Nov 24, 2025
WhatsApp Leak, Rail Hack and CCTV Horror Stories

This episode dives into the attacks and scams that show how fragile everyday systems really are. From a rail IT supplier leaking terabytes of data to CCTV cameras exposing maternity wards and a Google ad scam that fooled one of our own, it has been a busy week.

Luke and I break it all down in plain language. No drama. No jargon. Just what people need to stay safe at work and at home.

Watch or Listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.

Introducing Kindred Cyber and Kinsights

Last week, Ant launched Kindred Cyber, his new home for people-centred security work. One of the first things he is offering is Kinsights, a clear and honest look at how your culture is really doing. It cuts through noise, shows what is working, and gives you the actions that actually help people change their behaviour. If you want a sharper view of your awareness activities, Kinsights is where to start. Find out more at www.kindredcyber.com

Get in touch today for a chat!

The Breach Report

Italian rail supplier hit with a 2.3 TB data leak

Watch | Read

A hacker claims to have taken 2.3 TB of internal data from Almaviva, an IT supplier for Italy’s rail network. Technical docs, contracts, HR files, accounting data. The lot. It is unclear whether passenger data is included but the size and depth of the leak is heavy.

The Awareness Angle

  • Supply chains matter. Attackers often go for the vendor, not the main brand.
  • Structured data is gold. When the leak includes internal repos, it indicates deep access.
  • Reputation is fragile. Public sector contracts depend heavily on trust.

Salesforce customers impacted via Gainsight integration

Watch | Read

ShinyHunters are back. This time they appear to have used tokens from a previous breach to access Salesforce customers through a Gainsight integration. Salesforce revoked all tokens while they investigate. It is another reminder that synced tools can quietly open doors you thought were locked.

The Awareness Angle

  • Third parties expand the attack surface. OAuth connections are often the weak link.
  • Attackers reuse access for months. Once they have one foothold, they circle back.
  • Token hygiene matters. Organisations need to audit old integrations more often.

One hundred and twenty thousand CVs leaked in Cornerstone Staffing ransomware attack

Watch | Read

Qilin claim to have stolen 300 GB of Cornerstone Staffing data, including 120,000 CVs and more than a million files with personal data and financial documents. CVs are a treasure trove for cybercriminals. Perfect for identity theft and targeted phishing.

The Awareness Angle

  • CVs expose everything. Skills, job history, phone numbers, home addresses.
  • Double extortion is standard now. Even if you recover systems, the leaks keep coming.
  • Threat groups move fast. Qilin have claimed almost one thousand victims since 2023.

A WhatsApp flaw exposed 3.5 billion phone numbers

Watch | Read

Researchers from the University of Vienna scraped almost the entire WhatsApp user base by hammering the contact lookup system. With no rate limits in place at the time, they pulled phone numbers, profile photos and bios in bulk. Phones, photos and names. All public metadata, just gathered at scale.

The Awareness Angle

  • Metadata is enough. Attackers do not need messages to target you.
  • Rate limits matter. Systems should never allow bulk lookups.
  • Phone numbers are weak identifiers. They are too easy to harvest.

The News

US, UK and Australia sanction Russian hosting companies linked to ransomware

Watch | Read

Media Land, a well known bulletproof hosting provider, has been sanctioned for enabling ransomware gangs including LockBit and Evil Corp. It is part of a coordinated effort to choke off the infrastructure these groups rely on.

The Awareness Angle

  • Hitting infrastructure hurts. Without servers, campaigns slow down.
  • International coordination is improving. Sanctions across three nations is a strong signal.
  • Enablers are in scope. Not just the hackers, but the support systems.

Twitch banned for under sixteens in Australia

Watch | Read

Australia’s new social media rules now include Twitch. Under-sixteen accounts must be blocked or closed. Platforms face huge fines if they do not comply.

The Awareness Angle

  • Livestreaming now equals social media. Regulators are treating them the same.
  • Age verification is coming. Likely ID checks or face recognition in future.
  • The internet is shifting. Young users will move to lesser known platforms.

Hackers sell maternity ward CCTV footage online

Watch | Read

Fifty thousand CCTV systems across India, including maternity hospitals, schools and homes, were hacked using default passwords and weak setups. Footage was sold on Telegram for as little as nine dollars. Eight people were arrested.

The Awareness Angle

  • Default passwords remain a massive problem.
  • CCTV needs proper security just like any other device.
  • Real people suffer real harm. The victims here were at their most vulnerable.

Teenagers plead not guilty in the London Transport cyber attack

Watch | Read

Two teenagers linked to Scattered Spider have pleaded not guilty after the TfL attack that disrupted systems and forced identity checks for every staff member. The trial is set for June 2026.

The Awareness Angle

  • Critical infrastructure is under constant pressure.
  • Younger attackers are being recruited and guided by bigger groups.
  • Legal cases like this take years to resolve.

Awareness Awareness

CIISec Live is this week

Ant is heading to the Chartered Institute of Information Security CIISec Live at Heathrow for a QI style session blended with a Who Wants to Be a Millionaire format. The question we are answering is simple. How do we actually change behaviour and culture in cyber?

If you are in engagement, training or human risk, the event is worth your time. https://www.ciisec.live/

This Week’s Topics From Us

Watch the topics section

1. The social engineering trick that asks for your phone’s unlock code

A WhatsApp-style scam screenshot has been doing the rounds. It shows how easy it is for someone to ask for your phone’s passcode under the guise of returning a lost phone. Simple but effective. Real or not, it's a useful reminder.

2. The AI data leak problem is getting worse

A developer posted 200 customer records straight into ChatGPT to debug a SQL query. No policy prevented it. No DLP caught it. The browser made it invisible. Everyone is facing this problem and policy alone is not enough. Engagement matters.

3. Sponsored Google ads strike again

Luke shared a real example after someone booked flights through a sponsored Google search result. A convincing fake site, Airpaz, took the booking and the card details. Thankfully the bank stopped it. The Trustpilot reviews for Airpaz tell the full story and they are not pretty.

The Awareness Angle

  • Sponsored does not mean safe.
  • Fake sites look perfect now.
  • Always check the URL before entering details.

Subscribe to the Newsletter

riskycreative.com

And finally… a quick reminder for Black Friday

If you buy any connected tech this week, especially cameras, doorbells or baby monitors, change the default passwords immediately. Cheap devices often come with weak security. A few minutes of setup can prevent a painful story later.

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.
