Amid years of warnings that China’s notorious Volt Typhoon hackers may be pre-positioning within United States critical infrastructure, a closed-door war game for insurers played out an array of worst-case scenarios—revealing a menacing, disruptive threat.
ICE’s internal oversight group, the Office of Professional Responsibility, has begun investigating online critics of the agency, opening more than 100 cases looking at what ICE officials call “incidents of doxing and threats” against agency employees. And in the European Union, tech companies will be able to scan citizens’ personal texts, emails, and social media messages again because of renewed powers in the “Chat Control” bill aimed at curbing online child abuse material. The European Parliament voted to extend the legislation despite a majority of lawmakers voting against the proposal.
WIRED revealed more about the Madison Square Garden surveillance landscape this week with revelations that MSG kept a database categorizing hundreds of celebrities, prominent Knicks superfans, and even some Taylor Swift wedding guests using labels that included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”
And new research this week shows that a wave of government website hijacks in which scammers promise “leaked” OnlyFans content are being stymied by thousands of copyright complaints from adult content creators, helping keep people safe by getting the malicious links taken down.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
AI Found a Root Bug in Linux That Everyone Missed for 15 Years
Nebula Security has published exploit code for GhostLock (CVE-2026-43499), a use-after-free bug that sat in the Linux kernel for 15 years and lets any logged-in user take root on an unpatched machine, according to SecurityWeek and The Hacker News. The flaw shipped by default in essentially every mainstream distribution since 2011 and needs no special permissions or network access. Nebula’s exploit escapes containers and was 97 percent reliable in testing. It earned a $92,337 payout through Google’s kernelCTF program. It was fixed in April, but patch availability is uneven; Ubuntu, as of early July, still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress, so defenders should confirm the fixed package rather than assume one is waiting.
Notably, Nebula found the bug with VEGA, its AI-driven bug-hunting tool, part of a 2026 run of Linux privilege-escalation flaws surfaced by automated tools combing old kernel code few had reread in years.
Flock Cameras Sent 4 Cops After a Reporter
Writing in The Drive, reporter Joel Feder describes being boxed in by four Plymouth, Minnesota, police cars in a Kohl's parking lot in late June—officers shouting, hands on their guns—because Flock's license plate cameras had flagged the $155,000 Range Rover he was testing, loaned from a New Jersey dealership, as stolen. Feder writes that police had been tracking the SUV around town for days … because of a typo.
The cause traced back to a data-entry error 2,000 miles away: a Jaguar Land Rover fleet plate reading 34 03 DTM had been reported to Los Angeles police as lost, but it was entered into the system as just “34 DTM”—dropping the smaller middle digits that New Jersey uses on manufacturer plates. Flock's cameras read the large characters, ignored the nonstandard structure, and started alerting police to any matching car. Feder reports that four other Land Rovers sharing the same license plate format were being tracked around Minnesota that same week; he was just the first pulled over.
The plate that kicked off all this police activity turned out not to have been stolen at all, just misplaced during a photo shoot. Ironically, the incident came barely two weeks after The Drive published a viral report on exactly this kind of Flock overreach.
ICE’s Cyber Contractor Gets Breached
Consulting giant Accenture has confirmed a security breach after a threat actor going by “888” claimed to have lifted 35 GB of data—source code, RSA and SSH keys, Azure access tokens, and configuration files—and put it up for sale on a cybercrime forum, according to BleepingComputer. Accenture called it an “isolated matter,” said it had remediated the source, and reported no impact to operations but declined at the time to comment on what was actually taken or how the attackers got in. To back the claim, 888 posted a screenshot appearing to show a cloned Azure DevOps repository on a redacted Accenture.com host; BleepingComputer couldn't verify the full scope. It's not the actor's first swing at the company—888 tried to sell Accenture employee data after a third-party breach in 2024, and Accenture separately got hit by LockBit ransomware in 2021.
The timing of the breach is particularly awkward: Accenture's federal arm has held ICE’s Cyber Defense and Intelligence Support Services contract—24/7 threat monitoring, intrusion detection, and incident response across the agency's networks—since September 2021, a roughly $56.5 million task order that expires at the end of August and is currently being recompeted.
The Pentagon Wants to Train an Army of Amateur Hackers—but Not for a Living Wage
The Pentagon opened applications this week for Cyber RAP, a paid apprenticeship that recruits people with no cyber degree or experience—just the aptitude to learn—into 12-month, full-time gigs learning to guard the department's networks, according to DefenseScoop. The US military’s CIO, Kirsten Davies, pitched it as ditching “academic gatekeeping” for “raw aptitude, patriotic drive, and hands-on capability.” But the pay is an abysmal $22,584 a year, and those who wash out will owe the government back for the training.
That's the deal for building talent in-house. The other option on the table is renting it. A provision in the Senate Armed Services Committee's FY2027 defense bill would let defense secretary Pete Hegseth spin up a pilot to run cyber operations through “contractor-owned, contractor-operated means”—a government-blessed hacker-for-hire crew, GovInfoSecurity reports.
Critics see a line being crossed. Nick Leiserson, a former Biden White House cyber official, said the hack-for-hire plan “contributes to global cyber instability” and noted the US has sanctioned Chinese contractors for doing the same thing.
The idea has a colorful pedigree. Last year, US representative David Schweikert of Arizona introduced the Scam Farms Marque and Reprisal Authorization Act, which would let the president issue “letters of marque and reprisal”—the same instrument the US last handed to privateers in the War of 1812—authorizing private operators to seize the assets of foreign cybercriminals, including crypto wallets tied to scams against Americans, as The Register reported. The bill went to committee and never got a vote.