It’s time once again for your weekly dose of infosec news, where I apply my experience as a PCMag managing editor to offer context on the best security-related stories we covered this week, along with some interesting outliers you might have missed.
It’s no secret that everyone wants your data, from companies looking to make money from it to governments that want to surveil their citizens. That means it’s worth paying attention when security tools come under attack. For example, encryption has long been a target for governments looking for ways to break into private data, and now VPNs, which encrypt your internet traffic and can obfuscate your physical location, are also under fire.
In the UK, the Prime Minister’s office is looking for ways to impose age requirements on VPNs, which, ironically, defeats their entire purpose of keeping who you are and what you’re doing safe from prying eyes, whoever may be watching. After all, VPN providers pride themselves on retaining as few records as possible about their customers, and the best VPNs keep virtually nothing, thereby ensuring their users’ privacy. If governments force them to keep records, like a user’s age or identity, well, you see how that could be a problem.
This isn’t the first time the UK government has taken aim at VPNs. Last year, the UK’s Children’s Commissioner floated a similar proposal. After the UK passed the Online Safety Act, users flocked to VPNs to bypass having to turn over their IDs, face scans, or other data to major platforms, so it’s natural that the government would try to do something about it.
Meanwhile, in Spain, La Liga, a Spanish football league, reportedly secured a court order against NordVPN and Proton VPN, forcing them to block access to sites that allegedly stream live games. The trouble, however, is that both companies say they were never notified of the lawsuit in the first place, which casts doubt on the legitimacy of the order. Watch this space; in the fight to protect your data, VPNs might just be the new frontline.
Also this week, we reported on an exposed database on the open web containing over a billion Social Security numbers and other sensitive data, such as passwords, that could be used for identity theft. How did it get there? The researchers who discovered it aren’t sure, but note that either a hacker or an “amateurish threat intelligence vendor” (short for “someone who doesn’t know what they’re doing”) is probably responsible.
Finally, you didn’t think you’d get through this week’s security roundup without another AI-related security problem, did you? Wrong. Researchers at antivirus firm ESET discovered a new Android malware called PromptSpy that uses Google’s Gemini to collect data from infected devices. They note that this is the first time they’ve seen malware use generative AI in its execution flow, which isn’t exactly a good sign for future, more complicated malware.
Fraudster Hacked Hotel System, Paid 1 Cent for Luxury Rooms, Spanish Cops Say
Listen, I know that when you can see the ins and outs of a system, it can be tempting to use your powers for evil, or at least for your own benefit. But you shouldn’t, because at the end of the day, the house always wins, and here’s an example.
According to reporting by The Register, a hacker broke into a hotel booking website and reserved luxury hotel rooms that would normally cost thousands of dollars per night for about 1 cent each. To boot, he raided the minibars during his stays, and sometimes failed to settle those tabs. When he was arrested, he had just wrapped up a four-night stint at a hotel that would normally cost €4,000 (about $4,716); he paid only a few pennies.
The scam worked because the 20-year-old in question used an online booking site to pay for the reservations up-front, but then changed the payment validation system to process much less than the hotel would normally have received for the reservation. The hotel in question says he repeated his essentially free luxury stays several times, resulting in a loss of more than €20,000 (about $23,608) for the hotel, when you consider both the market rate for the rooms he stayed in and the minibar fees (so take that part with a grain of salt). That’s not to excuse his actions, of course—he might have gotten away with it if the booking site he used hadn’t notified the hotel that something was amiss.
South Korea Slaps $25M Fine on Dior, Louis Vuitton, Tiffany Over Salesforce Breach
Remember that massive Salesforce breach last year, the one that saw hackers make off with data from over 300 companies? Well, the fallout continues. This week, South Korea’s Personal Information Protection Commission, the country’s data protection regulator, fined LVMH, the parent company of luxury brands including Tiffany, Louis Vuitton, and Dior, $25 million for failing to properly secure customer data. According to Security Affairs, Dior will pay about $8.4 million after losing almost 2 million customer records in a voice phishing scam, and Tiffany will pay $1.6 million after losing customer data on 4,600 people thanks to malware on employee devices that leaked the data. The biggest fine of the group goes to Louis Vuitton, which will pay $15 million after losing 3.6 million people’s data in a similar malware-based attack.
This isn’t the first time hackers have successfully breached luxury retailers, either. Since malware is big business now, the hacks go where the money is, and last year, we reported on a similar breach at Kering, parent company of Gucci, Yves Saint Laurent, and Balenciaga.
You Can Jailbreak an F-35 Just Like an iPhone, Says Dutch Defense Chief
This story isn’t so much a security warning, since I highly doubt most of you reading this have access to an F-35 Lightning. But The Register reports that Gijs Tuinman, the State Secretary for Defense of the Netherlands, recently told BNR (Dutch-language news radio) that because the F-35 is such a shared project, with components manufactured and developed in multiple allied countries, it can be jailbroken like an iPhone if the countries that have the jets in their arsenals would like to upgrade them on their own.
Aside from the amusing notion of connecting an F-35 to a PC and jailbreaking it so you can sideload your own applications to it, the reality here is that if European countries would like to service and upgrade their F-35 squadrons without the help (or necessarily approval) of American defense authorities, it’s technically possible for them to do so. And considering geopolitical tensions between the United States and Europe, it’s a signal that countries may buy American military hardware, but they’re not necessarily wedded to the US to maintain and manage it.
Neither the US government nor Lockheed Martin, which manufactures the F-35, responded to The Register for comment. That said, as with most hardware (especially hardened systems like military hardware), before anyone can do anything, they need both significant knowledge and physical access, so don’t worry about hacked jet fighters anytime soon.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
