea’s undercover IT workforce.

And finally, Ant is getting ready for two LinkedIn Lives from the SANS Security Awareness Summit in Chicago, so if you can’t be there, you can still soak up the atmosphere from wherever you are.

New Website Now Live!

This week saw us launch our new website. It's now easier than ever to view past episodes. You can also now sign up to become a member and buy Awareness Angle merchandise. We've got new items coming to the store in the coming weeks, so keep your eyes peeled. Check out the site at riskycreative.com.

🎧 Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube

SANS Security Awareness Summit - A Different Remote Experience

          🎙️ Live From Chicago...

          This week, Ant will be bringing the energy of the SANS Security Awareness Summit straight to you with two live LinkedIn broadcasts direct from the community area in Chicago.

          On Thursday, 14th August and Friday, 15th August (12:15–13:30 Chicago time, 18:15–19:30 UK), he'll be chatting with awareness professionals, vendors and other attendees to capture the buzz of the summit. You can already watch the official talks online, but these lunchtime lives will give you the conversations, atmosphere and insights from the floor, including the bits you don’t usually see.

          It’s a chance to meet some of the people driving change in the awareness space, hear what’s hot in the industry right now and maybe even spot some of our new podcast merchandise making its debut.

          Register for the live streams below:

          Thursday's Event - https://www.linkedin.com/events/7359692338895503361/
          Friday's Event - https://www.linkedin.com/events/7359693582628196353/

          Online Safety Act or Privacy Risk?

          Watch the discussion - https://youtu.be/c9CzNOszjxI?t=248

          Under the UK’s new Online Safety Act, people now have to verify their age to use platforms like X, Reddit and Bluesky. That means millions are handing over biometric data, ID documents and even financial information to third-party companies outside the UK. Many of these firms have poor or unknown privacy track records, and some have ties to controversial figures or former intelligence officers.

          Critics warn there’s no public oversight, no register of approved providers and no enforced privacy standards. The result is a system where your most sensitive data could end up in the hands of the cheapest bidder, stored in a country with weaker protections, with little way to know if it will ever be deleted. For most users, the choice is stark. Share the data or accept a censored internet.

          A big thank you to Matt Gordon-Smith for messaging us and raising this point! Ant meant to give a shout-out in the episode but forgot!

          Read more - https://bylinetimes.com/2025/07/31/the-online-safety-act-is-forcing-brits-to-hand-over-personal-data-to-unregulated-overseas-corporations-with-questionable-privacy-records/

          ∠The Awareness Angle

          • Privacy by Compulsion – UK users are being forced to give facial scans, passport details and other sensitive data to unregulated foreign companies to access mainstream platforms.
          • Trusting the Untrustworthy – Some providers have a history of breaches or links to surveillance groups, with vague privacy policies that allow data reuse and AI training.
          • No Real Oversight – Without approved provider lists or mandatory standards, platforms can choose cost over safety when it comes to handling user data.

                                  Microsoft Recall Still Spying on Your Screen

                                  Watch the discussion - https://youtu.be/c9CzNOszjxI?t=587

                                  Microsoft’s Recall feature on Copilot+ PCs is still capturing sensitive information, despite the company’s promises and new security filters. Tests by The Register showed that Recall can record credit card numbers, usernames and passwords if they appear on screen without obvious labels. Once saved, these screenshots can be accessed by anyone with the device’s PIN, even via remote access tools, which undercuts Microsoft’s security claims.

                                  While Microsoft encrypts Recall data and ties access to Windows Hello, these measures are undermined by weak entry points like PIN access. Critics warn that the feature poses a significant privacy risk for everyday users, especially those in vulnerable situations. With Recall still in testing but expected to roll out widely, there are growing concerns it could quietly become the default on millions of devices before its flaws are fixed.

                                  Read more - https://www.theregister.com/2025/08/01/microsoft_recall_captures_credit_card_info/

                                  ∠The Awareness Angle

                                  • Security Bypassed by Simplicity – Encryption means little if someone can unlock Recall with just your PIN, locally or remotely.
                                  • Sensitive Data Still Slipping Through – Credit cards, passwords and other personal info are still being stored, showing Recall’s detection logic is far from reliable.
                                  • Privacy Implications for Vulnerable Users – Once captured, private moments and personal data are permanently logged with little control over what’s kept or shared.

                                                  No MFA, No Coverage: Hamilton’s Costly Cyber Mistake

                                                  Watch the discussion - https://youtu.be/c9CzNOszjxI?t=892

                                                  In 2024, the City of Hamilton was hit by a ransomware attack that paralysed 80% of its systems. Hackers demanded $18.5 million, which the city refused to pay. Recovery costs have since exceeded $20 million and will continue into 2026.

                                                  City officials expected their $5 million cyber insurance policy to soften the blow, but the claim was denied. The reason? Many departments had failed to implement multi-factor authentication (MFA), a requirement clearly stated in the policy. Staff resistance to MFA slowed its rollout, and the insurer cited the lack of it as a “root cause” of the breach. Despite the scale of the incident, no individuals have been held accountable, leaving residents to foot the bill.

                                                  Read more - https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713

                                                  ∠The Awareness Angle

                                                  • MFA Neglect Has Real Costs – Ignoring a basic security control didn’t just make the attack possible. It also voided insurance coverage.
                                                  • Resistance to Security = Vulnerability – Internal pushback left critical systems exposed, showing that security culture matters as much as technology.
                                                  • Accountability Gap – Leadership indecision and lack of ownership can multiply the damage from cyber incidents, both operationally and financially.

                                                                  Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!

                                                                  This Week's Discussion Points...

                                                                  • UK Online Safety Act, age verification & privacy risks
                                                                  • Microsoft Recall still capturing sensitive data
                                                                  • City of Hamilton ransomware & MFA insurance refusal
                                                                  • Proton launches free cross-platform authenticator app
                                                                  • “Ghost store” scams selling fake weight-loss treatments
                                                                  • Calls to vet YouTube ads like TV ads
                                                                  • Google Salesforce breach via vishing, ShinyHunters
                                                                  • Pandora cyberattack & possible ShinyHunters link
                                                                  • WhatsApp deletes 6.8m scam accounts
                                                                  • North Korean IT workers funding regime

                                                                  📬 Subscribe to the Newsletter

                                                                  https://www.riskycreative.com

                                                                    Instagram’s New Location Feature

                                                                    Watch - https://youtu.be/c9CzNOszjxI?t=3872

                                                                    Instagram has added a location-sharing feature in the inbox that can show your followers where you last posted from. If location permissions are on, this might be enabled by default.

                                                                    That might sound harmless, but think about it! The people who follow you on Instagram aren’t always close friends. They could be old acquaintances, casual contacts, or even people you barely know. Do you really want all of them to know your current or recent location?

                                                                    How to switch it off

                                                                    1. Open Instagram and go to your Inbox.

                                                                    2. Tap the pin/Friends Map banner above Notes.

                                                                    3. Select Location settings.

                                                                    4. Turn off Share location and Show on map. If you see Visibility, set it to No one.

                                                                    For extra privacy, you can also remove Instagram’s location permission in your phone’s settings.

                                                                    ⚠️ Some users report this feature may not be available in the UK or EU yet, but it’s worth checking so you’re ready if or when it arrives.

                                                                    ∠The Awareness Angle

                                                                    • Assumed Trust – Just because someone follows you on Instagram does not mean you want them to know where you are. Location sharing blurs the line between friendly connection and personal exposure.
                                                                    • Default On, Default Risk – If you have location permissions enabled, this feature may be switched on without you realising, making it easy to overshare.
                                                                    • Check Before It Spreads – Even if it is not live in your region yet, keep checking your settings so you will not be caught off guard when it rolls out.

                                                                          Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
