January 12, 2026

Cybersecurity news roundup January 12, 2026

San Mateo, CA, January 12, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Employees bypass corporate controls through personal AI accounts

The rapid adoption of generative AI tools in the workplace is driving a sharp increase in cybersecurity and data governance risks, as employees continue to rely on personal AI accounts outside corporate controls. According to Netskope’s 2026 Cloud and Threat Report, 47 percent of workers using generative AI at work do so through personal accounts such as ChatGPT, Google Gemini, and Microsoft Copilot, limiting organizational visibility and enforcement. As AI usage scales, data exposure risks are accelerating, with prompt volumes rising far faster than user counts and sensitive data increasingly shared. Netskope reports an average of 223 generative AI data policy violations per month per organization, with the most active users seeing more than 2,000 incidents monthly. “The combination of the surge in data policy violations and the high sensitivity of the data regularly being compromised should be a primary concern for organizations that haven’t taken initiatives to bring AI risk under control,” said Netskope. Read more.

OpenAI creates a separate, locked-down mode for health data

OpenAI has announced the launch of ChatGPT Health, a dedicated, sandboxed experience designed for health and wellness conversations. The new feature allows users to connect medical records and wellness apps, such as Apple Health, MyFitnessPal, and Peloton, to receive tailored insights into lab results, nutrition, and fitness. OpenAI says Health operates in a silo with purpose-built encryption, isolated memory, and strict data controls, ensuring health conversations are not used to train models or influence non-health chats. Users are prompted to switch to Health for added protection when discussing medical topics, and connected apps require explicit consent and an additional security review. The company emphasized that the tool is meant to support, not replace, medical care, following criticism and lawsuits facing AI health features across the industry. Read more.

California introduces one-click deletion requests for data brokers

California has rolled out a new platform designed to simplify how residents limit data brokers’ ability to store and sell their personal information. The Delete Requests and Opt-Out Platform, known as DROP, implements the 2023 Delete Act by allowing verified California residents to submit a single deletion request, which is automatically sent to all registered data brokers, now numbering more than 500. While residents have had opt-out rights since 2020, the process previously required contacting each broker individually. Under the new system, brokers must begin processing requests in August 2026 and have 90 days to comply and report back. The law applies only to third-party data brokers, not to companies that hold first-party data, and exempts certain public records. Regulators say the tool can reduce “unwanted texts, calls, or emails” and also decrease the “risk of identity theft, fraud, AI impersonations, or that your data is leaked or hacked.” Read more.

Malicious PowerPoint files can trigger full system takeover

CISA has issued a critical alert about a code-injection vulnerability in Microsoft PowerPoint that allows attackers to execute arbitrary code via malicious presentation files. Tracked as CVE-2009-0556, the flaw stems from improper handling of OutlineTextRefAtom objects, where invalid index values can trigger memory corruption and enable code execution under the user’s privileges. Classified as CWE-94, the vulnerability requires minimal interaction; exploitation occurs simply by opening a crafted PowerPoint file. This exposes organizations to full-system compromise, data theft, and lateral movement across the network. CISA added the flaw to its Known Exploited Vulnerabilities Catalog on January 7, 2026, setting a remediation deadline of January 28, 2026. The agency urges immediate patching, adherence to BOD 22-01 guidance, and discontinuation of vulnerable PowerPoint versions where fixes are unavailable. Read more.

Low-cost Android TVs hijacked at massive scale

A massive Android-based botnet known as Kimwolf, linked to the Aisuru network, has grown to more than two million infected devices, according to new research from Synthient. Attackers target low-cost smart TVs and streaming boxes, many of which are compromised before purchase, giving criminals access minutes after devices go online. The network has been used to launch record-setting DDoS attacks peaking at 29.7 terabits per second, Cloudflare reported. Researchers found the highest infection rates in Vietnam, Brazil, India, and Saudi Arabia, with roughly 67 percent of devices lacking basic protections. Kimwolf operators monetize the network by renting residential bandwidth, installing apps via the Byteconnect SDK, and offering DDoS-for-hire services. Despite a December 28 security fix, millions of devices remain infected. Read more.

A new job listing for an “AI Answers Quality” role shows that Google is actively hiring engineers to verify and improve AI Overviews in Google Search. The position sits within the Google Search team and focuses on delivering accurate responses to complex queries across search results pages and AI Mode, according to the listing. This is the clearest signal yet that Google recognizes its AI responses remain unreliable, even as they are pushed more aggressively into core products like Search and Discover. While AI Overviews have improved compared to early versions, contradictions, fabricated data, and weak sourcing remain common. These flaws matter because users often treat Google results as authoritative, even when citations do not support the claims being shown. Read more.

Wegmans discloses in-store facial recognition use

Wegmans has begun posting warnings in select New York City stores informing shoppers that biometric data, including facial recognition scans, may be collected and stored while they shop. Signs recently appeared at Brooklyn and Manhattan locations, stating that the technology is used to protect customer and employee safety and may include facial recognition, eye scans, or voiceprints. While the Rochester, New York-based chain says only facial recognition data is currently stored, it declined to disclose retention periods. The move follows a 2024 pilot that previously promised not to save shopper data. A 2021 New York City law requires disclosure of biometric collection, though enforcement is limited. Critics point to bias risks, citing past Federal Trade Commission findings of facial recognition misuse by other retailers. Read more.

Cyberattack halts Jaguar Land Rover production and sales

Jaguar Land Rover is dealing with the fallout from a major cyberattack that disrupted operations between September and November, sharply hitting sales and production. In a January 5 financial statement, parent company Tata Motors reported a 25.1 percent year-on-year decline in third-quarter retail sales, with 79,600 vehicles sold. Wholesale shipments fell further to 59,200 units, down 43 percent, following production halts across all factories in September. The Cyber Monitoring Centre called the incident the most economically damaging cyber event to hit the United Kingdom, estimating £1.9bn in losses and impacts across more than 5,000 organizations. Additional pressure came from U.S. tariffs, which weakened demand in North America, Europe, China, and the UK, and from the phaseout of older Jaguar models ahead of its electric reboot. Read more.

LastPass vault data still enables crypto theft years later

A major data breach at password manager LastPass in 2022 has enabled hackers to steal millions in cryptocurrency years later, according to new findings from TRM Labs. The blockchain analytics firm said exposed backups of roughly 30 million password vaults created long-term risk, allowing attackers to slowly decrypt vaults protected by weak master passwords and quietly drain digital wallets over time. TRM identified at least $28 million stolen between 2024 and early 2025, followed by another $7 million in September 2025, though it warned that this likely represents only a fraction of total losses. Both theft waves converged on Russian cryptocurrency exchanges and infrastructure. Despite the use of CoinJoin anonymization, analysts applied demixing techniques to link deposits and withdrawals, identifying Russia-based operational control behind the activity. Read more.

NordVPN says leaked Salesforce data came from test systems

NordVPN has denied claims that its internal Salesforce development servers were breached after a threat actor allegedly stole more than 10 databases containing API keys and Jira tokens. The company said the leaked material originated from a temporary third-party automated testing environment that contained only dummy data used during a vendor trial months earlier. According to NordVPN, the environment was isolated, never connected to production systems, and did not include real customer information, business data, source code, or active credentials. The VPN provider stated that the exposed schemas and API tables were artifacts of the test setup and confirmed it had never signed a contract with the vendor in question. While the incident was described as a false alarm, the company referenced its 2019 server breach as context for subsequent security investments, including a bug bounty program, third-party audits, and a transition to RAM-only servers. Read more.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
