A gunman attempted to enter the White House Correspondents’ Dinner in Washington, DC, last weekend, while President Donald Trump, Vice President JD Vance, and other administration officials were in attendance. Media reports and Trump himself quickly identified the suspected shooter as 31-year-old engineer and computer scientist Cole Tomas Allen. The California resident was arrested at the scene on Saturday and appeared Monday in the US District Court for the District of Columbia to face three federal charges: attempting to assassinate the president, transportation of a firearm in interstate commerce, and discharge of a firearm during a crime of violence.
The authentication standards body known as the FIDO Alliance announced working groups this week along with Google and Mastercard to develop technical guardrails for validating and protecting transactions initiated by an AI agent. Meanwhile, given the proliferation and increasing sensitivity of some work using AI, OpenAI rolled out an “advanced” security risk mode for ChatGPT and Codex accounts facing heightened risk of attack.
New research this week shed light on an incident in which 90,000 screenshots pulled from a European celebrity’s phone were exposed online—underscoring the risks of commercially available spyware both as an invasion of personal privacy and a threat for widespread data breaches and abuse. And WIRED looked at arrests in the United Arab Emirates resulting from people sharing screenshots and other online content.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
The Happiest Place on Earth just got a bit creepier. The Walt Disney Company announced this week that visitors to its Disneyland Park and Disney California Adventure Park will have the option to “choose” to enter the park through a lane that’s equipped with face recognition technology. While the company says subjecting yourself to face recognition is “entirely optional,” it notes that “you may still have your image taken” if you enter the parks through lanes without face recognition systems. Disney’s face recognition, like many others, works by converting images of people’s faces into a numerical value, which can then be used to match faces in other images. The company says these numerical values will be deleted after 30 days, “except in cases where data must be maintained for legal or fraud-prevention purposes.”
Face recognition systems are widely used across the United States and the world. Law enforcement agencies frequently use the technology, but it has also proliferated into everyday aspects of life, from airports to MLB and NFL stadiums to Madison Square Garden.
Anthropic’s Mythos Preview AI model has been described as so adept at digging up hackable bugs in software that its use has so far been carefully restricted to prevent it from falling into the hands of malicious hackers. So perhaps it would be more of a surprise if the National Security Agency was not already trying it out.
Bloomberg News and Axios reported this week that the NSA was among the agencies and companies granted early access to Mythos, which has been limited to 40 organizations so far, according to Axios. The agency has used the tool to hunt for bugs in Microsoft’s software—naturally, given that it still runs on the majority of the world’s PCs—and has been impressed with its speed and effectiveness in finding exploitable vulnerabilities, according to sources who spoke anonymously to Bloomberg. The agency’s remit, after all, includes some elements of helping the US government discover and patch security vulnerabilities in the software it uses, as well as sometimes exploiting those vulnerabilities in the NSA’s own operations.
The NSA’s testing or adoption of Anthropic’s AI tool appears to have proceeded in spite of the Department of Defense’s declared ban on Anthropic, which followed Defense secretary Pete Hegseth’s claim that the company represented a supply chain risk. Hegseth said in February, however, that the DOD will transition away from Anthropic’s tools over six months, and Anthropic has sued to prevent the ban from being enacted. Given that the NSA is part of the DOD, it’s not clear for now whether the NSA is merely using Mythos in the window before the ban goes into effect, or if the tool is powerful enough to persuade the NSA to rethink its ban—or make an exception.
The ransomware group known as Scattered Spider has been responsible for some of the most damaging extortion-focused hacking campaigns in recent memory, including the breaches of MGM Resorts, Caesars Entertainment, and retailers like M&S and Harrods. It’s also distinguished among ransomware gangs for its membership: Often very young, English-speaking hackers based in countries that are cooperative with US law enforcement—and, therefore, tend to get arrested.
The latest alleged member of the group to be identified and charged is 19-year-old Peter Stokes, who was arrested at an airport in Finland, where he intended to board a flight to Japan. According to the Chicago Tribune, Stokes’ alleged involvement in the targeting of four Scattered Spider victim companies is described in a criminal complaint that has since been placed under seal. Stokes is reportedly accused of helping to steal millions from those unidentified victim companies, which included an online communications platform and a luxury retailer. According to the complaint, he also led a jet-set life, traveling from Dubai to Thailand to New York and appearing in one photo wearing a diamond-studded necklace that read “HACK THE PLANET.”
A Medicare database left accessible on the open internet inadvertently revealed the Social Security numbers and other personal information for health care providers around the US, the Washington Post reports. The database was linked to an online directory for the Centers for Medicare and Medicaid Services (CMS), which allowed Medicare patients to check which insurance plans health care providers accept. According to the Post, the exposed sensitive data was online for “at least several weeks.” Rollout of the directory is part of an effort by the Trump administration to “create a national database of health care providers,” the Post reports, which is being overseen by Amy Gleason, the acting head of the US DOGE Service who also serves as an official at CMS.