A DarkSword and privacy on the back foot
Five Cyber Stories - March 22, 2026 - Issue 001
Welcome to the inaugural Five Cyber Stories newsletter!
Every Sunday, I'll share my favorite stories from the previous week about how cybersecurity affects our non-digital, everyday lives. In this issue (#001!), we'll discover a DarkSword, a system of mass surveillance and more.
Thanks for being here! Let's dive in.
1. Millions of iPhones (Maybe yours?) are vulnerable to attack
Rundown: Google this week, with two partners, announced the second of two recently discovered hacking kits that allow hackers to steal iPhone users' data (photos, Messages, iCloud, you name it) when victims simply visit a compromised website. The exploit kit that makes all this possible is called DarkSword.
See more in-depth reporting from TechCrunch, Wired (sorry, they don't support gift links) and an especially technical dive from Lookout.
The good news: There is something you can do to keep yourself safe (and it's not that hard): update your iPhone. If your iPhone is running the latest version of iOS 26, DarkSword will bounce off your phone's digital armor. Need help installing iOS updates? Check out this quick tutorial from Apple.

2. Truth can be stranger than fiction
Synopsis: The eighth episode of the second season of the TV show The Pitt features the consequences of a cyberattack hitting hospitals. In this piece from Politico, Dana Nickel writes:
Experts have praised “The Pitt,” now in its second season, for its medical accuracy and for portraying the fast-moving and often overlooked consequences of a cyberattack across hospital networks.
My diagnosis: I, admittedly, haven't seen The Pitt. (Medical dramas aren't really my genre of choice, please forgive me.) That said, I think an Emmy Award-winning show featuring cyberattacks on healthcare centers shows the threat is no longer niche. In fact, a recent poll from Politico revealed that residents of a number of NATO countries (including the U.S.) believe that such attacks should be viewed as an act of war, and there was even one death in the U.K. attributed to a cyberattack in 2024.
According to Politico, the Senate is currently working on the Health Care Cybersecurity and Resiliency Act to potentially help address this national issue. (This is not a political newsletter, so I won't put odds on that passing.)

3. Chatbot chattermouth
The tea: While Sears department stores are nearly no more, their appliance repair brand, Sears Home Services, is very much alive. So alive, in fact, the service provider also decided to join in the AI fun with a customer service chatbot named Samantha. The trouble is that Samantha is not so good at maintaining privacy. A Good Samaritan, Jeremiah Fowler, discovered databases of Samantha's conversations, text and audio, publicly available on the internet. On some audio calls, the chatbot continued recording long after the customer was aware. (Yikes.) Thankfully, "...the databases were quickly secured," after Fowler notified the company.
My work order: We should all be extremely careful what information we share with AI chatbots. This is new technology, and even the major players, like OpenAI and Meta, have made big mistakes when it comes to privacy. AI companies can also have a large incentive to harvest your data, according to a co-founder of the Signal Foundation. So, whether you're making a to-do list or seeking tax advice, please be aware that these chats may not stay private.
P.S. Above all, please don't share your health data. Pretty please!

4. Breaking the Fourth Amendment?
Admin admission: The FBI shared with Congress on Wednesday that it was purchasing Americans' location data from what are known as data brokers. This is a change from the FBI's stated practices circa 2023. Critics say this blatantly jumps over the Fourth Amendment. Meanwhile, advocates argue it keeps Americans safe and is legal based on the Electronic Communications Privacy Act because the information is commercially available.
My position: Society's safety and freedom constantly play a tug of war, and I believe it's a debate worth having. That said, I think most of us fail to realize the scope of the location data in question, which makes it hard for the average person to assess the government’s claim that acquiring the location data is in the best interest of our safety.
According to the Electronic Frontier Foundation, one such data broker, Mobilewalla, has collected "data on over a billion people," and interested parties can access and connect this intel to people like you and me. That's just one company. And while this may sound hypothetical, the Wall Street Journal reported this location data led to real arrests back in 2020.
Maybe you, dear reader, are comfortable if some people - maybe even some bad people - are arrested in part because of the data the government has acquired through these means. But I'd remember any apparatus of mass, unchecked surveillance that is used against people we don’t like could be used against the people we do like. What's stopping that from happening?

5. Walking on water
The sign: It's incredible that the workout app, Strava, is still revealing military positions years after this "feature" was revealed. The New York Times reported in 2018 how the app's "global 'heat map'" could show the locations of military bases around the world from workout data, and this week it revealed the location of the French aircraft carrier Charles de Gaulle. Though far from top secret, I'd classify the "breach" as not so good. This isn’t the first time workout data has revealed, if not classified, then surely sensitive French government information. The French president Emmanuel Macron's location was revealed in 2024 because a bodyguard logged a workout in the app.
My call: If you're wondering how the location data in story number four is harvested for data brokers, it's from apps just like Strava. Fitness apps like this one make their location data collection more obvious, but the same data can be covertly collected from dating, shopping, and even religious apps.
I believe we all need a few more speed bumps in terms of sacrificing our privacy for convenience, though it's an uphill battle when self-discipline is the only prescription for real digital privacy. We're all bound to slip up eventually. That's, in part, why I'm convinced we need tougher data protections for the everyday consumer, by default. These protections would help protect our privacy and (just maybe) our national security too.
To wrap up...
I hope you've enjoyed this week's stories. A few honorable mentions for this week include the fallout from Iran's hacking of Stryker, a cyberattack preventing cars from starting, and recommendations for Dark Web Monitoring services.
Last but not least, let me know what you thought about this newsletter or if I missed a big story by writing back. I read every response, and this newsletter can only get better with your feedback.
See ya next week!
Danny