
this week in security — march 22 2026 edition

Iran government hacked Stryker, new exploit kit hacks iOS 18 devices, Meta scraps Instagram E2EE, breathalyzer company hack leaves drivers stranded, and more.
~ ~

Here's me, logging on after a week away and seeing all of the news:

an animated GIF showing a comedy sketch of a woman at an awards ceremony picking up a bottle of wine, pulling the cork out with her mouth, spitting the cork out, and glugging the wine.

U.S. says Iran is behind Handala, which hacked medical tech giant Stryker
TechCrunch ($): Wild developments this week, as the U.S. Justice Department formally accused the Iranian government of being behind the Handala hacking group (among other ostensible hacktivists). This is big because Handala took credit for hacking into U.S. medical tech giant Stryker and wiping tens of thousands of employee devices via its compromised Intune dashboards. Handala said it hacked Stryker in retaliation for a U.S. missile strike on an Iranian school, killing dozens of children. Separately, the U.S. killed at least one major Iranian cyber chief, reportedly in charge of the unit that runs Handala, in a missile strike. The FBI also seized the hackers' websites, not that they stayed down for long. Stryker says it's restoring its systems but has no timeline for its recovery. CISA warned companies to secure any accounts they use for remotely managing their employees' devices, fearing another mass-wipe.
More: Justice Department | Forbes ($) | Reuters ($) | The Record | Bloomberg ($) | @kevincollier

Lorenzo Franceschi-Bicchierai post on Bluesky: "NEW: The FBI has taken down and seized two websites that were run by the pro-Iranian hacktivist group Handala, saying they were used to support "malicious cyber activities." The seizure comes a week after Handala claimed responsibility for the devastating hack of U.S. medical tech giant Stryker."

Telus confirms hack after ShinyHunters take credit for stealing corporate data
Cybersecurity Dive: The notorious hacking group ShinyHunters took credit for an alleged enormous data breach at Telus Digital, the Canadian phone giant's outsourcing business. ShinyHunters claim to have stolen a petabyte of data from the company's servers, mostly about its corporate customers, thanks to finding a private key that it stole almost six months ago during the Salesloft breach. Telus provides AI chatbots, fraud prevention and call centers to big companies, so the stolen data could be voluminous. Reuters ($) reports that the data includes call recordings and at least some personal information, including FBI background checks. Telus Digital has finally admitted a breach, but hasn't said much on its incident page beyond "we're working on it".
More: Telus Digital | The Register | CBC/Reuters

Feds thought Microsoft's cloud security was 'shit,' but approved it anyway
ProPublica: Deep reporting from @reneedudley and @dorisburke exposing how the Trump administration gutted FedRAMP, the federal government's program that assesses government tech for security and compliance, slashing its staff and budget to become a "rubber stamp" for the industry. This allowed Microsoft to allegedly gain key government contracts despite its cloud technology being ranked as "a pile of shit" by auditors. Microsoft reportedly couldn't explain to auditors how its encryption worked across its government cloud, even though the Departments of Justice and Energy, and the defense sector, rely on it. Microsoft remains one of the U.S. government's biggest tech vendors, even after two damaging hacks that allowed hackers linked to China and Russia to access government data. All to say, FedRAMP isn't the seal of approval it once was.
More: @taggart-tech | @derekbjohnson | @moreperfectunion

Exploit toolkit can hack almost any iOS 18 device that visits a malicious website
Wired ($): Google and iVerify say that Russian spies have been planting malicious code in web components used on Ukrainian websites, including a government agency, capable of hacking into iPhones running the older iOS 18 software simply by visiting them. The hacking toolkit in question, dubbed Darksword, puts a quarter of all iPhones (currently running iOS 18) at risk of these drive-by hacks, which conduct smash-and-grab data thefts that don't need to rely on leaving behind persistent spyware. It's not clear who made Darksword, but it's been used by the same Russians who previously used malware developed by and leaked from Western hacking tools maker Trenchant. All this goes to show that even powerful hacking tools can't be kept under wraps, and that mass-hacks targeting Apple devices are closer to reality than we think. Apple sounded its own alarm, urging users to update to the latest iOS 26 update, or at the very least use Lockdown Mode.
More: Apple | TechCrunch | Cyberscoop | NBC News | @ryanaraine

Meta pulls the plug on Instagram end-to-end encrypted messages
Platformer: Mark Zuckerberg says Instagram will soon stop end-to-end encrypting its users' direct messages, citing low adoption. In reality, Meta took forever to roll out Instagram E2EE, then reneged on switching it on by default, instead making it opt-in and neither easy to find nor activate. @caseynewton explains more in his latest blog. Some worry that this might be the slow death of E2EE worldwide, per Wired ($).

Apple releases first 'background security' update
Eclectic Light Company: Apple released its debut "background security" update, essentially a security hotfix that fixes certain iOS components with urgency but without needing to install a full software update. This first update fixed a bug in Safari's underlying WebKit engine. The reviews seem mixed, as some had to dig around to find the update, or manually install it, and it still required a phone restart. If you leave your phone long enough, it should install automatically (in theory). More via me at TechCrunch ($) (disclosure alert!).

a screenshot from an iPhone lock screen, which reads: "Background Security Improvement. Your iPhone is now up to date with iOS Background Security Improvement 26.3.1 (a)."

Section 702 chatter hots up as spy law expiry looms
The New York Times ($): U.S. lawmakers are still debating the pros and cons of passing another round of U.S. surveillance laws without any substantial changes. The key U.S. spy law, known as Section 702 (which lets the NSA spy on Americans without a warrant by collecting information about foreigners whom they communicate with) is set to expire on April 20. Expect to see some flailing and panicking lawmakers around that time as this inevitably goes down to the wire. @charliesavage has a good Q&A on the whole deal. Reuters ($) says some Republican lawmakers will only vote for it if it's attached to the SAVE Act (*cough* voter suppression law *cough*), which requires government-issued ID to vote, even though there have been literally only a handful of fraudulent votes cast in decades of elections.

Age verification firm fined for security failings as laws spread worldwide
PPC Land: Spain has fined Yoti, a major age verification firm, almost a million euros for security and privacy failings over the handling of people's face scans who used its app. BiometricUpdate has a shorter read on the case. Age verification laws are spreading around the world, and so I wrote a blog post this week about the security risks that everyone will face as a result of them, and what you can do about it. Age verification can be done in theory with privacy-first tech, but that requires governments to consider them to begin with — and they're mostly not. A good thread via @mikespecter.

Breathalyzer company hack leaves drivers stranded
WCVB 5: In-vehicle breathalyzer company Intoxalock was hacked. These breathalyzers, which are attached to a car's ignition switch, need to be recalibrated every month or so. But the hack means Intoxalock can't calibrate them, leaving drivers stranded and unable to start their cars. More via WGME. (via DataBreaches.net)

a screenshot of a WCVB video showing reporter Mary Saladna holding one of the Intoxalock breathalyzers while sitting in a car.

Spyware chief links Greek Watergate to… Greece: Convicted and sanctioned spyware boss Tal Dilian, whose companies make the Predator spyware, essentially blamed the Greek government for a scandal dubbed "Greek Watergate," which saw senior Greek politicians and journalists targeted with Predator under the Kyriakos Mitsotakis government. The government rejected the claim, for what it's worth. (via OCCRP, @campuscodi)

Jaguar bailout sets bad precedent: U.K. watchdog Cyber Monitoring Centre says the U.K. government's $2 billion promise to bail out Jaguar Land Rover following its economy-rattling hack last year could send the wrong message to businesses. The argument goes that they may be less inclined to invest in resilience if they think they can get state-backed help after a cyberattack. (via The Register)

FBI buys location data: The FBI has resumed buying people's location histories from data brokers, its director Kash Patel confirmed to Congress. It's the first time since 2023 that the FBI has confirmed it's buying this data without a warrant. Is this legal? Probably not! But lawmakers have a new bill that would require the FBI and other agencies to get a warrant first before they can buy this data on the open market. (via Politico ($), Ars Technica, this week in security)

Dustin Volz tweet: "Kash Patel, asked by Sen. Wyden if the FBI buys Americans' location data: "We do purchase commercially available information that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.""

Sears spills AI chatlogs: Sears left its AI chatbot's databases publicly exposed to the internet. The databases contained 3.7 million chat logs, 1.4 million audio files, and transcriptions of audio, including the personal information of customers who used Sears' Home Services. (via Wired ($), ExpressVPN)

Four firms quiet on Oracle hacks: Broadcom, Bechtel, Estée Lauder, and Abbott Technologies remain mum on recent extortion attacks that targeted their Oracle EBS systems, which companies use to run their HR and other business operations. The Clop gang took credit for the mass-hacks last year by listing the victims on its leak sites, but the four giants still have yet to acknowledge they were hacked. (via SecurityWeek)

Huzzah! The happy corner is back, and is for everyone. Welcome!

Belgian police have come up with a massive database of phishing and fraudulent websites so that telecom companies can instantly block their customers from accessing them. Of course, they went ahead and called it Phish Nemo. Incredible, no notes. More to read in English. (Thanks for the flag, @campuscodi.)

@sunpig rented a thermal imaging camera to help check for drafty windows and the like. But, of course, like any responsible cat parent, he tried it out on his cats first. (Bonus cybercats!)

a photo of a cat sitting and looking at the camera, taken with a thermal imaging camera. Its head is glowing bright yellow, especially its eyes and ears. The rest of the body is coloured a softer orange against the red and purple of the cooler background of the rest of the room.

These CAPTCHAs are getting way out of control…

Just absolutely awful jokes on Bluesky this week. (OK, I chuckled a little.)

Rebecca Williams post on Bluesky: "I have a privacy joke but I can't tell you it," quote posting Samuel Mehr, who wrote: "I have an artificial intelligence joke and whether or not you're interested, I'm gonna tell you it"

And, major congrats to @yaelwrites, @dakekang et al for winning an Overseas Press Club award for their Associated Press project exploring the use of surveillance technologies across America and how U.S. spy tech gets exported to authoritarian regimes like China. It's an incredible series you may be familiar with (some were mentioned in past editions of this newsletter) that's definitely worth your time to read.

Got good news to share? Get in touch! this@weekinsecurity.com.

This week's cyber cat is Muffin, who can be seen here with her toys, on her heating pad, on top of two layers of blankets, on top of a dog bed — absolutely spoiled rotten. Muffin's human tells me that she thinks she got socially engineered into buying all this stuff… yep, 100% classic case of falling for maximum cuteness. Thanks so much to @riana for sending in!

Muffin is a very cute tabby cat who is asleep on her blanket, on a dog bed, surrounded by toys.

🐈 Send in your cyber cats! 🐈‍⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

And that's all there is for this week. Thank you so much for reading. It's really nice to be back after a week away, even if the news was a lot to come back to!

As always, please do get in touch if you have anything for next week's newsletter, including news, cyber-cats, research, or if you just want to say hi. If you have a few minutes, have a browse around at some of my articles, and let me know if there's anything in the world of security you are keen for me to explore and write up.

Have a great rest of your weekend, and enjoy your week. Catch you next Sunday as usual.

Cheers,
@zackwhittaker