TL;DR

This week saw Nike confirm a 1.4 TB data theft by the WorldLeaks cybercrime group, while Canada Life disclosed a breach affecting 70,000 customers via a compromised employee account. These incidents share a common thread: attackers exploited identity and vendor gaps that most small businesses still ignore. Fix three things this weekend — MFA on every admin account, supplier access reviews, and offline backups — and you avoid becoming next week's headline.

This Week's Major Incidents

1. Nike — 1.4 TB of Supply Chain and Design Data Stolen

What happened: The cybercrime group WorldLeaks claimed responsibility for stealing approximately 1.4 TB of internal data from Nike, comprising over 188,000 files related to product design, manufacturing processes, supply chain logistics, and operational information. Nike confirmed it is investigating a potential security incident after the group publicly threatened to leak the data.

How bad was it: Critical. This is not just customer PII — it is intellectual property, vendor pricing, factory specifications, and multi-year product roadmaps. For a business of Nike's scale, the competitive damage and potential supply chain disruption easily reach eight figures. For a smaller manufacturer or retailer, losing equivalent proprietary data to a competitor or ransomware group is often an extinction-level event.

How it could have been prevented: File theft at this volume suggests either long-undetected lateral movement inside the network or compromised credentials with broad file-share access. Prevention requires:

  • Principle of least privilege on file shares and design repositories
  • Data Loss Prevention (DLP) monitoring bulk file exfiltration
  • Network segmentation separating design systems from general corporate IT
  • Privileged Access Management (PAM) with session recording for high-value data stores

Your weekend action item: Audit your file server and cloud storage admin permissions. Remove "everyone" or "domain users" access from sensitive folders. Enable DLP alerts on SharePoint, Google Drive, or your NAS for bulk downloads.
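To make the bulk-download alert concrete, here is an added example (not from the original article or any vendor's DLP product) of the sliding-window logic such an alert runs over file-access audit events. The log format, user names, paths and thresholds are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to what a normal working session looks like.
WINDOW = timedelta(minutes=10)
MAX_FILES = 5                   # downloads per user per window
MAX_BYTES = 500 * 1024 ** 2     # 500 MiB per user per window

# Constructed audit events in a made-up "timestamp user path bytes" format.
SAMPLE_LINES = [
    f"2026-04-20T02:0{i}:00 bob /design/model_{i}.cad 1000000" for i in range(6)
] + [
    "2026-04-20T09:00:00 alice /design/brief.docx 2000000",
    "2026-04-20T09:40:00 alice /design/brief_v2.docx 2000000",
    "2026-04-20T10:00:00 carol /finance/ledger.bak 314572800",
    "2026-04-20T10:01:00 carol /finance/payroll.bak 314572800",
]

def parse(line):
    ts, user, path, size = line.split()
    return datetime.fromisoformat(ts), user, path, int(size)

def bulk_download_alerts(lines):
    """Alert once per user when a sliding window exceeds either threshold."""
    window = defaultdict(deque)   # user -> (timestamp, bytes) still in window
    volume = defaultdict(int)     # user -> bytes still in window
    alerted, alerts = set(), []
    for ts, user, _path, size in sorted(parse(l) for l in lines if l.strip()):
        events = window[user]
        events.append((ts, size))
        volume[user] += size
        while ts - events[0][0] > WINDOW:        # drop events older than WINDOW
            volume[user] -= events.popleft()[1]
        over = len(events) > MAX_FILES or volume[user] > MAX_BYTES
        if over and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(),
                           "files": len(events), "bytes": volume[user]})
    return alerts

if __name__ == "__main__":
    for alert in bulk_download_alerts(SAMPLE_LINES):
        print(alert)
```

Checking both file count and byte volume matters: one rule catches many small files pulled quickly, the other catches a few very large archives.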

2. Canada Life — 70,000 Customer Records Exposed via Compromised Employee Account

What happened: In April 2026, Canada Life disclosed that attackers accessed personal information of approximately 70,000 individuals after compromising a single employee account. The ShinyHunters threat actor group was linked to the breach. Exposed data included names, dates of birth, addresses, gender, and income details — a full identity-theft kit.

How bad was it: Severe. A compromised employee account is the most common initial access vector for SMBs, yet it is also the most preventable. For a financial services firm, the regulatory fines (PIPEDA in Canada, equivalent to GDPR penalties in structure) plus customer churn and credit monitoring costs can run into millions.

How it could have been prevented: The breach started with one compromised identity. Stopping it requires:

  • Phishing-resistant MFA (FIDO2/WebAuthn hardware keys or passkeys) on all remote-access and email accounts, not just SMS
  • Conditional access policies that block logins from unexpected geographies or devices
  • Endpoint Detection and Response (EDR) to catch credential theft and unusual data access patterns
  • Regular access reviews to ensure terminated or transferred employees lose access immediately

Your weekend action item: Enable MFA on every business-critical account today — email, CRM, accounting software, and remote desktop. If any account still uses SMS-only, upgrade it to an authenticator app or hardware key. Review active users in your Microsoft 365 or Google Workspace admin panel and deactivate stale accounts.

3. J Grennan & Sons — Agri-Trading Firm Hit by Akira Ransomware

What happened: Irish agri-trading company J Grennan & Sons was listed as a victim by the Akira ransomware group. The attackers claimed to have exfiltrated over 1 TB of data tied to more than 20 million individuals, including names, contact details, national identity numbers, energy contract information, and in some cases bank IBANs. The company confirmed significant operational disruption and engaged external incident responders.

How bad was it: Devastating for a mid-sized agribusiness. Akira operates a double-extortion model: encrypt systems and threaten to leak stolen data. Operational downtime in agriculture trading during peak season means rotting inventory, broken contracts, and cash-flow collapse. The 20-million-record data exposure also triggers GDPR liability for any EU-linked entity.

How it could have been prevented: Akira typically gains entry via unpatched VPN appliances, stolen credentials sold on dark-web markets, or phishing. Defenses include:

  • Patching internet-facing VPN and firewall firmware within 48 hours of advisory release
  • No direct RDP or VPN access without MFA and IP allowlisting
  • Immutable offline backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite/air-gapped)
  • Network segmentation between IT and operational technology (OT) systems

Your weekend action item: Test your backups. Actually restore a file from your cloud backup and from your local backup. If you cannot restore in under an hour, you do not have a backup — you have a prayer. Move one full backup copy to an offline or immutable destination.
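A restore drill is only meaningful if the restored files are checked against what was backed up. The following added example (not from the original article) records SHA-256 hashes at backup time and verifies a restore against them and against the one-hour target above; the file names, the `demo()` drill and the caller-measured `elapsed_seconds` are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

RTO_SECONDS = 3600  # the "under an hour" restore target from the text above

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(source_dir):
    """Map relative path -> SHA-256 at backup time; keep it apart from the backup."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_dir, elapsed_seconds):
    """Compare a restored tree with the manifest and the restore-time target."""
    root = Path(restored_dir)
    missing = [rel for rel in manifest if not (root / rel).is_file()]
    corrupt = [rel for rel, digest in manifest.items()
               if rel not in missing and sha256_file(root / rel) != digest]
    within_rto = elapsed_seconds <= RTO_SECONDS
    return {"missing": missing, "corrupt": corrupt, "within_rto": within_rto,
            "passed": not missing and not corrupt and within_rto}

def demo():
    """Constructed drill: one file restored intact, one truncated, one absent."""
    files = {"ledger.csv": b"a,b\n1,2\n", "contracts.db": b"x" * 4096,
             "keys/vpn.conf": b"[peer]\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in files.items():
            target = Path(src, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(src)
        Path(dst, "ledger.csv").write_bytes(files["ledger.csv"])
        Path(dst, "contracts.db").write_bytes(b"x" * 100)   # truncated restore
        return verify_restore(manifest, dst, elapsed_seconds=1500)

if __name__ == "__main__":
    print(demo())
```

A restore that finishes on time but returns truncated or missing files still fails the drill, which is the case a simple "the job completed" check misses.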

What Your Business Should Do Differently This Week

Most SMB owners treat cybersecurity like insurance: set it once and hope for the best. This week's breaches prove that approach is fatal. Here is a 48-hour action checklist:

  • Identity Lockdown: Enable MFA on every admin and finance account. Remove legacy protocols (IMAP/POP without MFA, basic auth).
  • Vendor Hygiene: List every third-party supplier with access to your data. Email them asking for their incident response contact and last penetration test date. Drop vendors who cannot answer.
  • Backup Integrity: Restore one critical file from each backup tier. Verify immutability on cloud backups (ransomware cannot encrypt what it cannot modify).
  • Phishing Drill: Send a fake phishing email to your team using a free tool. Anyone who clicks gets 10 minutes of training, not punishment.
  • Incident Response Card: Write one page with "If we get ransomware, call [number], disconnect [device], and do NOT touch [system]." Print it and tape it to the router.

FAQ

Q: We are too small for hackers to target — does this really apply to us?

A: Yes. Ransomware is automated and scalable. ShinyHunters and Akira do not hand-pick Fortune 500 targets; they scan the internet for unpatched VPNs and leaked credentials. A 20-person business with $50,000 in annual revenue is just as likely to be encrypted as a global brand — and far less likely to survive the downtime.

Q: We already have antivirus. Is that enough?

A: No. Traditional antivirus catches known malware signatures. Modern attackers use "living off the land" techniques — legitimate tools like PowerShell and remote management software — that antivirus ignores. You need EDR, MFA, network segmentation, and backup immutability layered together.

Q: How much does it cost to fix after a ransomware attack?

A: The average ransomware recovery cost for SMBs in 2026 is approximately $1.85 million, including downtime, data recovery, legal fees, and reputation damage. The ransom demand itself is often only 10-20% of the total cost. Prevention is orders of magnitude cheaper.

Q: Should we pay the ransom if we are hit?

A: Law enforcement and cybersecurity agencies universally advise against paying. Payment does not guarantee decryption key delivery, funds further criminal activity, and may expose you to sanctions liability. Build immutable backups and rehearse recovery instead.

Conclusion

This week's digest is a warning, not entertainment. Nike, Canada Life, and J Grennan & Sons all suffered breaches that started with basic identity, access, or vendor controls failing. The difference between a headline and a near-miss is rarely a million-dollar security appliance — it is MFA, patching, backups, and segmentation applied consistently.

Your weekend action items are concrete: enable MFA everywhere, test your backups, and review supplier access. If you need help prioritizing, visit consult.lil.business for a free cybersecurity assessment tailored to your business size and risk profile.

TL;DR

  • Some bad people use AI to pretend to be computer workers and get hired by companies
  • They use robot voices, fake photos, and computer-generated resumes
  • They don't actually do the work—they steal secrets
  • Companies need new ways to check if people are who they say they are

What's Happening?

Imagine this: Someone sends a job application to a company. They have a nice photo, a good resume, and they do great in the interview. The company hires them.

But there's a problem: That person doesn't really exist.

A group of bad people used AI (artificial intelligence) to create a fake person, trick the company, and get hired. Then they use their job to steal secrets and money.

This is happening RIGHT NOW with computer programming jobs.


Who's Doing This?

Microsoft (a really big computer company) found out that some people from North Korea are doing this [1]. They use special names:

  • Jasper Sleet
  • Coral Sleet (used to be called Storm-1877)

They're like teams of tricksters using computers to fake being workers.


How Do They Trick Companies?

Step 1: Creating a Fake Person

They use AI to make everything up:

  • Fake names - The computer suggests names that sound real
  • Fake photos - Computer-generated pictures that look like real people
  • Fake resumes - Computer-written work history that looks perfect for the job
  • Fake emails - Email addresses that match the fake name

It's like playing dress-up, but with computers instead of clothes.

Step 2: Tricking the Interview

When it's time for a video call, they use special tricks:

  • Robot voices - Computers that change their voice to sound like someone else
  • Chat helper - AI that helps them answer questions during the interview
  • Maybe pre-recorded videos - Sometimes they just play a video instead of talking live

The company thinks they're talking to a real person. But they're actually talking to a trickster using computer tools.

Step 3: Getting Hired (and Stealing)

Once they're "hired":

  • They get paid salary money (which goes to the bad people)
  • They get access to company computers and secrets
  • They steal important information
  • They sell passwords or secrets to other bad people

They might do a little work—using AI to help them write computer code so they don't get caught. But the real goal is stealing, not working. [1]


Why Can't Companies Tell They're Fake?

Good question! Here's why regular background checks don't work:

  • Background check passes - Fake people have no criminal history because they don't exist!
  • References check - Fake references from computer-made people
  • Skills test passes - AI helps them answer technical questions
  • Looks normal on video - Computer voices and fake photos look real

It's like a really, really good costume.


Signs Someone Might Be Fake

Microsoft found some clues that can give away fake workers [1]:

Weird Things in Their Computer Code

  • Using emojis as checkmarks inside code
  • Writing comments that sound like they're explaining themselves too much
  • Using way too many complicated words for simple things
  • Code that's more complicated than it needs to be

Weird Things About Their "Life"

  • Hardly any photos or posts on social media before a certain date
  • The same face shows up with slightly different names
  • Jobs or schools that are hard to check really exist
  • Generic stories that could be about anyone

Weird Things When Working

  • Working at strange hours
  • Asking for access to things they don't really need
  • Moving files around for no clear reason
  • Doing very little real work

How Companies Can Stay Safe

Good companies are fighting back with new rules:

Better Checking

  • Multiple video calls - Not just one interview, but lots of talking
  • Real work tests - Watch them actually do work, not just answer questions
  • Meeting in person - Sometimes you just have to see someone face-to-face
  • Checking their whole internet life - Seeing if they exist in more than one place online

Watching for Weird Stuff

  • Strange computer access - Looking at files they shouldn't need
  • Weird hours - Working at 3am when nobody else is awake
  • Moving data around - Sending files to places they shouldn't go

Being Extra Careful

  • Not giving too much power - Only giving access to what they really need
  • Checking on contractors too - Not just full-time workers, but anyone with access
  • Using computers to watch computers - AI helpers that look for fake workers

What Does This Mean for Us?

This might sound scary, but here's the good news:

  • Smart people are figuring this out - Companies like Microsoft are finding these tricks
  • Better rules are being made - New ways to check if people are real
  • Good AI is fighting bad AI - Using computer helpers to catch the tricksters

And for us regular people:

  • Learn about internet safety - Knowing tricks helps you avoid them
  • Build real relationships - Fake people can't do friendship or teamwork well
  • Ask questions - If something seems weird, it's okay to ask why

FAQ for Curious Kids

They try! But the fake people are really good at tricking. It's like when someone wears a really good Halloween costume—you can't tell who's underneath until they take it off.

Yes! Microsoft found thousands of fake accounts and stopped them [1]. But the bad people keep trying new tricks.

Maybe. That's why companies are being extra careful now. It's like locking doors—not because you expect burglars, but because you want to be safe.

No, AI is just a tool. Think of it like a hammer. You can use a hammer to build a birdhouse OR break a window. AI can help bad people do bad things, but it also helps good people catch them!

TELL A GROWNUP. Don't try to figure it out yourself. If someone online seems weird or too good to be true, that's a grownup problem to solve.


Remember

The internet has good people and bad people, just like the real world. The difference is:

  • Real world - You can see people's faces
  • Online world - People can hide who they really are

That's why we need to be extra careful and use smart rules to stay safe.


Want to learn more about staying safe online? Ask your parents or teachers about internet safety, or check out resources from CISA—they're the experts on keeping computers safe!


Sources

  1. Microsoft Security Blog. "AI as tradecraft: How threat actors operationalize AI." https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/

  2. Microsoft Security Blog. "Jasper Sleet: North Korean remote IT workers' evolving tactics to infiltrate organizations." https://www.microsoft.com/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/

  3. CISA. "Cybersecurity for Kids." https://www.cisa.gov/news-events/news/cisa-launches-cybersecurity-awareness-month-kids

  4. FBI. "North Korean IT Workers Warning." https://www.fbi.gov/ic3/alertr/north-korean
