CNIL reports record complaints and data breaches

The French data protection authority CNIL reported a record year in 2025 for complaints, fines and data breach notifications, while preparing for new responsibilities under the EU AI Act.

CNIL received 20,150 complaints in 2025, up 10% from 2024. The complaints covered issues linked to work, commerce, real estate, social networks and data breaches, with around 1,900 complaints directly concerning breaches.

The authority also received 6,167 data breach notifications, an increase of 9.5% from 2024. Hacking accounted for one in two reported incidents, while cybersecurity failures represented one-third of investigations and nearly 30% of sanctions.

In total, CNIL carried out 323 investigations and issued 259 corrective measures, including 83 sanctions worth nearly €487 million. Two major sanctions accounted for a large share of the total, while the simplified procedure introduced in 2022 allowed faster action in less complex cases.

Cybersecurity will become an even bigger enforcement focus in 2026, with CNIL planning to devote 50% of its controls and enforcement actions to data security. Checks will focus on organisations affected by breaches, those subject to complaints and sectors processing large volumes of sensitive or highly personal data.

The report also highlights CNIL’s role in supporting professionals and public authorities. In 2025, it processed 539 health authorisation applications, handled 1,351 professional advice requests, delivered 90 opinions on draft laws or regulatory texts and launched seven public consultations.

On AI, CNIL is already designated to monitor prohibited uses under the EU AI Act and is expected to become the market surveillance authority for certain high-risk AI systems, including in biometrics, migration, law enforcement, employment and education.

The authority also published AI resources for designers and developers, developed a traceability tool for open-source AI models and joined the PANAME project with ANSSI, Inria and PEReN to test whether AI models process personal data.

Why does it matter?

CNIL’s annual report shows how data protection enforcement is increasingly shaped by cybersecurity and AI. Record breach notifications and complaints point to growing pressure on organisations to secure personal data, while CNIL’s future AI Act responsibilities place the authority at the centre of France’s oversight of prohibited and high-risk AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Myanmar proposes Anti-Online Fraud Bill targeting digital currency scams

Myanmar’s military-backed authorities have proposed a new Anti-Online Fraud Bill to tackle digital currency scams and online fraud networks operating in the country.

The draft legislation would introduce severe penalties for offences linked to online fraud and ‘digital currency fraud’. Reports citing the text say those convicted could face prison sentences ranging from 10 years to life imprisonment.

The bill also proposes the death penalty in the most serious cases involving online scam centres, particularly where people are unlawfully detained, violently coerced or forced into scam operations. AFP, cited by Malay Mail, reported that the proposed penalty would apply to those who detain or violently coerce victims into working in online scam centres.

The proposal reflects growing pressure on Myanmar over large scam compounds where trafficked people have reportedly been forced into online fraud schemes, including romance and cryptocurrency scams. International scrutiny has intensified as cyber-fraud networks across Southeast Asia continue to target victims globally.

Myanmar’s authorities have presented online fraud and online gambling as national security concerns. State media has previously reported crackdowns, deportations and plans for a national anti-scam centre, while also describing telecom fraud and online gambling as threats requiring stronger enforcement.

The bill comes amid wider regional action against transnational scam networks. China has pursued criminal cases linked to Myanmar-based fraud syndicates, while international organisations and law enforcement agencies have warned that online scam compounds combine cybercrime, financial fraud and human trafficking.

Why does it matter?

The proposed bill shows how governments are escalating responses to transnational online fraud networks, particularly where crypto scams overlap with human trafficking and forced labour in scam compounds. Myanmar’s approach would mark a shift towards extreme punitive measures, raising both enforcement and human rights concerns, while highlighting how digital fraud has become a cross-border security issue involving organised crime, financial losses and exploitation of vulnerable people.


Claude Mythos AI model triggers global cyber risk review

Anthropic’s Claude Mythos Preview has drawn attention from financial regulators after the UK AI Security Institute found a notable increase in the model’s cybersecurity capabilities, including stronger performance on multi-step cyber-attack simulations.

AISI said earlier that its evaluation found continued improvement in capture-the-flag challenges and significant improvement in multi-step cyber-attack simulations. The institute said Mythos completed a previously unsolved 32-step simulated corporate network attack, marking the first time one of its tested models had completed that scenario.

Anthropic has also published its own technical assessment of Claude Mythos Preview, describing the model as a general-purpose system with advanced cybersecurity capabilities. The company has limited access to the model, reflecting concerns about the dual-use nature of systems that can support vulnerability discovery and cyber operations.

According to media reports, Anthropic is expected to brief the Financial Stability Board on the cybersecurity implications of Claude Mythos, as regulators examine whether frontier AI models could create new risks for banks and other financial institutions. The reports said the model has not been made publicly available because of concerns that its capabilities could be misused.

The scrutiny comes as financial authorities pay closer attention to the links between AI, cyber resilience and systemic risk. Advanced AI models support defenders by helping identify vulnerabilities and improve security testing, but similar capabilities could also lower the cost and complexity of offensive cyber activity.

Some experts have cautioned against treating Mythos as a wholly new category of threat, arguing that it amplifies existing cyber risks rather than replacing them. Weak authentication, unpatched systems and poor cyber hygiene remain central causes of breaches, making baseline resilience and governance critical as AI capabilities advance.

Why does it matter?

Claude Mythos shows how frontier AI models can become dual-use infrastructure: useful for strengthening cyber defence, but potentially risky if similar capabilities are misused. For financial institutions, the issue is systemic. If advanced models can accelerate vulnerability discovery or cyber operations across interconnected organisations, regulators may need to treat AI model oversight as part of financial stability and cyber resilience planning.


Interpol warns AI is increasing scale and accessibility of cybercrime

Interpol said AI tools are changing cybercrime operations by lowering technical barriers and enabling broader use of online fraud techniques. Interpol Cybercrime Director Neal Jetton said AI tools, including chatbots and automated phishing services, can enable individuals with limited technical expertise to conduct online scams.

According to Interpol, phishing-as-a-service models and AI-generated content are contributing to more scalable fraud campaigns.

Interpol said organised criminal groups are increasingly using outsourced technical services and AI-supported tools in cyber-enabled fraud operations. Law enforcement officials said AI-enabled fraud may increase the scale and profitability of some cybercrime activities.

Interpol said international law enforcement cooperation is expanding in response to cross-border fraud networks and evolving cyber threats. Authorities are focusing on disrupting cross-border fraud infrastructure and strengthening national cyber capabilities as AI-driven threats continue to evolve.

Why does it matter?

AI is effectively industrialising cybercrime by reducing the skill threshold required to execute sophisticated fraud at scale. That shift expands the pool of potential attackers and increases the speed, volume, and personalisation of scams, placing sustained pressure on digital trust in financial, governmental, and communication systems.

At the same time, it forces law enforcement and cybersecurity frameworks to adapt from reactive investigation models to more proactive, intelligence-led, and cross-border coordination mechanisms to keep pace with rapidly evolving threat capabilities.


ICO warns organisations about growing AI cyber threats

The UK Information Commissioner’s Office has warned that AI is enabling faster, more advanced and harder-to-detect cyberattacks, urging organisations to strengthen their defences against emerging threats.

In a blog post, the regulator highlighted risks such as AI-generated phishing emails, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential attacks, data poisoning and indirect prompt injection. The ICO said cybersecurity must be treated as a shared responsibility, with organisations expected to take proactive steps to protect the personal data they hold.

The ICO said strong foundational security measures remain essential, but should be reinforced with layered defences to counter AI-powered threats. It pointed to practical steps such as patching systems, restricting access through multi-factor authentication, applying least-privilege principles and managing supplier risks.

The recommendations also include monitoring systems for unusual activity, carrying out vulnerability scanning and penetration testing, and maintaining regularly tested incident response plans. The ICO said AI can also support cyber defence, but should operate within a clear framework of human oversight and accountability.

Organisations are further advised to minimise data collection, conduct regular data audits and train staff to recognise AI-powered social engineering attacks. The ICO said AI tools processing high-risk personal data should be supported by data protection impact assessments and appropriate safeguards.

Why does it matter?

The ICO’s warning links AI-powered cyber threats directly to data protection obligations. As attackers use AI to scale phishing, exploit vulnerabilities and impersonate trusted contacts, organisations are expected not only to improve technical security, but also to limit the personal data they hold, strengthen governance and prepare for faster-moving incidents.


Google outlines AI-driven measures against online scams and fraud

Google has outlined new and existing measures to tackle online scams and fraud ahead of the second EMEA Anti-Scams and Fraud Summit, hosted by the Google Safety Engineering Centre in Zurich.

The company said the summit brings together representatives from governments, technology companies, consumer groups and academia to discuss collective responses to increasingly sophisticated scams. Google said its approach combines AI-driven protections across its products with wider cooperation involving industry and public authorities.

Google highlighted the use of AI-powered systems in services including Gmail, Chrome, Search, Ads and Phone by Google. The company said Gmail blocks more than 99.9% of spam, phishing and malware, while Search filters out hundreds of millions of spam-related pages daily. It also said its systems caught more than 99% of policy-violating ads before they reached users in 2025.

User-facing tools are also part of the company’s anti-scam strategy. Google pointed to Security Checkup, Passkeys, 2-Step Verification, Circle to Search and Google Lens as tools that can help users strengthen account protection and verify suspicious messages or content.

The company also highlighted public awareness and education initiatives, including Be Scam Ready, a game-based programme that uses simulated scam scenarios to help users recognise common tactics. Google said a previous Google.org commitment of $5 million is supporting anti-scam initiatives in Europe and the Middle East, including work by the Internet Society and Oxford Information Labs.

Google also referred to cooperation through the Global Signal Exchange, a threat-intelligence sharing platform for scams and fraud. As a founding partner, Google said it both contributes to and draws from the platform, which now stores more than 1.2 billion signals used to identify and disrupt criminal activity.

The company said it also works with law enforcement agencies, including the UK’s National Crime Agency, and participates in the Industry Accord Against Online Scams and Fraud. Google also pointed to legal actions against scam operations and botnets, including cases involving Lighthouse and BadBox.

Why does it matter?

Online scams are increasingly industrialised, cross-platform and supported by AI-enabled tactics, making them difficult to address through product-level security alone. Google’s approach shows how major technology companies are combining automated detection, user education, threat-intelligence sharing and law enforcement cooperation to respond to fraud. The wider policy issue is how much responsibility large platforms should bear for detecting and disrupting scams before they reach users.


Poland launches campaign to boost business cybersecurity awareness

Poland’s Ministry of Digital Affairs has launched a campaign to encourage entrepreneurs and management teams to take a more active role in protecting their companies from cyber threats.

The campaign, titled ‘Build your company’s digital security click by click’, is aimed at businesses and senior decision-makers. The ministry says its main goal is to encourage firms to address cybersecurity at both organisational and operational levels.

The campaign stresses that cybersecurity is no longer solely the responsibility of IT departments but is a key part of responsible business management. The ministry points to growing risks such as phishing and ransomware as digital technology becomes central to company operations.

According to the ministry, effective cybersecurity depends on three pillars: knowledge, processes and people. The campaign encourages firms to analyse risks, develop incident response procedures, train employees regularly and use official guidance available through cyber.gov.pl.

A separate focus is placed on medium-sized and large companies subject to requirements under Poland’s national cybersecurity system. The ministry says firms in key sectors should understand obligations related to risk management, incident reporting and the protection of information systems.

The campaign also calls on company leaders to integrate cybersecurity into business strategy, including through security policies, investment in skills and the development of a culture of responsibility across organisations.

Why does it matter?

The campaign reflects a broader shift in cybersecurity policy from technical protection towards organisational responsibility. By targeting business leaders, Poland is emphasising that cyber resilience depends not only on tools, but also on governance, staff training, incident response and compliance with national cybersecurity obligations.


OpenAI sued over alleged ChatGPT role in Florida State University shooting

The family of a victim killed in the April 2025 Florida State University shooting has filed a federal lawsuit in Florida against OpenAI, alleging that ChatGPT enabled the attack. The lawsuit was filed on Sunday by Vandana Joshi, the widow of Tiru Chabba, who was killed alongside university dining director Robert Morales.

The complaint states that the accused shooter, Phoenix Ikner, engaged in extensive conversations with ChatGPT in the months leading up to the incident. According to the suit, those exchanges included images and discussions about firearms he had acquired, ideological material, far-right beliefs, and possible outcomes of violent attacks.

The chatbot is further accused of providing contextual information about campus activity and commenting on factors that could increase public attention in violent incidents. At one point, ChatGPT said, ‘if children are involved, even 2-3 victims can draw more attention’. The filing also claims Ikner asked about legal consequences and planning considerations shortly before the attack.

The lawsuit contends that OpenAI failed to identify escalating risk indicators within the conversations and did not adequately prevent harmful guidance. It argues the system ‘failed to connect the dots’ despite Ikner’s repeated questions about suicide, terrorism and mass shootings.

OpenAI has rejected responsibility for the attack, claiming its platform is not to blame. Company spokesperson Drew Pusateri said ChatGPT generated factual responses that could be found broadly across publicly available information and did not encourage or promote illegal activity. He also stated that OpenAI continues to strengthen safeguards to identify harmful intent, reduce misuse and respond appropriately when safety risks arise.

Joshi’s complaint argues that the system reinforced the shooter’s beliefs and failed to interrupt conversations involving violent ideation. The filing alleges that ChatGPT inflamed, validated and endorsed delusional thinking and contributed to planning discussions while ‘convincing him that violent acts can be required to bring about change’.

The lawsuit forms part of a broader wave of litigation involving AI systems and alleged harm. OpenAI is already facing separate lawsuits linked to incidents involving violence and suicide, raising wider questions about safeguards and user protection.

Florida’s Attorney General James Uthmeier announced a criminal investigation into OpenAI and ChatGPT following a review of chat logs connected to the case. Uthmeier said in a statement that ‘If ChatGPT is a person it would be facing charges for murder’.


G7 working group advances cybersecurity approach for AI systems

The German Federal Office for Information Security published guidance developed by the G7 Cybersecurity Working Group outlining elements for a Software Bill of Materials for AI. The document aims to support both public and private sector stakeholders in improving transparency in AI systems.

The guidance builds on a shared G7 vision introduced in 2025 and focuses on strengthening cybersecurity throughout the AI supply chain. It sets out baseline components that should be included in an AI SBOM to better track and understand system dependencies.

The document outlines seven baseline building blocks that should form part of an AI Software Bill of Materials (SBOM for AI), designed to improve visibility into how AI systems are built and how their components interact across the supply chain.

At the foundation is a Metadata cluster, which records information about the SBOM itself, including who created it, which tools and formats were used, when it was generated, and how software dependencies relate to one another.

The framework then moves to System Level Properties, covering the AI system as a whole. This includes the system’s components, producers, data flows, intended application areas, and the processing of information between internal and external services.

A dedicated Models cluster focuses on the AI models embedded within the system, documenting details such as model identifiers, versions, architectures, training methods, limitations, licenses, and dependencies. The goal is to make the origins and characteristics of models easier to trace and assess.

The document also introduces a Dataset Properties cluster to improve transparency into the data used throughout the AI lifecycle. It captures dataset provenance, content, statistical properties, sensitivity levels, licensing, and the tools used to create or modify datasets.

Beyond software and data, the framework includes an Infrastructure cluster that maps the software and hardware dependencies required to run AI systems, including links to hardware bills of materials where relevant.

Cybersecurity considerations are grouped under Security Properties, which document implemented safeguards such as encryption, access controls, adversarial robustness measures, compliance frameworks, and vulnerability references.

Finally, the framework proposes a Key Performance Indicators cluster that includes metrics related to both security and operational performance, including robustness, uptime, latency, and incident response indicators.

According to the paper, the objective is to provide practical direction that organisations can adopt to enhance visibility and manage risks linked to AI technologies. The framework is intended to support more secure development and deployment practices.


Taiwan urges stronger defences amid AI-driven cyber threats

Taiwan’s Administration for Cyber Security has warned that emerging AI models are lowering the cost and increasing the scale of cyberattacks, urging companies and government agencies to strengthen basic cyber resilience.

The agency said advanced AI models, including Anthropic’s Claude Mythos and OpenAI’s GPT-5.5, are showing stronger capabilities in vulnerability discovery and offensive cyber techniques. It said such developments could help attackers identify weaknesses faster and turn vulnerabilities into practical attack tools more efficiently.

According to the agency, recent international cybersecurity assessments suggest Claude Mythos Preview has identified thousands of high-severity vulnerabilities across major operating systems and web browsers. At the same time, GPT-5.5 could increase the efficiency and scale of existing attack methods.

Taiwan outlined three responses to the emerging threat. The administration said it would monitor defensive tools and international experience related to AI-enabled cyber operations, convene government, industry and academic decision-makers to discuss national-level response strategies, and strengthen support for small and medium-sized enterprises through TWCERT/CC.

The agency also urged organisations to return to cybersecurity basics, including vulnerability management, offline and recoverable backups, business continuity planning, least-privilege access, multi-factor authentication, passkeys based on FIDO2 standards, and the disabling of unnecessary external services and test interfaces.

Taiwan’s cyber agency said AI is changing the speed and cost of attacks, but not the core principles of cybersecurity. It said organisations should shift from focusing only on preventing breaches towards improving resilience, recovery time and damage control.

Why does it matter?

The warning shows how governments are beginning to treat AI-enabled vulnerability discovery and exploitation as a practical cybersecurity risk, not a future scenario. As AI reduces the time and expertise needed to identify and exploit weaknesses, organisations may need to place greater emphasis on resilience, rapid recovery, access controls and continuous vulnerability management, especially where smaller businesses and public bodies lack advanced cyber capabilities.
