Privacy Please

S7, E275 - Choose Wisely: GigaWiper, Your New Delete Button & The Gold Bar Grift

A Problem Lounge Show

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 9:37

Send us Fan Mail


Full Show Notes

This week on Privacy Please, Cam breaks down four stories that all come back to one theme: choice.

GigaWiper — Microsoft researchers uncovered a new backdoor malware built from pieces of older malware families, giving attackers the ability to decide after they're already inside a network how they want to cause damage — from low-level disk wipes to fake ransomware with encryption keys that are never even saved. Multiple security firms are independently tracking it, with no group attribution yet.

Connecticut's new AI disclosure law — As of July 1st, companies covered by Connecticut's privacy law must clearly disclose whether their data is used to train large language models like ChatGPT, Gemini, DeepSeek, or Grok. Cam digs into why "disclosure" doesn't always mean "clarity," and what to actually look for in a privacy policy update.

California's Delete Act (DROP) — A correction and a deep dive: DROP has been live since January 1st, not launching in August as previously stated. What actually changes on August 1st is enforcement — the date data brokers become legally required to act on deletion requests. Cam walks through exactly how to submit one at privacy.ca.gov.

The Phantom Hacker gold bar scam — A 78-year-old Phoenix woman nearly lost $600,000 in gold bars to a scammer posing as a federal official — until she turned the tables and called the FBI herself. Cam covers the arrest, the courier-for-hire business model behind it, and the billion-dollar scale of phantom hacker scams since 2024.

Tips for this episode:

  • Back up your data offline — wipers don't negotiate, there's no ransom to pay your way out
  • Search privacy policy updates for "train," "AI," or "language model" before skimming past them
  • California residents: submit a DROP request now at privacy.ca.gov so it's queued before enforcement begins on August 1st
  • No real government agency will ever tell you to convert your money to gold, crypto, or gift cards — hang up and call the agency back yourself

Sources referenced:

  • Microsoft Security research on GigaWiper
  • Connecticut Data Privacy Act (CTDPA) amendment, effective July 1, 2026
  • California Delete Act / DROP platform, cppa.ca.gov
  • FBI IC3 reporting on Phantom Hacker and gold bar scams
  • AZFamily coverage of the Gary Christopher arrest, Phoenix Sky Harbor Airport


Chapter Timestamps

00:00 – Cold Open 01:30 – GigaWiper: Choose-Your-Own-Destruction Malware 04:00 – Connecticut's LLM Data Disclosure Law 06:15 – California's Delete Act & DROP Platform 08:30 – The Phantom Hacker Gold Bar Scam 11:30 – Recap & Close

Support the show

Choice, Privacy, And A Quick Ask

SPEAKER_00

Righty then, ladies and gentlemen, welcome back to another episode of Privacy Please. I am your host, Cameron Ivey, and today we have a theme of choice. That is the theme, my friends. Because it turns out that everybody is making one right now. Or at least we think we are. Hackers are choosing how they want to destroy your data. Lawmakers are finally giving you a choice about who gets to keep your data. And one very unlucky woman in Phoenix almost made the choice that might have been the worst of her life over a bag of gold bars. Quick reminder before we dig in if you're listening on a podcast app, go follow us, hit subscribe, whatever it's called in the app or wherever you're listening to us. Cost you nothing. Helps us a huge ton. A huge ton. That sounds terrible. Helps us a lot. And if there is a video version, it'll be on our YouTube. Not all of them are always uh released on YouTube, but you can go there as well as the problemlounge.com for all of our episodes as well on our website. So this week, Microsoft finds malware that lets attackers pick their own destruction method a la carte. It's fancy. Actually, not that fancy. Two new privacy laws just handed you tools nobody is talking about. And the FBI catches a scammer trying to flee the country mid-heist. Let's get into it, people.

GigaWiper And Destruction On Demand

SPEAKER_00

Alright, first up, Microsoft just published research on something called GigaWiper. And it's not what you think it is. It's a nasty little shift in how destructive malware works. So here's some quick context for you. Normal ransomware wants your money. It just wants you gone. No negotiation, nothing to pay for. GigaWiper takes that and makes it worse. It's a backdoor built from pieces of at least three older malware families. And once it's inside your network, the attacker doesn't even have to decide how they're going to destroy you until they're already in. Overwrite the hard drive at the physical level, deploy fake ransomware with an encryption key that's randomly generated and never saved. So even if you paid, there's nothing to unlock. Or just quietly sabotage the system. Nobody's been named as the group behind it yet. Microsoft, Google, and another security firm are all independently tracking it under different names, which honestly makes it way creepier. Multiple serious researchers converging on the same thing at once. Here's a quick tip. This is squarely a your backups are the only thing that saves you story. If you run a business, offline or otherwise, resilient backups aren't optional anymore. Wipers don't negotiate. There's no ransom to pay your way out of this one. Alright, so here's the second story, and this one's actually good news, which I know is weird for

Connecticut Forces AI Training Disclosures

SPEAKER_00

this show. As of July 1st, Connecticut quietly flipped on a new requirement for us. Companies now have to clearly disclose their privacy notices whether your data is being used or sold to train large language models. ChatGPT, Gemini, DeepSeek, and Grok are named specifically. This is one of the first privacy laws written for the AI moment instead of retrofitted onto old ones. Here's the catch though. And the part, of course, no one mentions. Almost no one knows this exists yet. And I'd bet real money, most companies are technically complying by burying it in 12 paragraphs of legal boilerplate that tells you nothing. Here's what that probably looks like in practice. Somewhere around paragraph 11 of a privacy policy you've never read, a line like aggregated user data may be utilized to enhance machine learning capabilities across afflated services. Something like that. Technically discloses it, tells you absolutely nothing. That's the gap. This law has not closed yet. It says disclose, it didn't say in English though. Here's a tip. Next time you get a privacy policy update email, and I'm sure you're going to get one soon. Actually search it for train or AI or language model. Takes 30 seconds. You might learn something you didn't expect.

California Delete Act And Data Brokers

SPEAKER_00

Sticking with the actually good news theme, California's Delete Act is already live. Drop, the delete request and opt-out platform, has been up and taking requests since January 1st, if you weren't aware. What actually happens August 1st is enforcement. That's the date data brokers become legally required to check Drop and act on the request already in the queue. Before that, they just had to register. Here's how it works: you go to privacy.ca.gov, verify you're a California resident, and submit your name, email, and phone number. Drop hashes that and sends it out to every registered broker at once. Over 600 of them as of this year. Brokers have to check Drop at least every 45 days and report back on the status of your request. And if they don't comply, $200 a day per request and fines. That's real teeth. That's good. That's a great update. That's so good to hear. Now here's a tip. If you're in California, submit your request right now. It's sitting there cued and ready. So the second enforcement kicks in on August 1st, you're already in the front of the line. Get going.

The Phoenix Gold Bar Scam Takedown

unknown

Act now.

SPEAKER_00

Alright, last one here, and this is a story that's gonna make you want to call your parents tonight. A 78-year-old woman in Phoenix gets a call. Ring ring. Hello. I don't know why that was like Mrs. Doubtfire. Guy on the other line says he's from the U.S. Attorney's Office. Tells her she's a victim of identity theft connected to a federal investigation. And I mean he goes there. He tells her it's tied to a child exploitation case. Pure fear, straight to the gut. He walks her through protecting her money, which somehow means converting it to gold and having it picked up. She's in the process of handing over $600,000 in gold bars when something in her clicks, and she calls the actual authorities herself instead. FBI tracks the guy down, his name's Gary Christopher, never trust the guy with two first names, and catches him at a Phoenix Sky Harbor Airport mid-scam, trying to board a flight to none other than Florida. Wait a minute, that's my state. Why am I making fun of it? Ah, we all know what it means. Alright, here's the thing. This isn't a one-off wild story. The FBI says phantom hacker scams have pulled in over a billion dollars since 2024, and gold bar scams specifically took $219 million last year alone. Most victims are 60 and older, and the courier in our story wasn't some criminal mastermind. Court documents say Christopher actually left his job to travel the country picking up gold for scammers, $5,000 a box. That's the business model now. Regular people getting recruited as couriers for cash, no idea or no care what they're actually a part of. Here's a tip: no government agency will ever tell you to move your money into gold, crypto, or stupid gift cards to protect it. Ever. If you get this call, or your parents do, or your grandparents, hang up. I don't even know who answers calls anymore if you don't know their who's calling you, anyways. Call the actual agency back using a number you look up yourself, not one that they gave you. Alright, so quick recap here.

Recap, Listener Requests, And Sign Off

SPEAKER_00

Attackers are now choosing their destruction method, a la carte. Connecticut and California just quietly handed you tools most people don't know exist yet, and a phone call almost cost one woman her life savings and gold bars. Choose wisely, people, because this week, everybody else sure is. Listen, if you have topics, stories, or guests that you want me to dig into, I would love to hear from you. Um I love doing these kind of stories. Obviously, this is a shorter episode this week. Things have been a little hectic in life and all those things, so appreciate the patience. I know I haven't had as many episodes like we usually do, so thanks for sticking through. Uh, things will pick back up soon. We have tons of guests in the queue and a lot of good things to cover. So thank you so much for the support. Thank you for listening to Privacy Please. And if this was your first time, thank you for joining us. I hope you hit subscribe and continue with us. Um, stay safe out there, and we will see you guys on the next one. Cameron Ivy. Over and out of the