What is our right to digital privacy? Plus, public C.I.S.A. creds
Five Cyber Stories - May 24, 2026 - Issue 009
Welcome to the latest issue of Five Cyber Stories! If you’ve been with us since the beginning - first of all, thank you - you’ve probably noticed some trends in the stories we’ve highlighted. Many of these trends highlight some concerning vulnerabilities to America’s cyber-health. This week is no different. I'm bringing you stories ranging from our daily exposure to online threats that compromise our privacy, to healthcare’s ongoing ransomware crisis, to the state of C.I.S.A. and beyond.
Before we jump in, here's a quick link to subscribe if this newsletter was shared with you.
That said, here we go!

A (personal) plea for a standard of privacy (please)
An opinion: Part of my goal with this newsletter is to highlight some ways that seemingly hidden, digital issues affect our very real lives. But as part of writing this newsletter, I read a lot. Many of the stories I read feature cybersecurity but also digital surveillance. The two go hand-in-hand. Which leads me to the second goal of this newsletter: to go beyond just demystifying cybersecurity and give you some tools to think about the trends these stories showcase and consider what our collective response should be. What follows is an attempt at that. You might not agree with my conclusion. That’s fine - great even. I hope that doesn’t stop you from considering my perspective.
Let's start with digital surveillance. This week I've read stories about Congress moving forward with an amendment that would effectively ban automated license plate readers (A.L.P.R.s) and a separate article about the F.B.I. wanting to buy access to networks of A.L.P.R.s. Another article featured reporting on researchers proposing a study that would have strapped bodycams on preschool teachers to train A.I. (then canceling that proposal due to - I would argue pretty obvious - feedback). Meanwhile, if you’d like to read about people’s thoughts on intrusive surveillance by way of Flock cameras, you can read this article, or this blog, or maybe this one.
If you are trying to minimize your exposure to online surveillance, you might be interested to learn that the businesses collecting our data are using "opt-out" forms designed not to work ($). There's also this story ($) about evidence showing apps used to track employees' behavior sharing their data with Google and Meta.
And here is where the surveillance economy begins to bleed into our reasonable expectation of privacy. The company, Palantir, held an internal "Hack Week" ($) to add more "oversight tools" to products being sold to D.H.S.'s I.C.E. and C.B.P. in part to ease employees' concerns. Though not from this news cycle, this article ($) gives fuller context on the employees' worries related to privacy and civil liberties.

Now we properly dive into privacy: This past week, the telecom sector also shared its concerns about privacy while unveiling its newly formed C2 I.S.A.C., or Information Sharing and Analysis Center. The center will convene telecom firms AT&T, Charter, Comcast, Cox, Lumen, T-Mobile, Verizon and Zayo in order to share information about cyber vulnerabilities or strategies to protect against possible threats. Mark Clancy, Chief Security Officer at T-Mobile, described the advantages of creating the group separate from the government. "We could have a more freewheeling private-to-private conversation [and] we could distill the useful, important bits and push them … over to the government side," Clancy said in Cybersecurity Dive.
Importantly, F.O.I.A. requests only apply to government entities, not private I.S.A.C.s, meaning information about vulnerabilities and threats that affect real people won’t necessarily be accessible to real people. Meanwhile, the F.C.C. rescinded cybersecurity reporting requirements for telecoms — requirements that were instituted as a result of the China-backed Salt Typhoon hack, which "compromised" multiple U.S. telecom providers, likely with a broader goal of undermining American infrastructure, like water, energy and transportation services. Now that these reporting requirements have been removed, our government is relying more on voluntary collaboration between private actors, which are by nature less accountable to the people who could be affected by a cyberattack.
But that’s probably fine (this author writes sardonically), because the Cybersecurity and Infrastructure Security Agency (yes, C.I.S.A. again), which, as we’ve discussed, is responsible for maintaining cybersecurity across all levels of government, has become so wary of the security of our telecom systems that it has recommended moving away from using U.S. telecoms for secure communication, or at least adopting security steps that augment personal privacy. So maybe, just maybe, adopting systems that limit public awareness of the security policies within these telecom firms is not in the public interest.
On that note, Trump Mobile confirmed they were leaking customers' personal information after initial reporting from YouTubers coffeezilla and penguinz0.
These are just some of the stories from this week. I didn't have time to dig into the Electronic Frontier Foundation's report on "Tackling Arbitrary Digital Surveillance in the Americas", this story about the impact of deepfake nudes on an American high school, and I'm sure many other stories about digital privacy.
A Conclusion: We need a national, digital privacy law.
Since basically the beginning of this newsletter, I've written about related issues such as data brokers, self-surveillance, post-quantum cryptography's potential impact on privacy, Section 702 of F.I.S.A., smart glasses, I.C.E. smart glasses, Flock cameras, stalkerware, dental data hygiene, "anonymous" surveys, and baby monitors. This covers nearly every issue of Five Cyber Stories.
Week after week, I see the twin themes of digital privacy and surveillance in cybersecurity and tech coverage. It saturates our politics, and it endlessly finds its way into headlines. (See extensive list of stories from just this week.) Think about all the energy, time, and resources spent because of the uncertainty caused by the lack of national privacy norms.
I’m, of course, not the first to highlight the need for such norms. The Verge's Editor-in-Chief Nilay Patel touched on this when discussing the TikTok ban:
“The TikTok drama is framed around China, but when you drill down, it really has a lot to do with privacy law, or more specifically, the fact that the United States doesn't have one.”
Now you might ask, "Danny, what would a privacy law in the United States look like? What does our right to privacy look like in the digital age?" You might have First Amendment concerns, Fourth Amendment anxieties, or national security worries. Maybe all of the above. (Luckily) it's not my job to determine a national privacy law. It's the job of Congress, informed by civil society, experts and the needs and concerns of everyday Americans.
Yes, digital privacy is a complicated topic with many perspectives, but surely the U.S. Senate, which has been hailed as "the greatest deliberative body on earth," can arrive at a compromise that sets the nation on more solid footing. There is common ground to be had. I worry that Congress failing to arrive at a policy solution on this issue dooms the country to continue in this relentless loop of controversy and debate about Flock cameras, license plate readers, data brokers, F.I.S.A. extensions and more.
So, I say it again. We need a national, digital privacy law.
Agree? Disagree? I’d love to hear your perspective. As always, shoot me a note by replying to this newsletter.

Unable to reset fingerprints
Reporting from TechCrunch's Zack Whittaker
Here we go again: Zack Whittaker reported this week that NYC Health and Hospitals (N.Y.C.H.H.C.) had a data breach that started in November of 2025 and lasted until February 2026. The company stated in their press release about the incident that the following data was stolen:
"- Health insurance information (such as plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Medical information (such as medical record numbers, disability codes, diagnoses, medications, test results, images, or treatment plans);
- Biometric information (including fingerprints and palm prints);
- Billing, claims, and payment information; or
- Other personal information such as Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, or online account credentials."
Whittaker notes that "fingerprints" and "palm prints", unlike passwords, can't be reset.
Healthcare and ransomware: I've written multiple times about ransomware affecting healthcare centers, and this latest incident reminds me of recent calls to consider ransomware attacks as acts of terrorism. The attack in this story could have lasting consequences for victims even without considering the biometric angle. As previously quoted, Andrew Guthrie Ferguson has written about ($) the importance of privacy when it comes to our biometric data: "We can ditch our cars or phones or Echo Dots, at least in theory. We can’t ditch our DNA, or our hearts, or our faces. That makes protecting them all the more important."
If only there was a government agency we could rely on to protect our domestic cybersecurity ...

Keys to the agency
Reporting from KrebsOnSecurity's Brian Krebs
Out in the open: Security researcher Guillaume Valadon with GitGuardian recently discovered a GitHub repository owned by the United States' Cybersecurity & Infrastructure Security Agency (C.I.S.A.). Though the repository was named "Private-CISA", it was publicly accessible and contained multiple types of sensitive government information, including agency passwords. Valadon was unsuccessful in contacting C.I.S.A. about the exposed data, but Philippe Caturegli, founder of security firm Seralys, and journalist Brian Krebs were able to "notify" the agency of the issue. Public access to the repository was then removed. As of Friday, however, Brian Krebs reported that some of the credentials that had been leaked in the breach had still not been updated five days after this story became public. The leak seemed to stem entirely from a "default setting" that was possibly turned off by a government contractor.
This news was alarming enough to prompt Sen. Maggie Hassan (N.H.), who sits on the Senate Homeland Security Committee, to request a classified briefing. Members of the House Homeland Security Committee also reached out to the agency for answers.
Valadon told The Register's Jessica Lyons that he was uncertain if anyone with bad motives found and exploited the repository first. "The only ones that can answer definitively is GitHub," he said, and Lyons wrote that GitHub did not reply to The Register's request for comment before the article was published.
A sorry state: As I've written previously, C.I.S.A. remains without Senate-confirmed leadership, has bled a third of its staff since the start of the Trump administration, and still seems to be without access to Anthropic's advanced vulnerability-hunting A.I. model, Mythos. For those thinking that Mythos is old news, the New York Times's DealBook newsletter featured Mythos in a main story ($) just this week. A major point in DealBook's reporting was about which banks have and do not have access to Anthropic's latest model.
Finally, the administration is currently proposing to slash the agency's budget by up to $700 million.
C.I.S.A. refers to itself as "America's Cyber Defense Agency," but I (again) question how seriously our government is taking defensive cybersecurity given the state of the agency. According to reporting from Brian Krebs, the security researcher Guillaume Valadon, who found the exposed credentials, said, "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career." Yikes.
On a brighter note, I shared a story last week about rumors suggesting the administration may have a new nominee in mind to lead C.I.S.A. Let us hope this leak about C.I.S.A.'s future leadership is as real as the GitHub leak.

The pipes are leaking
Reporting from BleepingComputer's Sergiu Gatlan
Speaking of GitHub: The hacking group TeamPCP was confirmed by the Microsoft-owned GitHub to have breached "...roughly 3,800 internal repositories..." of code. I've written about a number of TeamPCP's hacks this year, which have included multiple open-source projects. The details of GitHub's breach are similar. According to reporting from BleepingComputer's Sergiu Gatlan, the hack happened as a result of a compromised extension for the coding tool Visual Studio Code (V.S.Code), also owned by Microsoft. CyberScoop is reporting the extension in question might be Nx Console.

Leaky pipes: For those of us who don't code, this still affects us. As mentioned, I've written about how TeamPCP's attacks on open-source projects undermine public trust and the public good. Wired's Andy Greenberg has a comprehensive article about TeamPCP's exploits ($), and Sergiu Gatlan wrote this list of some of the hacker group's hacks:
"TeamPCP was previously linked to massive supply chain attacks targeting developer code platforms, including GitHub, PyPI, NPM, and Docker, and, more recently, to the "Mini Shai-Hulud" supply chain campaign(which also impacted two OpenAI employees)."
It is far from hyperbole to suggest this list of hacks has had major implications for the businesses involved, but GitHub says their breach only affected GitHub's "internal" repositories of code, not customers. I do hope the impact stays small and contained. Regardless, this could weaken trust in the code hosting service "...used by over 4 million organizations (including 90% of the Fortune 100)...". GitHub has long served as part of the infrastructure of software development and the web, but trust in its security and stability has been weakening to the point of existential risk ($).
From my perspective, limited though it may be, I believe this would be a great place for C.I.S.A. to step in to help provide stability. If it weren't dealing with its own GitHub security issues, that is.

Basically bad security
Reporting from TechCrunch's Lorenzo Franceschi-Bicchierai
ClickFixed: As of Friday, F.B.I. Director Kash Patel's merch store, Based Apparel, is down after it was revealed to be infected with malware. Straight Arrow News's Mikael Thalen first reported on the hack. It largely involved tricking visitors of the site via a ClickFix method of social engineering. However, a security researcher claims that payment information was also being stolen via the site's checkout.
Cybersecurity matters: And it matters to everyone, even the director of the F.B.I. If someone tells you to copy/paste something unknown into your MacBook's terminal (or any command line interface), DON'T DO THAT!

But more seriously, I know not everyone can be as nerdy as I am. Cybersecurity debt accumulated by businesses can result in their least technically savvy customers paying the price. Cybersecurity comes for us all.
Wrap up
That's all from me this week. As always, reply to this email to let me know what I missed, and I'll see you next week with five more stories. May you all have a good Memorial Day Weekend! 🇺🇸
Danny