The insider threat that cybersecurity teams train for just became real — and the target was one of the most guarded pieces of technology in consumer electronics: Google’s Tensor processor, the custom silicon inside every Pixel phone.

The U.S. Department of Justice has indicted three people — two sisters who worked at Google and the husband of one of them — for an alleged scheme to systematically steal trade secrets from Google and at least two other major tech companies, and transfer them to unauthorized locations, including Iran.

The defendants: Samaneh Ghandali, 41, a former Google engineer; her husband Mohammadjavad Khosravi, 40; and her sister Soroor Ghandali, 32, also a former Google engineer. All three are Iranian nationals who were living in San Jose. All three were arrested on Thursday and appeared in federal district court the same day.

The Anatomy of the Scheme

This wasn’t a sophisticated cyberattack from the outside. It was patient, methodical betrayal from the inside — and the operational security the defendants used makes it more alarming, not less.

The exfiltration method: Both sisters used their legitimate employee access at Google to pull hundreds of files — including trade secrets related to processor security, cryptography, and chip architecture — and transferred them to a third-party communications platform. The channels they used were named after each defendant’s first name.

The cover-up: When Google’s internal security systems flagged Samaneh Ghandali’s activity in August 2023 and revoked her access, she signed a sworn affidavit claiming she had never shared Google’s confidential information with anyone outside the company. She had.

The analogue workaround: After digital channels were closed off, the defendants pivoted. Rather than electronically transferring files — which would leave a clear forensic trail — they manually photographed computer screens containing trade secret documents with their phones. The night before the couple traveled to Iran in December 2023, Samaneh allegedly photographed approximately 24 screens of her husband’s work computer, which contained trade secrets from his employer. Those photographs were later accessed from a device associated with her — in Iran.

The cleanup attempt: The defendants searched online for how to delete communications and how long cellular providers retain messages. They then destroyed exfiltrated files from their electronic devices.

Why This Case Matters Beyond the Headlines

The Ghandali case doesn’t exist in isolation. Less than a month ago, former Google engineer Linwei Ding was convicted for stealing thousands of Google’s confidential AI documents to build a startup in China. Now this.

Two separate insider theft cases. Two different nation-state destinations. Both targeting Google’s most strategically sensitive technologies.

The pattern forces a hard question: If Google — with its world-class security team, internal monitoring systems, and vast resources — can have trade secrets photographed off a screen and walked to Iran, what does that mean for everyone else?

The answer is uncomfortable. Google’s systems did detect Samaneh Ghandali’s digital exfiltration. What they couldn’t fully prevent was the human workaround — the pivot to photographing screens, the signed false affidavit, the physical transport. No DLP system catches a phone camera aimed at a monitor.

The Charges and What’s at Stake

Each defendant faces up to 10 years per count of trade secret theft and up to 20 years for the obstruction of justice charge, plus a $250,000 fine per count.

The trade secrets at the center of this case — Tensor processor security architecture and cryptographic implementations — are not abstract intellectual property. They are the technical foundation of how Google secures its hardware at the silicon level. In the wrong hands, that knowledge could inform attacks on Pixel devices at scale, or accelerate a foreign nation’s semiconductor development program.

CodeAIntel Insight: The analog pivot is the most chilling detail in this indictment. These defendants got caught digitally — and responded by picking up a phone and photographing screens. That is a threat vector that lives entirely outside the reach of most enterprise DLP, CASB, and endpoint monitoring tools. The lesson for security leaders: insider threat programs can’t stop at the network edge. Physical data exfiltration — cameras, printed documents, verbal disclosure — requires a different detection model entirely. The fact that a signed false affidavit almost worked as a cover story suggests the human element of your insider threat program matters as much as the technical one. Who is reviewing those exit certifications? Who is cross-referencing them against behavioral anomalies?

Sources:

https://www.courtlistener.com/docket/72303995/united-states-v-ghandali-etal/

The Hacker News

PayPal has disclosed a data breach that is, in many ways, more alarming than a headline-grabbing hack. There was no sophisticated adversary. No nation-state exploit. No dark web auction. Just a software bug in a loan application that quietly exposed the sensitive personal information of small business customers for nearly six months before anyone noticed.

The affected product is PayPal Working Capital (PPWC) — a financing tool designed to give small businesses fast access to cash. The window of exposure: July 1 to December 13, 2025. PayPal discovered the issue on December 12th and reversed the faulty code change the following day. The data left in the wind: names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.

For the people affected, that is essentially the full identity theft starter pack.

The Anatomy of the Exposure

This wasn’t a smash-and-grab. It was a door left quietly ajar.

• The Root Cause: An error introduced through a code change made the PII of a “small number” of PPWC customers visible to unauthorized parties.

• The Duration: 165 days. Five and a half months of exposure before PayPal’s own systems flagged it.

• The Damage: PayPal confirmed unauthorized transactions occurred on a subset of affected accounts as a direct result of the incident and has issued refunds to those customers.

• The Response: The faulty code was rolled back within 24 hours of discovery. Affected users are being offered two years of free three-bureau credit monitoring and identity restoration services through Equifax, with enrollment required by June 30, 2026.

PayPal stated it has not delayed notification due to a law enforcement investigation — which is notable, suggesting no criminal referral is currently in play.

This Is Not PayPal’s First Rodeo

Context matters here. This breach doesn’t exist in a vacuum.

In December 2022, PayPal suffered a large-scale credential stuffing attack exposing roughly 35,000 accounts — including Social Security numbers and tax identification data. That incident eventually cost the company a $2 million settlement with the New York State Department of Financial Services in January 2025 for failing to comply with cybersecurity regulations. The DFS found that PayPal lacked proper CAPTCHA protections, rate limiting, and mandatory multi-factor authentication at the time.

Now, less than a year after that settlement was announced, PayPal is back in breach territory — this time not from an external attacker exploiting weak controls, but from an internal code change that bypassed its own data protection framework.

The pattern is hard to ignore: PayPal keeps putting sensitive data at risk through process failures, not just external threats.

What Small Business Owners Need to Do Now

If you use or have used PayPal Working Capital, treat this as a confirmed identity risk:

• Enroll immediately in the Equifax credit monitoring offer PayPal is providing. Do not wait.

• Place a fraud alert or credit freeze with all three bureaus (Equifax, Experian, TransUnion) if you want to go further.

• Monitor your business and personal accounts for unauthorized transactions — PayPal has already confirmed some accounts were fraudulently accessed.

• Watch for follow-on phishing. Attackers who obtained this data now have everything they need to craft highly convincing impersonation attempts. PayPal will never ask for your password, one-time codes, or authentication credentials via phone, text, or email.

• File with the FTC at IdentityTheft.gov if you believe your Social Security number has been misused.

CodeAIntel Insight: The 165-day exposure window is the real story here. Modern breach detection should catch anomalous data access in hours or days — not months. The fact that a code-level error in a loan application could silently expose Social Security numbers for five and a half months points to a deeper problem: insufficient data-access monitoring at the application layer. For enterprises, the lesson is not “don’t write buggy code” — that’s a given. The lesson is: if sensitive PII is being touched by any application, you need runtime visibility into who is accessing it, when, and whether that access pattern looks normal. PayPal didn’t have that. Do you?

Sources:

https://www.bleepingcomputer.com/news/security/paypal-discloses-data-breach-exposing-users-personal-information/

https://www.documentcloud.org/documents/27345193-paypal-february-2026-breach-notification/