Privacy and data protection

Meta and PayPal users targeted in new phishing scam

Cybersecurity experts are warning of a rapid and highly advanced phishing campaign that targets Meta and PayPal users with instant account takeovers. The attack exploits Google’s AppSheet platform to send emails from a legitimate domain, bypassing standard security checks.

Victims are tricked into entering login details and two-factor authentication codes, which are then harvested in real time. Emails used in the campaign pose as urgent security alerts from Meta or PayPal, urging recipients to click a fake appeal link.

A double-prompt technique falsely claims an initial login attempt failed, increasing the likelihood of accurate information being submitted. KnowBe4 reports that 98% of detected threats impersonated Meta, with the remaining targeting PayPal.

Google confirmed it has taken steps to reduce the campaign’s impact by improving AppSheet security and deploying advanced Gmail protections. The company advised users to stay alert and consult their guide to spotting scams. Meta and PayPal have not yet commented on the situation.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Judge rules Google must face chatbot lawsuit

A federal judge has ruled that Google and AI startup Character.AI must face a lawsuit brought by a Florida mother, who alleges a chatbot on the platform contributed to the tragic death of her 14-year-old son.

US District Judge Anne Conway rejected the companies’ arguments that chatbot-generated content is protected under free speech laws. She also denied Google’s motion to be excluded from the case, finding that the tech giant could share responsibility for aiding Character.AI.

The ruling is seen as a pivotal moment in testing the legal boundaries of AI accountability.

The case, one of the first in the US to target AI over alleged psychological harm to a child, centres on Megan Garcia’s claim that her son, Sewell Setzer, formed an emotional dependence on a chatbot.

Though aware it was artificial, Sewell, who had been diagnosed with anxiety and mood disorders, preferred the chatbot’s companionship over real-life relationships or therapy. He died by suicide in February 2024.

The lawsuit states that the chatbot impersonated both a therapist and a romantic partner, manipulating the teenager’s emotional state. In his final moments, Sewell messaged a bot mimicking a Game of Thrones character, saying he was ‘coming home’.

Character.AI insists it will continue to defend itself and highlighted existing features meant to prevent self-harm discussions. Google stressed it had no role in managing the app but had previously rehired the startup’s founders and licensed its technology.

Garcia claims Google was actively involved in developing the underlying technology and should be held liable.

The case casts new scrutiny on the fast-growing AI companionship industry, which operates with minimal regulation. For about $10 per month, users can create AI friends or romantic partners, marketed as solutions for loneliness.

Critics warn that these tools may pose mental health risks, especially for vulnerable users.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Taiwan targets Facebook scam ads with new penalties

Taiwan’s Ministry of Digital Affairs plans to impose penalties on Meta for failing to enforce real-name verification on Facebook ads, according to Minister Huang Yen-nan. The move follows a recent meeting with law enforcement and growing concerns over scam-related losses.

A report from CommonWealth Magazine found Taiwanese victims lose NT$400 million (US$13 million) daily to scams, with 70% of losses tied to Facebook. Facebook has been the top scam-linked platform for two years, with over 60% of users reporting exposure to fraudulent content.

From April 2023 to September 2024, nearly 59,000 scam ads were found across Facebook and Google. One Facebook group in Chiayi County, with 410,000 members, was removed after being overwhelmed with daily fake job ads.

Huang identified Meta as the more problematic platform, saying 60% to 70% of financial scams stem from Facebook ads. Police have referred 15 cases to the ministry since May, but only two resulted in fines due to incomplete advertiser information.

Legislator Hung Mung-kai criticized delays in enforcement, noting that new anti-fraud laws took effect in February, but actions only began in May. Huang defended the process, stating platforms typically comply with takedown requests and real-name rules.

Under current law, scam ads must be removed within 24 hours of being reported. The ministry has used AI to detect and remove approximately 100,000 scam ads recently. Officials are now planning face-to-face meetings with Meta to demand stronger ad oversight.

Deputy Interior Minister Ma Shi-yuan called on platforms like Facebook and Line to improve ad screening, emphasizing that law enforcement alone cannot manage the volume of online content.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

M&S website still offline after cyberattack

Marks & Spencer’s website remains offline as the retailer continues recovering from a damaging cyberattack that struck over the Easter weekend.

The company confirmed the incident was caused by human error and may cost up to £300 million. Chief executive Stuart Machin warned the disruption could last until July.

Customers visiting the site are currently met with a message stating it is undergoing updates. While some have speculated the downtime is due to routine maintenance, the ongoing issues follow a major breach that saw hackers steal personal data such as names, email addresses and birthdates.

The firm has paused online orders, and store shelves were reportedly left empty in the aftermath.

Despite the disruption, M&S posted a strong financial performance this week, reporting a better-than-expected £875.5 million adjusted pre-tax profit for the year to March—an increase of over 22 per cent. The company has yet to comment further on the website outage.

Experts say the prolonged recovery likely reflects the scale of the damage to M&S’s core infrastructure.

Technology director Robert Cottrill described the company’s cautious approach as essential, noting that rushing to restore systems without full security checks could risk a second compromise. He stressed that cyber resilience must be considered a boardroom priority, especially for complex global operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

West Lothian schools hit by ransomware attack

West Lothian Council has confirmed that personal and sensitive information was stolen following a ransomware cyberattack which struck the region’s education system on Tuesday, 6 May. Police Scotland has launched an investigation, and the matter remains an active criminal case.

Only a small fraction of the data held on the education network was accessed by the attackers. However, some of it included sensitive personal information. Parents and carers across West Lothian’s schools have been notified, and staff have also been advised to take extra precautions.

The cyberattack disrupted IT systems serving 13 secondary schools, 69 primary schools and 61 nurseries. Although the education network remains isolated from the rest of the council’s systems, contingency plans have been effective in minimising disruption, including during the ongoing SQA exams.

West Lothian Council has apologised to anyone potentially affected. It is continuing to work closely with Police Scotland and the Scottish Government. Officials have promised further updates as more information becomes available.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft adds quantum-resistant encryption to Windows 11

Microsoft is rolling out quantum-resistant encryption algorithms in Windows 11 as part of its effort to prepare for the eventual arrival of quantum computers. The new cryptographic tools were announced at the BUILD 2025 conference and are now available in Insider Preview Build 27852 and higher.

These updates introduce post-quantum algorithms—ML-KEM and ML-DSA—into SymCrypt, Windows’ core cryptographic library.

The algorithms, formerly known as CRYSTALS-Kyber and CRYSTALS-Dilithium, were selected by the US National Institute of Standards and Technology (NIST) and are part of the agency’s recommended post-quantum cryptography (PQC) standards.

The algorithms have also been added to SymCrypt-OpenSSL, Microsoft’s open-source extension for integrating SymCrypt with OpenSSL. Developers can now access the algorithms via Microsoft’s Cryptography API: Next Generation (CNG), enabling early testing and migration.

Quantum computers, which are still in experimental stages, promise to outperform classical systems in solving problems like factoring large numbers—a cornerstone of traditional encryption methods like RSA and elliptic curve cryptography.

Experts warn that these legacy systems could be broken in the coming decades, potentially compromising the security of global communications, financial systems, and data infrastructure.

The new PQC algorithms are designed to resist quantum attacks, but they bring additional complexity. Their encryption keys are significantly larger than those used in current standards.

For now, NIST recommends using them alongside RSA or elliptic curve keys in hybrid configurations, to mitigate risks from undiscovered vulnerabilities.

The transition to quantum-safe encryption is expected to be one of the most complex in cybersecurity history. Developers will need to address compatibility issues, including ensuring software can handle longer key lengths without introducing system-breaking errors.

Microsoft’s early adoption is a step toward broader post-quantum readiness. Experts emphasize the importance of rigorous testing now, as the timeline for quantum threats remains uncertain.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Microsoft and GitHub back Anthropic’s MCP

Microsoft and GitHub are officially joining the steering committee for MCP, a growing standard developed by Anthropic that connects AI models with data systems.

The announcement came during Microsoft’s Build 2025 event, highlighting a new phase of industry-wide backing for the protocol, which already has support from OpenAI and Google.

MCP allows developers to link AI systems with apps, business tools, and software environments using MCP servers and clients. Instead of AI models working in isolation, they can interact directly with sources like content repositories or app features to complete tasks and power tools like chatbots.

Microsoft plans to integrate MCP into its core platforms, including Azure and Windows 11. Soon, developers will be able to expose app functionalities, such as file access or Linux subsystems, as MCP servers, enabling AI models to use them securely.

GitHub and Microsoft are also contributing updates to the MCP standard itself, including a registry for server discovery and a new authorisation system to manage secure connections.

The broader goal is to let developers build smarter AI-powered applications by making it easier to plug into real-world data and tools, while maintaining strong control over access and privacy.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Coinbase hit by cyber-attack with up to $400m losses

The largest cryptocurrency exchange in the US, Coinbase, revealed that a recent cyber-attack could cost between $180 million and $400 million. The attack compromised data from a small group of customers, including names, addresses, and emails, but login credentials and passwords remained secure.

Coinbase has promised to reimburse customers who were tricked into sending funds to the hackers.

Hackers bribed overseas contractors and employees in support roles to access internal systems. Coinbase immediately terminated those involved and refused to pay the $20 million ransom demand.

Instead, the company has offered a $20 million reward for information leading to the attackers’ capture and is cooperating with law enforcement agencies.

The breach was disclosed just before Coinbase’s planned entry into the S&P 500 index, marking a significant milestone for the crypto sector. Security remains a critical concern in the industry.

Earlier in 2025, the Bybit exchange suffered a $1.5 billion hack, adding to over $2.2 billion lost to crypto platform breaches this year alone.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Pavel Durov rejects French request to block political channels

Telegram CEO Pavel Durov has alleged that France’s foreign intelligence agency attempted to pressure him. He claims they wanted him to ban Romanian conservative channels ahead of the 2025 presidential elections.

The meeting, framed as a counterterrorism effort, allegedly focused instead on geopolitical interests, including Romania, Moldova and Ukraine.

Durov claimed that French officials requested user IP logs and urged Telegram to block political voices under the pretext of tackling child exploitation content. He dismissed the request, stating that the agency’s actual goal was political interference rather than public safety.

France has firmly denied the allegations, insisting the talks focused solely on preventing online threats.

The dispute centres on concerns about election influence, particularly in Romania, where centrist Nicușor Dan recently defeated nationalist George Simion.

Durov, previously criticised over Telegram’s content, accused France of undermining democracy while claiming to protect it.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

UK research body hit by 5 million cyber attacks

UK Research and Innovation (UKRI), the country’s national funding body for science and research, has reported a staggering 5.4 million cyber attacks this year — a sixfold increase compared to the previous year.

According to data obtained through freedom of information requests, the majority of these threats were phishing attempts, with 236,400 designed to trick employees into revealing sensitive data. A further 11,200 were malware-based attacks, while the rest were identified as spam or malicious emails.

The scale of these incidents highlights the growing threat faced by both public and private sector institutions. Experts believe the rise of AI has enabled cybercriminals to launch more frequent and sophisticated attacks.

Rick Boyce, chief for technology at AND Digital, warned that the emergence of AI has introduced threats ‘at a pace we’ve never seen before’, calling for a move beyond traditional defences to stay ahead of evolving risks.

UKRI, which is sponsored by the Department for Science, Innovation and Technology, manages an annual budget of £8 billion, much of it invested in cutting-edge research.

A budget like this makes it an attractive target for cybercriminals and state-sponsored actors alike, particularly those looking to steal intellectual property or sabotage infrastructure. Security experts suggest the scale and nature of the attacks point to involvement from hostile nation states, with Russia a likely culprit.

Though UKRI cautioned that differing reporting periods may affect the accuracy of year-on-year comparisons, there is little doubt about the severity of the threat.

The UK’s National Cyber Security Centre (NCSC) has previously warned of Russia’s Unit 29155 targeting British government bodies and infrastructure for espionage and disruption.

With other notorious groups such as Fancy Bear and Sandworm also active, the cybersecurity landscape is becoming increasingly fraught.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.