The FTC has issued an order against General Motors for collecting and selling drivers’ precise location and behavior data, gathered every few seconds and marketed as a safety feature. That data was sold into insurance ecosystems and used to influence pricing and coverage decisions — a clear reminder that how organizations collect, retain, and share data now carries direct security, regulatory, and financial risk.

In this episode of Cyberside Chats, we explain why the GM case matters to CISOs, cybersecurity leaders, and IT teams everywhere. Data proliferation doesn’t just create privacy exposure; it creates systemic risk that fuels identity abuse, authentication bypass, fake job applications, and deepfake campaigns across organizations. The message is simple: data is hazardous material, and minimizing it is now a core part of cybersecurity strategy.

Key Takeaways:

1. Prioritize data inventory and mapping in 2026

You cannot assess risk, select controls, or meet regulatory obligations without knowing what data you have, where it lives, how it flows, and why it is retained.

2. Reduce data to reduce risk

Data minimization is a security control that lowers breach impact, compliance burden, and long-term cost.

3. Expect that regulators care about data use, not just breaches

Enforcement increasingly targets over-collection, secondary use, sharing, and retention even when no breach occurs.

4. Create and actively use a data classification policy

Classification drives retention, access controls, monitoring, and protection aligned to data value and regulatory exposure.

5. Design identity and recovery assuming personal data is already compromised

Build authentication and recovery flows that do not rely on the secrecy of SSNs, dates of birth, addresses, or other static personal data.

6. Train teams on data handling, not just security tools

Ensure engineers, IT staff, and business teams understand what data can be collected, how long it can be retained, where it may be stored, and how it can be shared.

Resources:

1. California Privacy Protection Agency — Delete Request and Opt-Out Platform (DROP)

https://privacy.ca.gov/drop/

2. FTC Press Release — FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data

https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-general-motors-sharing-drivers-precise-location-driving-behavior-data

3. California Delete Act (SB 362) — Overview

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362

4. Texas Attorney General — Data Privacy Enforcement Actions

https://www.texasattorneygeneral.gov/news/releases

5. Data Breaches by Sherri Davidoff

https://www.amazon.com/Data-Breaches-Opportunity-Sherri-Davidoff/dp/0134506782

When Venezuela experienced widespread power and internet outages, the impact went far beyond inconvenience—it created a perfect environment for cyber exploitation.

In this episode of Cyberside Chats, we use Venezuela’s disruption as a case study to show how cyber risk escalates when power, connectivity, and trusted services break down. We examine why phishing, fraud, and impersonation reliably surge after crises, how narratives around cyber-enabled disruption can trigger copycat or opportunistic attacks, and why even well-run organizations resort to risky security shortcuts when normal systems fail.

We also explore how attackers weaponize emergency messaging, impersonate critical infrastructure and connectivity providers, and exploit verification failures when standard workflows are disrupted. The takeaway is simple: when infrastructure collapses, trust erodes—and cybercrime scales quickly to fill the gap.

The December release of the Epstein files wasn’t just controversial—it exposed a set of security problems organizations face every day. Documents that appeared heavily redacted weren’t always properly sanitized. Some files were pulled and reissued, drawing even more attention. And as interest surged, attackers quickly stepped in, distributing malware and phishing sites disguised as “Epstein archives.”

In this episode of Cyberside Chats, we use the Epstein files as a real-world case study to explore two sides of the same problem: how organizations can be confident they’re not releasing more data than intended, and how they can trust—or verify—the information they consume under pressure. We dig into redaction failures, how AI tools change the risk model, how attackers weaponize breaking news, and practical ways teams can authenticate data before reacting.