Threats Without Borders - Issue 294
Cybersecurity Investigation Newsletter, week ending July 5, 2026
Every company that’s sustained a data breach, or worse, had a vendor lose customer data on their behalf, eventually meets the same angry customer. It might be weeks, months, or years later, but the accusation is always the same.
I’m a victim of identity theft. You lost my data. This is your fault.
In their mind, it’s simple. A to B. Cause and effect.
William of Ockham laid out the logic back in the 14th century. You know it as Occam’s razor: the simplest explanation is usually the right one. So the company with the most recent breach must be the cause of Jane’s identity theft crisis. Of course, it’s so simple.
Except probably not.
Let me introduce you to Dr. John Hickam. In medicine, Occam’s razor tells doctors to look for one diagnosis that explains all the symptoms. Hickam pushed back and declared that a “patient can have as many diseases as they damn well please”. Multiple symptoms don’t require a single cause; they might just mean multiple things are wrong at once.
Maybe the comparison between disease and identity theft isn’t the best, but the theory transfers cleanly. We’ve all lived through so many breaches, across so many companies, that most of us have PII scattered across the internet and the dark web several times over. When Jane’s identity gets used, the cause might not be any single breach. It might be all of them, or one nobody’s found yet.
Of course, Hickam’s dictum is not a liability shield. You can’t say “sure we lost your data, but so did six other companies, so technically it’s not our fault.” That’s hardly taking responsibility its hiding behind statistics. If your breach exposed something unique such as an account number, a specific internal identifier, something that shows up nowhere else and that exact detail turns up in the fraud, then William of Ockham was right all along.
Hickam’s dictum applies in just about everything else. The ones where five different breaches all exposed the same email, social security number, and phone number, and there’s no way to trace which leak was actually used. That’s when multiple causes are not just possible, they’re probable.
People without investigative training tend to follow Occam’s razor. Those with experience know that attribution is hard and that most patients... have a lot of disease.
The News
“For more than a decade, EagleBank knowingly allowed favored clients to operate a check kiting scheme, even as compliance personnel repeatedly tried to stop it,” Ah, yeah, thats not something you want to hear a U.S. Attorney say about your business. EagleBank agreed to pay over $9.7 million to resolve a Justice Department investigation into violations of the Bank Secrecy Act. The bank admitted to willfully failing to establish an anti-money laundering program and to allowing a check-kiting scheme to persist for over a decade. https://www.justice.gov/opa/pr/eaglebank-agrees-pay-more-97-million-resolve-bank-secrecy-act-investigation
Snapchat holds significant account data and metadata, generating content through proper processes despite its temporary design. The key difficulty is obtaining the correct data from the right source within the limited window before it disappears. https://lucidtruthtechnologies.com/snapchat-evidence-subpoena/
I believe the SCOTUS got this correct. Location data from a third party is protected by the Fourth Amendment. In the case Chatrie V. United States, the Supreme Court ruled that “geofence warrants” are a constitutional “search” under the Fourth Amendment. https://reason.com/2026/06/29/in-big-win-for-fourth-amendment-advocates-the-supreme-court-says-geofence-warrants-count-as-a-search/
End-to-end encryption means the data is secure while in transit. That protection ends once its unencrypted on the device. Something some anti-ICE agitators learned the hard way. https://theintercept.com/2026/06/17/signal-messages-minneapolis-ice-protests/
iOS 27’s new Trust Insights feature claims to protect users from scams by analyzing interaction patterns, timing, context, and sensor data. If suspicious activity is detected, the feature will flag it, slow down the process, or require additional verification before allowing actions like payments. https://www.cultofmac.com/news/ios-27-trust-insights-feature
"For nearly four years, Le Van Hung oversaw an operation that stole the identities of thousands of Americans for use in a sprawling money laundering conspiracy," said United States Attorney Jay Clayton. https://thefederalnewswire.com/vietnamese-national-pleads-guilty-in-67-million-identity-theft-and-money-laundering-case
Feedback
“Matt, I just read your explanation of how attackers are using traffic distribution systems and want to thank you for the effort you put into the email each week. When most people are just creating noise, you add value.” - Ken.
Send Feedback to matt(at)threatswithoutborders.com
Training and Events
IAFCI International Conference: August 25-27, 2026, Nashville, Tennessee https://iafci.connectedcommunity.org/event-home/registration-page
Cool Jobs
Dream job alert: Head of Fraud Intelligence, SentiLink. https://jobs.ashbyhq.com/sentilink/3aa87c92-1dfa-4959-ad79-c87ec55f4b4c
Cool Tools
Check your files and URLs through a free malware analysis service from Crowdstrike. https://hybrid-analysis.com/
Irrelevant
Sign Off
In response to the forecast of storms over the Fourth of July weekend, I repeatedly mentioned, “Yeah, but we really could use a good soaker.” When the rain finally arrived, it was no doubt a soaker. My region received about 4 to 5 inches of rain in just one hour. Such a large amount of water in a short period, especially over a small area, is an uncontrollable force. These storms affected a broad area across the mid-Atlantic and northeast. I pray everyone is able to recover from the impact.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.


Thanks for your post, https://www.threatswithoutborders.com/p/threats-without-borders-issue-294/
FWIW, the comparison between disease and identity theft works well enough. There's a danger in only fixing the blame on technical (operational) failure. One could argue that operational failure is itself a symptom of a different disease: lack of accountability. Most orgs only spend on secure operations what is necessary to satisfy a nominal risk tolerance (which includes liability, which is itself typically a low risk proposition). "We meet the industry recommended practice" may be a defensible argument but if you can fall back on this, what's the incentive or motivation to do better?