Here’s our latest roundup of unusual insider-driven security incidents and other cybersecurity stories we followed last month. This digest includes: new details in the Coinbase insider case, yet another leaky AI platform, and fresh discoveries by researchers in the U.S. fast-food sector.
How it happened: On September 11, 2025, the UK Information Commissioner’s Office (ICO) released an unusual study. The regulator reviewed 215 insider-related personal data breach reports in the education sector and concluded that 57% were the work of the pupils themselves.
One striking case involved a student who accessed the school’s information system using an employee’s login credentials. Once inside, he viewed, altered, and even deleted personal data belonging to more than 9,000 individuals. How exactly he obtained the staff member’s credentials remains unclear. However, ICO statistics suggest it could have been the result of an employee error — for example, leaving a work laptop unattended.
In another case, three sixth-graders (!) gained unauthorized access to records of more than 1,400 students. They later admitted they did it out of curiosity about cybersecurity and a desire to test their abilities. For the intrusion, they simply downloaded a publicly available password-bypass tool from the internet.
What happened: An outsourcing partner of Coinbase is accused of covering up an insider incident.
How it happened: We reported earlier this year on the Coinbase insider case. The crypto exchange fell victim to outsourced support staff who photographed client data from their screens and sold it to criminals — over 69,000 people were affected.
On September 16, victims filed a class-action lawsuit against TaskUs, the outsourcing company Coinbase had hired. The lawsuit names one employee, Ashita Mishra, as a key figure. She allegedly began taking photos of Coinbase customer data in September 2024, up to 200 photos a day, earning $200 per image.
Mishra then shared her “easy money” scheme with colleagues, who also joined in. According to court documents, TaskUs management knew of the illegal activity. Investigators even found more than 10,000 confidential Coinbase client photos on Mishra’s phone.
When the scandal surfaced, TaskUs dismissed the entire team working with Coinbase, hoping the issue would disappear. It didn’t — former employees leaked information, and now the company faces accusations of deliberately concealing the breach.
TaskUs has chosen a controversial defense strategy: claiming only two insiders were involved and suggesting some Coinbase employees were also complicit. How the court battle ends is unclear, but the odds don’t seem in TaskUs’s favor. For now, the industry is watching the legal drama unfold.
What happened: A former IT worker defrauded his previous employer, Milwaukee Electric Tool, stealing goods worth more than $1 million.
How it happened: From March 2024 to March 2025, ex-employee Matthew Young used his access to the company’s IT systems to create fraudulent product orders. He would generate a delivery request, have the goods shipped to an address he controlled, and then erase the order records to cover his tracks. Naturally, no payments were ever made.
In total, Young created and deleted 115 orders. He resold the stolen equipment to Milwaukee Electric Tool’s actual clients, pocketing more than $1 million.
His scheme collapsed when coworkers noticed anomalies and reported them. Police investigators conducted an internal audit, questioned staff, and recovered deleted order logs. Young now faces 14 charges. If convicted on all counts, he could spend up to 98 years in prison and pay a hefty fine.
What happened: A vulnerability in the internal systems of Burger King’s parent company, Restaurant Brands International (RBI), exposed employee data and audio recordings of customer orders.
How it happened: Ethical hacker BobDaHacker, already known from previous discoveries in the food sector, teamed up with “BobTheShoplifter” to probe RBI systems. RBI owns Burger King, Tim Hortons, and Popeyes.
The findings were alarming:
Most shocking, however, was their ability to access drive-thru audio recordings. These files, which often contained personal customer data, were stored for service quality analysis and training AI models to assess customer mood, staff performance, and sales efficiency.
The hackers disclosed the vulnerabilities within an hour. To RBI’s credit, the company patched the flaws the same day — faster than some competitors have reacted in similar situations.
What happened: AI app developer Vyro AI left more than 116 GB of sensitive user data exposed online.
How it happened: On April 22, 2025, Cybernews researchers reported finding Vyro’s databases publicly accessible. The leak contained continuously updated logs from three applications:
The exposed data included user requests, authentication tokens, and details of devices and browsers. Such information could enable account takeovers, user tracking, and extraction of private chat content.
Search engines had indexed the databases as early as February 2025. Researchers discovered them in April but withheld public disclosure until the issue was fixed. Vyro, however, took even longer to notify regulators — the company only reported the incident to its national CERT at the end of summer, and the news became public in September.
The Vyro case is far from unique. Even industry leaders stumble: in August 2025, users of ChatGPT and Grok discovered their private chats exposed in Google search results due to poorly designed link-sharing features.
Once again, the race to release new features overshadowed basic security.