The reality of the increasing risk of AI hacks on governments and businesses
Today we’re focusing on the risks of AI, including a recent rare public warning that AI could launch harmful attacks on the government and businesses.
Five Eyes warn of devastating AI hacks
Intelligence agencies making up the Five Eyes have given a rare public warning in a joint statement that Artificial Intelligence (AI) models capable of devastating attacks on governments and businesses are only months away.

They have warned that business leaders should be prepared. “Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility,” the statement said.
The intelligence agencies, such as GCHQ in the UK, along with Australia, the US, New Zealand and Canada, have warned that it should be assumed that malicious actors will soon have access to engineered and supercharged hacking tools designed by already-existing AI models and businesses must prepare for ‘an onslaught’ of sophisticated attacks.
The warning came a week after the US government ordered Anthropic to block access by foreign nationals to its most sophisticated AI models, labelling their export a security risk but also putting allies on the back foot.
The statement added that while AI would help improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats.
The Five Eyes is an intelligence alliance set up between the five countries after the Second World War.
The full statement can be found at https://www.ncsc.gov.uk/news/the-ai-shift-in-cyber-risk-why-leaders-must-act-now
Further AI troubles
Two other recent news stories may give businesses pause for thought in their plans for an AI rollout.
21,000 lose jobs
Buried in its annual report, software giant Oracle has admitted that it has made 13% of its global workforce redundant, or 21,000 jobs, last year through the implementation of AI systems.
Oracle told investors that the, “… deployment of AI technologies across our operations has resulted, and may continue to result, in reductions to our workforce”.
The company is one of the few to explicitly link headcount cuts to automation rather than corporate euphemisms such as ‘streamlining’.
The database group, which was founded by Larry Ellison, has set aside additional cash to cover ‘restructuring’ costs. The firm said the cuts have led to about £1.36 billion in severance payments and other restructuring costs in the past year, up from the £284 million restructuring bill in the previous financial year.
Meta can’t control AI
Two months into a trial that tracks its employees’ computer keystrokes and mouse movements using AI, Meta has had to switch the system off. Its Model Capability Initiative (MCI) was discovered to be leaking sensitive company and personnel data to anyone on the system.
According to Meta, the system was designed to gather data on how people use computers and train AI models.
The company had ignored staff concerns about privacy issues and a petition signed by over 2,000 Meta employees but has now suspended its use after realising data collected had been left potentially accessible to anyone inside the company.
Warning to UK companies using Fortinet products
Fortinet firewalls and VPN gateways have been targeted as part of a global campaign, with some indications that UK companies were affected, the National Cyber Security Centre (NCSC) have warned.
A database of credentials has been leaked by a threat actor following brute-force, dictionary and credential stuffing attempts against internet-facing FortiGate and VPN portals. Credential stuffing is a method where attackers use passwords stolen from one web service to try to access accounts on other services, taking advantage of any reuse of username and password combinations.
What actions should be taken?
UK organisations using Fortinet edge devices with SSL VPN enabled should investigate potentially malicious activity on the device and monitor their network for unusual activity.
Fortinet has published a blog post providing guidance and an analysis. https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
The NCSC has also published nine steps to check your systems, and they can be found here: https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways
