Cleartext – March 16, 2026
Monday, March 16, 2026 · 8:49
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 6 topic areas, including: ISMG Editors: Iran Conflict Expands Into Cyber Warfare; Washington is right: Cybercrime is organized crime. Now we need to shut down the business model; The ransomware economy is shifting toward straight-up data extortion.
Stories Covered
🌍 Geopolitical
ISMG Editors: Iran Conflict Expands Into Cyber Warfare
BankInfoSecurity · Mar 16 · Relevance: █████████░ 9/10
Why it matters to CISOs: Active cyber operations tied to the U.S.-Israel-Iran conflict represent a heightened threat environment that CISOs in defense, energy, financial services, and critical infrastructure must factor into threat models and incident response planning immediately.
- Cyber activity tied to U.S.-Israel-Iran conflict is escalating
- Pentagon standoff with AI firm Anthropic raises questions about military AI governance
- Document fraud report reveals systemic weaknesses in verification systems
Washington is right: Cybercrime is organized crime. Now we need to shut down the business model
CyberScoop · Mar 16 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The executive order formally designating cyber-enabled fraud as transnational organized crime could lead to new sanctions, enforcement actions, and public-private collaboration requirements that affect how enterprises engage with law enforcement and manage threat intelligence.
- New executive order classifies cyber-enabled fraud as transnational organized crime
- Calls for dismantling criminal infrastructure, not just defense
- Signals potential new obligations for private sector cooperation
📡 Macro Trends
The ransomware economy is shifting toward straight-up data extortion
CyberScoop · Mar 16 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Google's research confirms the strategic shift from encryption-based ransomware to pure data extortion, which demands CISOs rethink data loss prevention, exfiltration detection, and incident response playbooks rather than focusing solely on backup/recovery.
- Google Threat Intelligence Group report documents ransomware evolution in 2025
- Cybercrime is shifting from encryption-based attacks toward data-only extortion
- The shift is clouding collective understanding of ransomware's full impact and scale
🔓 Data Breach
Telus Digital confirms hack as ShinyHunters claims credit for massive data theft
Cybersecurity Dive · Mar 16 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A breach at a major business-process outsourcer serving many large enterprises highlights third-party and supply-chain risk — CISOs whose organizations use Telus Digital need to assess data exposure and review BPO vendor security requirements.
- Telus Digital, a major Canadian BPO, confirmed a cyberattack
- ShinyHunters threat group claims credit for the data theft
- The company still hasn't determined the full scope of what was stolen
Stryker says hospital tools are safe, but digital ordering systems still down after cyberattack
The Record (Recorded Future) · Mar 16 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A destructive cyberattack on a major medical device manufacturer that wiped thousands of devices and kept ordering systems down for over a week illustrates supply chain risk for healthcare CISOs and the potential for geopolitically motivated destructive attacks on medical supply chains.
- Stryker's digital ordering systems remain down a week after the attack
- Attack believed to have wiped thousands of company devices
- Company asserts its medical device products remain safe for patient use
⚖️ Governance & Policy
When Liability Turns the CISO Into the Fall Guy
BankInfoSecurity · Mar 16 · Relevance: █████████░ 9/10
Why it matters to CISOs: This directly addresses the personal risk CISOs face as regulators increasingly pursue individual accountability after breaches, affecting how security leaders negotiate employment terms, D&O coverage, and reporting structures.
- Regulators are pursuing personal accountability for CISOs after major breaches
- Growing liability is changing how security leaders report risk to boards
- The trend is making the CISO role less attractive to experienced practitioners
Luxembourg court overturns $858 million privacy fine against Amazon
The Record (Recorded Future) · Mar 16 · Relevance: ████████░░ 8/10
Why it matters to CISOs: This landmark GDPR ruling reshapes the enforcement landscape for consent-based data processing, potentially signaling weaker enforcement teeth and influencing how CISOs and DPOs calibrate privacy program investments and risk tolerance.
- Luxembourg court overturned Amazon's $858 million GDPR fine
- The case originated in 2018 over how Amazon obtained consent from European consumers
- Ruling could set precedent for how GDPR enforcement is applied to large tech companies
🚀 Startup Ecosystem
Bold Launches With $40M to Target AI Risks on Endpoints
BankInfoSecurity · Mar 16 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A $40M stealth launch focused on securing AI agent activity at the endpoint signals growing investor recognition that existing endpoint controls are inadequate for AI-era data access patterns — CISOs should evaluate emerging gaps in their endpoint strategies.
- Bold Security exited stealth with $40 million in funding
- Platform focuses on AI-era endpoint security including AI agents accessing data locally
- CEO argues older endpoint controls create blind spots around apps, files, and device activity
🚨 Critical Vulnerability
Security Flaw in AWS Bedrock Code Interpreter Raises Alarms
Infosecurity Magazine · Mar 16 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A DNS-based exfiltration path from AWS Bedrock AI sandboxes demonstrates that enterprise AI deployments on major cloud platforms can be weaponized to leak cloud data — CISOs adopting generative AI services need to reassess sandbox isolation assumptions.
- DNS-based attack in AWS Bedrock AgentCore enables data exfiltration from AI sandboxes
- Affects enterprises using AWS AI services for agentic workflows
- Highlights that AI sandbox environments may not provide assumed isolation guarantees
Further Reading
- 🌍 ISMG Editors: Iran Conflict Expands Into Cyber Warfare — BankInfoSecurity
- 🌍 Washington is right: Cybercrime is organized crime. Now we need to shut down the business model — CyberScoop
- 📡 The ransomware economy is shifting toward straight-up data extortion — CyberScoop
- 🔓 Telus Digital confirms hack as ShinyHunters claims credit for massive data theft — Cybersecurity Dive
- 🔓 Stryker says hospital tools are safe, but digital ordering systems still down after cyberattack — The Record (Recorded Future)
- ⚖️ When Liability Turns the CISO Into the Fall Guy — BankInfoSecurity
- ⚖️ Luxembourg court overturns $858 million privacy fine against Amazon — The Record (Recorded Future)
- 🚀 Bold Launches With $40M to Target AI Risks on Endpoints — BankInfoSecurity
- 🚨 Security Flaw in AWS Bedrock Code Interpreter Raises Alarms — Infosecurity Magazine
Full Transcript
Jordan: A medical device company gets hit so hard that thousands of internal devices get wiped clean. Their ordering systems are still dark a week later. And there's a reasonable case that Tehran had something to do with it. That's not a threat model exercise. That's this morning.
Alex: It's Monday, March 16th, 2026. Welcome to Cleartext. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Today we're covering a threat environment that's getting messier by the hour. Iran-linked cyber operations are no longer background noise — they're hitting critical infrastructure and medical supply chains in the same week. We've also got a major BPO breach courtesy of ShinyHunters, a ransomware economy that's quietly changed its business model, a landmark GDPR ruling that may have just softened Europe's biggest enforcement stick, and a conversation that I suspect many of you have had privately: what happens when the CISO becomes the fall guy. Let's get into it.
Jordan: So let's start with the geopolitical picture, because it's the frame for everything else today. The U.S.-Israel-Iran conflict has a cyber dimension that is actively expanding. We're not talking about nuisance-level defacement or credential theft. We're talking about destructive operations. The Stryker attack is the clearest example in the news this week — thousands of devices wiped, digital ordering systems down for over a week at one of the largest medical device manufacturers in the world. The company is saying its physical products are safe for patient use, and I'll take them at their word on that, but the operational disruption is real and it's ongoing.
Alex: And that framing matters for CISOs, especially in healthcare, defense, and critical infrastructure. This isn't ransomware-as-a-business. This is a nation-state or a nation-state proxy trying to impose costs. The playbook is fundamentally different. You're not negotiating with anyone. There's no decryptor key waiting at the end of a Bitcoin transaction. The objective is damage, not revenue.
Jordan: Right. And the Stryker incident forces a supply-chain conversation that healthcare security leaders need to have at the board level this week. If a critical supplier's ordering infrastructure goes dark for ten days, what does your hospital system's contingency plan look like? Most organizations have mapped their software supply chain reasonably well at this point. Far fewer have mapped their operational supply chain — the vendors whose systems you depend on to get equipment, consumables, and devices into clinical settings.
Alex: The broader Iran conflict coverage also flagged something worth noting: the Pentagon's posture around AI governance is getting complicated, specifically with Anthropic. We don't need to litigate that today, but the signal for enterprise security leaders is that military AI procurement and governance is becoming contested terrain, and that has downstream implications for how AI vendors prioritize security controls versus capability. Watch that space.
Jordan: Let's talk about the ransomware evolution story, because Google's Threat Intelligence Group put out a report that codifies something practitioners have been sensing for about eighteen months. The ransomware economy is pivoting from encryption to pure data extortion. No encryption, no recovery-focused ransom demand. Just: we have your data, pay us or we publish it.
Alex: This is actually a more dangerous model in some respects. Traditional ransomware gave defenders a visible signal — systems go down, operations stop, you know you've been hit. Data-only extortion can sit undetected for far longer. The attacker has time to stage, to identify the most sensitive material, to maximize leverage before they ever announce themselves.
Jordan: And it completely reframes what "recovery" means. Your backup and recovery program, however mature it is, does nothing to address this threat. The controls that actually matter now are exfiltration detection, data classification, DLP with teeth, and network monitoring that can catch large-scale staging activity before it leaves your environment.
Alex: The Google report also notes that this shift is obscuring the true scale and impact of ransomware collectively, because incidents that don't involve encryption often don't get reported or categorized the same way. That's a data problem for the industry, but it's also a board communication problem. When you're reporting ransomware risk to your board, make sure you're framing it as a data exposure risk, not just an availability risk.
Jordan: ShinyHunters is back, and this time the target is Telus Digital — major Canadian BPO, serves a lot of large enterprises across North America. The company has confirmed the attack. What they haven't confirmed is the scope of what was taken, which is its own kind of answer.
Alex: If you are a customer of Telus Digital, you should be having that conversation with your vendor relationship today, not waiting for their breach notification letter. The question you need answered is: what data did we share with them, under what agreements, and what were the contractual security requirements we imposed? If the answer to that last question is vague, that's the real problem this breach is exposing.
Jordan: BPOs are a structural vulnerability that I think the industry underweights. They sit at the intersection of your customer data, your internal processes, and often your network. ShinyHunters has proven repeatedly that they are patient, they are effective, and they know how to monetize what they take. This one is worth treating as a first-party incident until you know otherwise.
Alex: Now let's talk about something that hits closer to home for this audience. The personal liability question for CISOs is not theoretical anymore. Regulators are pursuing individual accountability after major breaches. We've seen it. And it's producing behavioral changes that are not good for security culture overall.
Jordan: The perverse incentive is real. If you document risk clearly and push it to the board, and they defer or underfund, and then you have a breach, you've essentially created a paper trail that implicates you. Some CISOs are starting to soften how they communicate risk as a form of self-protection. That is a deeply bad outcome.
Alex: My take on this: the answer is not to obscure risk documentation. The answer is to protect yourself structurally. D&O coverage that specifically names you. Employment agreements that define your authority and your reporting obligations. Board minutes that reflect the risk decisions being made above your level. If you don't have those things, stop what you're doing this week and get them. The CISO liability trend is not reversing. You need to operate accordingly.
Jordan: One governance story that cuts the other direction — Luxembourg's court just overturned Amazon's 858 million dollar GDPR fine. The original case was about how Amazon obtained consent from European consumers, going back to 2018. This ruling is going to ripple through the privacy community in Europe for a while.
Alex: My read: don't use this as an excuse to dial back your GDPR program. Enforcement is still real, the accountability framework hasn't changed, and the reputational cost of a public regulatory action is often worse than the fine itself. What this ruling might indicate is that the largest fines, the ones that reach into the hundreds of millions, are more legally contestable than they appeared. That's useful to know for risk quantification, but it's not a green light to loosen consent practices.
Jordan: Quick note on the AWS Bedrock vulnerability. Researchers found a DNS-based exfiltration path out of the Bedrock AgentCore sandbox — meaning AI agents running in what you assume is an isolated environment can potentially be used to leak data. AWS has been notified and is working on it. But the architectural lesson here is the one that matters.
Alex: If you're deploying agentic AI workflows on any cloud platform, your sandbox isolation assumptions need to be validated, not assumed. DNS is often treated as a trusted, low-risk channel, which is exactly why it gets exploited. Make sure your AI deployment architecture gets the same network egress scrutiny you'd apply to any other workload.
Jordan: Thirty seconds on Bold Security, which came out of stealth with forty million dollars to focus on AI-era endpoint security. The thesis is that existing endpoint controls weren't designed for a world where AI agents are accessing local files and apps at scale. Worth watching if you're deploying agentic tools broadly across your workforce. The gap they're describing is real, even if the product is unproven.
Alex: So what's the theme of the week? Jordan, what are you watching?
Jordan: The intersection of geopolitical escalation and critical infrastructure. The Stryker incident will not be the last one in this conflict cycle. Iran has demonstrated willingness to use destructive cyber operations against economic and logistical targets. If you're in energy, healthcare, defense, or financial services and you haven't pressure-tested your destruction scenario — not ransomware, actual destruction — do it this week.
Alex: For me it's the liability and governance layer. The CISO role is getting structurally more dangerous at the exact moment that the threat environment is getting more complex. The executives who will survive and lead effectively through what's coming are the ones who have protected themselves legally, built explicit board-level accountability structures, and stopped acting as though being technically correct about risk is the same as being protected from consequences. It isn't.
Jordan: Know the difference.
Alex: That's Cleartext for Monday, March 16th. We'll be back tomorrow. If this episode was useful, share it with a peer who needs the signal without the noise. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-16.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.