The TikTok deal finally happened. Headlines declared victory, politicians exhaled, and millions of Americans kept scrolling. The story is reassuring: TikTok is now in U.S. hands, safely divorced from its Chinese parent company, ByteDance. The national security problem, we’re told, has been solved.

That conclusion is comforting—and premature.

In intelligence work, paperwork is easy. Influence is harder to uproot. And when it comes to TikTok, the most valuable assets—data and algorithms—don’t automatically follow congressional intent.

On paper, the shift looks decisive. TikTok has formed a U.S.-based joint venture. ByteDance’s stake is capped just below 20 percent. Enforcement of the 2024 divestment law, long delayed, has finally begun. These steps matter. But they don’t answer the question that put TikTok in Washington’s crosshairs: who has insight into what this platform collects and how it shapes behavior at scale?

That concern explains the rare bipartisan agreement around TikTok. Lawmakers weren’t reacting to dance videos or teenage trends. They were reacting to the quiet accumulation of pattern-of-life data on roughly 170 million Americans—where people go, what they watch, how long they linger. This is the kind of intelligence foreign services spend years trying to assemble. TikTok users hand it over daily.

Congress acted on that risk. The Supreme Court upheld the law. Yet enforcement stalled until delay was no longer possible. That history alone should temper any rush to declare the danger resolved.

Then came the ownership transfer—and an immediate rewrite of TikTok’s privacy policy. The backlash was swift. Users noticed that TikTok had expanded what it says it can collect.

Under its old policy, TikTok claimed it did not collect precise GPS location data from U.S. users. I never fully trusted that assurance. More troubling is that the new, American-controlled TikTok now says it can collect precise location if users allow it. That’s not a city or ZIP code. That’s where you live, where you go every day, sometimes even where you are inside a building. In intelligence terms, that’s valuable data.

The new policy also loosens how TikTok describes its handling of sensitive personal information, including health data, immigration status, and government IDs. Where the old language emphasized necessity, the new version promises compliance with “applicable law.” That may satisfy lawyers. It tells users little about restraint.

Defenders note that other platforms collect similar data. That misses the point. TikTok was scrutinized because of its scale, its reach, and its leverage. Expanding data collection only increases the platform’s strategic value, regardless of who holds the majority stake.

This matters most when considering TikTok’s algorithm. The company says its U.S. entity will retrain and update the recommendation engine using American user data. That sounds reassuring. It remains opaque. Algorithms decide what is amplified, what is buried, and what disappears altogether.

Recent events offered a reminder of how fragile that system is. A power outage at an Oracle data center triggered a cascading failure that disrupted users’ “For You” pages. Oracle, which hosts TikTok’s U.S. data and owns a significant stake, blamed weather-related power issues—and given the storm, that explanation is plausible.

Still, intelligence professionals study stress tests. When an algorithm breaks loudly, users notice. When it shifts quietly, they don’t.

As for China’s ability to exert influence: even capped below 20 percent, control is not required. Influence flows from access, insight, and time. Firewalls are promises until they are independently verified and enforced.

TikTok may be trying to prove it has changed. But in national security, trust must be earned. Anyone convinced the risk has been sidelined hasn’t spent much time watching how espionage actually works.

In my experience, the most effective operations are the ones that convince you the danger has already passed.

Years ago, when I worked in Silver Spring, Maryland, one of my daily escapes was Panera. Midday walk. Cup of coffee. Cup of soup in a bread bowl. For twenty minutes, the world slowed down. No meetings. No cases. Just soup, caffeine, and a small illusion of control.

Fast forward, and Panera is back in the news—for reasons far less comforting.

Panera Bread was reportedly hit by a significant data breach that exposed roughly 14 million customer records. According to reporting, the notorious hacking group ShinyHunters claims it accessed Panera’s systems through a compromised Microsoft Entra single sign-on (SSO) account. The stolen data allegedly includes names, email addresses, phone numbers, postal addresses, and account details—about 760 MB of it, quietly exfiltrated.

This attack appears linked to a broader campaign targeting Okta, Microsoft, and Google single sign on (SSO) systems using voice phishing—deceiving employees to hand over authentication codes over the phone. Panera joins a growing list of companies caught this way, including Betterment and Crunchbase.

What makes this breach unsettling isn’t technical sophistication. It’s the opposite. Modern cybercriminals aren’t hacking machines with lines of code—they’re running espionage-style operations against people. A phone call. A convincing voice. A moment of trust exploited.

It’s faster than writing malware. Cheaper than ransomware. And it doesn’t rely on a single line of code. When criminals can talk their way past security controls, no firewall in the world can save you.

When a crisis hits and your spouse or partner isn’t available to tell you the login to critical accounts—banking, investments, primary email, social media, even Netflix or Amazon Prime—you need a backup plan. Emergencies are the worst time to discover you don’t have one.

Here are secure, practical ways to do it—without creating new risks:

Bottom line: encrypt everything, limit access, and plan ahead. Convenience is the enemy of security, especially in a crisis.

Please Leave a 5-star review on Amazon or on Goodreads.

🎤  I’m on the road doing speaking events. If your company or organization is interested in bringing me to a stage in 2026, book me to speak at your next event.

If you’ve ever paused at an email, login alert, or message and thought, “Could this happen to me?”—my Linkedin Learning course is for you! Login and start learning here.

Picture this: the CEO of WD-40 is escorted into a bank vault in California. Not a server room. Not a lab. A literal vault. Heavy doors. Controlled access. Silence. It’s the kind of moment that feels less like corporate governance and more like Harry Potter being shown his vault at Gringotts—solemn, guarded, and a little surreal.

Inside is a single, handwritten document: the original WD-40 formula.

More than 70 years old, it remains one of the best-kept trade secrets in American business. Almost no one has seen it. Most employees never will. Even chemists who work on the product don’t know the full recipe. The company deliberately never patented it, knowing patents expire and secrets don’t—if you protect them properly.

According to a recent Wall Street Journal report, the formula is kept in an undisclosed California bank, removed only on rare occasions and viewed by a tiny, trusted circle. For everyone else, access is segmented, partial, and intentional. No single person holds the whole picture.

In an age obsessed with cloud storage and zero-trust networks, WD-40’s most valuable technology is protected the old-fashioned way: physical security, human limits, and secrecy by design.

Sometimes the smartest cybersecurity strategy isn’t digital at all.

ChatGPT is a superpower if you know how to use it correctly.

Discover how HubSpot's guide to AI can elevate both your productivity and creativity to get more things done.

Learn to automate tasks, enhance decision-making, and foster innovation with the power of AI.

Download the free guide

Don’t miss a newsletter! Subscribe to Spies, Lies & Cybercrime for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive, totally secure.