Conduent and Figure Breaches Signal Transparency Crisis [Prime Cyber Insights]

[00:00] Aaron Cole: Welcome to Prime Cyber Insights. [00:02] Aaron Cole: We're opening today with a pretty grim outlook on transparency. [00:06] Aaron Cole: The Identity Theft Resource Center says corporate disclosure is on life support, [00:11] Aaron Cole: even as data compromises surged 79% over the last five years. [00:16] Aaron Cole: We are seeing this play out right now with two massive stories, the Conduant Breach, which might be the largest in U.S. history, and a major data leak at FinTech Giant Figure Technology. [00:28] Chad Thompson: It's a heavy start, Aaron. To help us navigate these layers, joining us today is Chad Thompson, who brings a systems-level perspective on AI and security, blending technical depth with creative insight from engineering and music production. Chad, welcome. [00:45] Chad Thompson: Before we dive into the technicals, the conduit numbers are just staggering. [00:51] Chad Thompson: Oregon and Texas alone are reporting over 14.5 million people affected, [00:57] Chad Thompson: with medical data and social security numbers exposed. [01:00] Lauren Mitchell: Lauren, it's great to be here. [01:03] Lauren Mitchell: The conduit situation is a textbook case of systemic risk. [01:08] Lauren Mitchell: Hackers were in their network for 84 days. [01:11] Lauren Mitchell: When you serve half the Fortune 100, that kind of dwell time translates to a catastrophic blast radius. [01:18] Lauren Mitchell: We're not just looking at a breach, we're looking at a three-month window where [01:21] Lauren Mitchell: sensitive government and medical data was essentially an open book. [01:26] Aaron Cole: And figure technology isn't faring much better. [01:29] Aaron Cole: Troy Hunt confirmed nearly a million unique emails were exposed [01:34] Aaron Cole: after the Shiny Hunters Group posted 2.5 gigabytes of data. [01:39] Aaron Cole: Lauren, the ITRC report says attackers are shifting away from mega breaches toward these [01:46] Aaron Cole: targeted attacks on high-value repositories. [01:50] Aaron Cole: It makes the lack of corporate transparency even more dangerous for the individuals whose [01:55] Aaron Cole: data is being repackaged for scams. [01:58] Chad Thompson: Exactly. [01:59] Chad Thompson: And that repackaging is exactly what we're seeing with taxis and scams. [02:04] Chad Thompson: Criminals are using records from as far back as 2021 to personalize IRS impersonations. [02:11] Chad Thompson: But even as we secure the perimeter, the tools we use are failing us. [02:16] Chad Thompson: Microsoft confirmed bug CW1226324. [02:21] Chad Thompson: where Copilot was summarizing confidential emails despite data loss prevention policies being in place. [02:29] Chad Thompson: Aaron, this hits right at the heart of Enterprise Trust and AI. [02:33] Lauren Mitchell: That Copilot bug is significant because it bypassed intentional security labels. [02:39] Lauren Mitchell: It's not just Microsoft either. [02:41] Lauren Mitchell: Researchers at Endor Labs just found six vulnerabilities in the OpenClaw AI assistant, including SSRF and authentication bypass flaws. [02:53] Lauren Mitchell: Traditional security tools are essentially blind to these LLM to tool flows. [02:57] Lauren Mitchell: We're building these incredibly powerful assistants on top of conversation states that aren't being properly audited for security boundaries. [03:06] Aaron Cole: It's a gap that threat actors are already exploiting. [03:09] Aaron Cole: Turning to the browser, Google just issued an emergency patch for the first Chrome Zero Day of 2026, CVE-2026-2441. [03:19] Aaron Cole: It's a high-severity CSS component flaw that was exploited in the wild before the fix was out. [03:25] Aaron Cole: Lauren, we've also got Apple fixing a sophisticated zero-day in their dynamic link editor that impacts everything from iPhones to Mac OS Tahoe. [03:35] Chad Thompson: The urgency to update is real, Aaron. [03:38] Chad Thompson: Beyond our personal devices, CISA is sounding the alarm on Honeywell CCTV products. [03:44] Chad Thompson: A critical vulnerability discovered by Suvik Kanda allows unauthenticated attackers to hijack accounts by simply changing the recovery email. [03:54] Chad Thompson: In a critical infrastructure setting, having your security cameras compromised is a worst-case scenario. [04:01] Chad Thompson: It's, you know, a missing authentication flaw that should not exist in 2026. [04:07] Lauren Mitchell: It speaks to the fragmentation we're seeing. [04:11] Lauren Mitchell: Look at the ransomware data from Searchlight Cyber, a record 7,458 victims last year, and 124 active groups. [04:21] Lauren Mitchell: Even though payments are down because victims are refusing to pay, the barrier to entry is lower because of AI. [04:27] Lauren Mitchell: Syndicates are fracturing into smaller, more agile cells, making them harder to track even as their individual success rate for social engineering increases. [04:37] Aaron Cole: Harder to track and less transparent. [04:40] Aaron Cole: That seems to be the theme of the year so far. [04:43] Aaron Cole: We've covered a lot of ground today, from the conduit record breaker to the foundational [04:48] Aaron Cole: flaws in our AI assistance. [04:50] Aaron Cole: Chad, thank you for joining us to break down these systems-level challenges. [04:55] Chad Thompson: Remember to check your browser versions and stay vigilant as tax season continues to ramp [05:00] Chad Thompson: up. [05:01] Chad Thompson: For more resources and the full technical breakdown, head over to pci.neuralnewscast.com. [05:08] Chad Thompson: We'll be back next week with more analysis. [05:11] Chad Thompson: Thanks for listening. [05:12] Chad Thompson: Neural Newscast is AI-assisted, human-reviewed. [05:16] Chad Thompson: View our AI transparency policy at neuralnewscast.com.