Cybersecurity Today: "Staples Slips Up On Data Removal"

Host: David Shipley
Date: January 16, 2026
Theme:
This episode explores the latest cybersecurity lapses impacting businesses, focusing on notable cases involving consumer data mismanagement, emerging threats through AI and cloud, and the recurrent role of organizational processes in security failures.

Episode Overview

David Shipley covers four major stories in the cybersecurity landscape:

Staples Canada’s repeated failure to properly wipe data from recycled laptops
A new class of attack using Microsoft Copilot as an unwitting accomplice
A critical vulnerability in ServiceNow’s AI-powered virtual agents
The emergence of an advanced Linux malware targeting cloud infrastructure

Shipley emphasizes how these incidents are not technical surprises, but rather ongoing failures in operational discipline and culture.

Key Discussion Points and Insights

1. Staples Canada Resells Laptops with Customer Data (00:18–03:42)

Incident Summary:
A Privacy Commissioner investigation found Staples Canada resold returned laptops containing customer data, an issue previously flagged for the retailer 15 years ago.
Operational – Not Technical – Problem:
“Different decade, same failure. That points to an operational problem, not a technical one.” (David Shipley, 00:56)
Regulatory Environment:
Canada’s privacy laws “lag behind much of the world… no meaningful fines, no GDPR style multimillion dollar or higher penalties, no revenue-based consequences.” (01:19)
Broader Impact:
Such breaches undermine public trust in electronics recycling.
“Stories like this… affect how people feel about recycling computing devices. If consumers believe recycling their laptop might mean their personal data ends up in someone else's hands, some will choose the worst alternatives, hoarding old devices or throwing them into the landfill.” (01:48)
Staples’ Response & Cultural Point:
“Staples says it's updating its practices. That's good news. But when the same issues resurface 15 years later, it's a reminder that privacy failures don't just erode trust in companies, they erode trust in systems we actually need people to use.” (02:27)

2. New Attack Class: Reprompt Targeting Microsoft Copilot (03:43–05:16)

Attack Description:
Researchers showed that a single click on a crafted link could inject hidden instructions into Copilot, which executes them using the victim’s authenticated session.
Guardrail Weakness:
“In some cases, researchers were able to bypass Copilot's guardrails simply by asking the same question twice. No exploit chain, no technical gymnastics, just persistence.” (04:13)
Fundamental Design Issue:
“This isn’t just a typical bug. It's a fundamental design problem with these large language models. Large language models don’t reliably distinguish between content and instructions.” (04:29)
Industry Reluctance:
Vendors act swiftly on accuracy issues but slow-walk security fixes:
“When accuracy and error rates affect revenue, they're relentless in stamping out problems. When abuse and security are the issue, we're told to wait.” (05:02)
Call to Action:
This problem “will keep coming back until it hits vendors in the pocketbook. … Not until we demand it. Not until there’s real consequences.” (05:12)

3. Critical Flaw in ServiceNow’s Virtual Agent (05:17–06:52)

Details:
A vulnerability allowed attackers to impersonate legitimate users with minimal verification (in some cases, just an email address).
Weak Authentication:
“Passwords and robust multi factor authentication were not always enforced. That authentication gap is the central issue.” (05:40)
Automation Risk:
“What automation changes here and AI agents do, is they amp up the scale. Once an AI enabled agent is acting on behalf of a user, actions that might normally require multiple manual steps can be executed quickly and consistently.” (06:13)
Patch and Broader Takeaway:
ServiceNow patched the issue; no active exploitation reported.
“Getting identity and access management right for both humans and machines is even more important today, in the age of AI.” (06:39)

4. Advanced Linux/Cloud Malware Framework (06:53–08:27)

Malware Features:
Newly discovered framework with over 37 modules; designed for stealth, reconnaissance, and persistence.
“It gathers extensive information about its environment and… can identify which major cloud provider it's running on and adjust its behavior accordingly.” (07:02)
Cloud Environment Context:
“Cloud providers have strong security architectures, but the cloud is also notorious for customer mistakes… attackers only need a few missteps.” (07:26)
Changing Threat Model:
“A sophisticated Linux framework like this doesn't need to break the cloud, it just needs to wait for mistakes.” (07:38)
Counter-Intuitive Insight:
“Ironically, a small, tightly managed standalone Linux environment might actually be harder to compromise these days than some things hosted on massive cloud platforms.” (07:48)

Notable Quotes & Memorable Moments

On Regulatory Ineffectiveness:
“Canada's privacy laws lag behind much of the world. They don't really have much teeth.” (01:09)
On the Growing Scale of AI Automation Threats:
“Once an AI enabled agent is acting on behalf of a user, actions that might normally require multiple manual steps can be executed quickly and consistently.” (06:13)
On Fundamental Security Flaws:
“None of these are zero days. None of these are surprises. They're the predictable result of convenience and complacency outrunning control.” (08:44)
On Root Causes:
“Security failures today aren’t happening because we don’t know better… They go back to people, process, and culture failures. They happen because of the basics.” (08:56)

Timestamps of Key Segments

00:18: Staples Canada’s data removal failure
03:43: Microsoft Copilot reprompt attack methodology and industry response
05:17: ServiceNow AI agent authentication vulnerability
06:53: Advanced Linux malware in the cloud—modular design and customer error risks
08:44: Unifying theme: Security failures rooted in process, not technology

Conclusion: The Unifying Thread

Shipley closes by emphasizing that none of the week’s cybersecurity incidents are technical surprises—they all stem from a “predictable result of convenience and complacency outrunning control.” The true challenge ahead is not in anticipating novel threats, but in fixing the basic organizational, procedural, and cultural weaknesses that allow familiar risks to persist.

Cybersecurity Today: "Staples Slips Up On Data Removal"

Episode Overview

David Shipley covers four major stories in the cybersecurity landscape:

Staples Canada’s repeated failure to properly wipe data from recycled laptops
A new class of attack using Microsoft Copilot as an unwitting accomplice
A critical vulnerability in ServiceNow’s AI-powered virtual agents
The emergence of an advanced Linux malware targeting cloud infrastructure

Shipley emphasizes how these incidents are not technical surprises, but rather ongoing failures in operational discipline and culture.

Key Discussion Points and Insights

1. Staples Canada Resells Laptops with Customer Data (00:18–03:42)

Incident Summary:
A Privacy Commissioner investigation found Staples Canada resold returned laptops containing customer data, an issue previously flagged for the retailer 15 years ago.
Operational – Not Technical – Problem:
“Different decade, same failure. That points to an operational problem, not a technical one.” (David Shipley, 00:56)
Regulatory Environment:
Canada’s privacy laws “lag behind much of the world… no meaningful fines, no GDPR style multimillion dollar or higher penalties, no revenue-based consequences.” (01:19)
Broader Impact:
Such breaches undermine public trust in electronics recycling.
“Stories like this… affect how people feel about recycling computing devices. If consumers believe recycling their laptop might mean their personal data ends up in someone else's hands, some will choose the worst alternatives, hoarding old devices or throwing them into the landfill.” (01:48)
Staples’ Response & Cultural Point:
“Staples says it's updating its practices. That's good news. But when the same issues resurface 15 years later, it's a reminder that privacy failures don't just erode trust in companies, they erode trust in systems we actually need people to use.” (02:27)

2. New Attack Class: Reprompt Targeting Microsoft Copilot (03:43–05:16)

Attack Description:
Researchers showed that a single click on a crafted link could inject hidden instructions into Copilot, which executes them using the victim’s authenticated session.
Guardrail Weakness:
“In some cases, researchers were able to bypass Copilot's guardrails simply by asking the same question twice. No exploit chain, no technical gymnastics, just persistence.” (04:13)
Fundamental Design Issue:
“This isn’t just a typical bug. It's a fundamental design problem with these large language models. Large language models don’t reliably distinguish between content and instructions.” (04:29)
Industry Reluctance:
Vendors act swiftly on accuracy issues but slow-walk security fixes:
“When accuracy and error rates affect revenue, they're relentless in stamping out problems. When abuse and security are the issue, we're told to wait.” (05:02)
Call to Action:
This problem “will keep coming back until it hits vendors in the pocketbook. … Not until we demand it. Not until there’s real consequences.” (05:12)

3. Critical Flaw in ServiceNow’s Virtual Agent (05:17–06:52)

Details:
A vulnerability allowed attackers to impersonate legitimate users with minimal verification (in some cases, just an email address).
Weak Authentication:
“Passwords and robust multi factor authentication were not always enforced. That authentication gap is the central issue.” (05:40)
Automation Risk:
“What automation changes here and AI agents do, is they amp up the scale. Once an AI enabled agent is acting on behalf of a user, actions that might normally require multiple manual steps can be executed quickly and consistently.” (06:13)
Patch and Broader Takeaway:
ServiceNow patched the issue; no active exploitation reported.
“Getting identity and access management right for both humans and machines is even more important today, in the age of AI.” (06:39)

4. Advanced Linux/Cloud Malware Framework (06:53–08:27)

Malware Features:
Newly discovered framework with over 37 modules; designed for stealth, reconnaissance, and persistence.
“It gathers extensive information about its environment and… can identify which major cloud provider it's running on and adjust its behavior accordingly.” (07:02)
Cloud Environment Context:
“Cloud providers have strong security architectures, but the cloud is also notorious for customer mistakes… attackers only need a few missteps.” (07:26)
Changing Threat Model:
“A sophisticated Linux framework like this doesn't need to break the cloud, it just needs to wait for mistakes.” (07:38)
Counter-Intuitive Insight:
“Ironically, a small, tightly managed standalone Linux environment might actually be harder to compromise these days than some things hosted on massive cloud platforms.” (07:48)

Notable Quotes & Memorable Moments

On Regulatory Ineffectiveness:
“Canada's privacy laws lag behind much of the world. They don't really have much teeth.” (01:09)
On the Growing Scale of AI Automation Threats:
“Once an AI enabled agent is acting on behalf of a user, actions that might normally require multiple manual steps can be executed quickly and consistently.” (06:13)
On Fundamental Security Flaws:
“None of these are zero days. None of these are surprises. They're the predictable result of convenience and complacency outrunning control.” (08:44)
On Root Causes:
“Security failures today aren’t happening because we don’t know better… They go back to people, process, and culture failures. They happen because of the basics.” (08:56)

Timestamps of Key Segments

00:18: Staples Canada’s data removal failure
03:43: Microsoft Copilot reprompt attack methodology and industry response
05:17: ServiceNow AI agent authentication vulnerability
06:53: Advanced Linux malware in the cloud—modular design and customer error risks
08:44: Unifying theme: Security failures rooted in process, not technology

wavePod

Staples Slips Up On Data Removal

Powered by Wave AI

Summary

Cybersecurity Today: "Staples Slips Up On Data Removal"

Episode Overview

Key Discussion Points and Insights

1. Staples Canada Resells Laptops with Customer Data (00:18–03:42)

2. New Attack Class: Reprompt Targeting Microsoft Copilot (03:43–05:16)

3. Critical Flaw in ServiceNow’s Virtual Agent (05:17–06:52)

4. Advanced Linux/Cloud Malware Framework (06:53–08:27)

Notable Quotes & Memorable Moments

Timestamps of Key Segments

Conclusion: The Unifying Thread

Summary

Cybersecurity Today: "Staples Slips Up On Data Removal"

Episode Overview

Key Discussion Points and Insights

1. Staples Canada Resells Laptops with Customer Data (00:18–03:42)

2. New Attack Class: Reprompt Targeting Microsoft Copilot (03:43–05:16)

3. Critical Flaw in ServiceNow’s Virtual Agent (05:17–06:52)

4. Advanced Linux/Cloud Malware Framework (06:53–08:27)

Notable Quotes & Memorable Moments

Timestamps of Key Segments

Conclusion: The Unifying Thread