(In)Secure Digest: Burger King Breach, Kid Hackers, and a $1M Chainsaw Thief
01.10.2025

Here’s our latest roundup of unusual insider-driven security incidents and other cybersecurity stories we followed last month. This digest includes: new details in the Coinbase insider case, yet another leaky AI platform, and fresh discoveries by researchers in the U.S. fast-food sector.

Porridge and Passwords: When Students Become Insiders

What happened: More than half of insider-driven information security incidents in UK schools were caused by students.

How it happened: On September 11, 2025, the UK Information Commissioner’s Office (ICO) released an unusual study. The regulator reviewed 215 insider-related personal data breach reports in the education sector and concluded that 57% were the work of the pupils themselves.

One striking case involved a student who accessed the school’s information system using an employee’s login credentials. Once inside, he viewed, altered, and even deleted personal data belonging to more than 9,000 individuals. How exactly he obtained the staff member’s credentials remains unclear. However, ICO statistics suggest it could have been the result of an employee error — for example, leaving a work laptop unattended.

In another case, three sixth-graders (!) gained unauthorized access to records of more than 1,400 students. They later admitted they did it out of curiosity about cybersecurity and a desire to test their abilities. For the intrusion, they simply downloaded a publicly available password-bypass tool from the internet.

Karma Catches Up: Coinbase Contractor Accused of Hiding Insider Breach

What happened: An outsourcing partner of Coinbase is accused of covering up an insider incident.

How it happened: We reported earlier this year on the Coinbase insider case. The crypto exchange fell victim to outsourced support staff who photographed client data from their screens and sold it to criminals — over 69,000 people were affected.

On September 16, victims filed a class-action lawsuit against TaskUs, the outsourcing company Coinbase had hired. The lawsuit names one employee, Ashita Mishra, as a key figure. She allegedly began taking photos of Coinbase customer data in September 2024, up to 200 photos a day, earning $200 per image.

Mishra then shared her “easy money” scheme with colleagues, who also joined in. According to court documents, TaskUs management knew of the illegal activity. Investigators even found more than 10,000 confidential Coinbase client photos on Mishra’s phone.

When the scandal surfaced, TaskUs dismissed the entire team working with Coinbase, hoping the issue would disappear. It didn’t — former employees leaked information, and now the company faces accusations of deliberately concealing the breach.

TaskUs has chosen a controversial defense strategy: claiming only two insiders were involved and suggesting some Coinbase employees were also complicit. How the court battle ends is unclear, but the odds don’t seem in TaskUs’s favor. For now, the industry is watching the legal drama unfold.

The Gadget Inspector: IT Employee Defrauds Former Employer for $1M

What happened: A former IT worker defrauded his previous employer, Milwaukee Electric Tool, stealing goods worth more than $1 million.

How it happened: From March 2024 to March 2025, ex-employee Matthew Young used his access to the company’s IT systems to create fraudulent product orders. He would generate a delivery request, have the goods shipped to an address he controlled, and then erase the order records to cover his tracks. Naturally, no payments were ever made.

In total, Young created and deleted 115 orders. He resold the stolen equipment to Milwaukee Electric Tool’s actual clients, pocketing more than $1 million.

His scheme collapsed when coworkers noticed anomalies and reported them. Police investigators conducted an internal audit, questioned staff, and recovered deleted order logs. Young now faces 14 charges. If convicted on all counts, he could spend up to 98 years in prison and pay a hefty fine.
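The pattern in this case (order created, goods shipped, order record deleted by the same account, no payment ever recorded) is exactly what an audit-log reconciliation can surface before a coworker happens to notice. The following is an added example, not Milwaukee Electric Tool’s code or logs: it parses a constructed pipe-delimited audit trail, assumes the event names ORDER_CREATED, SHIPPED, PAYMENT_RECEIVED and ORDER_DELETED, and flags “ghost” orders plus the accounts responsible for several of them.

```python
"""Audit-log reconciliation for shipped-then-deleted orders.

Constructed example with a hypothetical log format; the event names,
actors and order ids below are made up for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines: "timestamp|actor|event|order_id|detail".
# O-1001 is a normal paid order; O-1004 was cancelled before shipping;
# O-1002 and O-1003 were shipped, never paid, then deleted by their creator.
SAMPLE_LOG = """\
2024-03-02T09:10:00|jdoe|ORDER_CREATED|O-1001|customer=ACME
2024-03-02T11:00:00|warehouse|SHIPPED|O-1001|addr=ACME HQ
2024-03-05T09:00:00|finance|PAYMENT_RECEIVED|O-1001|amount=4200
2024-03-03T10:00:00|myoung|ORDER_CREATED|O-1002|customer=ACME
2024-03-03T15:00:00|warehouse|SHIPPED|O-1002|addr=PO Box 77
2024-03-04T08:00:00|myoung|ORDER_DELETED|O-1002|
2024-03-06T10:00:00|myoung|ORDER_CREATED|O-1003|customer=ACME
2024-03-06T16:00:00|warehouse|SHIPPED|O-1003|addr=PO Box 77
2024-03-07T08:00:00|myoung|ORDER_DELETED|O-1003|
2024-03-08T10:00:00|jdoe|ORDER_CREATED|O-1004|customer=BETA
2024-03-08T10:05:00|jdoe|ORDER_DELETED|O-1004|
"""


@dataclass(frozen=True)
class Event:
    ts: str        # ISO-8601 timestamp; sorts correctly as a string
    actor: str     # account that performed the action
    kind: str      # event name
    order_id: str
    detail: str


def parse_log(text: str) -> dict[str, list[Event]]:
    """Group audit lines by order id, each list sorted by timestamp."""
    by_order: dict[str, list[Event]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, kind, order_id, detail = line.split("|", 4)
        by_order[order_id].append(Event(ts, actor, kind, order_id, detail))
    for events in by_order.values():
        events.sort(key=lambda e: e.ts)
    return dict(by_order)


def find_ghost_orders(by_order: dict[str, list[Event]]) -> list[dict]:
    """Orders that were shipped, never paid, and deleted afterwards by the
    same account that created them. Shipping records come from the
    warehouse side, so deleting the order row does not hide them."""
    findings = []
    for order_id, events in sorted(by_order.items()):
        last = {e.kind: e for e in events}  # last event of each kind
        created = last.get("ORDER_CREATED")
        shipped = last.get("SHIPPED")
        deleted = last.get("ORDER_DELETED")
        if not (created and shipped and deleted) or "PAYMENT_RECEIVED" in last:
            continue
        if deleted.ts < shipped.ts:
            continue  # cancelled before anything left the warehouse: routine
        if deleted.actor == created.actor:
            findings.append({"order_id": order_id,
                             "actor": created.actor,
                             "ship_to": shipped.detail})
    return findings


def repeat_offenders(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Accounts with at least `threshold` ghost orders, worth escalating."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["actor"]] += 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ghosts = find_ghost_orders(parse_log(SAMPLE_LOG))
    for g in ghosts:
        print(f"ghost order {g['order_id']} by {g['actor']} shipped to {g['ship_to']}")
    print("repeat offenders:", repeat_offenders(ghosts))
```

The design point is that the check joins two record sets the insider cannot both erase: the order table he could delete from, and the shipping and payment events owned by other teams. Run on a nightly export, a non-empty result from `repeat_offenders` is the trigger for a review, not a verdict.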

Fast-Food Flaws: Burger King Platform Exposed Employee and Customer Data

What happened: A vulnerability in the internal systems of Burger King’s parent company, Restaurant Brands International (RBI), exposed employee data and audio recordings of customer orders.

How it happened: Ethical hacker BobDaHacker, already known from previous discoveries in the food sector, teamed up with “BobTheShoplifter” to probe RBI systems. RBI owns Burger King, Tim Hortons, and Popeyes.

The findings were alarming:

  • Registration on the Assistant platform was still open. New accounts received passwords in plain text by email — just as researchers had previously observed with McDonald’s systems.
  • By analyzing GraphQL APIs, the researchers exploited the createToken function to escalate privileges, turning a test account into a full administrator account. This gave them system-wide access to store records and employee profiles.
  • Diagnostic pages were “protected” with a hardcoded password — literally “admin.”

Most shocking, however, was their ability to access drive-thru audio recordings. These files, which often contained personal customer data, were stored for service quality analysis and training AI models to assess customer mood, staff performance, and sales efficiency.

The hackers disclosed the vulnerabilities within an hour. To RBI’s credit, the company patched the flaws the same day — faster than some competitors have reacted in similar situations.

Unsecured AI: Vyro AI Leaves 116GB of User Data Exposed

What happened: AI app developer Vyro AI left more than 116 GB of sensitive user data exposed online.

How it happened: On April 22, 2025, Cybernews researchers reported finding Vyro’s databases publicly accessible. The leak contained continuously updated logs from three applications:

  • ImagineArt (10M+ downloads)
  • Chatly (100K+ downloads)
  • Chatbotx (~50K monthly visitors)

The exposed data included user requests, authentication tokens, and details of devices and browsers. Such information could enable account takeovers, user tracking, and extraction of private chat content.

Search engines had indexed the databases as early as February 2025. Researchers discovered them in April but withheld public disclosure until the issue was fixed. Vyro, however, took even longer to notify regulators — the company only reported the incident to its national CERT at the end of summer, and the news became public in September.

The Vyro case is far from unique. Even industry leaders stumble: in August 2025, users of ChatGPT and Grok discovered their private chats exposed in Google search results due to poorly designed link-sharing features.

Once again, the race to release new features overshadowed basic security.
