Jan 12, 2026
Subscriber Data Exposed and Hotels ClickFix Phished

This week on The Awareness Angle, it is a reminder of just how much data follows us around, and how often it ends up exposed in places we barely think about. From magazine subscriptions and radio stations holding millions of records, to healthcare providers, gas stations, and even space agencies dealing with serious breaches, the theme this week is scale, and how quickly it can spiral.

We look at incidents that were first reported as small, only to grow into hundreds of thousands or millions of affected people months later. We also dig into the way modern attacks blend into normal work: fake blue screens, booking emails, sideloaded apps, and even trusted security tools being used as a way in.

There is a longer view, too, with Equifax still discussing culture years after its breach, new government cyber plans taking shape, and insurers quietly spelling out what they will not cover when cyber incidents spill into the physical world.

It is a packed episode, full of practical lessons and uncomfortable reminders about trust, habit, and the digital footprints we all leave behind.

This week's stories...

Condé Nast breach and the risk hiding in forgotten subscriptions

Condé Nast is responding to a breach claim that could affect up to 40 million users across brands, including Vogue, GQ, Wired, and The New Yorker. An attacker using the name “Lovely” shared data samples allegedly taken from subscription systems and claimed to have access across multiple Condé Nast properties. The exposed information reportedly includes names, email addresses, usernames, phone numbers, dates of birth, and location data. According to reports, the attacker alleged they attempted to flag vulnerabilities before releasing proof, though Condé Nast disputes parts of that account and says it has taken steps to disable the accounts involved in the unlawful access.

During the discussion on the show, the focus was less on the headline number and more on how ordinary this type of data feels. Subscription accounts like these are often created years earlier and then forgotten entirely. They don’t feel sensitive or important, yet the data persists long after interest fades. That long-lived, low-attention data is what makes incidents like this so uncomfortable: it surfaces quietly and is easy to abuse without ever feeling like a major breach at the time.

The Awareness Angles

  • Subscription data is still valuable - names and email addresses alone can fuel phishing and scams
  • Forgotten accounts create blind spots - users move on while data remains
  • Proof leaks are rarely the end - small samples often point to wider exposure

European Space Agency breach shows even critical organisations aren’t immune

The European Space Agency confirmed a cyber incident that is now under criminal investigation, after attackers gained unauthorised access to parts of its internal IT environment. Reporting suggests a public vulnerability was exploited, with attackers claiming to have taken hundreds of gigabytes of internal files. ESA said mission-critical spacecraft operations were not affected, but the incident was serious enough to involve law enforcement and trigger a wider forensic review.

The discussion wasn’t really about whether ESA should be better protected; it was more about frustration. There was a sense that some things just shouldn’t be messed with at all. Space, like healthcare or charities, doesn’t feel like fair game. But that feeling clashes with reality. Attackers don’t draw ethical lines. If a vulnerability exists and remains open, it becomes an opportunity, regardless of how harmless or important the organisation feels.

The Awareness Angles

  • Attackers don’t respect boundaries - ethical lines don’t factor into targeting decisions
  • Unpatched weaknesses still get exploited - it only takes one open door
  • Sensitive data isn’t limited to operations - internal documents and partner information still carry risk

Fake blue screens are being used to trick hotel staff into installing malware

Hotels across Europe are being targeted by phishing emails that impersonate booking-related messages, often posing as reservation updates or cancellations. The emails lead staff to malicious pages that display a fake Windows blue screen and instruct users to follow recovery steps. Those steps involve running commands that install malware directly onto the system. It is a ClickFix-style attack, but disguised as a system failure rather than a security warning.

The conversation focused on how easy this is to fall into when it lands in the middle of a normal working day. Hotel staff deal with booking emails constantly, and fixing problems quickly is part of the job. When something looks technical and urgent, the instinct is to resolve it and move on, not stop and question whether it should be escalated. That pressure, combined with something that looks familiar, is what makes this technique effective.

The Awareness Angles

  • Urgency drives behaviour - fake system errors push people into fast decisions
  • Normal workflows lower scepticism - familiar-looking emails get less scrutiny
  • ClickFix keeps evolving - attackers rely on users to run the malware for them

ChatGPT Health raises the stakes for account security

OpenAI announced ChatGPT Health, a feature that allows users to connect medical records and wellness apps to their ChatGPT account. The company says the feature is not intended for diagnosis or treatment, and that connected health data won’t be used to train models. The goal, according to OpenAI, is to make responses more useful by grounding them in a user’s own health context.

The discussion wasn’t really about whether this is a good or bad feature; it was about concentration of value. On the show, the point was made that for many people ChatGPT is already a second brain. It holds questions, ideas, work context, and personal thinking. Adding health data into that mix means a single account can now represent a very complete picture of someone. That makes the impact of account compromise much higher than it used to be, even if the feature itself is well-intentioned.

The Awareness Angles

  • Accounts are becoming life hubs - more context means higher impact if compromised
  • Login security matters more than ever - strong MFA and recovery controls are critical
  • Convenience quietly expands risk - connecting data should always be a conscious choice

This Week's Discussion Points...

Condé Nast breach claims and subscriber data risk

Covenant Health breach grows to nearly half a million people

Tokyo FM breach highlights how radio stations hold vast listener data

US gas station operator breach exposes payment cards and ID data after delayed notification

European Space Agency breach placed under criminal investigation

Equifax says security culture is now built in, after one of the biggest breaches on record

Fake Blue Screen of Death attacks targeting hotel staff

HSBC blocks customers using sideloaded Bitwarden apps

OpenAI launches ChatGPT Health and raises questions about account value

UK government publishes new cyber action plan

And Finally... Cybersecurity Training That Ticks Boxes but Changes Nothing

We discussed NCSC's training for schools.

This week we talked about NCSC cybersecurity training being issued to school staff: a 36-minute video, stock slides, synthetic narration, no interaction, and no assessment. Everyone completes it, signs it off, and moves on. On paper, the risk is managed. In reality, very little of that content will be remembered when someone receives a real scam, a fake text, or a convincing phishing email. It is a familiar pattern in security awareness: training designed to satisfy a requirement rather than change behaviour. The problem is not that people do not care; it is that long, generic training delivered once a year does not reflect how threats actually show up in daily life.

The Awareness Angle

  • Completion is not protection - Watching a video does not mean someone can spot a scam under pressure
  • Relevance beats length - Five minutes of current, relatable examples beats 36 minutes of theory every time
  • Engagement is the control - If people do not remember it, it cannot protect them

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.
