The Defense Department operates slot machines on US military bases overseas, raising millions of dollars to fund recreation for troops—and creating risks for soldiers prone to gambling addiction.

When Dave Yeager stumbled upon the chamber of shiny, casino-style slot machines, he felt an instant pull. It was his first night of deployment in Seoul, South Korea, and the United States Army officer was in a bad headspace. The September 11, 2001, attacks had just happened, and he had a wife and two children under the age of 5 at home whom he missed fiercely. He felt lost.

Yeager had never seen a slot machine on a military base before—there weren’t any in the US—but he figured trying his luck couldn’t make things worse. “As I’m sitting there, the first thing I’m noticing is that my shoulders are relaxing,” Yeager remembers. “Then, I won. In that moment, all the stress, the anxiety, the pain, the hurt, the fear—it washed away.”

Pulling the slot machine’s levers felt like a salve—until they didn’t. Yeager found another room filled with slot machines at his next base. Over a period of about three months, he spiraled into what he says was a “devastating obsession” with playing the military-run casino games. He eventually drained his savings, sold his stuff, even stole from his unit. He didn’t tell anyone what was going on. “I thought no one could help me,” he says.

While not everyone who plays the slots struggles like Yeager did, a growing body of evidence indicates that veterans and service members are more likely to struggle with gambling disorders than civilians, says Shane W. Kraus, an associate professor at the University of Nevada, Las Vegas, who studies gambling disorders. Service members also tend to be more hesitant to seek help, out of fear of losing rank, security clearance, or being dishonorably discharged, he adds.

Not much has changed since Yeager served—in fact, within the last five years, the slot machine programs the military runs have been making increasing amounts of cash. And, some advocates say, they’re not funneling enough of what they make into education on problem gambling.

**Drafted Into Debt**

The Army Recreation Machine Program (ARMP) currently operates 1,889 slot machines in 79 locations abroad, including Korea, Japan, and Germany, according to Neil Gumbs, general manager, Army Recreation Machine Program (ARMP) Installation Management Command (IMCOM). The ARMP brought in $70.9 million from its slot machine operations during the 2024 fiscal year, according to a document obtained by WIRED. That year, the ARMP made $53 million in net proceeds. (The ARMP program covers slots on Army, Navy, and Marine Corps bases, while the Air Force also has their own version of the program.)

Those figures have been increasing. In the fiscal year 2023, the ARMP brought in $64.8 million in revenue, with $48.9 million in net proceeds. The year before, it made $63.1 million in revenue with net proceeds of $47.3 million, according to documents obtained through a public records request made by this reporter through the Data Liberation Project.

From October 2024 to May 2025, the ARMP’s “house” has had some solid wins. They generated about $47.7 million from players in that period, records obtained by WIRED show. Comparatively, the total return to players from October 2024 to May 2025 was about $37 million in reportable jackpots over $1,200.

In its heyday, the ARMP brought in over $100 million in revenue, per a 2017 report from the Government Accountability Office (GAO), but money-in dwindled substantially between 2010 to 2020, which Gumbs attributed to “movement and reductions in force and installations.” Things began to grow again after 2020. This was partly a boost from Covid-19 boredom, along with “renewed investment in new equipment and cost/expense reductions aided in increasing entertainment on offer,” Gumbs says.

This was a few years after the ARMP installed “Morning Calm,” a popular gambling room on the Army base Camp Humphreys in South Korea (likely a reference to the country’s nickname, “The Land of the Morning Calm”). Slots at the Morning Calm location bring in considerably more than other bases, securing the ARMP more than $6 million from October 2024 through May 2025. Second place? “Ocean Breeze” at Camp Butler/Foster in Japan.

With names like that, you’d think these locations were offering serenity—not siphoning savings. But folks like Yeager claim that’s exactly what they’re doing.

When asked for comment on Yeager’s experience, the ARMP’s Gumbs said: “ARMP is affiliated with the National Council on Problem Gambling (NCPG). Additionally, we promote responsible gambling, and all gaming areas and machines prominently display the national gambling hotline number.” A spokesperson for the NCPG notes that the ARMP became a member as of June 2025, after WIRED began looking into this story.

The ARMP also says it tracks which kinds of gaming machines people play the most, and how much revenue comes from each kind. For instance, 88 Fortunes—a progressive jackpot game inspired by Asian culture—is one of the most popular. It brought in more than $3 million to the house between October 2024 and May 2025. Another game, Novomatic Impera HD 5, brought in $4.3 million during that period.

Operations like Morning Calm appear much more organized than what Yeager remembers from his time in the service: “It’s like they had an extra back room, so they threw 50 slot machines in there,” Yeager recalls. He describes some rooms as the size of an average fast-food chain dining room, though the one he played in most in Seoul had maybe 200 machines. He says the atmosphere is “club-like” and dark.

Not all of ARMP cash is coming from service members—local civilians, retirees, veterans, and contractors who work on bases can also play—but a portion of the money the house generates is taken from a vulnerable population that’s literally putting their existence on the line for their country.

The money doesn’t go into thin air. The ARMP’s earnings go back into each branch’s Morale, Welfare, and Recreation (MWR). Some of it pays for entertainment on bases, such as golf courses, bowling alleys, and libraries. “Proceeds that are returned to MWR are decided and allocated by the garrison commander at each installation,” Gumbs tells WIRED via email. (Garrison commanders are leaders sometimes described as “city managers” of Army installations.) Yeager and other experts say the work the MWR does _is_ important. But he and other experts argue that the military must invest more in prevention, education, and treatment from problem gambling.

**Slot History**

Even though Congress banned gambling devices from domestic US bases in 1951, it’s done little to curb the ARMP on bases abroad. In the early 2000s, Congress asked the Pentagon to study how on-base slots impacted military families like Yeager’s. The Pentagon originally hired consulting firm PricewaterhouseCoopers to do the study, but within months ended the contract to complete the research itself. Rachel Volberg, who worked on the original PricewaterhouseCoopers report, tells WIRED that, while she was never told exactly why they decided to take it in-house, she got the strong impression “they didn't want the money to disappear because they were using it to fund recreational activities for enlisted folks.” She remembers chaplains as the main authority figures in leadership who took the issue seriously.

The final report didn’t reference new problem-gambling rates, but noted that the military couldn’t keep many of its morale operations like golf courses running “without slot machine revenue or a significant new source of cash.”

Volberg now studies problem gambling at the University of Massachusetts Amherst.# Asked for comment on the PricewaterhouseCoopers report, an IMCOM spokesperson, referred WIRED to the Pentagon, which referred WIRED back to the Army. The Army’s Public Affairs team also didn’t respond to a request from WIRED on this matter.

After the 2017 GAO report raised concerns, Congress passed a provision under the National Defense Authorization Act (NDAA), which, for the first time, required screening for gambling disorders every year for service members. A 2018 bill that would have required the DOD to create policies and programs to prevent and treat gambling disorders failed to gain traction.

Last year, US representative Paul Tonko, a New York Democrat, proposed an amendment to the NDAA that would ban the operation of slots on bases. That didn’t pass either. “Our brave service men and women sacrifice everything,” Tonko tells WIRED. “We must do all we can to support them by confronting problem gambling head-on.”

Perhaps counterintuitively, Yeager disagrees with abolishing the ARMP outright. “They do generate money for good causes,” he says, noting that having recreation on bases is key, particularly since eliminating the slots won’t eliminate ways to bet online, or the boredom and anxiety many service members feel.

Instead, he wishes the ARMP would dedicate more of its millions to helping folks struggling like he did. “Rather than just eliminate them, why don’t you mandate a small percentage of that money be turned back over into education, screening, and treatment?” Yeager says. He’d like to see a broad education campaign and more controls.

Other advocates want to see more money put into research and treatment programs, along with adding responsible gambling tools and information, says Cait Huble, communications director for the NCPG. In a 2022 review of the DOD’s responsible gambling policies compared with those of US states, the Kindbridge Research Institute, a nonprofit that focuses on gambling-related issues faced by veterans and other groups, found the DOD had the worst, compared to other jurisdictions with legal slot machine gambling in America.

When asked for comment on this report and whether more responsible gambling tools have been put in place since the Kindbridge review, Gumbs said that “proceeds that are returned to MWR are decided and allocated by the garrison commander at each installation,” and reiterated ARMP’s affiliation with NCPG and its commitment to “responsible gambling.” Another IMCOM spokesperson tells WIRED the NCPG partnership “provides us with insights, tools, and materials that help increase the visibility of responsible gaming at our locations, while also keeping ARMP aligned with the broader industry and any real-time updates from NCPG.”

In 2020, the Army updated its regulations to “provide information” to both soldiers and civilians about problem gambling. However, Huble says this isn’t enough. “Checking the box and saying: ‘We have information, there's a brochure in the health office,’ it's certainly different than making sure that clinicians and even commanders are trained in how to handle a situation where a soldier says they have a gambling problem.”

Meanwhile, another GAO report on problem gambling is expected, but some, like responsible gambling lobbyist Brianne Doura-Schawohl, say it’s “long overdue.” It’s also unclear how recent funding cuts by the so-called Department of Government Efficiency (DOGE) and the administration of President Donald Trump, a former casino mogul, will impact the report and future policy.

Yeager says that any recent DOD updates to gambling prevention policy have been “rudimentary at best,” adding: “There’s still a long way to go.”

**Clear and Present Danger**

For years, Yeager felt that neither the Army nor the Department of Veterans Affairs knew how to help him. That is, until 2007. He showed up to the VA (not for the first time) looking for help. By this time, he’d been disciplined and eventually released by the Army for his gambling, had separated from his wife, and survived multiple suicide attempts. Finally, a counselor dug through her desk and procured a pamphlet. “I swear to god, she blew the dust off of it before handing it to me,” he says.

It mentioned one of the VA’s few gambling treatment programs in the country, located in Ohio. This was what finally helped him. Now, he’s in recovery, spending his time working to improve the way the DOD handles problem gambling. “Because I didn’t fulfill my obligation as a noncommissioned officer, I try to fulfill it now as a veteran in recovery,” he says. “This is where I try to pay it forward.”

If Yeager could talk to defense secretary Pete Hegseth today, he has one main message to get across, starting but not ending with the gambling rooms “where the seed of gambling disorder was planted,” he says. “Educating soldiers, sailors, marines, and airmen that this is a real addiction and that there’s treatment that could improve readiness and could bring people out of the woodwork who are scared to go to treatment,” he says. “It would not be difficult to do.”

_For those struggling with problem gambling, you can contact 1-800-GAMBLER for the National Problem Gambling Helpline._

The US Military Is Raking in Millions From On-Base Slot Machines

Plus: A former top US cyber official loses her new job due to political backlash, Congress is rushing through a bill to censor lawmakers’ personal information online, and more.

Last week, the United Kingdom began requiring residents to verify their ages before accessing online pornography and other adult content, all in the name of protecting children. Almost immediately, things did not go as planned—although, they did go as expected.

As experts predicted, UK residents began downloading virtual private networks (VPNs) en masse, allowing them to circumvent age verification, which can require users to upload their government IDs, by making it look like they’re in a different country. The UK’s Online Safety Act is just one part of a wave of age-verification efforts around the world. And while these laws may keep some kids from accessing adult content, some experts warn that they also create security and privacy risks for everyone.

Russia’s state-backed hacking group Turla is known for its bold, creative attacks, such as masking their communications via satellite or piggybacking on other hackers’ attacks to avoid detection. The group, which is part of the Russian FSB intelligence agency, is now using its access to the country’s internet providers to trick foreign officials into downloading spyware that breaks encryption, allowing Turla’s hackers to access their private information.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Google Will Start Estimating Your Age Based on Browsing Data**

Google is rolling out an AI-powered age-estimation system to apply content protections to Search and YouTube, even for users who haven’t provided their age. The system is launching in the EU, where digital safety regulations mandate that platforms take steps to protect minors from potentially harmful content.

Instead of relying solely on user-input data, Google says it will infer age using a “variety of signals” and other metadata to determine if a user should be shown restricted results. Privacy advocates say the move risks inaccuracies and raises questions about transparency and consent.

Google claims the changes align with regulatory expectations and will help protect younger users from inappropriate content. Still, the idea that platforms can algorithmically infer personal traits like age—and restrict content based solely on those assumptions—adds a new wrinkle to long-standing debates over moderation, censorship, and digital privacy.

**Army Revokes Former CISA Director’s West Point Appointment After Political Backlash**

Just 24 hours after naming Jen Easterly as West Point’s Distinguished Chair in Social Sciences, the Army rescinded the appointment following far-right criticism. The former Cybersecurity and Infrastructure Security Agency (CISA) director and academy alum had been lauded for her decades of service. But backlash erupted online after activist Laura Loomer claimed Easterly had ties to the Biden-era Disinformation Governance Board.

Nina Jankowicz, who served as executive director of the board, denied having worked with Easterly in a post on BlueSky, calling the episode yet another example of how we’re all living in “the stupidest timeline.”

Nevertheless, Army secretary Dan Driscoll canceled Easterly’s contract and ordered a full review of West Point’s hiring policies. The Army also suspended the practice of allowing outside groups to help select faculty. The reversal marks the second high-profile clash involving former CISA leaders and political pressure following Donald Trump’s revocation of Chris Krebs’ security clearance earlier this year.

****Congress Fast-Tracks Bill Letting Lawmakers Censor Info About Their Homes and Travel****

A bipartisan bill from US senators Amy Klobuchar and Ted Cruz could let lawmakers demand the removal of online posts showing their home addresses or travel plans, Rolling Stone reports. The proposal, which could pass by unanimous consent, is framed as a response to growing threats against public officials—especially after the assassination of Minnesota legislator Melissa Hortman last month.

Watchdogs joined dozens of media outlets in warning that the bill could chill reporting and enable selective censorship. While the legislation includes a nominal exemption for journalists, critics say it remains vague enough to allow members of Congress to sue outlets or demand takedowns of legitimate news stories.

“The Cruz-Klobuchar bill would not provide \[lawmakers\] the protection they seek but would create a powerful new tool that would result in censorship of public discussion and press accountability for their actions,” Daniel Schuman of the American Governance Institute told Rolling Stone. He urged Congress to go “back to the drawing board” and try crafting a bill that protects all Americans’ privacy “without undermining accountability for public officials.”

****Google Bug Let People Quietly Censor Articles From Search****

An alarming vulnerability in Google’s Refresh Outdated Content tool allowed bad actors to selectively scrub individual URLs from search results, 404 Media reports. And there was no hacking required. Journalist Jack Poulson discovered the bug when two of his investigative pieces, including one about a tech CEO’s domestic violence arrest, vanished from Google, even when searched by exact title in quotes.

The exploit involved repeatedly submitting URLs with minor capitalization tweaks. This reportedly confused Google’s indexing engine, which responded by de-listing not just the altered URLs but the original live articles too. Google confirmed the flaw and quietly rolled out a fix, saying it impacted only a “tiny fraction of web pages.”

Free press advocates warn the vulnerability could’ve enabled targeted, silent censorship, especially by powerful actors using reputation management tactics. “If your article doesn’t appear in Google search results,” Poulson said, “in many ways it just doesn’t exist.”

Google Will Use AI to Guess People’s Ages Based on Search History

The FSB cyberespionage group known as Turla seems to have used its control of Russia's network infrastructure to meddle with web traffic and trick diplomats into infecting their computers.

The Russian state hacker group known as Turla has carried out some of the most innovative hacking feats in the history of cyberespionage, hiding their malware's communications in satellite connections or hijacking other hackers' operations to cloak their own data extraction. When they're operating on their home turf, however, it turns out they've tried an equally remarkable, if more straightforward, approach: They appear to have used their control of Russia's internet service providers to directly plant spyware on the computers of their targets in Moscow.

Microsoft's security research team focused on hacking threats today published a report detailing an insidious new spy technique used by Turla, which is believed to be part of the Kremlin's FSB intelligence agency. The group, which is also known as Snake, Venomous Bear, or Microsoft's own name, Secret Blizzard, appears to have used its state-sanctioned access to Russian ISPs to meddle with internet traffic and trick victims working in foreign embassies operating in Moscow into installing the group's malicious software on their PCs. That spyware then disabled encryption on those targets' machines so that data they transmitted across the internet remained unencrypted, leaving their communications and credentials like usernames and passwords entirely vulnerable to surveillance by those same ISPs—and any state surveillance agency with which they cooperate.

Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, says the technique represents a rare blend of targeted hacking for espionage and governments' older, more passive approach to mass surveillance, in which spy agencies collect and sift through the data of ISPs and telecoms to surveil targets. “This blurs the boundary between passive surveillance and actual intrusion,” DeGrippo says.

For this particular group of FSB hackers, DeGrippo adds, it also suggests a powerful new weapon in their arsenal for targeting anyone within Russia's borders. “It potentially shows how they think of Russia-based telecom infrastructure as part of their toolkit,” she says.

According to Microsoft's researchers, Turla's technique exploits a certain web request browsers make when they encounter a “captive portal,” the windows that are most commonly used to gate-keep internet access in settings like airports, airplanes, or cafes, but also inside some companies and government agencies. In Windows, those captive portals reach out to a certain Microsoft website to check that the user's computer is in fact online. (It's not clear whether the captive portals used to hack Turla's victims were in fact legitimate ones routinely used by the target embassies or ones that Turla somehow imposed on users as part of its hacking technique.)

By taking advantage of its control of the ISPs that connect certain foreign embassy staffers to the internet, Turla was able to redirect targets so that they saw an error message that prompted them to download an update to their browser's cryptographic certificates before they could access the web. When an unsuspecting user agreed, they instead installed a piece of malware that Microsoft calls ApolloShadow, which is disguised—somewhat inexplicably—as a Kaspersky security update.

That ApolloShadow malware would then essentially disable the browser's encryption, silently stripping away cryptographic protections for all web data the computer transmits and receives. That relatively simple certificate tampering was likely intended to be harder to detect than a full-featured piece of spyware, DeGrippo says, while achieving the same result.

“It's a creative approach: ‘What if we just got on the ISP they’re connecting through and use that control to turn off encryption?'" she says, describing what she believes to be Turla's thinking. “This path gives them a massive amount of plaintext traffic that can likely be used for espionage purposes, because it's coming from highly sensitive individuals and organizations like embassies and diplomatic missions.”

The details of how Turla's ISP-based redirection technique works remain far from clear. But Microsoft writes in its report that it likely uses the Kremlin's SORM system for ISP- and telecom-based communications interception and surveillance, a decades-old system initially created by the FSB and now widely used in Russian domestic intelligence and law enforcement.

Microsoft declined to comment on which countries' embassies in Moscow were targeted in the campaign or how many there were, though DeGrippo notes that Microsoft warned the victims it identified. Turla's use of Kaspersky software as a cover for its malware installation technique suggests that the US embassy may not have been a target, given that Kaspersky software is banned on US government systems. Microsoft declined to comment on whether the US embassy was targeted.

Microsoft didn't say how it had linked the hacking campaign to Turla specifically—a typical tightlipped approach from the company's security team, which often declines to divulge its sources and methods to avoid helping hackers evade detection. “This is a threat actor that we have watched closely for a very long time,” DeGrippo says.

Turla has a decades-old a reputation for innovating hacking methods, from USB-based worms designed to penetrated air-gapped systems to piggybacking on cybercriminals' botnets—and ApolloShadow likely isn't the first time the group has hijacked ISPs to plant malware. Slovakian cybersecurity firm ESET has pointed to what may have been a similar technique used to infect victims with fake Flash installers. The same company has also documented what it believed was likely a similar trick likely used by the Belarusian KGB's hackers, and how the commercial spyware FinFisher was likely installed on targets' devices using that same ISP-level access. But Turla's latest campaign would represent the first time that ISP-based infection has been used to disable encryption on target computers, a potentially stealthier form of espionage.

Microsoft's DeGrippo notes that Turla's technique is effective in part because it doesn't take advantage of any particular software vulnerability, so it can't be patched. “It doesn't leverage any zero-day or other vulnerability,” DeGrippo says. “It's about getting onto the network infrastructure your target is using and controlling things from there.”

That said, there are defenses Microsoft recommends for potential victims of Turla's style of ISP-based espionage technique: Use a VPN, for instance, to shield your internet traffic from your internet service provider, or even a satellite connection to bypass an untrusted ISP altogether. Multifactor authentication, too, can limit hackers' access even when they've successfully stolen a victim's username and password.

DeGrippo argues that Turla's use of the technique for domestic spying inside Russia should serve as a warning to anyone traveling, living, or working in a country that has untrusted communications infrastructure. Similar ISP-level hacking, she notes, could easily be adopted by other cyberespionage groups around the world and used anywhere national internet and telecom infrastructure are potentially bent to the will of that country's intelligence agencies.

“If you're a target of interest traveling or working in countries that have these state-aligned ISPs that perhaps have surveillance powers or lawful intercept capabilities,” DeGrippo says, “you need to concern yourself with this.”

The Kremlin's Most Devious Hacking Group Is Using Russian ISPs to Plant Spyware

A law requiring UK internet users to verify their age to access adult content has led to a huge surge in VPN downloads—and has experts worried about the future of free expression online.

After the United Kingdom’s Online Safety Act went into effect on Friday, requiring porn platforms and other adult content sites to implement user age verification mechanisms, use of virtual private networks (VPNs) and other circumvention tools spiked in the UK over the weekend.

Experts had expected the surge, given that similar trends have been visible in other countries that have implemented age check laws. But as a new wave of age check regulations debuts, open internet advocates warn that the uptick in use of circumvention tools in the UK is the latest example of how an escalating cat-and-mouse game can develop between people looking to anonymously access services online and governments seeking to enforce content restrictions.

The Online Safety Act requires that websites hosting porn, self-harm, suicide, and eating disorder content implement “highly effective” age checks for visitors from the UK. These checks can include uploading an ID document and selfie for validation and analysis. And along with increased demand for services like VPNs—which allow users to mask basic indicators of their physical location online—people have also been playing around with other creative workarounds. In some cases, reportedly, you can even use the video game _Death Stranding_’s photo mode to take a selfie of character Sam Porter Bridges and submit it to access age-gated forum content.

For proponents of the law, there is progress to point to as well. The UK’s communications regulator Ofcom says that more than 6,600 porn websites have introduced age checks so far. And major social platforms like Reddit, X, and Bluesky have also added age verification for content that is now restricted in the UK or are in the process of doing so. Microsoft has even started rolling out voluntary age checks for Xbox users in the UK. But even if this movement is satisfactory for now, digital rights advocates point out that normalizing such mechanisms creates the possibility that they will be enforced more aggressively in the future.

“I think people just want to show that we can make some progress on this without thinking about what the consequences of the progress will be,” says Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union. “We do know that there are some things that you can do to help kids have a better relationship with digital tools. And that involves having an adequate social support network; it involves listening when kids run into problems and making sure that they have functioning emotional relationships with adults who can respond to them. But instead what we’re looking for is a quick technological fix, and those technological fixes have consequences.”

Seema Shah, VP of research and insights at the market intelligence firm Sensor Tower, says five VPN apps have experienced particularly “explosive growth” and reached the top 10 free apps on Apple’s UK App Store by Monday.

“According to Sensor Tower estimates, iOS devices have seen a greater spike in VPN downloads in the UK, as downloads across the selected VPN apps are up an average of 100 percent day-over-day over the past four days on iOS versus a 5 percent day-over-day increase for Android devices,” Shah says.

Multiple VPN makers have also reported spikes in visitors and sign-ups in recent days. In a post on X on Friday, Proton VPN claimed that “just a few minutes after the Online Safety Act went into effect last night, Proton VPN sign-ups originating in the UK surged by more than 1,400%.” David Peterson, general manager of Proton VPN, told WIRED that since then there has been a sustained 1,800 percent increase in daily sign-ups.

Also on Friday, the Windscribe VPN service posted a screenshot on X claiming to show a spike in new subscribers. The makers of the AdGuard VPN claimed that they have seen a 2.5X increase in install rates from the UK since Friday.

Nord Security, the company behind the NordVPN app, says it has seen a “1,000 percent increase in purchases” of subscriptions from the UK since the day before the new laws went into effect. “Such spikes in demand for VPNs are not unusual,” Laura Tyrylyte, Nord Security’s head of public relations, tells WIRED. She adds in a statement that “whenever a government announces an increase in surveillance, internet restrictions, or other types of constraints, people turn to privacy tools.”

People living under repressive governments that impose extensive internet censorship—like China, Russia, and Iran—have long relied on circumvention tools like VPNs and other technologies to maintain anonymity and access blocked content. But as countries that have long claimed to champion the open internet and access to information, like the United States, begin considering or adopting age verification laws meant to protect children, the boundaries for protecting digital rights online quickly become extremely murky.

“There will be a large number of people who are using circumvention tech for a range of reasons” to get around age verification laws, the ACLU’s Kahn Gillmor says. “So then as a government you’re in a situation where either you’re obliging the websites to do this on everyone globally, that way legal jurisdiction isn’t what matters, or you’re encouraging people to use workarounds—which then ultimately puts you in the position of being opposed to censorship-circumvention tools.”

Age Verification Laws Send VPN Use Soaring—and Threaten the Open Internet

Starting today, UK adults will have to prove their age to access porn online. Experts warn that a global wave of age-check laws threatens to chill speech and ultimately harm children and adults alike.

Beginning today, millions of adults trying to access pornography in the United Kingdom will be required to prove that they are over the age of 18. Under sweeping new online child safety laws coming into force, self-reporting checkboxes that allow anyone to claim adulthood on porn websites will be replaced by age-estimating face scans, ID document uploads, credit card checks, and more. Some of the biggest porn websites—including Pornhub and YouPorn—have said that they will comply with the new rules. And social media sites like BlueSky, Reddit, Discord, Grindr, and X are introducing UK age checks to block children from seeing harmful content.

Ultimately, though, it's not just Brits who will see such changes. Around the world, a new wave of child protection laws are forcing a profound shift that could normalize rigorous age checks broadly across the web. Some of the measures are designed to specifically block minors from accessing adult material, while others are meant to stop children from using social media platforms or accessing harmful content. In the UK, age checks are now required by websites and apps that host porn, self-harm, suicide, and eating disorder content.

Protecting children online is a consequential and urgent issue, but privacy and human rights advocates have long warned that, while they may be well-intentioned, age checks introduce a range of speech and surveillance issues that could ultimately snowball online.

“Age verification impedes people’s ability to anonymously access information online,” says Riana Pfefferkorn, a policy researcher at Stanford University. “That includes information that adults have every right to access but might not want anyone else knowing they’re consuming—such as pornography—as well as information that kids want to access but that for political reasons gets deemed inappropriate for them, such as accurate information about sex, reproductive health information, and LGBTQ content.”

Efforts that have been mounting over the past decade to introduce strong age checks online have recently gained traction. Last month, the United States Supreme Court paved the way for states to require porn websites to check that visitors are at least 18 using age-verification technologies. Pornhub, for example, has already blocked access to visitors in at least 20 states as laws have been passed. Meanwhile, courts in France ruled last week that porn sites can check users' ages. Ireland implemented age checking laws for video websites this week. The European Commission is testing an age-verification app. And in December, Australia’s strict social media ban for children under 16 will take effect, introducing checks for social media and people logged in to search engines.

“If people choose not to log on \[to search engines\] to avoid age assurance checks, this could have a wide-reaching impact on the streamlined, integrated ways people search for online information,” says Lisa Given, a professor of information sciences at RMIT University in Australia who has been closely following the country’s age-checking policies. “It will also affect the level of privacy people have come to expect from being able to search freely online, which may change how and where they search for information.”

****Coming of Age****

Though the recent wave of court decisions and legislation around age verification is new, multiple online platforms and services have required some form of age checking for years. The British age-verification company Yoti, which works on multiple digital identity technologies including face scanning to estimate ages, says it has done more than 850 million age checks and completes more than 1 million per day. “Brands around the world in different sectors are using this technology, including social media, gaming, adult, dating, retail, and vaping,” a Yoti spokesperson told WIRED in an email.

Age-verification mechanisms come in multiple forms. The UK’s Online Safety Act, which is being overseen by communications regulator Ofcom, lists seven “highly effective” approaches that websites can use. Typically websites will employ third-party companies from the growing age-assurance industry rather than checking ages directly themselves.

Standard age verification is done by uploading a form of government identification and a selfie, using a digital identity service, or submitting credit records or other financial documentation. There are also age estimation services. For example, “email-based” age estimation, according to the UK’s Ofcom, will analyze data on where your email address has been used and for how long as part of a calculation of how old you are. Age estimation services that try to predict someone’s age from a selfie or a video are also increasingly common. Their performance varies, though, depending on how accurate the underlying algorithms are. Many systems offer accuracy of “plus or minus 18 months.” Some physical stores in France that sell tobacco already use facial estimation systems as well.

There are potential privacy and security risks that come with all the approaches, though, such as excessive data gathering, government surveillance, and the threat of data breaches. And opponents of age verification argue that the technologies are not reliable and can be circumvented. Last year, for example, an Israeli ID-verification company exposed driver's licenses and other sensitive data because of a technical oversight. A study commissioned by Green politicians in Europe last year concluded that, while there were some “promising” privacy-preserving methods for age checks, there is ultimately “misalignment between the urgency with which governments are pushing for age assurance and the time needed to develop robust, safe, and trustworthy age assurance technology.” Preliminary results released in June from a study in Australia found multiple problems with age-checking systems.

“The question isn't whether there will be a data breach connected to age verification, it's when,” says Alison Boden, executive director of Free Speech Coalition, a US-based adult entertainment industry trade association. “So, people circumvent the laws. In the best case, they use VPNs to protect their identities. And in the worst case, they turn to websites that flout the law, and then risk being exposed to illegal content like child sexual abuse material and nonconsensual intimate imagery. And this is all in service of policies that have clearly been shown to be ineffective.”

In general, many porn sites and other adult content platforms say that they are in favor of age checks but don’t agree with current approaches.

Proponents of age verification say that it is possible to minimize data collection. Third-party providers can limit the personal information that is shared with individual sites conducting age verification. And, particularly, these third parties can use what are known as authentication tokens, so people can confirm their age once and then produce this credential across multiple sites and providers as verification.

“Our members do over a billion anonymized age checks a year, so our best argument is our track record—and we know that will just continue to improve because of the strict application of data minimization principles,” says Iain Corby, the executive director of the industry group Age Verification Providers Association. “There is no need to retain any personal data after an age check is completed, and if you don’t keep data, it can’t be lost or stolen.”

****Aging Out****

The practical realities of widespread age verification are messy, though. For one thing, sites and services may not comply with regulations. Ofcom, the UK regulator, says that it may issue fines to websites that do not put age checks in place. It already has 11 investigations open. Additionally, not all people have the proper ID or other documents to prove their age when signing up for sites.

“No solution to this is perfect,” says Rachel Coldicutt, the executive director of Careful Industries and a former Ofcom nonexecutive director. “Age verification assumes that all services and platforms that host harmful content are good and lawful actors and that devices don’t get shared. In lots of families, someone aged under 16 or 18 would easily be able to log in to a device that belongs to one of their parents, so unless age verification is required on every login to a site or app it would be quite easy to get access to age-restricted content by using an adult’s device.”

In general, too, many experts note that age verification is broadly unpopular. People feel uncomfortable scanning their face or handing over personal details to view content or participate in online discourse, especially when they are trying to use a service or view content that is intimate or otherwise personal in nature. As a result, age verification can have a chilling effect on speech and the free flow of information online.

And since people can use circumvention tools like VPNs to skirt national laws, there are limits to how effective these policies can be in isolation, which has the potential to tip off a sort of validation and surveillance arms race. There is often a spike in VPN interest when a country introduces new age-check laws.

“A critical point is that while these measures are intended to keep children safe from harmful content, my concern is that these measures will give parents and other members of the public a false sense of security,” says Given, the Australian academic. She adds that there should be greater government investment in education for young people, parents, and teachers about potential online harms, plus more support for people who use social media to access critical information.

As Stanford’s Pfefferkorn puts it, “Ultimately, age verification tech actually poses a risk to the kids it is supposed to protect. It chills their ability to access information, and it can put them at risk of privacy violations, identity theft, and other security issues.”

The Age-Checked Internet Has Arrived

Security flaws in Airportr, a door-to-door luggage checking service used by 10 airlines, let hackers access user data and even gain privileges that would have let them redirect or steal luggage.

An airline leaving all of its passengers’ travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats.

That's what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr's website allowed them to access virtually all of those users' personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

“Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company," says Himanshu Pathak, CyberX9's founder and CEO. “The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have have the ability to do anything.”

Airportr’s CEO Randel Darby confirmed CyberX9's findings in a written statement provided to WIRED but noted that Airportr had disabled the vulnerable part of its site’s backend very shortly after the researchers made the company aware of the issues last April and fixed the problems within a few day. “The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr’s security, and our prompt response and mitigation ensured no further risk,” Darby wrote in a statement. “We take our responsibilities to protect customer data very seriously.”

CyberX9's researchers, for their part, counter that the simplicity of the vulnerabilities they found mean that there's no guarantee other hackers didn't access Airportr's data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user's email address—and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers' names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.

By gaining access to an administrator account, CyberX9's researchers say, a hacker could also have used the vulnerabilities it found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr's data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr tells WIRED that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers.

Within the data CyberX9 accessed in its testing, the researchers found and shared with WIRED examples of passengers traveling with diplomatic passports, several of which had front-page images included in the data. These included four from the UK, two from the US, and three from Switzerland. One of the individuals, the researchers determined, was at the time of their travel a UK ambassador and another was a US executive branch cybersecurity official. “This is a premium service,” says Pathak. “We consider that a good chunk of their users are government officials and other people of a sensitive nature.”

Airportr advertises that it's the “official bag check in partner” of American Airlines, British Airways, Lufthansa, and Virgin Atlantic, along with half a dozen other major airlines, though it appears to only offer its services on flights to and from airports in the UK, Germany, Switzerland, and Austria. American Airlines, British Airways, and Virgin Atlantic didn't respond to WIRED's requests for comment, but a Lufthansa spokesperson responded in a statement. “We are dedicated to investigating any indications of a third-party data breach thoroughly and promptly," the spokesperson writes. "We take these matters seriously and are committed to maintaining the integrity and security of our data.”

CyberX9's researchers first became curious about Airportr last April, after a member of the team saw the service advertised to him for flights to Europe from the United Arab Emirates, where the company is based, and heard that other staff at the company had used it. “They're handling such a sensitive task of delivering the baggage and collecting so much sensitive information, I thought we should see where they actually stand in terms of security,” says the research team's lead, who asked to remain anonymous due to privacy concerns. “When I got some time to actually test it out, I found these vulnerabilities quite quickly.”

The researchers found that they could monitor their browser's communications as they signed up for Airportr and created a new password, and then reuse an API key intercepted from those communications to instead change another user's password to anything they chose. The site also lacked a “rate limiting” security measure that would prevent automated guesses of email addresses to rapidly change the password of every user's account. And the researchers were also able to find email addresses of Airportr administrators that allowed them to take over their accounts and gain their privileges over the company's data and operations.

In his response statement, Darby, the Airportr CEO, writes that “while data exposure could theoretically allow administrative access, the ability to act on such information without triggering alarms would be highly difficult.” He also emphasized that the data the researchers found to be vulnerable was Airportr's alone, not that of its airline partners. “We do not have any ability to alter or influence airline operations or customers' flight details via our APIs, which are designed with read-only permissions and are tightly restricted to reduce risk to airline systems and customer data,” Darby writes. (CyberX9 points out that the administrative access it gained was not in fact, “theoretical,” and Airportr didn't appear to be aware of the access until the researchers notified the company.)

Darby adds that Airportr didn't tell airlines about the vulnerability at the time. “Given the low-risk nature of the incident, as determined by our investigation, we did not at the time notify data subjects, airline partners, or supervisory authorities,” he writes. “Subsequently, and given the potential visibility generated by the publication of the research and subsequent media coverage, we have decided to notify the Information Commissioner's Office (ICO) as a precautionary measure.”

Airportr's airline partners shouldn't be entirely let off the hook, CyberX9's CEO Pathak says. He argues they, too, are responsible for ensuring the security of their customers' travel plans and other sensitive personal information when they recommend another service to them—a responsibility at which they “failed miserably," he says.

He argues, too, that Airportr's security flaws should serve as a warning about how third-party services, contractors and little-known partner services are often a hidden source of data leakage. “The real risk isn’t always the airline itself but the small add‑on services we overlook which often get promoted to us, as passengers, by the airlines and airports—services we assume are safe because we trust the airline’s endorsement,” says Pathak. “Your data is only as secure as the least‑protected partner that touches it.”

_Update: 7/24/2025, 2:00 PM EDT: Wired has clarified the timing of when Airportr disabled the vulnerability in relation to being contacted by CyberX9's researchers._

A Premium Luggage Service’s Web Bugs Exposed the Travel Plans of Every User—Including Diplomats

Multiple hacking groups—including state actors from China—have targeted a vulnerability in older, on-premises versions of the file-sharing tool after a flawed attempt to patch it.

Hundreds of organizations around the world suffered data breaches this week, as an array of hackers rushed to exploit a recently discovered vulnerability in older versions of the Microsoft file-sharing tool known as SharePoint. The string of breaches adds to an already urgent and complex dynamic: Institutions that are longtime SharePoint users can face increased risk by continuing to use the service, just as Microsoft is winding down support for a platform in favor of newer cloud offerings.

Microsoft said on Tuesday that, in addition to other actors, it has seen multiple China-linked hacking groups exploiting the flaw, which is specifically present in older versions of SharePoint that are self-hosted by organizations. It does not impact the newer, cloud-based version of SharePoint that Microsoft has been encouraging customers to adopt for many years. Bloomberg first reported on Wednesday that one of the victims is the United States National Nuclear Security Administration, which oversees and maintains US nuclear weapons.

“On-premises” or self-managed SharePoint servers are a popular target for hackers, because organizations often set them up such that they are exposed on the open internet and then forget about them or don't want to allocate budget to replace them. Even if fixes are available, the owner may neglect to apply them. That's not the case, though, with the bug that sparked this week's wave of attacks. While it relates to a previous SharePoint vulnerability discovered at the Pwn2Own hacking competition in Berlin in May, the patch that Microsoft released earlier this month was itself flawed, meaning even organizations that did their security diligence were caught out. Microsoft scrambled this week to release a fix for the fix, or what the company called “more robust protections” in its security alert.

“At Microsoft, our commitment—anchored in the Secure Future Initiative—is to meet customers where they are,” said a Microsoft spokesperson in an emailed statement. “That means supporting organizations across the full spectrum of cloud adoption, including those managing on-premises systems.”

Microsoft still supports SharePoint Server versions 2016 and 2019 with security updates and other fixes, but both will reach what Microsoft calls “End of Support” on July 14, 2026. SharePoint Server 2013 and earlier have already reached end of life and receive only the most critical security updates through a paid service called “SharePoint Server Subscription Edition.” As a result, all SharePoint server versions are increasingly part of a digital backwater where the convenience of continuing to run the software comes with significant risk and potential exposure for users—particularly when SharePoint servers sit exposed on the internet.

“Years ago, Microsoft positioned SharePoint as a more secure replacement for old school Windows file-sharing tools, so that's why organizations like government agencies invested in setting up those servers. And now they just run at no additional cost, versus a Microsoft365 subscription in the cloud that involves a subscription,” says Jake Williams, a longtime incident responder who is vice president of research and development at Hunter Strategy. “So Microsoft tries to nudge the holdouts by charging for extended support. But if you are exposing a SharePoint server to the internet, I would emphasize that you also have to budget for incident response, because that server will eventually get popped.”

The United States Cybersecurity and Infrastructure Security Agency said in guidance about the vulnerability on Tuesday that, “CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.”

The ubiquity of Microsoft’s Windows operating system around the world has led to other situations in which a long goodbye has created security issues for holdout users—and other organizations or individuals with connections to a vulnerable entity. Microsoft struggled to deal with the long tail of users on extremely popular Windows editions including Windows XP and Windows 7. But legacy software is a challenge for any software or digital infrastructure provider. Earlier this year, for example, Oracle reportedly notified some customers about a breach after attackers compromised a “legacy environment” that had been largely retired in 2017.

The challenge with a service like SharePoint is that it often acts as an ancillary tool without ever being the center of attention.

“For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose, and close critical gaps,” says Bob Huber, chief security officer at the cybersecurity company Tenable.

When asked about the alleged breach at the National Nuclear Security Administration, the Department of Energy emphasized that the incident did not impact sensitive or classified data. “On Friday, July 18, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” a DOE spokesperson told WIRED in a statement. “The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate.”

Microsoft did not immediately return WIRED’s requests for comment about the process of sunsetting SharePoint Server. The company wrote in a blog post on Tuesday that customers should keep supported versions of SharePoint Server updated with the latest patches and turn on Microsoft's “Antimalware Scan Interface” as well as Microsoft Defender Antivirus.

Microsoft Put Older Versions of SharePoint on Life Support. Hackers Are Taking Advantage

On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.

When, one year ago today, a buggy update to software sold by the cybersecurity firm CrowdStrike took down millions of computers around the world and sent them into a death spiral of repeated reboots, the global cost of all those crashed machines was equivalent to one of the worst cyberattacks in history. Some of the various estimates of the total damage worldwide have stretched well into the billions of dollars.

Now a new study by a team of medical cybersecurity researchers has taken the first steps toward quantifying the cost of CrowdStrike's disaster not in dollars, but in potential harm to hospitals and their patients across the US. It reveals evidence that hundreds of those hospitals' services were disrupted during the outage, and raises concerns about potentially grave effects to patients’ health and well-being.

Researchers from the University of California San Diego today marked the one-year anniversary of CrowdStrike's catastrophe by releasing a paper in JAMA Network Open, a publication of the Journal of the American Medical Association Network, that attempts for the first time to create a rough estimate of the number of hospitals whose networks were affected by that IT meltdown on July 19, 2024, as well as which services on those networks appeared to have been disrupted.

A chart showing a massive spike in detected medical service outages on the day of CrowdStrike’s crashes.

Courtesy of UCSD and JAMA Network Open

By scanning internet-exposed parts of hospital networks before, during, and after the crisis, they detected that at minimum 759 hospitals in the US appear to have experienced network disruption of some kind on that day. They found that more than 200 of those hospitals seemed to have been hit specifically with outages that directly affected patients, from inaccessible health records and test scans to fetal monitoring systems that went offline. Of the 2,232 hospital networks they were able to scan, the researchers detected that fully 34 percent of them appear to have suffered from some type of disruption.

All of that indicates the CrowdStrike outage could have been a “significant public health issue,” argues Christian Dameff, a UCSD emergency medicine doctor and cybersecurity researcher, and one of the paper's authors. “If we had had this paper's data a year ago when this happened," he adds, “I think we would have been much more concerned about how much impact it really had on US health care.”

CrowdStrike, in a statement to WIRED, strongly criticized the UCSD study and JAMA’s decision to publish it, calling the paper “junk science.” They note that the researchers didn’t verify that the disrupted networks ran Windows or CrowdStrike software, and point out that Microsoft’s cloud service Azure experienced a major outage on the same day, which may have been responsible for some of the hospital network disruptions. “Drawing conclusions about downtime and patient impact without verifying the findings with any of the hospitals mentioned is completely irresponsible and scientifically indefensible,” the statement reads.

“While we reject the methodology and conclusions of this report, we recognize the impact the incident had a year ago,” the statement adds. “As we’ve said from the start, we sincerely apologize to our customers and those affected and continue to focus on strengthening the resilience of our platform and the industry.”

In response to CrowdStrike’s criticisms, the UCSD researchers say they stand by their findings. The Azure outage that CrowdStrike noted, they point out, began the previous night and affected mostly the central US, while the outages they measured began at roughly midnight US east coast time on July 19—about the time when CrowdStrike’s faulty update began crashing computers—and affected the entire country. (Microsoft did not immediately respond to a request for comment.) “We are unaware of any other hypothesis that would explain such simultaneous geographically-distributed service outages inside hospital networks such as we see here” other than CrowdStrike’s crash, writes UCSD computer science professor Stefan Savage, one of the paper’s co-authors, in an email to WIRED. (JAMA declined to comment in response to CrowdStrike’s criticisms.)

In fact, the researchers describe their count of detected hospital disruptions as only a minimum estimate, not a measure of the real blast radius of CrowdStrike's crashes. That's in part because the researchers were only able to scan roughly a third of America's 6,000-plus hospitals, which would suggest that the true number of medical facilities affected may have been several times higher.

The UCSD researchers' findings stemmed from a larger internet-scanning project they call Ransomwhere?, funded by the Advance Research Projects Agency for Health and launched in early 2024 with the intention of detecting hospitals' ransomware outages. As a result of that project, they were already probing US hospitals using the scanning tools ZMap and Censys when CrowdStrike's July 2024 calamity struck.

For the 759 hospitals in which the researchers detected that a service was knocked offline on July 19, their scans also allowed them to analyze which specific services appeared to be down, using publicly available tools like Censys and the Lantern Project to identify different medical services, as well as manually checking some web-based services they could visit. They found that 202 hospitals experienced outages of services directly related to patients. Those services included staff portals used to view patient health records, fetal monitoring systems, tools for remote monitoring of patient care, secure document transfer systems that allow patients to be transferred to another hospital, “pre-hospital” information systems like the tools that can share initial test results from an ambulance to an emergency room for patients requiring time-critical treatments, and the image storage and retrieval systems that are used to make scan results available to doctors and patients.

“If a patient was having a stroke and the radiologist needed to look at a scan image quickly, it would be much harder to get it from the CT scanner to the radiologist to read,” Dameff offers as one hypothetical example.

The researchers also found that 212 hospitals had outages of “operationally relevant” systems like staff scheduling platforms, bill payment systems, and tools for managing patient wait times. In another category of “research relevant” services, the study found that 62 hospitals faced outages. The biggest fraction of outages in the researchers' findings was an “other” category that included offline services that the researchers couldn't fully identify in their scans at 287 hospitals, suggesting that some of those, too, might have been uncounted patient-relevant services.

“Nothing in this paper says that someone's stroke got misdiagnosed or there was a delay in the care of someone getting life-saving antibiotics, for instance. But there might have been,” says Dameff. “I think there's a lot of evidence of these types of disruptions. It would be hard to argue that people weren't impacted at a potentially pretty significant level.”

The study’s findings give a sprawling new sense of scope to anecdotal reports of how CrowdStrike’s outage affected medical facilities that already surfaced over the last year. WIRED reported at the time that Baylor hospital network, a major nonprofit health care system, and Quest Diagnostics were both unable to process routine bloodwork. The Boston-area hospital system Mass General Brigham reportedly had to bring 45,000 of its PCs back online, each of which required a manual fix that took 15 to 20 minutes.

In their study, researchers also tried to roughly measure the length of downtime of the hospital services affected by the CrowdStrike outage, and found that most recovered relatively quickly: About 58 percent of the hospital services were back online within six hours, and only 8 percent or so took more than 48 hours to recover.

That's a far shorter disruption than the outages from actual cyberattacks that have hit hospitals, the researchers note: Mass-spreading malware attacks like NotPetya and WannaCry in 2017 as well as the Change Healthcare ransomware attack that struck the payment provider subsidiary of United Healthcare in early 2024 all shut down scores of hospitals across the US—or in the case of WannaCry, the United Kingdom—for days or weeks in some cases. But the effects of the CrowdStrike debacle nonetheless deserve to be compared to those intentionally inflicted digital disasters for hospitals, the researchers argue.

“The duration of the downtimes is different, but the breadth, the number of hospitals affected across the entire country, the scale, the potential intensity of the disruption is similar,” says Jeffrey Tully, a pediatrician, anesthesiologist, and cybersecurity researcher who coauthored the study.

A map showing the duration of the apparent downtime of detected medical service outages in hospitals across the US.

Courtesy of UCSD and JAMA Network Open

A delay of hours, or even minutes, can increase mortality rates for heart attack and stroke patients, says Josh Corman, a cybersecurity researcher with a focus on medical cybersecurity at the Institute for Security and Technology and former CISA staffer who reviewed the UCSD study. That means that even a shorter-duration outage in patient related services across hundreds of hospitals could have concrete and seriously harmful—if hard to measure—consequences.

Aside from drawing a first estimate of the possible toll on patients' health in this single incident, the UCSD team emphasizes that the real work of their study is to show that, with the right tools, it's possible to monitor and learn from these mass medical network outages. The result may be a better sense of how to prevent—or in the case of more intentional downtime from cyberattacks and ransomware—protect hospitals from experiencing them in the future.

At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds

Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.

After reporting last week that the “raw” Jeffrey Epstein prison video posted by the FBI was likely modified in at least some ways (though there is no evidence that the footage was deceptively manipulated), WIRED reported on Tuesday that metadata analysis of the video shows approximately 2 minutes and 53 seconds were removed from one of two stitched-together clips.

The United States Department of Homeland Security is facing controversy over DNA samples taken from approximately 133,000 migrant children and teens that the department added to a criminal database. Meanwhile, researcher Jeremiah Fowler published findings this week that more than 2 GB of extremely sensitive adoption-related data—including information about biological parents, children, and adoptive parents—was exposed and publicly accessible on the open internet.

Roblox’s new Trusted Connections feature includes age verification that uses AI to scan teens’ video selfies and determine whether they can be granted access to unfiltered chatting with people they know. And as video deepfake capabilities mature—including AI tools that can even manipulate live video footage—AI “nudify” platforms are drawing millions of users and generating millions of dollars in revenue using tech from US companies.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**China’s Salt Typhoon Hackers Breached the US National Guard for Nearly a Year**

The Chinese state-sponsored hacking group known as Salt Typhoon has already shocked the US once with the revelation last year that it had deeply penetrated American telecom systems, even targeting the text messages and phone conversations of citizens including then-candidates Donald Trump and JD Vance in real time. Now it appears the group’s espionage has included the US military, and it spent much of the last year inside the network of the US National Guard in at least one state. NBC News this week reported on a DHS memo, obtained by the national security transparency nonprofit Property of the People, that warned the Chinese hacker group had breached that state-level National Guard network from March to December of last year. It didn’t identify which state had been targeted. According to the memo, Salt Typhoon’s access “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners.”

**IRS Blueprint Reveals Secret Plan to Let ICE Pull Taxpayer Data in Real Time**

The Trump administration is developing a new digital system designed to grant Immigration and Customs Enforcement near-real-time access to sensitive data of taxpayers, including their home addresses. Internal blueprints, revealed by ProPublica on Tuesday, show that the system is designed to automate and expedite data exchanges “on demand,” bypassing traditional IRS safeguards that normally require case-by-case review and legal justification. The system represents a major shift in how IRS data is accessed, and it is already raising concerns among civil liberties experts who say the process may violate privacy laws and further accelerate ICE's ability to obtain tax data for deportation purposes.

**US Trains’ Brakes Can Be Hacked With a 20-Year-Old Security Vulnerability**

A zero-day vulnerability that allows a trains’ brakes to be triggered by malicious hackers is a troubling notion. A 7,300-plus-day vulnerability that leaves trains exposed to that brake hack is a shocking level of negligence for a piece of critical US infrastructure. The Cybersecurity and Infrastructure Security Agency last week released an advisory about a lack of authentication in a protocol that allows a device in the head of a train (HOT) to send a braking signal to another device in the end of a train (EOT) for coordinated braking across long trains such as freight trains. That meant that hackers could send their own unauthenticated commands to disrupt trains, shut down rail networks, or even cause derailments, one of the researchers credited in the advisory told SecurityWeek. The issue is made all the more egregious by the fact that the researchers discovered the vulnerability had first been reported in 2005 but was never taken seriously or fixed. Tens of thousands of the vulnerable HOT and EOT devices are set to be replaced in a process that will begin next year.

**Google Sues Creators of a 10-Million-Device TV-Based Botnet**

Hackers who want to build a botnet of malware-controlled internet-of-things devices can scour those devices for vulnerabilities—which are plentiful enough—and remotely exploit them. Or better yet, they can infect them before they’re even shipped. Google announced this week it would be filing a lawsuit against the administrators of the so-called BadBox 2.0 botnet, which consisted of 10 million Android-powered TVs that were somehow infected with malware before being sold to consumers. The botnet operators, which Google describes as Chinese cybercriminals, then sold access to those devices to be used as proxy machines or to fake advertising views in a vast click-fraud scheme. BadBox 2.0 “is already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more,” Google’s complaint reads.

Source

Wired