This week’s Risk Radar covers a disruptive ransomware attack against a major US payment processor, a widening breach disclosure from a government technology supplier, and new reporting on how threat actors are operationalising AI to improve their tradecraft.
The common thread this week is escalation through dependency. Organisations are being hit not only through their own weaknesses, but through critical service providers and rapidly evolving attacker capability.
BridgePay, a widely used US payment processor and merchant services provider, suffered a ransomware attack this week that forced multiple services offline. At the time of recording, systems remain unavailable, with the company indicating it hopes to restore operations within the week.
No ransomware group has formally claimed responsibility yet, but the operational impact is already significant. When a payment processor goes down, it doesn’t just affect one organisation. It cascades across every merchant and service dependent on that infrastructure.
What this means in practice:
Resilience planning cannot stop at your own perimeter. CISOs need a clear view of which third-party providers are operationally critical and what contingency options exist if they fail. That includes documented fallback procedures, alternative providers where feasible, and tested business continuity plans. If a single vendor outage can halt revenue generation, that is a concentration risk that needs executive visibility.
Conduent, a major US government technology supplier, disclosed a breach in January of last year and later reported in an SEC filing that over 4 million individuals were affected.
This week, new reporting indicates the scale was significantly larger, with more than 15 million individuals in Texas and another 10 million in an additional state reportedly impacted. The incident appears materially broader than initially communicated.
Beyond the breach itself, this highlights a second issue: visibility and transparency. When a supplier’s disclosure evolves months later, downstream organisations may be left reassessing their own exposure long after initial mitigation steps were taken.
What this means in practice:
Supplier risk management cannot rely solely on initial breach notifications. Organisations need clear contractual expectations around disclosure timelines, impact updates, and ongoing communication. Just as importantly, there should be an internal process for reassessing exposure when new information emerges. Waiting passively for perfect information is not a strategy.
Google’s Threat Intelligence Group released a report this week detailing how both nation-state actors and criminal groups are incorporating AI into their operations.
The findings are not surprising. AI is being used to enhance phishing campaigns, refine social engineering content, accelerate code development, and improve operational efficiency. In short, attackers are adopting AI the same way legitimate software companies do: to move faster and scale output.
More notably, the report describes attempts by at least one state actor to exploit the Gemini large language model through what appears to be a distillation-style attack. The objective is to extract knowledge from the model in order to replicate or repurpose it, potentially for use in non-English environments.
What this means in practice:
AI is not introducing entirely new categories of risk, but it is increasing speed and volume. Phishing becomes more convincing. Malware development cycles shorten. Language barriers diminish. Defensive controls must assume higher throughput and more polished social engineering. For organisations building or deploying AI systems, model security and abuse monitoring now form part of the core risk surface.
None of these stories hinge on novel techniques. They reflect scale, dependency, and acceleration.
Ransomware continues to target high-impact service providers because disruption creates leverage. Supplier breaches continue to expand beyond initial estimates because real-world investigations are complex and evolving. AI is being integrated into malicious workflows because it improves efficiency, just as it does in legitimate development environments.
The lesson remains consistent: understand your dependencies, validate your resilience, and reassess risk as new information emerges. Control maturity is measured under stress, not in policy documents.
This is about operational clarity: knowing which vendors you rely on, how you will function without them, how you receive breach intelligence, and how attacker capability is evolving. The fundamentals still apply. The pace is what’s changing.