How AI could help criminals to steal personal data

The latest AI models could be used to steal personal data on a global scale, but there are smaller risks as well.

Wednesday, 17 June, 2026

Over the last few years, an elite group of software companies have been locked in a headlong sprint to see who can develop the most powerful generative AI models.

And while the rate of progress has been quite astonishing, some of the consequences are profoundly alarming.

Recent developments have caused everyone from the Pope to Tony Blair to break cover and issue warnings, while even senior staff at the AI giants have publicly expressed concerns.

Then again, that’s unsurprising when you consider Claude Mythos Preview.

Developed by Anthropic at vast cost, it has effectively been sandboxed by its developer because of its ability to independently identify and exploit software vulnerabilities.

These vulnerabilities might have eluded the finest programmers, but Mythos has found them – potentially damaging or fatally undermining the services, access and devices we all rely on.

Anthropic’s casual declaration of Mythos’s capabilities caused a furore a few weeks ago, particularly after they admitted they’d already shared access with a load of other tech firms.

Despite Mythos apparently being too powerful to release publicly because of the carnage it could wreak, it’s now being used by an estimated 50 organisations – almost all American.

It’s reportedly found high-severity vulnerabilities in every major operating system and web browser it’s explored.

In the wrong hands, Mythos’s power might be existential in scope and scale.

However, while the likes of Microsoft and Cisco play about with Mythos, there are numerous other ways in which today’s (publicly available) AI may be used to steal personal data.

And while consumers have no power over how companies handle the sensitive data we entrust them with on a daily basis, we should maximise our own levels of safety.

How could AI steal personal data?

AI is very good at generating content, so it could manufacture authentic-looking phishing emails which are personalised and sent in their billions to unwitting recipients.

A variation on this might include instant-distribution malware, exploiting antivirus software’s zero-day weaknesses to raid personal file systems or storage.

AI could run brute-force assaults on account login credentials (especially if the hosts aren’t well protected against bots), churning through lists of possible passwords at blistering speed.

Even worse, AI systems are often refined and developed by real people, whose own data might be acquired in what’s known as a model inversion attack.

We won’t get too technical here. Suffice it to say criminals will harvest any personally identifiable information they can, including demographic or biometric data, contact details or bank accounts.

Meanwhile, some foreign states would like to sow as much discord and carnage in western nations as possible.

One or two reportedly employ teams of cybercriminals to crash foreign systems, steal data, corrupt records and destabilise their supposed enemies in any way they can.

We know China is developing its own sophisticated AI tools to compete with Anthropic, OpenAI and ChatGPT, but other hostile states like Russia might be doing likewise.

Unlike Anthropic, they probably wouldn’t sandbox their technology to avoid unleashing digital anarchy.

What should I do about this?

Consumers still need to trust the organisations they provide data to, despite a stream of high-profile hacks and data losses by companies like Ticketmaster and Yahoo.

However, there are some steps we can all take to reduce the likelihood of AI software being able to steal personal data from us.

Although the UK is leading the world in abolishing passwords in favour of biometric identification, strong passwords remain a key safety tool.

Write your passwords down in a notebook which remains inaccessible even if an electronic device is compromised.

Install antivirus software with automatic updates turned on, reset your broadband router’s password, avoid insecure public WiFi networks and always log out of sensitive apps or sites.

Above all, remain vigilant.

If an email sounds suspicious, delete it. If your computer seems slow, report it. If a password is reportedly compromised, change it. And if two-factor authentication is available, use it.

By: Neil Cumins

Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!