Tuesday Morning Threat Report: July 8, 2025
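Google fined $314 million for illegally collecting Android user data; Canada orders Chinese surveillance company Hikvision to cease operations; Verizon and T-Mobile customer data sold on the dark web; Ahold Delhaize data breach affects 2.2 million people; Cloudflare blocks AI crawlers from accessing websites; U.S. arrests individuals who helped North Korean IT workers obtain remote jobs; International Criminal Court hit by cyberattack; Germany asks for removal of the DeepSeek app; dam in Norway hacked; Swiss government data leaked due to ransomware; 600,000 WordPress sites at risk from a plugin vulnerability. 2025-7-8 07:51:29 Author: infosecwriteups.com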

Mark Maguire

Where the news is always bad, but the analysis is always good.

Image by Markus Spiske on Pixabay

Good morning everybody! Happy Tuesday!

Google is fined $314 million for surveilling Android users, and the International Criminal Court suffers a cyberattack. Let’s dive in!

This week’s biggest headlines. Analysis section below.

Google Fined $314M for Unauthorized Data Collection: Google has been fined $314 million for unlawfully collecting and misusing Android user data. The data was gathered without users’ knowledge and was used to target them with advertisements.

Europol Disrupts $540M Fraud Network: Europol’s Operation Borrelli led to the arrest of five suspects and disrupted a cryptocurrency investment fraud ring that laundered over $540 million from more than 5,000 victims worldwide.

Canada Orders Hikvision to Cease Operations: Canada has declared Hikvision — a Chinese video surveillance equipment manufacturer — a national security threat and has ordered the company to leave the Canadian market.

Chinese Hackers Target French Organizations: Chinese-linked hackers targeted organizations in France — including those in finance, telecommunications, and government — by exploiting zero-day vulnerabilities in products developed by Ivanti.

Verizon and T-Mobile Customer Data Sold on Dark Web: A file containing data on 61 million Verizon customers and 55 million T-Mobile customers has been listed for sale on a cybercrime forum. Despite this, both Verizon and T-Mobile deny experiencing a data breach.

Major U.S. Grocery Store Parent Company Breached: Ahold Delhaize, the parent company of U.S. grocery chains Giant, Hannaford, Stop & Shop, and Food Lion, experienced a data breach that exposed personal and medical information of 2.2 million employees and customers.

“Tollbooth” for AI Crawlers Unveiled: Cybersecurity company Cloudflare has started blocking AI web crawlers from accessing its customers’ websites. Going forward, Cloudflare says AI companies will need to pay publishers to crawl and use their website content.

U.S. Makes Arrests in Crackdown on North Korean IT Workers: Zhenxing Wang has been arrested for his role in identity theft and helping North Korean IT workers secretly obtain remote jobs with U.S. companies. He was involved in infiltrating more than 100 firms.

Analysis based on this week’s news and my experience in the industry. More headlines below in the Lower Echelon.

Work From Anywhere?: Towards the end of May, the Wall Street Journal ran a profile on Christina Chapman: an American who was helping North Korean IT workers scam U.S. companies. Chapman enabled these scams through her operation of a “laptop farm.” Because U.S. companies are banned from hiring North Korean employees, North Korean IT workers will use stolen identities of U.S. citizens and apply for remote positions. When they are hired, they need someone on the ground in the U.S. who their new employer can mail a corporate laptop to. Also, software needs to be installed on the laptop to allow the North Korean IT worker to remotely log in and control the laptop. Operators of “laptop farms” provide these services (for a fee) to the North Korean scammers. It is estimated that hundreds of Fortune 500 companies have unwittingly hired North Korean IT workers.

As the scale of this issue has come into focus, the U.S. government has begun cracking down on laptop farm operators. In 2024, a Nashville man was arrested for operating a laptop farm that allegedly helped thousands of North Koreans gain jobs at U.S. and U.K. firms. He faces up to 20 years in prison. The Wall Street Journal profile on Chapman mentioned that she faces up to nine years in prison. In this week’s news, it was announced that the Department of Justice had made additional arrests of laptop farm operators.

This issue is something that the government and CISOs will continue to focus on. While I am generally a fan of the flexibility that remote work provides, this is a strong case for the security benefits of requiring employees to come into the office. 2025 has felt like the year of “return to office” mandates, with 70% of companies having a formal policy in place requiring in-office time. As the threat posed by foreign adversaries exploiting remote work becomes more visible, the laptop farm phenomenon may lead to even more return-to-office mandates in the near future.

Interesting cybersecurity news that didn’t quite make the cut to be a top story.

Cyberattack on International Criminal Court: The International Criminal Court (ICC) reported that it was targeted in a sophisticated cyberattack. According to the ICC, the attack has been contained, and efforts are underway to minimize its impact.

Germany Tells Google and Apple to Ban DeepSeek: Germany’s data protection commissioner, Meike Kamp, has asked Google and Apple to remove the DeepSeek app from their app stores. Kamp claims that DeepSeek, a Chinese AI startup, illegally transfers user data to China.

Hackers Breach Dam in Norway and Open Water Valve: Hackers breached the control system of the Lake Risevatnet dam in Norway by exploiting a weak password. They used the compromised system to open a water valve.

Swiss Government Data at Risk Due to Radix Ransomware Attack: Radix, a non-profit public health education organization that counts the Swiss government among its clients, has suffered a data breach. While the number of affected individuals has not been disclosed, Radix stated that all victims will be notified.

Ransomware Hosting Service Sanctioned by U.S. Treasury: The U.S. Treasury has sanctioned Aeza Group, a Russian company that provides services to ransomware gangs. Three of Aeza’s owners and one affiliated individual have also been sanctioned.

Qantas Airlines Data Breach Impacts Millions: Qantas, a major Australian airline, confirmed that a data breach affecting third-party software used in its customer support operations exposed the personal information of up to 6 million customers.

Ransomware Gang Shutting Down?: Hunters International, a ransomware gang linked to over 250 attacks, announced they are shutting down and will provide free decryption keys to their victims. However, some experts suspect this move is merely a cover for rebranding under a new name.

600K WordPress Sites at Risk Due to Vulnerable Plugin: A critical vulnerability has been found in the Forminator WordPress plugin, which is installed on over 600,000 websites. The flaw allows unauthenticated attackers to delete files.


Article source: https://infosecwriteups.com/tuesday-morning-threat-report-july-8-2025-5111fbacf555?source=rss----7b722bfd1b8d---4