The AI Hiring Bot Has Millions of Sensitive Data Records Exposed
10 July 2025 Reading time: 5 minutes
TL;DR: Multiple vulnerabilities found in McDonald's AI-powered hiring system exposed data of 64 million job applicants. Security issues, such as weak passwords and a lack of robust security design, leave sensitive information exposed in the wild. This exercise is (one more) wake-up call for companies to reassess their reliance on automated systems and take concrete steps to protect sensitive information. [Source].
Cybersecurity is never limited to just IT systems but extends to all corporate environments. This story is about hacking an automated AI-driven hiring mechanism. Imagine a scenario where you apply for a job online only to find your sensitive personal data - name, email address and phone number - being shared without your consent on the dark web. Sounds far-fetched? Unfortunately not. The recent exercise shows that 64 million applicants' personal data records in McDonald's AI hiring system, McHire, could have been easily compromised.
Not-So-Tasty Recruitment System
Security researchers Ian Carroll and Sam Curry found that the McDonald's McHire platform, developed by AI software company Paradox.ai, had numerous (basic!) security vulnerabilities, enabling hackers to breach the applicant database with a simple administrator password like "123456." After gaining access to the McHire system, security researchers uncovered an Insecure Direct Object Reference (IDOR) vulnerability within the applicant database. By enumerating the applicant ID, they were able to access all the database records. This flaw enabled access to a massive amount of sensitive personal information, including names, email addresses, phone numbers, and chat logs spanning several years. Needless to say, the accessed data in the wrong hands could be easily exploited for phishing, fraud, or other malicious activities. Both McDonald’s and Paradox.ai recognised the gravity of exposing sensitive applicant data and the critical nature of the incident. McDonald's expressed disappointment regarding the security lapses of its third-party vendor, but would it change much?
How on Earth is This Possible?
The answer lies in a well-known security flaw: a weak username and password combination as simple as the immortal "123456". The researchers discovered these vulnerabilities by using a trivial dictionary attack - a "traditional" and basic technique where an attacker uses words and common patterns to identify weak passwords. Success after 30 minutes - not bad!
Reading between the lines, the ease of this breach might suggest deeper issues in the platform’s development process, potentially stemming from an over-reliance on AI-driven code generation. It’s plausible to assume that the security flaws emerged due to automated programming tools producing insecure code. In an AI-driven development environment, algorithms may prioritise functionality and speed over security, inadvertently embedding multiple vulnerabilities if not rigorously checked. The lack of robust human control and supervision in the SDLC could have led to a failure to enforce the necessary secure coding standards.
Recommendations? Elementary, my dear Watson.
How do we protect ourselves from falling victim to such security threats? The answer lies in taking simple, very well-known, yet effective measures to safeguard our businesses.
To prevent cybersecurity issues, organisations should enforce strong password policies with complex, lengthy passwords and multi-factor authentication. It is important to secure access to all sensitive resources (especially databases) with role-based access control. It is important not to forget about running regular security audits: conducting penetration testing (PT), automated vulnerability scans (VA), and engaging third-party security firms - it will tremendously help to identify weaknesses at the early (development) stages. And please always remember about employee training on secure practices and phishing awareness. The training can work best if combined with an existing robust incident response plan that ensures quick action during breaches.
Separate words should be said about having a secure software development lifecycle (SDLC) in place, as it integrates security practices at every stage of software development: from design to deployment. By incorporating threat modelling, secure coding standards, and regular security testing, it is possible to substantially reduce the risk of exploitable flaws much earlier (and cheaper).
So we, humans, are still needed! To me, this all highlights the necessity of integrating human expertise into modern "AI-assisted software development". Otherwise, we will have more opportunities to log in with "123456" to mission-critical systems and see more catastrophic breaches that expose sensitive data.
Cyber Attacks Becoming a Nightmare for UK Businesses. Are CEOs And CISOs Playing a Cybersecurity Roulette?
30 June 2025 Reading time: 10 minutes
Each passing day brings a new wave of cyber threats that loom over the future of business, waiting to strike at the most unfortunate moment. I was scrolling through today’s article in The Guardian, thinking “Ah, same old, same old”. But let us all stop for a moment and try to think together about what is really happening and how to break the vicious circle.
According to the UK Cyber Crime Statistics in 2025, over 560000 new cyber threats are discovered daily. Do you want more numbers? Recent figures released by the Royal Institution of Chartered Surveyors (RICS) show that an alarming one in four UK companies have suffered at the hands of cyber-attacks within just the last year alone. The predominant majority (81%) of those UK businesses that suffer from a Cyber Security Attack are small and medium-sized businesses (SMBs/SMEs). It is essential to grasp the extent of these statistics and their potentially catastrophic implications on a business's survival and reputation.
(Source: www.twenty-four.it/services/cyber-security-services/cyber-crime-prevention/cyber-crime-statistics-uk)
What lies at the heart of this growing crisis? Complacency, lack of awareness and absence of a long-term security strategy among some CEOs and CISOs are major contributing factors. Despite being aware of the looming dangers, they appear to “underestimate the enemy” and rather think about the short-term, small “demonstrable wins” (because it looks good in reports, right?), but at the same time, putting their entire companies at risk. This was exemplified by a recent high-profile attack on Marks & Spencer, which suffered weeks of downtime due to a catastrophic cyber breach that, in turn, led to a colossal financial loss. This all looks like a perilous game of cybersecurity roulette, and I am not sure if businesses can afford to play.
There is an opinion that these days, traditional antivirus software is largely useless in preventing the newer agile forms of attacks. So, can we still protect our precious business? The answer lies in taking multiple proactive measures to safeguard against modern, rapidly changing cyber threats. By implementing a series of basic yet crucial measures, businesses can significantly reduce their risks. These include regular software updates and system checks, comprehensive training programs for employees to identify potential scams, educating staff about the benefits and risks of new technologies, and ensuring that every employee is equipped with the necessary knowledge and skills to navigate this complex digital world. Do not forget to employ multiple authentication methods for enhanced security, conduct routine system checks and do prompt software upgrades, and you will put your business in a much better position.
I think it's a good “wake-up call” for leaders across all sectors to reassess their security protocols and take swift action. We must take immediate action - the costs and potential brand damage could become too high a price to pay in future. Do not wait until your business's vulnerabilities are exposed by hackers. Instead, implement basic cybersecurity measures today (and don't forget to ask professionals to come and revalidate them!).
Cybersecurity: A Big Guide for Small Businesses
20 June 2025 Reading time: 12 minutes
Every day we see that the threat landscape continues to evolve at breakneck speed, but one could be surprised by discovering that not only large enterprises, but small and medium-sized organisations have become prime targets for cybercriminals. But why? In many cases, it is a simple case of a lack of awareness leading to underinvestment in cybersecurity measures. While large corporations may have the budget to invest in cutting-edge technology, SMEs often struggle to keep up.
So, how can small businesses protect themselves without breaking the bank? Ultimately, the key to surviving lies not in luck but in preparedness.
One of the most effective ways for small businesses to fortify their cyber defences is by empowering employees with essential cybersecurity knowledge. Equipping your staff with the right skills to identify and combat online threats can prove invaluable in the fight against “daily” cyber threats.
In addition to employee education, it is important to regularly check software updates and patches, as those can close known vulnerabilities before they can be exploited by malicious actors. This simple yet effective measure can significantly reduce the risk of falling prey to cyberattacks.
It's surprising that despite its importance, many organisations still forget about some basic cyber hygiene, such as password security. A staggering 81% of hacking-related breaches are attributed to weak or stolen passwords. Addressing this issue forthwith is crucial and, ideally, combined with two-factor authentication mechanisms (2FA) in place.
Another critical aspect of cybersecurity that cannot be overlooked is the establishment of reliable backup systems. Not only does this safeguard against accidental data loss in the event of a ransomware attack, but it also saves precious time and money that would have otherwise been spent on (very) costly recovery. By the way, do you have an Incident Response Plan? When was the last time you had it tested?
There are many cybersecurity tools and resources which could be used for free. Local chambers of commerce, small business associations, or online communities often provide various free workshops, mentorship, or networking events. Government programs or grants for small businesses can also offer financial relief for investment in cybersecurity. Your employees can learn how to use free tools and successfully maintain the cybersecurity baseline themselves.
Last but not least, you might be surprised, but hiring professional penetration testing teams also doesn’t have to be expensive. Some cybersecurity firms, such as Risk Crew, offer services tailored for small and medium-sized enterprises (SMEs), balancing quality and affordability. These solutions will test your systems for vulnerabilities, ensuring robust protection without the high costs typically associated with enterprise-level services.
So, what can you do to get started today? By incorporating one step each week into your cybersecurity routine and monitoring its progress, you'll be on your way to building a robust defence against modern cyber threats. Always remember that cybersecurity is not just an IT problem; it's a team effort that requires every employee to be engaged. By focusing on high-impact, low-cost strategies, small businesses can significantly reduce their risk of cyberattacks and become a tough nut to crack for hackers.
InfraSEC 2025
5 March 2025 Reading time: 2 minutes
Please find the presentation from my talk as a keynote speaker at the InfraSEC conference in Warsaw, Poland on 19/02/2025.
 |
Presentation from my talk at InfraSEC 2025 in Warsaw, Poland about insecurities of industrial systems (PDF). |
A week after the presentation I was positively surprised and honoured knowing that my talk was top-rated by the conference participants!
And THAT news surely made my day!
From free will to wild algorithms: how AI is shaping our lives
6 November 2024 Reading time: 8 minutes
Buckle your seatbelt Dorothy, because privacy is going bye-bye!
It’s not a secret that we all are permanently under observation. We became desensitized and used to it long ago so it is not bothering us too much any more. However, in recent years, the concept of monitoring the lives of humble citizens has evolved much beyond traditional notions of police and state-run agencies. AI has given life to new forms of digital surveillance and methods of collecting information about us. These methods are fast, effective, multidimensional, pervasive and much more intrusive than ever before. These emerging technologies have the power to monitor our every move, almost track our thoughts (so far: indirectly), and control our actions in ways that threaten the very essence of human freedom. Wild imagination? Oh please – read some recent news!
AI-driven surveillance is employed pretty much everywhere these days. It spans from analysis of our behaviour online up to voice and face recognition including monitoring of eye movements. It’s not so difficult really. By using modern high-speed and high-resolution video cameras and machine learning algorithms, computers can now analyse all kinds of behavioural patterns including how you walk, how you talk, and the slightest changes in pupil size and iris to determine everything from our attention span to our political preferences. This data then could be used to infer our personalities, interests, and preferences with alarming accuracy. Technology is progressing so quickly so these days everyone can build a simple surveillance system for fun, e.g. for monitoring your cat. So think about this: if you can build an AI-driven system with Raspberry Pi on one rainy Sunday, think about what governments and large businesses can do with their powerful technology and unlimited resources.
The implications are staggering. In a world where AI-powered algorithms know what we are thinking, feeling, and doing every moment of the day, the concept of privacy becomes an anachronism. Our every move could be tracked and recorded by cameras and sensors that watch us from above, below (and one day probably within). Every transaction, every conversation, and every thought becomes a document. The document can be traced, collected and analysed for clues about our behaviour, preferences, and values. Would I personally ever benefit from it? Doubt. But I am sure, it will be regularly explained to me that it is all happening for my safety, personalised marketing and, surely, for the good of all mankind.
Another prominent example is modern-day elections and voting. I am not referring to the most recent one but to any elections these days. It is totally unclear to me whether the outcome truly reflects voters' genuine desires or is instead influenced by sophisticated state-of-the-art "political engineering". With AI at their disposal, politicians can now create and disseminate tailored messages to millions of people, often without them even realising they're being manipulated. This raises deep concerns that citizens might become unwitting pawns in someone else’s larger agenda, rather than active participants in the democratic process.
Who controls the controller?
The widespread collection of personal data and processing by AI by governments and large corporations raises significant concerns about their accountability. The technology goes forward and these entities can now process and correlate unimaginable amounts of behavioural data on individuals without their knowledge or consent. This starts from browsing history, search queries, location information, biometric data and more. Even innocent metadata which is collected in such vast amounts and processed by AI can tell a lot about an individual. The problem I see is the omnipresent lack of transparency. It creates an opaque situation where individuals have limited or no control (and/or knowledge) over what data was collected, when and by whom. Governments and corporations often justify these practices under the guise of "national security" or "marketing efficiency,". The absence of clear regulations and, first of all, transparent accountability mechanisms means that people have no idea about what is happening with their data, leaving their privacy vulnerable. Let’s not forget that data later can be shared with unknown third parties, who have their own agendas. Data can also be leaked or stolen. Considering all this, probably the only recommendation we can give is: whatever you do online - share as little as possible because everything and anything can be used against you sooner or later. Not an easy task considering that these days we all pretty much never go offline, right?!
But this isn't just a matter of the state watching its citizens. Large businesses and social media platforms aggregate an incredible amount of data on our online activities and create detailed profiles that shape our experiences and interactions. Is there any way we might know what our data is used for? I guess, you know the answer to this question. However, do we truly grasp the implications of this step-by-step erosion of individual freedom? It's leading us towards a dystopian society where every aspect of our lives is constantly in an instant feedback loop with machines, and even the smallest decisions could be dictated by algorithmic manipulation. Probably the meaning of the word “spontaneous” under the circumstances should be redefined. I guess it might be described as “less influenced by the existing behaviour-optimising algorithms”.
By allowing this to happen, we create a society where the boundaries between public and private spaces are disappearing, leaving us all exposed and vulnerable to the whims of our digital masters who wield immense power over human lives. I think a good example of this is Iran's hijab laws. For me, it is a chilling illustration of what happens when AI-powered surveillance is used to enforce rigid conformity and punish dissent. By tracking women's headscarf-wearing habits through facial recognition technology, the authorities have created a system that can identify and penalise those who fail to comply with the regime's strict dress code. This has led to widespread arrests, fines, and even confiscation of property for those deemed to be non-conformists. What if the next decision of the government will be let’s say prohibit women from laughing in public? Could this "law" be enforced with the existing technical measures? Piece of cake.
Do we still have a chance?
In the face of the rapidly advancing proactive and aggressive AI-driven data collection and analysis, it's essential to fully understand the consequences that lie ahead. We're not just talking about a loss of privacy or a threat to civil liberties any more. We are facing a fundamental transformation of human society into a vast global experiment in modification and control of human behaviour. As usual, for the benefit of the chosen few. I can envisage that the AI-powered monitoring systems that are being deployed today have the potential to completely reshape who we are and what we are. Our shopping, working, travelling or dating will never be the same, knowing that not one but many AI Big Brothers are watching and influencing your every step 24/7. Our thoughts and behaviour define us as a species. If our behaviour becomes permanently changed due to the constant influence of technological factors – what does it mean? Are we evolving? Are we going to live in a sort of “symbiotic relationship” with machines? Or maybe degrading?
So, what can we do? First and foremost, we need to be aware of the technologies that surround us and how they're influencing our lives. We must always question the assumptions behind these systems (and their creators) and challenge their right to control our every move. In a world where the reigns of control are gradually given to AI, it's more important than ever to assert our humanity, defend our freedom, and resist the forces of newborn cyber-totalitarianism that might threaten to engulf us all.
We stand at a crossroads in history where the decisions of artificial intelligence systems could shape major historical processes and change the lives of billions. It’s the first time when the algorithms could, literally, make history. The stakes are high, but the battle for human dignity and freedom is not yet lost. The future is never predetermined, but the path ahead is shaped by the choices of all of us. Maybe it is time to learn from history lessons and strive to create AI systems that serve humanity, rather than the other way around.
A tasty cake with security layers
22 October 2024 Reading time: 7 minutes
Imagine a world where no digital activity is fully safe. A world where malicious forces could hijack monetary transactions, private communication and interactions at any time, crippling businesses and lives alike. Sounds like grim science fiction? Take a look: it's our reality today. Cybercrime has become the leading cause of financial loss for companies worldwide, with projected costs reaching a mind-boggling $10.5 trillion annually by 2025.
The threat is very real, and it's not about big corporations anymore; small and medium-sized enterprises (SMEs) are equally vulnerable, accounting for a staggering 43% of cyberattacks. The digital storm rages on, with new threats emerging every day, each more sophisticated than the last. I think it's the right time to start thinking about fortifying your defences!
According to the annual Cost of a Data Breach Report for 2024 from IBM, the global average cost of a data breach has reached an all-time high of $4.45 million, marking a 15% increase over the last three years. Detection and escalation costs also have seen a significant surge of 42%, accounting for the highest portion of the “cost of breach”.
This remarkable growth in breach costs underscores the escalating threat landscape and the need for businesses to fortify their security measures to mitigate risks. The increasing cost is largely attributed to the sophistication and complexity of modern attacks, which demand more time-consuming and resource-intensive investigation and resolution processes.
The secret is in layers
Picture your business as a medieval castle under siege. The walls are breached, and the enemy is at the gates. What do you do? You don't just reinforce one wall, hoping it will hold; you fortify every aspect of your defences - the walls, the towers, the moat, the gatehouse. And that's what we call layered cyber security.
If layered security is in place - it makes it much harder for attackers to breach such a system. Each additional layer increases the complexity and difficulty of breaching the whole system. The concept has been proven effective in various industries, from finance and healthcare to government and manufacturing. For example, banks have notoriously implemented multiple layers of security to protect their customers' money, including network firewalls, intrusion detection systems, encryption, access controls, and, of course, regular software updates. Some studies show that organisations with multi-layered security in place were 70% less likely to experience a data breach compared to those without. Another study by IBM Security revealed that companies using multiple security controls were able to detect breaches 26% faster than those with fewer controls. Why am I not surprised?
Give me those layers
The core layers of defence are designed to protect against different types of attacks:
- Network security. Your first line of defence is network security, acting as the moat around your castle. Firewalls, intrusion detection systems, and prevention systems control traffic flow, detecting suspicious activity and limiting access. And there is a good reason for having it all. The sheer number of cyber-attacks can be mind-boggling (with estimates ranging wildly depending on the criteria used to define an attack, of course). Some reports claim that as many as 5.5 billion malware infections occur annually, while others put the figure for attempted intrusions at a staggering 6.3 trillion. This means a cyber attack every 3 to 11 seconds!
- Endpoint security. Protecting devices from malware, viruses, and other threats is crucial in today's mobile workforce. Ensure all devices are up-to-date and monitor for threats as they happen. But did you know that 68% of organisations experienced endpoint security incidents in the past year? The threat landscape has never been more daunting.
- Application security. Secure your software with regular testing and updates to patch vulnerabilities and reduce the risk of attacks. The only hope is that your vendor will be delivering those updates and patches promptly.
- Data security. Protect sensitive information in storage by implementing encryption and backing it up regularly to ensure confidentiality and availability. Do you remember the average cost of a data breach from the Cost of a Data Breach Report for 2024 from IBM? Check it again.
- Identity and access management (IAM). Control access to systems and data with strong authentication and role-based access control, safeguarding against insider threats and compromised accounts. IAM is critical in today's world where 70% of organizations face insider threats daily.
Continuous improvement is the only constant
Cybercriminals evolve, and so must your defences. A layered approach is not a set-it-and-forget-it solution; it requires periodic review and adaptation. Start by evaluating your current protection mechanisms regularly, identify gaps, and upgrade whatever is necessary. The future of cyber security surely lies in automated AI-driven tools that process real-time data to predict potential attacks, scale responses, if needed, and put in place advanced monitoring to quickly identify anomalies. But here's a chilling fact: 61% of organisations believe they are not fully prepared to handle a sudden attack. The reality is that no business can afford to wait for the future miracles of AI so thinking about cyber security and investing in security is required right now.
We should not forget that security is everyone's responsibility. Even simple steps like creating strong, unique passwords and being cautious with email attachments can make a significant difference. But even with robust measures in place, internal threats might remain a concern. But in this case, the layered cyber security solutions will help again and address this by implementing stringent access controls and monitoring user activity to catch suspicious behaviour.
A call to action
Cyber security is no longer just an IT issue; it's a business imperative. A multi-layered defence is the only way to stay ahead in today's digital landscape. It requires investment, vigilance, and continuous improvement. So, build your castle with layers of protection - for in this digital storm, the cost of not doing so could be catastrophic.
The stakes are high; the future is uncertain. The choice is yours: invest in cyber security or become another statistic in the ever-growing list of victims of cybercrime. The battle for cyber security is ongoing; ask yourself if you are ready to join the fight.