A

You're listening to the Cyberwire Network, powered by N2K.

B

It's not just something you made, it's

A

the privilege that you get to work with your hands. It's building something that serves a purpose, proof that you have the grit to keep going. At Timberland, we understand you take your

B

craft seriously, and we do too, which

A

is why our products are built to the highest quality. We put in the work so you can perfect yours with purpose, in every

B

detail and crafted with intention. Timberland built on Craft Visit timberland.com to shop. Trump tells diplomats to fight digital sovereignty Deepseek allegedly trains on banned Nvidia chips Google knocks out Gallium Hackers tamper with patient records in New Zealand Popular mental health apps leak data Wynn confirms a shiny hunter's breach Telecoms dodge New York cyber rules Russia targets Telegram's founder and a defense insider heads to prison for selling cyber weapons to Moscow Our guest is Andrew Dunbar, CISO of Shopify, discussing how identity and trust become the new perimeter and how commerce needs both and barking backlash brews beneath a big game BROADC. Foreign. It's Wednesday, February 25, 2026. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. The Trump administration has directed U.S. diplomats to oppose foreign efforts to regulate how American technology companies handle citizens data, according to a State department cable dated February 18 and signed by Secretary of State Marco Rubio. The cable argues that data sovereignty and localization laws could disrupt global data flows, increase costs and cybersecurity risks, and limit artificial intelligence and cloud services. It specifically criticizes the EU's GDPR, calling its cross border data transfer restrictions unnecessarily burdensome. The directive reflects a more confrontational US Stance as Europe and others push tighter controls on data storage and sharing. The cable instructs diplomats to counter such regulations and promote the Global Cross Border Privacy Rules Forum, a multilateral group supporting cross border data flows. It also links restrictive data policies, including those in China, to expanded government control and potential surveillance. US officials say Chinese AI startup DeepSeek trained its upcoming model on Nvidia's most advanced Blackwell chips, which are barred from export to China. A senior Trump administration official told Reuters the chips were likely clustered at Deepsea's data center in Inner Mongolia and suggested their use could violate U.S. export controls. The official added that Deepseek may remove technical indicators revealing the chip's origin. Nvidia Deepseek and the Commerce Department declined to comment. The confirmation intensifies debate in Washington over chip policy. Some argue limited exports discourage Chinese rivals like Huawei, while others warn advanced chips could bolster China's military. Officials also said the model likely used distillation, drawing on leading US AI systems. The case underscores concerns about enforcement gaps and China's continued reliance on American semiconductor technology. Google says it disrupted a Chinese linked hacking group that breached at least 53 organizations across 42 countries. The group, tracked as UNC 2814 or Gallium, has spent nearly a decade targeting government and telecommunications entities, according to Google's Threat Intelligence Group. Google and unnamed partners terminated the group's Google Cloud projects, dismantled its infrastructure and disabled accounts used to run operations through Google Sheets. Google said the attackers used Google Sheets to blend into normal network traffic, not by exploiting a flaw in Google products. In one case, the group deployed a backdoor called Grid Tide on a system holding sensitive personal data. Google said the activity reflects broad surveillance efforts. The Chinese embassy denied wrongdoing. Google noted the campaign is separate from the China linked Salt typhoon operation Metamap, a New Zealand medication management portal used across aged care, disability, hospice and community health settings, has been taken offline after a cyber breach on Sunday. Health New Zealand says the company is responsible for securing its systems and must manage the fallout while national cyber authorities and police have been notified. What makes this incident especially unusual is that patient data was not only accessed but altered. Some living patients were incorrectly marked as deceased and other details were changed. In healthcare systems, records are typically treated as immutable clinical histories. Altering course status data raises patient safety and data integrity concerns beyond a typical data theft. Facilities have reverted to manual paper based processes, in some cases doubling nursing staff for medication rounds, officials say. Care continues, but the outage has increased pressure on frontline teams. The breach follows a recent major health data incident, intensifying scrutiny on New Zealand's healthcare cybersecurity posture. Security researchers at oversecured found over 1500 vulnerabilities across 10 popular mental health apps on Google Play, with more than 14.7 million combined downloads. The flaws include 54 high severity issues that could expose therapy transcripts, login credentials, session tokens and other sensitive data. Some apps improperly validate user input, store data in ways accessible to other apps or or use insecure random number generation for tokens. Several also lack root detection, increasing risk on compromised devices. Researchers warn that mental health records are especially valuable on the dark Web app names were withheld while vulnerabilities are being disclosed, and it's unclear whether patches have been issued. Wynn Resorts confirmed that the data extortion group Shiny hunters stole roughly 800,000 employee records in September 20and demanded $1.5 million in Bitcoin to prevent a leak. The compromised data reportedly included names, Social Security numbers, email addresses, phone numbers and birth dates. Winn said. The unauthorized party claimed the stolen data has been deleted and the group removed its threat from its dark Web site. The company did not say whether a ransom was paid. Shiny Hunters told the Register it accessed Win's systems through an Oracle PeopleSoft vulnerability using an employee's credentials. Wynn says it activated incident response protocols and is offering credit monitoring to affected employees. A federal class action lawsuit filed in California alleges inadequate data protection, though Wynn maintains no customer information was accessed. New York's Public Service Commission has removed wireless providers and broadcast TV companies from proposed cybersecurity rules after heavy industry lobbying. The original June proposal would have required annual third party audits, three day incident reporting and regular vulnerability assessments. Verizon and Optimum argued the commission lacked statutory authority to regulate telecom cybersecurity and met repeatedly with regulators and the governor's office. Although commission staff said those legal arguments were considered and rejected, the companies were ultimately exempted, citing distinct differences between telecom firms and traditional utilities. Critics, including a Cornell cybersecurity expert and a state lawmaker, called the move concerning and questioned the rationale. The scaled back rules will now apply only to gas, water and electric utilities. While debate continues over whether federal or state authorities should regulate telecom cybersecurity standards, Russian authorities have opened a criminal investigation into Telegram founder Pavel Durov on suspicion of abetting terrorist activities, raising the prospect of a nationwide ban on the messaging app. State linked newspapers, citing federal security service materials, accused Telegram of enabling sabotage, extremism and foreign intelligence operations tied to Ukraine. Kremlin officials said the app has committed numerous violations and failed to cooperate with authorities. Lawmakers warned Telegram could be labeled an extremist organization if it does not comply within a month. Telegram has already faced traffic throttling in Russia, and officials claim more than 150,000 content removal requests were ignored. Durav denied the allegations, calling them an attack on privacy and free speech. The move comes as Russia pushes users toward its state backed messaging platform Max, amid broader restrictions on foreign apps. Peter Williams, age 39, has been sentenced to more than seven years in prison for stealing classified cyber tools from a US Defense contractor subsidiary and selling them to a Russian zero day exploit broker. The former senior trenchant employee admitted taking eight components described as national security software intended only for the US and its allies. He transferred the data over encrypted channels in exchange for up to $4 million in cryptocurrency. The Department of Justice said Williams must serve 87 months, followed by three years of supervised release and forfeit luxury assets purchased with the proceeds. Officials stated the stolen tools could have enabled foreign adversaries to access millions of devices, resulting in $35 million in losses and damage to US and Australian intelligence interests. Coming up after the break, Andrew Dunbar from Shopify discusses how identity and trust become the new perimeter and barking backlash brews beneath the big game broadcast. Stay with us. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SoC2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance, take the time to check out Vanta. Get started@vanta.com cyber. Andrew Dunbar is chief information security officer at Shopify. I recently caught up with him for a discussion on how identity and trust become the new perimeter and how commerce needs both to be engineered into the platform.

A

AI agents are really transforming a lot of things about everyone's life, and shopping is certainly one of those. But you know, the introduction of generative AI, the ability to create content, is something that a lot of people use on a daily basis. And it's really changed, especially from the commerce lens. A lot of the ways people think about product discovery, you know, what is it that they want to buy? What's the right fit for them? And I think people have really attached themselves to the idea that they have, you know, a personalized, conversational way that they can discover, you know, the things they want to buy, the places they want to travel, the hotels they want to stay at, all those kind of things.

B

You know, I can imagine myself using a tool like this to do exactly what you describe. You know, figure out what flight I want to take or hotel I want to stay in or what product I want to buy. I feel like it's an extra leap to give it the ability to spend money on my behalf. Is that a common hesitation that folks have?

A

I mean, it's interesting. I think some people definitely do. But really, you know, what we want to optimize for is, is the intentional shopping experience where it's not go off, buy a bunch of things for me and then tell me later and I wait until it shows up at my door. What we've built at Shopify is really the protocol that allows merchant stores to communicate with agents. And so it doesn't just cover, you know, put my credit card into a checkout and then a purchase appears. It's the whole product catalog, the product discovery, the authentication that's layered into that and also the post purchase experience. So any kind of returns or you know, subscriptions and things like this that you may be taking on. And so commerce is inherently a two way relationship of trust. This is not just something where merchants open their doors and they want anyone who shows up online with a credit card to be able to buy from them. They want confidence that the purchaser is authentic as well. And so I think what we've aimed to do is really establish trust on the buyer side as well as trust on the merchant side so that they know that the customers that they're interacting with are authentic people on the other side of the agent and that the buyers have the same degree of confidence that the merchants that they're shopping from are accurately representing the pricing. And you know, there's no hidden fees and things like this built in as dark patterns into the commerce experience.

B

Now is this the universal commerce protocol that you're referring to, this, this open standard you and your colleagues have developed?

A

Yes, that's right. So last month we launched the universal commerce protocol. It was something that we built alongside Google and really what we want wanted to do was identify all of the aspects of commerce that needed to be made in a way that can work with agents. A lot of great work has been done on the payments side of things. So tokenization and authentication of a specific payment. But really what we found is what merchants want and what buyers want is not just a one time, you know, securely figure out a way to pass credit card details from one spot to another. This is something where we want that end to end commerce experience. And so this is what we've launched as this open protocol. And it's become a significant area of interest for us and all of the people that are adopting it.

B

What were some of the particularly interesting problems that you all had to solve here?

A

So I think one of the things that is very challenging is we are dealing with an intermediated space. And so a typical online store, you Know, it is built on top of HTTP and you know, the idea is that on one end is a person with a credit card, on the other end is a merchant. Here, neither the merchant or the customer are really directly talking to each other. They're working through this intermediary and in a very real time way. And so one of the biggest challenges that we have is ensuring that merchants are able to structure their product data, any of the kind of offers or you know, buy one, get one free coupons, things like this in a way that represents like a true shopping experience as opposed to this something just being kind of a form that you would enter, enter into. And so the ability for merchants to have that set up and the ability for buyers to interact with it and interrogate that is something that was very challenging. But it, it allows to, it unlocks so much and it's, it's very exciting the fact that that is now in place and can be used, you know, to support many, many commerce experiences.

B

Why was it important for you all to make this an open standard?

A

Well, we always want to take the path that leads to more entrepreneurs. And so whether or not people are building on Shopify, we prefer the open Internet. And we always take decisions that lead to proliferation of the open Internet. It leads to choice on behalf of businesses. And we feel like we are experts in this field. You know, we run millions of online stores and retail experiences and so we wanted to take everything that we've learned, embed that into a protocol, and then make that available and open. I think a lot of, lot of naivety can be brought into potentially thinking about shopping online. Is it just take their credit card and figure out how to insert it into a form. But really that end to end is something that we thought we were uniquely positioned to build. And what we want are people to be able to build apps, build experiences, embed this protocol so that all of the kind of things that we've learned get used to the benefit of everyone that's out there in the market.

B

Can you tell us about some of the security considerations here? What are some of the challenges there?

A

So the traditional checkout experience, it's an unauthenticated experience, which is kind of weird. The fact that you are buying from a website, it's layering the idea of just using a form, typing in a credit card number and you know, a name and address is sufficient to identify yourself and then make a purchase. But you know, clearly that has limitations. There is no true authentication of the person on the other side. We're not Going to go around and layer in HTTP basic auth in front of every website on the Internet in order to know who people are. And a lot of things have been done to try to make proliferation of OpenID and different open identity standards available. But those things are challenging if they're not done in a global way. And so what we really wanted to lean into was the idea that we can have people authenticate themselves into this agentic experience.

B

How do you go about future proofing something like this to make sure that, you know, it's, it's adaptable to what is yet to come?

A

Yeah, we've, we've partnered with some, you know, very mature teams that build open source protocols. Obviously, Google is no stranger to doing this in many different ways. Our company participates in lots of different industry working groups and we're moving a lot of standards forward at the same time. But it is, for us, it's a collaboration that needs to involve as many parties as possible. And so what we love about establishing a protocol is any, anyone who's interested in this has a place to have their voice heard, have their specific commerce concerns addressed. And we can evolve it in a way where it can become the thing that is existing today and be ready to launch. But every time there's a new version, every time there's a new thought of here's a good way to enhance security, we can just embed that into the protocol and then everyone can benefit. I think there's a lot of evolution that has already happened, but what we're certainly seeing is a maturation around the concept of building a cart. This is something that when you buy online, you may not even think about it of, you know, I'm putting items into my cart and eventually I will check out. But for a lot of merchants, that act of generating that cart, storing that, allowing people to interact with that, interrogating that have, you know, discounting rules or other logic applied to that, that is kind of an entire protocol on and of itself that, you know, we now need to layer into the way that we think about universal commerce protocol. And so we really support this open mindset and the open nature of collaborating in these types of open source initiatives. Because again, it just traces back to our fundamental belief of creating, you know, more entrepreneurship, more openness and everything that we do as a company is designed to make that happen.

B

Is this something that's designed to operate quietly behind the scenes or, or is it something that, for example, merchants would use as a stamp of approval for,

A

for consumer confidence so people are already shopping this way. And so that reality is there whether people want to face it or not. And so what we are really trying to do is make sure that our merchants are prepared for how they show up and you know, what those discoverable surfaces look like. So for a merchant, they're not necessarily needing to be so focused on the details of how the protocol works, but we do want to make sure that the important product details that they may need to be disclosing the things that are important for them to make themselves most discoverable. Things like sizing and genders and product variants and all the kinds of attributes of their products do have to be structured in a way that can be consumed by an LLM. And so we really have done a lot to try to optimize the data entry and the ability for merchants to provide that level of customization so that they show up in the way that they want to show up. People aren't, you know, getting disappointed that they misunderstood, you know, what certain words might mean when they were trying to buy something. And so the, the work really becomes on the curation of your catalog and making sure that you understand how you show up in all of these surfaces. But we make that as easy as possible for people to do it, for merchants to do so that they are, it's not that different than just merchandising they may do on their own online store. And a lot of our merchants, it's their omnichannel to begin with. So they may be concurrently selling through different marketplaces and through their online store, they may have physical retail. Our shop app is a big source of discovery on its own. So the ability and the need for merchants to be always on when it comes to customizing and being aware of how their products are described is something that is really important for them. But the idea is that the rest of that we take care of.

B

That's Andrew Dunbar from Shopify. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SoC2 or managing an enterprise governance risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance take the time to check out Vanta. Get started@vanta.com cyber.

A

This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, Sponsored Jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at Indeed.com podcast terms and conditions appreciate and

B

finally, if you watched the super bowl, you may have seen Ring's heartstring tugging ad for its new search party feature, where the neighborhood doorbells band together to find a missing dog. The idea is simple. AI scans nearby camera footage to track down Fido, which is sweet kind of Viewers quickly pointed out that if cameras can identify a lost Labrador, they can probably identify you. Social media lit up with privacy concerns, Reddit rants, and even a few dramatic device smashings. Enter the Fulu foundation, which is now offering a $10,000 bounty to anyone who can make Ring cameras run locally, keeping footage off Amazon's cloud. The debate lands awkwardly in light of Ring's prior privacy problems, including a 2023 Federal Trade Commission case over employee access to customer videos. A lingering question when you buy the camera, who really owns the footage? And that's the CyberWire4Link stall of today's stories. Check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders, tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.