This week... A secret camera was found in a ceiling tile inside a UK government building. Not just any building. The one that signed off on China's new mega-embassy in London. Nobody knows who put it there. Nobody knows how long it had been recording. Nobody knows what conversations were picked up in the corridors outside meeting rooms. At this point, as one MP put it, you have to assume everything was compromised.
ShinyHunters have been busy again. They used an Oracle zero-day so severe it scored 9.8 out of 10 to breach the University of Nottingham and over 100 other organisations, two thirds of them universities, before Oracle had even issued an advisory. The Nottingham data includes passport numbers, National Insurance numbers, disability information and financial records for 455,000 students and alumni. The data is already public.
And someone worked out that you can post a completely fabricated data breach notice to Maine's official government portal and it goes live instantly, no verification, no checks. The Register reported one as fact. The company named had never been breached.
All of that and a whole bunch more on this week's The Awareness Angle.
Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts
Visit riskycreative.com for past episodes, our blog, and our merch.
Official Media Partner of the SANS Security Awareness & Culture Summit 2026
See Ant in person in Las Vegas. (He's not performing on the strip; no one needs to see that.)
Risky Creative is the official media partner of the SANS Workforce Security & Risk Training Security Awareness Summit in Las Vegas this August.
Ant will be there in person across both days - streaming live conversations, interviewing practitioners on the floor, and giving remote attendees access to what's happening at the summit in a way that hasn't really been done before. Last year he did some interviews. This year it's going to be bigger. We want to hear from the people in the room - what they're working on, what's changing in their programmes, what they're taking away.
If you're attending remotely and want to get your voice into the summit floor, there'll be an opportunity for that too. More details coming very soon.
Breach of the Week
ShinyHunters Breach University of Nottingham via Oracle Zero-Day
The University of Nottingham confirmed on 10 June that ShinyHunters accessed a significant amount of data from its student record system. Have I Been Pwned flagged around 455,000 unique email addresses from the leaked dataset. The stolen data includes names, home addresses, phone numbers, dates of birth, course information, university IDs, National Insurance numbers, ethnicity, disability information, passport numbers and financial records. Nottingham reportedly refused to pay. The data is now publicly available in a 19GB archive. The breach also affected the university's campuses in Malaysia and China.
This wasn't a one-off. ShinyHunters used the same Oracle PeopleSoft vulnerability, rated 9.8 out of 10 for severity, to hit over 100 organisations across approximately 300 servers before Oracle had even issued a security advisory. Around two thirds of the victims were universities. Google's Mandiant team confirmed the campaign and has been notifying affected organisations directly.
If you or anyone you know studied at Nottingham, check haveibeenpwned.com now. And bear in mind this data does not expire. National Insurance numbers and passport numbers do not change. What was leaked this week will still be usable for fraud in five years.
- Check Have I Been Pwned now - If you or anyone you know studied at Nottingham, go to haveibeenpwned.com and enter your email address. It takes ten seconds and will tell you whether your details appeared in this breach.
- This data does not expire - People assume a breach stops being dangerous once the news cycle moves on. It does not. National Insurance numbers, passport numbers and dates of birth do not change. The data leaked this week will still be usable for fraud in five years.
- Universities hold far more about you than you probably realise - Your bank knows your finances. Your GP knows your health. But your university often holds both, plus your home address, your disability status, your ethnicity, your immigration status and your payment history. That makes them a very attractive target.
This week's stories...
Hidden Camera Found in the Whitehall Building That Approved China's Mega-Embassy
A hidden camera was found in a ceiling tile at 2 Marsham Street in London, the building that houses the Home Office and the Ministry of Housing, Communities and Local Government. It is also the building that approved China's new mega-embassy at the former Royal Mint site in east London, which is what makes this one so hard to shake. The device was in a communal area. No link to any foreign state has been established. And nobody knows who put it there, how long it had been recording, or what it captured.
Luke made the point on the episode that you don't really think about physical devices being planted outside of a movie, and he is right, it does feel very Hollywood. But Ant picked up on the detail that really matters here, which is that this camera was in a ceiling tile. It was not tucked behind a plant pot as an afterthought. Somebody installed it. And while a communal area sounds harmless enough, think about what actually gets said in those spaces. People come out of a meeting and immediately start talking about how it went, whether the other side is going to bite, what they really thought. Loose lips sink ships, as the old wartime line goes. The unguarded stuff said in the corridor is often more revealing than anything in the meeting itself. The Shadow Chancellor has called for a full investigation, and as he put it, we urgently need to know who was responsible, how long the device was there, and whether anything sensitive was compromised. Right now the honest answer to all three is that nobody knows.
- Physical surveillance is real and it does not look like a hacker - A camera in a ceiling tile can sit there for weeks or months quietly capturing conversations, faces, keycards and whatever is on screen, and nobody has to type a single line of code.
- Communal areas are the weak spot - They feel low risk, so they are the first thing overlooked in a security sweep. That is exactly what makes them valuable to whoever planted this.
- No link established does not mean no risk - That phrase is doing a lot of work. It means nothing has been confirmed yet, not that there is nothing there to find.
Someone Filed Fake Data Breach Notices on Maine's Official Portal. Nobody Checked.
Maine's breach notification portal is the most cited public breach database in the US, mostly because Maine has some of the strictest notification laws in the country. If you have listened to the show for a while, you will have heard Ant and Luke reference it almost every time a US breach comes up. The natural assumption is that when something lands on there, it has been checked. It hasn't. Anyone can fill in the form, and it goes live straight away.
Two completely made-up filings appeared this week. The first claimed VRChat had been breached and 2.4 million users' data was exposed, and it came complete with a named employee and a tidy little incident timeline. The Register, which is about as trusted and long-standing as cybersecurity publications get, ran it as fact. As Ant said on the episode, that is the real power of this portal. When you see something there, you believe it. VRChat later confirmed the named employee does not even exist and no breach ever happened. The second filing claimed Discord had been hit, affecting 10 million people, and this one was held together with a Gmail address for contact, a placeholder phone number, and a notification date of January 1st, 2000. Ant summed it up nicely: this is not an AI hallucination, this is someone who sat down and deliberately filled it in, knowing full well it would publish instantly and that the press would pick it up before anyone thought to pick up the phone.
- Official looking does not mean verified - Government portals carry a built-in sense of authority. The information on them is only ever as trustworthy as the process behind it, and here there basically wasn't one.
- If you hear about a breach affecting a service you use, go to the source first - A quick check on the company's own website would have debunked both of these in seconds. One email to VRChat or Discord and the whole thing falls apart.
- Misinformation about breaches is its own kind of attack - You can wreck a company's reputation, spook millions of users and get yourself into the headlines without ever touching a single system.
Google Chrome Is Killing Ad Blockers. The FBI Says You Need One.
Chrome versions 150 and 151 strip out the last of the support for the extension system that uBlock Origin runs on. uBlock Origin is the best free ad blocker out there, and the thing worth understanding is that it does far more than hide adverts. It blocks trackers, malicious scripts, and a lot of the machinery used to push phishing pages and malware straight into your browser.
Back in December 2022, the FBI put out a public service announcement warning that criminals were impersonating brands through search engine ads to rip people off, and one of their actual recommendations was to use an ad blocking extension when searching the web. Ant flagged on the episode that we are now three and a half years on from that advice and the exact same scam is still running, which makes Chrome pulling ad blockers feel especially backwards. He also mentioned that his own business runs managed Chrome with a blocker built in, and that safety net is now going away for them like it is for everyone else. The way he put it stuck with us: Google have taken away the protection while also being the reason you needed it in the first place. He had a go at a seatbelt analogy, decided halfway through it was a terrible one, and moved on. It honestly wasn't that bad.
Brave and Firefox are both going to keep uBlock Origin working, so if Chrome is your browser, now is a good moment to think about switching. The one catch Ant flagged is that Riverside, the tool the show is recorded on, only runs in Chrome, so he is stuck there for the time being. Most people are not, so there is nothing stopping you making the move.
- The FBI literally recommended ad blockers - Their 2022 advisory listed using one as a way to protect yourself from criminals impersonating brands in search results. That guidance still stands, and Chrome removing the tool runs straight against it.
- Malicious ads are a real and very common way in - Criminals pay to place adverts in Google search that look identical to the real result. Without a blocker, those ads load and people click them, and it happens all the time.
- uBlock Origin Lite is not the same thing - There is a cut-down version called Lite that still works in Chrome, but its blocking is significantly weaker than the original. If you want the full version, you need a browser that still supports it, which means Firefox or Brave.
ServiceNow Admits Security Incident After Customer Data Was Accessed
ServiceNow is one of those platforms most people have never heard of but plenty of large organisations quietly run in the background for IT, HR and internal records. A misconfigured endpoint let unauthenticated users reach customer data they should never have been able to see. The part that raised eyebrows on the episode is the allegation that ServiceNow knew about the flaw back in April and, when a customer flagged it, support suggested closing the ticket and not worrying about it. If your employer uses ServiceNow, your data may have been sitting exposed for two months before anyone acted.
The FIFA World Cup Kicked Off This Week. So Did the Scammers.
Following on from last week, more than 10,000 World Cup themed malicious domains have now been registered since January, which makes the 30 figure quoted last week look rather quaint. Fake ticket sites, dodgy streaming links and scam merchandise stores are doing the rounds on WhatsApp, Telegram and Discord. Worth remembering that in the UK every match is free to air on BBC and ITV, so there is genuinely no reason to go near an illegal stream. And with fans travelling to unfamiliar places, QR codes are the one to watch, because nobody knows what normal looks like in a city they have never been to.
A Disgruntled Researcher Published Their Eighth Windows Zero-Day. This One Bypasses BitLocker.
A researcher going by Nightmare Eclipse has dropped a BitLocker bypass called GreatXML, which lets anyone with physical access to a machine get past the encryption entirely, as long as that machine has ever run a Microsoft Defender offline scan. The code is sitting on GitHub right now. What makes this one different is the motive: the researcher says it is deliberate retaliation against Microsoft for mishandling their previous disclosures, claiming the company left them homeless. Ant's instinct on the episode was the obvious one: why hasn't Microsoft just hired this person? Until this gets patched, the usual reassurance that BitLocker keeps a stolen laptop safe no longer fully holds.
Met Police Wants Apple and Samsung to Make Stolen Phones Useless
This one came onto Ant's radar through a LinkedIn post from Joe Tidy, the BBC's cyber correspondent and author of Ctrl+Alt+Chaos, who had been digging into the stolen device protections built into modern phones while researching the story and admitted he was genuinely impressed by how much is in there. The story itself is about the Met giving Apple, Google and Samsung a deadline to make stolen handsets genuinely unusable, that deadline passing, and the force now pushing the government for legislation. The numbers are stark: roughly 75% of phones stolen in London are shipped abroad, and of nearly 590,000 stolen between 2017 and 2024, under 14,000 ever made it back. Ant's takeaway echoed Joe's, that there is already a lot of protection sitting in both iPhone and Android, most people just have not switched it on. If you have an iPhone, Stolen Device Protection lives in Settings under Face ID & Passcode, and it is worth enabling today rather than the day after you get robbed.
Security Socials
Police Used ChatGPT to "Enhance" a Suspect Photo. It Made Up a Whole New Face
ChatGPT does not have the same skills as Deckard's Esper machine!
Green Cove Springs Police Department in Florida put out an appeal asking the public to help identify a man who took a bicycle from a library bike rack. Reasonable enough, except the photo they shared was not the actual CCTV footage. It was a still that someone had run through ChatGPT to "enhance," and the result was a confident, sharp, completely different human being. Ant has tried this exact trick on a grainy photo of his own son and ended up with what looked like a 48-year-old man rather than a nine-year-old boy, so he knew immediately what had happened. The comments did the rest of the work, with one person gently pointing out that the original was already low quality because someone had photographed the footage off a monitor rather than just exporting a frame from the video. This isn't Blade Runner. You cannot just say "enhance" and conjure detail that was never captured in the first place.
To their credit, the department listened. They later posted an update removing the AI image, explaining that making a positive identification using AI was never the intent and that they had simply been following suggestions from a previous appeal about using AI to clean up photos. They have gone back to the original footage, which is exactly where they should have started. The bike had a blue and black frame, the theft happened at the Green Cove Springs library on 26 May, and if you somehow know anything about a bicycle in Florida, they would still like to hear from you.