Cyber Security Monitor: March 2026

A recent study has revealed that nearly 70% of Britain’s workforce is experimenting with AI rather than having any formal training on how to use it.

This informal approach could undermine an organisation’s competency, accountability and security. Two AI news stories bookend this month’s newsletter and underline the importance of a structured organisational approach to AI governance. First, we examine how non-technical teams could be exposing organisational data by letting AI choose their passwords. We later look at how a recent Copilot data leak points to inherent risks of using generative AI in the work environment.

There’s news of (another) PayPal data breach and what you need to do now to keep accounts safe. We also look at the government’s cyber security advice for UK organisations that might be at risk of collateral damage from the conflict in the Middle East.

Why you shouldn’t trust AI to generate your passwords

Researchers at the AI security lab Irregular are warning non-technical users and software development teams alike against using LLMs (Large Language Models) to generate passwords. The reason? LLM-generated passwords might look impressive, but they are easy to crack.

Experts say the problem with the passwords is similar to many AI-generated outputs: they are plausible but wrong.

According to the researchers, LLM-generated passwords are inherently weak because the models are designed to predict tokens (calculate the most probable next unit of text given the preceding context). That is the opposite of the basic principle of strong password generation, which is to draw every character independently and uniformly at random from a cryptographically secure random number generator, so that no character is more likely than any other and no position depends on the ones before it.

Analysts tested the strength of passwords generated by several LLMs, including Claude Opus 4.6, Gemini 3 and GPT‑5.2. All three produced passwords with predictable character patterns, reused passwords they had generated before, and created new ones that looked strong but were easy to crack when put through their paces.

In spite of these serious security flaws, LLM-generated passwords are becoming increasingly common. Non-technical users who are starting to ‘vibe code’ (instruct AI to write code for specific programs, but without technical oversight) are at risk, and so are development teams who rely heavily on coding agents to create passwords for their projects.

The practical consequence is that LLM-generated passwords are more vulnerable to brute force attacks (where attackers systematically try candidate passwords until one works). The attacker does not need to try every combination of letters, digits and symbols: once the model's habits are known, the search can be narrowed to the patterns it favours.

The research found that such passwords carry far fewer bits of entropy than a conventionally generated password of the same length. Entropy measures how many equally likely outputs a generator can produce: a password with n bits of entropy is one of 2^n possibilities, so each extra bit doubles the number of guesses a brute-force attack needs in the worst case. A 20-character password drawn uniformly from the 94 printable ASCII characters has about 131 bits; a password built from a fixed template has only as many bits as the choices the template leaves open, however long it looks.
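To make the entropy argument concrete, here is an added example (our own illustration, not code from Irregular's research or from any password manager). It generates a password the way password managers do, with Python's `secrets` module drawing each character uniformly from the 94 printable ASCII symbols, and compares it with a constructed "Word-Word-NN!" template generator that stands in for any pattern-following source. The template, its word list and the strength-meter heuristic are assumptions made for the example; the point is that a templated password's real entropy is the number of choices the generator makes, not the characters it prints.

```python
import math
import re
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def uniform_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every position independently and uniformly from `alphabet` via the OS CSPRNG.

    This is the construction password managers use: each position is a fresh,
    unpredictable choice that does not depend on the characters before it.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits_uniform(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly sampled password: log2 of the number of equally likely strings."""
    return length * math.log2(alphabet_size)


# Constructed stand-in for a pattern-following generator (an assumption for this example, not a
# real LLM): it always emits "Word-Word-NN!" and only the word and number picks are random. An
# attacker who has seen a few outputs learns the template and searches the choices, not the text.
WORDS = ["Blue", "Tiger", "River", "Cloud", "Stone", "Maple", "Sunny", "Delta"]
TEMPLATE = re.compile(r"^[A-Z][a-z]+-[A-Z][a-z]+-\d{2}!$")


def templated_password() -> str:
    """Emit one password from the fixed template."""
    return f"{secrets.choice(WORDS)}-{secrets.choice(WORDS)}-{secrets.randbelow(100):02d}!"


def entropy_bits_templated() -> float:
    """Real entropy of the template: two word choices and one two-digit number."""
    return 2 * math.log2(len(WORDS)) + math.log2(100)


def apparent_entropy_bits(pw: str) -> float:
    """What a meter that only inspects the string reports: length x log2(character classes seen).

    It assumes every position is an independent draw from all classes present, which is
    exactly the assumption a templated generator violates, so it overestimates such passwords.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in pw):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in pw):
        size += len(string.digits)
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def worst_case_guesses(bits: float) -> int:
    """Guesses needed to exhaust a space of `bits` bits (the average attacker needs about half)."""
    return 2 ** math.ceil(bits)


if __name__ == "__main__":
    strong = uniform_password(20)
    weak = templated_password()
    print(f"uniform   {strong!r}: {entropy_bits_uniform(20, len(ALPHABET)):.1f} bits real, "
          f"{apparent_entropy_bits(strong):.1f} bits apparent")
    print(f"templated {weak!r}: {entropy_bits_templated():.1f} bits real, "
          f"{apparent_entropy_bits(weak):.1f} bits apparent, "
          f"{worst_case_guesses(entropy_bits_templated())} guesses to exhaust")
```

A templated output such as "Blue-Tiger-07!" scores around 92 bits on an appearance-only meter because it mixes all four character classes, yet an attacker who knows the template only has to cover 8 × 8 × 100 = 6,400 candidates, about 12.6 bits. That gap between apparent and real entropy is the failure mode the Irregular researchers describe.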

The advice from the experts is clear: ditch any LLM-generated passwords and instead use a proven generator, such as a password manager, which draws each character from a cryptographically secure random number generator. And for even more robust security, opt for passwordless authentication such as passkeys.

More details on the latter on our blog here.

PayPal code change causes data breach that went undetected for five months

PayPal users’ data was stolen by hackers over a five-month period before the payment giant discovered that its systems had been compromised.

PayPal’s security team only found out about the breach in December 2025 and then realised that their systems had been accessed since July.

Hackers are thought to have targeted about 100 PayPal users, stealing money and personal information from some accounts.

While the company has now secured its access and compensated customers, they haven’t been forthcoming about why such a serious hack went undetected for so long.

In an official statement, PayPal said that the breach was caused by “…an error in its PayPal Working Capital Loan Application” service and that a code change was responsible for potentially exposing customers’ PII (Personally Identifiable Information).

Being the world’s biggest online payment platform has made PayPal a juicy target for hackers. Back in 2023, over 34,000 customer accounts were hacked in a credential stuffing attack. Then late last year, there was a flurry of phishing emails masquerading as legitimate PayPal support emails.

PayPal has issued the following security advice for shoring up customer accounts:

  • Use a different password and username for every website and online account
  • Immediately change your password and any security questions if you notice suspicious activity on your account
  • Hover over any email links before clicking to see the actual URL destination. If unsure, do not click!
  • Be wary of any messages that sound urgent and demand immediate action. Always verify emails by visiting your PayPal account first and viewing messages there instead of clicking on anything in your email.

Read the full list of advice here.

Middle East war: UK government advises organisations to review cyber security 

The National Cyber Security Centre has asked British organisations to examine their cyber defences as the conflict in the Middle East intensifies.

The Centre has warned that “there is almost certainly a heightened risk of indirect cyber threat for those organisations and entities who have a presence, or supply chains, in the Middle East.”

It also warned that “Iran state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity.”

The Police Digital Service (PDS) has also alerted organisations that phishing emails from Iranian threat actors pose a persistent danger. The PDS has recommended that organisations remain cautious about phishing lures masquerading as job offers, webinars and emails with strongly emotive content on Israel and Palestine. There is also a threat of Iran state-linked hackers targeting individuals with higher system privileges within an organisation. The PDS is calling for leadership teams to be trained to spot such lures.

The NCSC has further warned of specific threats to UK organisations from Iran-backed hacktivists, such as DDoS attacks, phishing and the targeting of industrial control systems (ICS). There is more specific advice for organisations with a physical presence or supply chains in the region here.

All organisations have been encouraged to sign up to the NCSC’s Early Warning Service, which offers free notifications of network security issues.

Microsoft Copilot snoops on confidential emails

Microsoft has admitted that a coding error caused its work assistant tool, Copilot, to access confidential user emails.

The tech giant revealed last month that Copilot had inadvertently summarised confidential emails that some users had stored in their Drafts and Sent Items folders in Outlook.

Even though the emails were created by the users themselves, Copilot should never have had access to them: Microsoft applies sensitivity labels and data protection policies to content marked as confidential precisely to prevent unauthorised access and sharing, and content carrying those labels is meant to be excluded from Copilot processing.

A spokesperson for Microsoft told the BBC that “While our access controls and data protection policies remained intact, this behaviour did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access.” Microsoft also clarified that the glitch “did not provide anyone access to information they weren’t already authorised to see”.

A worldwide configuration update has been deployed to fix the issue for enterprise customers.

The news was also shared on an NHS IT support portal, indicating that NHS workers might have been affected. However, the BBC reports that patient information has not been exposed.

Jake Ives, Intersys’ Head of Security, says that the issue could lead to compliance breaches.

“Many industries trust Copilot for Work to index information which is made available to it, but in a highly regulated industry that has obligations under frameworks such as HIPAA (e.g. the healthcare sector), there is a direct knock-on effect. Even if no unauthorised person accessed the data, the fact it was processed by its AI could constitute a breach of data handling policy and cause headaches for the compliance team.

Organisations should make sure that they know what data they hold in their environment, understand their compliance obligations, and test the rollout of Copilot in phases. Hold off buying licences and rolling out in one big bang, as tempting as it is.”

Security experts say that such leaks are going to become inevitable given the breakneck speed of AI innovation. New features are constantly being rolled out, and organisations can struggle to stay on top of data security.

Our Copilot readiness service recognises the AI challenges facing organisations today. We offer in-depth reviews of user access and use cases, privacy and permissions, correct configuration, and user awareness training. We’ve also got more general advice on responsible use of AI in the workplace here.

Other vulnerabilities

  • Chrome Zero-Day Memory Bug
  • Windows Admin Centre Vulnerability
  • Critical Grandstream Phone Vulnerability
  • Apple Multiple Products Buffer Overflow Vulnerability
