Smashing Security podcast #461: This man hid $400 million in a fishing rod. Then it vanished

Hacking stories and cybersecurity insights.

Graham Cluley

A cannabis-growing, beekeeping, gyrocopter-flying Irishman invested his drug money in Bitcoin back in 2011 – and now sits on a fortune worth $400 million. There’s just one small problem: the access codes were tucked inside his fishing rod case, which has mysteriously vanished. Or has it? Because this week, one of his frozen wallets suddenly woke up and moved $35 million – and someone had to identify themselves to do it.

Meanwhile, Ajax Football Club scores a spectacular cyber own-goal, as a data breach that the club claimed affected “a few hundred” fans may actually have exposed the personal details of 300,000 supporters – along with the ability to steal match tickets and quietly remove people from the stadium ban list.

All this and more in episode 461 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, joined this week by special guest Danny Palmer.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Imagine that you were a fan and you had this hacking access. Could you not add to the list of banned people who aren't allowed to the stadium the strikers for Ajax? And so they would not be able to compete.

Danny Palmer

That is a very cunning plan.

Graham Cluley

That's what I do.

Danny Palmer

That's what I do.

Unknown

Smashing Security, Episode 461.

Danny Palmer

This man hid $400 million in a fishing rod.

Unknown

Then it vanished. With Graham Cluley and special guest Danny Palmer.

Graham Cluley

Hello, hello, and welcome to Smashing Security, Episode 461. My name's Graham Cluley.

Danny Palmer

And I'm Danny Palmer.

Graham Cluley

Danny, great to have you back on the show. Now, of course, last week was the RSA conference in San Francisco. Now, I know you weren't out there, but as a cybersecurity reporter, you're probably having to churn out a few words regarding that.

Danny Palmer

Well, I was actually on leave last week and I came back and my inbox was extremely full of emails about RSA, which was, yeah, there's a lot of those to get through, a lot of announcements, a lot of thoughts people are having, some interesting things in there, some less so, let's say, is a lot of your sort of standard sort of, our product is the greatest ever thing. But, no, it's really interesting to see what people are talking about in the industry. There's always so many things happening, especially in 2026. It's all go.

Graham Cluley

What do you think are the big themes which are coming out in 2026 so far?

Danny Palmer

I did see the story I found very interesting from RSA where the UK National Cybersecurity Centre was talking about security around agentic AI and saying how, ooh, actually, lads, you know, people making these systems, you should probably put a bit more thought into making sure these can't be hacked or exploited. Personally, I'm not entirely 100% sure that organizations making this stuff have that in mind. We've seen it so many times over the years. Remember when IoT was first a big major thing? And then it seemed every day there was, here's your new fancy IoT connected electric toothbrush. Next day, your IoT connected toothbrush has been hacked.

Graham Cluley

It's going to happen with AI and agentic AI as well, isn't it? Because so many companies are going to be trying to embed AI into things and quite often the stuff which they're producing may itself be vibe-coded, so they don't really understand the code that they've written. And it may have vulnerabilities and flaws which could cause all kinds of problems.

Danny Palmer

Future's great, isn't it?

Graham Cluley

Well, before we kick off, let's thank this week's wonderful sponsors, Meter, Action1, and Vanta. We'll be hearing more about them later on in the podcast. This week on Smashing Security. We won't be talking about how Iranian hackers leaked the personal emails of FBI Director Kash Patel. You'll hear no discussion of how a new study claims that Windows PCs remain unpatched for longer and crash 3 times more often in enterprise environments compared to Apple Macs. And we won't even mention how a man has accused his former wife of stealing $176 million worth of cryptocurrency by using a CCTV camera to record his password. So Danny, what are you going to be talking about this week?

Danny Palmer

I'm going to be talking about an own goal at a major football team which has allowed hackers to access personal data of hundreds of thousands of supporters.

Graham Cluley

And I'm going to be phishing, and unusually for this podcast, that's with an F, not with a PH, for a long-lost bitcoin fortune. All this and much more coming up in this episode of Smashing Security. Well, we've got time now to chat about one of the sponsors of this week's show, Action1. Now then, if you are a systems administrator managing endpoints every day, you've probably postponed patching at least once, not because you forgot, but because you didn't feel like gambling with uptime.

Joe

Meanwhile, the backlog grows, vulnerabilities pile up, and patching stays stuck in manual mode.

Graham Cluley

Well, Action1 fixes that. Action1 is a cloud-native patch management platform for Windows, macOS, Linux, and third-party apps, all from one place. No VPN needed.

Joe

Curious on how easy it is to start with Action1? Well, you can use it on your first 200 endpoints for free forever with no functional limits.

Graham Cluley

First 200 endpoints for free forever. That's bonkers. Incredible, Joe.

Joe

So if you're looking to automate patching at scale and get weeks, even months of your time back, go to smashingsecurity.com/action1 and sign up for patching that just works.

Graham Cluley

That's right. It's not a disguised free trial. There's no credit card required. There's no hidden limits. All you have to do is visit smashingsecurity.com/action1 and get started today. And thanks to Action1 for supporting the show. And also, thank you, Joe, for helping me with the ad.

Joe

You're welcome.

Graham Cluley

Now, chums, chums, let me tell you about somebody called Clifton Collins. That's quite a cool name, isn't it, Clifton Collins?

Danny Palmer

It is. It is a good name. It does sound like something you'd get in a crime novel, to be honest.

Graham Cluley

Well, yes, he may have a slight connection with crime, as we'll find out. He's a man of many talents. He is a beekeeper, an apiarist, I believe they're called, aren't they? He's an award-winning beekeeper, no less. His honey won a prize at the 2017 Galway County Show, my research discovered.

Danny Palmer

That sounds highly prestigious, that does.

Graham Cluley

Doesn't it? Yeah, so he's a master honey maker, I would say. He's also a security guard. He's a licensed pilot. He even bought himself a two-seater plane, you know, like you do. I mean, when I heard about this, I looked into what kind of plane or gyrocopter or whatever it was that he— Do you have— Did you ever see that James Bond movie, You Only Live Twice?

Danny Palmer

I think I must have at some point. No, it's bound to be on ITV4 at some point.

Graham Cluley

It's the one with Little Nelly, which is where Sean Connery has got this one-seater helicopter, and he's sort of buzzing around. This was a real gyrocopter, which they created back in the early '70s or late '60s. And anyway, it looks like this guy, Clifton Collins, he has one of them, but for two people. So it's just like a tiny little thing which buzzes. I mean, it's fantastic if you like that kind of thing.

Danny Palmer

Does he use that to deliver his honey then, or?

Graham Cluley

Well, maybe not the honey. Because it turns out he's also into delivering and dealing in something else, which is drugs.

Danny Palmer

Oh, that's not as fun as honey.

Graham Cluley

Yeah. So for 12 years, Clifton was quietly growing cannabis in Ireland, which isn't legal, of course, in Ireland. And he was selling it on for a tidy profit. And, you know, being an enterprising sort of chap, he didn't just stuff the cash into a building society or under his mattress. In 2011, Clifton made possibly the wisest financial decision any criminal has ever made because he invested his cash in this brand newfangled thing called bitcoin.

Danny Palmer

Oh, I think I've heard of that, yeah.

Graham Cluley

Yeah, right. So at the time, he could buy a bitcoin for between £1 and £31.

Danny Palmer

$1,000.

Graham Cluley

Yeah. You can see where this is going. Now, he bought 6,000 bitcoins with this.

Danny Palmer

That's quite a hefty sum even then, but now, oh wow.

Graham Cluley

At the moment, that is worth in the region of $400 million, making him one of the richest people in Ireland.

Danny Palmer

He doesn't really need his jobs then, does he?

Graham Cluley

You would think not, wouldn't you? You would think not. There he's going to be pretty high up on the Irish rich list if he declares his income and his savings. He's going to be above the Woggans. He's going to be above the Graham Nortons, above the guy who owns Ryanair. He's doing jolly well for himself. And, well, Danny, what would you do if you had 6,000 bitcoins worth $400 million?

Danny Palmer

Well, for a start, I wish I had that many bitcoins. It's one of those things that people always say this, but I've always had a powerful gaming computer. You know, even when I was sort of younger, I always made sure I had a bit of money to spend on one of those. It's like, yeah, maybe if I found out about this bitcoin thing in 2010 and used that back then, I'd be thinking about this problem in reality. But I think if I had 6,000 bitcoins worth $400 billion, I'd want to store them somewhere very safely in order so they couldn't be nicked. I'd probably buy myself one or two nice things, right? Maybe a gyrocopter, maybe not.

Graham Cluley

Maybe a gyrocopter, maybe a pot of award-winning honey. As well, who knows, or some prize bees to improve your beekeeping colony. Well, what Clifton did, and kudos to him for doing this, was he spread the risk around. He created 12 separate wallets and distributed his 6,000 coins evenly across them. So 500 bitcoins in each. So he was obviously thinking, you know, if I get hacked or if I'm careless, at least I haven't lost everything.

Danny Palmer

Yeah, that's some clever planning.

Graham Cluley

Yeah, because the last thing you want is some lowlife criminal stealing all of your bitcoin. Now, of course, the thing is each of these 12 wallets has an access code, right? Like the seed phrase. So you can access it. And if you lose the code, you can't access the bitcoin. It would mean it's gone forever, you know. Oh, that'd be galling, wouldn't it? Losing $400 million forever. I mean, it would hurt. It's going to smart. It's going to smart a little bit. You could have a little bit of a chip on your shoulder.

Danny Palmer

You'd probably feel a bit bitter about that sort of thing.

Graham Cluley

So Danny, where would you keep the access codes to your bitcoin fortune? I'm going to assume you do have a secret bitcoin fortune, which you're not announcing on the podcast now.

Danny Palmer

Well, where would I hide something?

Graham Cluley

And are you prepared to tell us here on Smashing Security?

Danny Palmer

That's the thing though, hopefully, you know, I don't think I've anything in particular that anyone would want to come and nick, to be honest. But I suppose that I've got a very nice bookshelf. I could sort of hide some bits of paper in between some books there, or maybe cut out into a book there. Oh, that's very fancy.

Graham Cluley

I've got books.

Danny Palmer

Boxes of old comic books. You could shove it in there.

Graham Cluley

Just as long as no one takes them down to the charity shop one day.

Danny Palmer

Yes. No, I think I'll be all right with that. But problem is, though, with the classic thing, I will forget where I've put it. And it will be gone forever in that case.

Graham Cluley

Well, what Clifton Collins did is he printed out all 12 access codes to his different wallets. He put them on a piece of A4 paper. And he folded it up very neatly, nice and small, and he tucked it inside the aluminium cap of his fishing rod case. Did I mention he was also into fishing?

Danny Palmer

I don't think — I'm not sure if that's come up, but—

Graham Cluley

He loves fishing. It's his hobby. It's his way of unwinding, possibly with a jazz cigarette. This is what he likes to do.

Danny Palmer

It's already giving me— it's very clever. I remember— no, this is an exciting tale. Many years ago, I was on a trip in the Peak District and went to the Keswick Pencil Museum. And they used to hide notes inside pencils.

Graham Cluley

Oh, what sort of note would they hide inside a pencil?

Danny Palmer

Oh, this was sort of during World War II, so sort of spycraft and that sort of thing. They used to basically hollow out the pencils and get paper that was so thin it could be rolled up and shoved in there.

Graham Cluley

Oh, okay. That makes some sense. I was thinking you were saying something like, "Help, I'm trapped inside a pencil factory." "Help, I'm trapped inside the pencil museum." No, no.

Danny Palmer

No, good day out. Well, I say good day, good hour out in our Lake District today in the village.

Graham Cluley

Anyway, this chap Clifton, he's got his bees, he's got his little gyrocopter, he's got his cannabis empire, he has $400 million. I think it's rather lovely. What he likes to do at the end of a long week is reach for his fishing rod. And maybe there's a lesson for all of us there.

Danny Palmer

Get out there, get offline, touch grass, as the kids say, I believe.

Graham Cluley

Yeah. It's idyllic. It's idyllic. Fast forward a few years, and Clifton's out and about. It's the early hours of the morning. He's driving around in his Lexus 4x4. And in the middle of nowhere, the police stop his car. They think he's acting suspiciously. It's like, why are you out in the middle of nowhere at half past 3?

Danny Palmer

Huh.

Graham Cluley

And so they stop him, they search the car, and they find cannabis worth about £1,600. And they think, well, hang on, this isn't for your personal consumption, is it?

Danny Palmer

I'm no expert, but that does sound like it would be more than a personal amount.

Graham Cluley

And they investigate some more. And of course, they discover that he is a serious dealer. They arrest him, they search his house, they find the pellet gun that he owns, a stun gun. Over 500 cannabis plants worth £330,000. So the question is, Danny, what do the police do about that bitcoin fortune?

Danny Palmer

So I've got a question here as well. So, with all this money laying in the bank, he's still being, I suppose you could say, entrepreneurial, if you want to put it that way.

Graham Cluley

Yes.

Danny Palmer

With this selling of the cannabis, because you think, you know, he wouldn't have to put that work in, but—

Graham Cluley

I wonder this about Jeff Bezos and Elon Musk and all these other billionaires. You know, just, well, why do you keep doing this? Haven't you done enough? Can you not just go and chill out and go fishing? What more do you need?

Danny Palmer

It seems this has come back to bite him in the behind, so to speak. Yes. So the police, they find out about this bitcoin, I presume.

Graham Cluley

Yeah, yeah, they do. And they seize the wallets. But what they can't do is they can't unlock them because the codes, as Clifton explained to them, he says, well, I've put it in my fishing rod case. And he says the fishing rod case has vanished.

Danny Palmer

Well, that's, that's convenient. That is.

Graham Cluley

Yeah. And we actually talked about this in a previous episode of Smashing Security. I think it's episode 167 in the archives. 5 years ago, we talked about this and the police couldn't get hold of this fishing rod case. And his story was that shortly after his arrest, someone broke into his home and various things got stolen from his house, including his fishing tackle.

Danny Palmer

Ah, so that is interesting. It's either very unfortunate or very convenient.

Graham Cluley

Convenient.

Danny Palmer

But was he plastered in the news saying, this bloke has been arrested, and someone goes, hey, I know that guy. He's got bitcoin at home. I'm going to go over there and have a look myself.

Graham Cluley

Or simply, that guy's been arrested. I remember he had a really lovely fishing rod. But it's not just that. It's not just this burglary story, because also apparently, according to Clifton Collins, when this guy was sent to prison, his landlord thought, what am I going to do with all the remaining belongings lying around in the house? I'll nip round and pinch it. And so he took them down to the dump in County Galway. So it could be someone else in the town, couldn't it?

Danny Palmer

That's— well, I suppose if he is no longer fulfilling a tenancy, I suppose the landlord has the right to do that. My second question is, if we had that much money lying around, why are you spending it on rent when you could— you wouldn't even need a mortgage. A fishing enthusiast of Galway, yeah. You could go over with your briefcase and hand it over.

Graham Cluley

I think what you're saying is logical, but I'm also thinking I've never been a multimillionaire drug dealer.

Danny Palmer

That we know of.

Graham Cluley

As far as I've ever known. But I'm imagining that if I wanted somewhere fairly palatial and luxurious, which would cost me a lot to buy, I would have to go through various money laundering tests to make sure, where have you got that money from, Cluley? Whereas if I have a landlord and it's, here's some cash, mate, I'll stay here another month.

Danny Palmer

Yeah, no, that is fair enough. Yeah, yes.

Graham Cluley

If there are any criminals out there who are listening to the podcast, please let us know what you do about these situations. Anyway, apparently the landlord has taken all this stuff to the dump. Now, there is a famous story about this guy. I think he threw out a hard drive or something. Do you remember this?

Danny Palmer

Guy from Newport. Yeah, he turns up in the news every couple of years.

Graham Cluley

Yes.

Danny Palmer

There's some new zany scheme in order to find this USB drive in a dump in Newport.

Graham Cluley

That's right. He's desperate to go and do it. It's, can I buy the entire dump? Can I share the proceeds with the local town? He hasn't been given permission to do it. Anyway, it's a different story from that. But the problem is that unlike that dump in Newport, with this particular waste disposal place, it isn't just sitting around waiting to be sifted through by detectives. Their waste gets shipped to Germany or China to be incinerated.

Danny Palmer

Oh.

Graham Cluley

Yeah, so here's my question for you, Danny. Do you believe Clifton when he says his codes were taken to the dump?

Danny Palmer

I have to say, I'd be somewhat suspicious. Yeah. I mean, let's be honest, criminals are not the most trustworthy individuals in the world. So I think he might be telling some porky pies, maybe.

Graham Cluley

You are a cynical, sceptical cybercrime journalist.

Danny Palmer

Yeah, I'm a miserable hack. Yeah.

Graham Cluley

Well, amazingly, the police did actually believe him. And as a consequence, the wallets weren't touched. The digital currency stayed there. He went to prison. The bitcoin sat there frozen. Nobody could get near. And for years and years, that was the story. And as I said, we did talk about this five years ago in the podcast. And it's a cautionary tale, really, of how lost codes, incinerated ashes, $400 million go whoompf because of a fishing rod which has been burgled, an overly tidy landlord, and that's the end of the story, really, Danny.

Danny Palmer

But he cast the characters involved.

Graham Cluley

Yeah, yeah. Oh, sorry, did I say that's the end of the story?

Danny Palmer

There's more.

Graham Cluley

There's more! Because there has been a twist.

Danny Palmer

Ah.

Graham Cluley

Because this week, and the reason why I'm returning to this story, is that one of Clifton's supposed dead cryptocurrency wallets has woken up.

Danny Palmer

Interesting.

Graham Cluley

$35 million worth of bitcoin. So not the full amount, but certainly quite a bit.

Danny Palmer

It's better than a poke in the eye.

Graham Cluley

Yes, it has been spotted moving out of one of his wallets where it has just sat there. People have been watching it, basically. And it's moved into something called a Coinbase custody address. Do you know what a Coinbase custody address is?

Danny Palmer

Yeah, I believe this is a thing that's used by sort of rather, let's say affluent individuals with a lot of bitcoin laying around.

Graham Cluley

That's right. So if you've got a serious amount of cryptocurrency, if you're a government or a hedge fund or a serious financial player, this is a sort of high security vault where you would put it. So it's not where you put your bitcoin if you're trying to quietly disappear to a South American beach or something. So it's regulated, it's auditable, and you can't deposit $35 million worth into one anonymously.

Danny Palmer

Huh. That makes sense. Yeah.

Graham Cluley

Yeah. So whoever moved that money had to identify themselves. There's going to be a paper trail, which means either someone in Germany or China who was running the incineration took a shine to the fishing rod and think, I'll keep that, and has just discovered this. Or something rather more interesting is going on. So, I think there's a couple of theories about what has happened here.

Danny Palmer

I just find this, this is the most interesting fishing rod in the world, it turns out. It's a global player in its own right, you know? Ireland, Germany, China.

Graham Cluley

So, the first theory, it's a relatively boring one, is that law enforcement have got there. Somehow or other, they have got into this wallet. And yes, it turns out the Irish police have confirmed this week that they have seized around about €30 million worth of cryptocurrency. They specifically mentioned 500 bitcoins, which you remember was the amount which he was keeping in each wallet. And if that's what's happened, it's a good result for the cops. Now, they haven't said in what case it is related to, so we don't know it's related to this, but it's a possibility.

Danny Palmer

Yeah, there might be a few people with 500 bitcoin wallets in Ireland.

Graham Cluley

But there is, of course, inevitably rampant speculation that other things could be going on. So one theory that some people have posited is that Collins has done his time. He's out of prison.

Danny Palmer

Of course.

Graham Cluley

And maybe his fishing rod story was a little bit creative, you know, retelling of the events. Maybe he did have a second copy of the codes. Maybe he sat in his cell and thought, you know, 'If I tell them it's all gone to the dump or it's all been lost, they'll stop looking.' And some people are speculating about that. I don't know if it's true, but—

Danny Palmer

It could be there's no fishing rod at all.

Graham Cluley

Yeah, maybe there was never a fishing rod in the first place. And then of course there's theory number 3, which was the burglary.

Danny Palmer

Of course, yeah, back to the conveniently timed intruder.

Graham Cluley

Because it happened so soon after this guy was arrested. You know, what if word got to some fellow conspirator? What if someone knew because they were told or because they worked it out that there could be those secret codes hidden in that fishing rod case worth $400 million? We don't know what to believe, but it's fascinating. If nothing else, I now know, Danny, to raid your classic comic collection.

Danny Palmer

Can I see my collection of Doctor Who? Well, you'd make off with the whole lot in any case.

Graham Cluley

I would, yes. If you've got some old copies of Doctor Who Monthly, yes, I'll have those. Okey dokey, a little bit of time now to talk about Meter, who are one of our sponsors this week.

Joe

What does this one do?

Graham Cluley

They set up your office network so you don't have to.

Joe

That's it?

Graham Cluley

Yeah, well, pretty much. Yeah, that's it. You know when you move into a new office and suddenly you're juggling ISPs and floor plans and hardware and configuration? It basically becomes a second job, doesn't it?

Joe

Yes, I know this one. It's when the contractor turns up on the wrong day or at the wrong address and tries to install the wrong thing.

Graham Cluley

That's the one, yeah. Well, meet Meter. What if that just wasn't your problem?

Joe

I'm listening.

Graham Cluley

So you hand them a physical address and a floor plan, and they sort out the ISP, they design the network, they show up on site, they rack their own hardware.

Joe

Their own hardware, not reselling someone else's kit?

Graham Cluley

Yep, their own hardware, and they get the whole thing up and running.

Danny Palmer

Hmm.

Joe

But what if I'm being put on hold for 45 minutes to listen to pan flute music?

Graham Cluley

Well, tough luck, Joe. Tough luck. And once you're up and running, you get one dashboard. Monitoring, management, security, VLANs, firewall, DNS security, SD-WAN, the whole caboodle.

Joe

So full visibility with none of the legwork.

Graham Cluley

Yep, that's exactly it. And it's sold through a subscription model, so there's no nasty surprises. There's even a hardware buyback program if you've already got kit from another vendor.

Joe

Ah, that's rather civilized.

Graham Cluley

Isn't it just? So head over to meter.com/smashing to find out more. That's meter.com/smashing.

Joe

And thanks to Meter for supporting the show.

Graham Cluley

Danny, what have you got for us this week?

Danny Palmer

Well, Graham, as you may have sussed out from my previous visits to your parish, when I spoke about hackers targeting Formula 1 drivers, I'm a bit of a sports fan.

Graham Cluley

Yes.

Danny Palmer

I'm not built to, you know, play well. I mean, anyone who's met me will tell you that I'm not very tall. I wear very thick glasses. I'm not really built for playing sport. So, later this year, me and some friends are going to the, we're all turning 40 this year. And we're going to be celebrating by a trip to the Dutch Grand Prix and a long weekend in Amsterdam. Partially because nice weekend away, partially because I don't ask me how the economy works, but spending an entire weekend in the Netherlands is cheaper than going to Silverstone for one day. So I've been researching, you know, what the cultural tourism of Amsterdam could be. I mean, Graham, do you have any suggestions? But not that one, because I'm asthmatic. So I can't do that anyway.

Graham Cluley

I think there's two clichés, aren't there, about Amsterdam?

Danny Palmer

I mean, it's—

Graham Cluley

So it's either going to be smoking the sort of thing which Clifton Collins was selling them.

Danny Palmer

Yes.

Graham Cluley

Or the other one, which is of course bicycles.

Danny Palmer

Of course.

Graham Cluley

So I imagine that's what you're thinking of, is cycling around.

Danny Palmer

Yes. Oh gosh.

Graham Cluley

Yes.

Danny Palmer

There's plenty of cultural activities to enjoy. There's the Van Gogh Museum. You can go see all of his art. Anyway, I've been doing my research.

Graham Cluley

Very cool.

Danny Palmer

There's the Heineken Experience, which is, from what I can tell, a brewery tour of where they make Heineken beer. I mean, I'm hoping there would be some sort of Willy Wonka type thing going on there. If it isn't, I would be disappointed. But there's also one of the major tourist attractions of the cultural side is a tour of the Johan Cruyff Arena, which is the home of the Ajax football club, which is the most successful football team in the Netherlands. And indeed, this is one of the most successful teams in the history of European football. They've won many European Cups.

Graham Cluley

Yes, and Ajax also gave their name, of course, to that fantastic bathroom cleaning product, didn't they? Yes, yes.

Danny Palmer

They could probably do with some sort of cleaning product right now, because you see, Ajax have run into a spot of cybersecurity bother. They've scored something of a cyber own goal, if you will, because this week it was revealed that the club was hacked.

Graham Cluley

Oh dear.

Danny Palmer

In a press release, Ajax said an outsider had unlawfully gained access to parts of the club's IT systems and that data was viewed, including email addresses of the supporters. The statement continues, saying, "For now, we know that access was gained to part of our systems, but we have no indication that this data has been spread," which, as a cybersecurity reporter, I see a lot of press releases from companies which have suffered incidents, and that's some good corporate speak. I will praise them in this case, they're actually talking about it, because I won't name names, but there are companies which have been hacked in the past. Everyone knows they've been hacked, but they've never actually gone on record saying, yeah, this is the thing which has happened. Anyway, the statement makes it sound that while the club did suffer a data breach, the impact was small, just the personal details of a few hundred fans potentially accessed.

Graham Cluley

Okay.

Danny Palmer

Obviously Ajax is a big club. Its stadium can hold tens of thousands of people. It's got a stadium tour. You're not going to just go look at a park by some rogue fans.

Graham Cluley

So it's bad that it's happened. I mean, obviously unfortunate for those few hundred fans who've been affected as well. They could potentially be at risk, but things could have been much worse.

Danny Palmer

Yes. If you take what the club say at face value. Yeah. Yes. But however, there seems to be a bit of debate as to what the person who intruded on this was able to access, because according to reports by Dutch publication RTL Nieuws, the incident might have exposed the personal details of 300,000 registered Ajax supporters, which is, well, that's a very large number. That's several times over the capacity of the stadium for a start. But that's a lot of people.

Graham Cluley

That sounds like 1,000 times more than the number which Ajax was actually saying, or pretty much. Yes. It's a little bit like they invested their few hundred fans in Bitcoin, waited 10 years, and now it's come out as 300,000 supporters of Ajax have been affected.

Danny Palmer

Careful, you're going to give some sort of tech CEO an idea now about how to expand the human population, which some of them seem to be so enthused about. So, 300,000. The source of this figure, well, RTL said it was approached by someone who is described in the report as an ethical hacker. It's not quite clear if this is the person who accessed the thing initially and it's just a bug bounty gone wrong, or if this is just someone showing that this is what the hacker could do. But anyway, this person has demonstrated that not only could an attacker see details of over 300,000 Ajax fans, he was also able to access ticket transfers. Basically, people download the Ajax app because that's how people get their tickets these days, you know, for major events. So anyone who accesses this data, the ability to steal match tickets, you know, I guess take them and transfer them and sell them on, could even do this with season tickets.

Graham Cluley

And I imagine, Danny, that the question which is foremost in your mind is, why on earth hasn't this happened to the British Grand Prix? Because if that vulnerability had existed there, you wouldn't have to be schlepping off to Amsterdam.

Danny Palmer

That is true. But in addition to this, okay, it'd be bad if attackers were able to steal tickets. The vulnerability would also allow an attacker to see and alter information about 500 people who've been banned from attending Ajax matches.

Graham Cluley

Oh, oh, so you could add someone to the banned list and prevent them from going to—

Danny Palmer

Yes.

Graham Cluley

That's very naughty, isn't it?

Danny Palmer

Or you could unban someone.

Graham Cluley

Ah, yes.

Danny Palmer

So there's two potential issues here. One is that the attacker would be able to lift the bans on people, who, you know, you'll assume will have been banned for a reason. Yes, football hooliganism and all of that which entails. So if a ban was removed, they'd be allowed back into the stadium with the risk of, you know, but on the flip side of this, there's also been the suggestion that the access to this information about stadium bans could potentially be used against those people who've been banned, which is an interesting way of thinking about this, I think.

Graham Cluley

Right.

Danny Palmer

So Bart Schermer, professor of privacy and cybercrime at Leiden University in the Netherlands, said this information can be used against you. Potential employers are unlikely to hire someone with a stadium ban, especially for certain jobs.

Graham Cluley

I've just had a thought, Danny. I've just had a thought.

Danny Palmer

Oh, good question. Might be Feyenoord, maybe?

Graham Cluley

Okay, I'll take your word for it. But anyway, so imagine that you were a fan of whatever that name was you just said, and you had this hacking access. Could you not add to the list of banned people who aren't allowed to the stadium the strikers for Ajax? Or the manager or coach? And so they would not be allowed on the premises. And so they wouldn't be able to compete.

Danny Palmer

That is a very cunning plan. Do you think that— you think the staff might recognise Ajax's star striker at the gate?

Graham Cluley

If you have a jobsworth there, says, "I'm sorry, you're on this list."

Danny Palmer

"You're banned, mate." That is a very good point. I have seen instances in Formula 1 where drivers haven't been allowed into the paddock, so they haven't had their pass, and the person on the gate's gone, "Sorry, sorry, mate, you're not coming in." But that is a very cunning, sneaky plan.

Graham Cluley

That's what I do. That's what I do.

Danny Palmer

Anyway, apparently all of this exposure is as a result of what is vaguely described as security vulnerabilities in the official Ajax app, which allowed an unauthorized user to gain access to information they shouldn't have been able to. This vulnerability has now already been patched, which is a good thing. So it's the idea that, you know, if someone had managed to gain access to this data beforehand, they could still have that data available. Even if they can't swap around fan tickets and things, if someone had access, they've still got information on hundreds of thousands of people, which, you know, there's all sorts of—

Graham Cluley

And just the email addresses, and you know these people are fans of football. You get plenty of opportunities to phish them or trick them into following links or—

Danny Palmer

Yes, and Ajax are very much aware of this.

Joe

Yes.

Danny Palmer

In a statement, they've said about the incident, "We immediately launched an investigation and with the help of external experts," which I presume are cybersecurity incident responders, "into the cause and scope of the incident. We have patched the identified vulnerabilities and strengthened our security further." Anyway, I don't know how it is for you, Graham, but almost any event you go to involves downloading a bespoke application these days.

Now you go to — I've gone to Millennium Stadium in Cardiff to see rugby matches. I've been to concerts. I've been to the O2 to see professional wrestling recently. All involve having to download an app to show the tickets. So incidents like this showcase how these apps make tempting targets for cyber attackers. So we just have to hope that all these venues and organizations have properly invested in security of these services. Well, we'll see, we'll see how that goes. But in the meantime, if I do end up going on a tour of the Ajax Stadium, I hope paying with cash for a paper ticket is an option, just in case.

Graham Cluley

Very sensible. Well, we've got time right now to chat about one of our sponsors this week, Vanta.

Joe

Oh yes, my favourites. What do they do again?

Graham Cluley

They stop you running your entire security program out of a spreadsheet, Joe.

Joe

That seems aimed at me personally, Graham.

Graham Cluley

Well, it is a little bit, yes. But you know how most companies have to prove they're secure to customers or auditors and regulators? And the whole thing involves chasing down evidence, filling in questionnaires and forms, updating the same spreadsheet cells over and over again.

Joe

Over and over again. It sounds utterly soul-destroying.

Graham Cluley

Yeah. Well, Vanta automates all of that.

Joe

Automates it? How?

Graham Cluley

Well, their trust management platform keeps a continuous eye on your systems. It pulls everything into one place and keeps you audit-ready around the clock. So no more staring at the ceiling at 2 AM wondering whether you've got the right controls in place or whether one of your suppliers has been breached.

Joe

The stuff of nightmares.

Graham Cluley

Yeah, it would be, wouldn't it? But this Vanta solution uses AI as well, and it's the useful kind, flagging risks, collecting evidence, slotting into the tools your team already uses, so you move faster, scale without the headaches, and perhaps actually get some sleep. Go to vanta.com/smashing to find out more.

Joe

That's vanta.com/smashing. And thanks to Vanta for supporting the show.

Graham Cluley

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Danny Palmer

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Well, my Pick of the Week this week is not security related. My Pick of the Week this week is a TV program which I've just started watching. I'm a few episodes in. And I can already tell you that I'm enjoying it.

Danny Palmer

Oh, good.

Graham Cluley

It is a TV show from the BBC, and it is called Small Profits. Have you seen Small Profits at all?

Danny Palmer

No, I've not seen it, but I have heard of it.

Graham Cluley

Yeah, it seems to be creating a bit of buzz at the moment. So it's a gentle new comedy drama with a slightly fantastical twist. It's been written and directed by Mackenzie Crook, who you may remember was a modern-day Wurzel Gummidge and was in The Detectorists and I love The Detectorists. Yeah, most famously, I think he was Gareth in The Office, wasn't he?

Danny Palmer

Yes. I think he's been in most of the Pirates of the Caribbean films.

Graham Cluley

Yes, he has been in some of those as well. But he's clearly a class act when it comes to writing and directing. He also appears, or doesn't have the starring role, in this show too. So, the premise of this show is a rather lost middle-aged man is given a recipe by his elderly dad for how to grow homunculi, which are, of course, that's the plural for homunculus, which are miniature humans who you can ask any question of and they have to tell you the truth.

Danny Palmer

Huh. So it's sort of almost asking a chatbot something except without them making weird stuff up.

Graham Cluley

Yes. So this man, he's a bit damaged because his girlfriend went missing. Years before. He doesn't know what happened to her. Rumors spread that he had killed her. The police dug up his garden. Everything's gone a bit to seed. He now just sort of hangs out in his shed, and he's a bit lost. He's got a job at a DIY superstore, but he decides that he's going to use the abilities of these things. He's going to conjure them up to ask them if he will ever be reunited with her again.

Danny Palmer

Huh.

Graham Cluley

Anyway, so he goes on this quest, and it's complicated by his boss at the DIY store, played by Mackenzie Crook, He has some suspicious neighbors next door. They take an unhealthy interest in what he's getting up to in his shed.

Danny Palmer

Typical nosy neighbors.

Graham Cluley

Yes. Michael Palin is playing his dad.

Danny Palmer

Oh, good.

Graham Cluley

I particularly enjoyed Lauren Patel. She's playing Casey, who's the main character's work-shy colleague in the DIY superstore. But it is gentle and lovely, and I think it's rather touching. I think it's very well done. And so, my pick of the week this week is Small Profits on the BBC, and I will put a link to the iPlayer in the show notes.

Danny Palmer

I will follow that because I should watch that because I'm very bad at watching new things. I always say I'm going to watch this, then I never get around to it, and I've just put on old episodes of The Simpsons or Red Dwarf or something again instead. Well, no, as we've established today and other times, you know, I'm a bit of a nerd, you might say. You know, I've got the big old glasses. I've got the interests. Back in the '90s when I was a teenager, I was doing things such as, you know, playing Warhammer.

Graham Cluley

Yep.

Danny Palmer

Playing, I'm not really sure how, thinking about it, because that stuff is very expensive. And that's a hobby I've recently taken up again, but I'm not talking about that. But I've played Warhammer. I played RPGs, read fantasy novels, movies, that sort of thing. But somehow I've reached sort of my age and never played Dungeons and Dragons. I found out about a place in South London.

Graham Cluley

Right.

Danny Palmer

It's called RPG Taverns. It is indeed a tavern. It's a pub and bar where you can go in and play Dungeons and Dragons. So I managed to rope in a friend to come on the sort of starter session with me.

Graham Cluley

It's good to take a friend with you, isn't it? Because it could be a bit like a timeshare. You don't know what you're walking into.

Danny Palmer

Yes, exactly.

Graham Cluley

Have a strong friend and say, look, if I'm beginning to get— if I'm beginning to go down the whirlpool, you've got to drag me out, right?

Danny Palmer

Exactly. So we went there and had our introduction to Dungeons and Dragons.

Graham Cluley

Okay.

Danny Palmer

Being me, I've given him an overtly Welsh name and somehow my guy has got a background of working on ships. And so we went through a little session with playing again with our characters. It was really fun. And I will be going back again. It was very enjoyable. And it's going into this world. It was really interesting. So I suppose there is something of a stereotype around people who play Dungeons and Dragons. I believe the television program Stranger Things has meant it's had a bit of a renaissance recently, but the bar itself was really nice, very welcoming.

Graham Cluley

That's me. I'm craving at the moment to go back and watch some episodes from 1968 of a Doctor Who story. So this is your pick of the week, is this, I mean, going to a real-life Dungeons and Dragons themed tavern. And we're putting a link in the show notes to your particular, will this be your particular one or is this a franchise operation? I think I'll go and watch that instead. Anyway, yes, Small Profits, well worth a watch. Is there a danger people will actually bump into you, Danny, and your wood elf? Danny, what's your pick of the week?

Danny Palmer

I suppose there is, yeah. I've even ordered my own minifigure I can take along. But this is just one example of this type of thing. There's a few different brands around London doing this sort of thing. But I just think it's really nice that there are places people can go and do these things. So yeah, it's a very, very nerdy pick of the week, but it's on brand. And yeah, it gets me out the house, which is nice.

Graham Cluley

No bad thing at all. And that just about wraps up the show for this week. Thank you so much, Danny, for joining us. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?

Danny Palmer

Well, the best way to find me at the moment is I am currently the interim deputy editor of Infosecurity magazine.

Graham Cluley

Ooh la la.

Danny Palmer

I am standing in for James Coker, the regular deputy editor, who's away on paternity leave. So yeah, I am writing articles for that, news features. There's quite a big conference the website does. I believe you're familiar with it, Graham. Well, I believe by looking at the website, you'll be hosting one of the channels on it this year.

Graham Cluley

Yes, I'm doing some work on the keynote stage and giving a talk. So I'm looking forward to that.

Danny Palmer

I saw it last year as a freelancer. And yeah, I got to see you introduce Professor Brian Cox onto the stage, which was quite jealous of, to be honest.

Graham Cluley

He was a very nice chap. I enjoyed chatting to him.

Danny Palmer

But I'm there. So that's where you can find me. But apart from that, LinkedIn is the place where I get the most hashtag engagement.

Graham Cluley

And you can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Mastodon or Bluesky. And there's a subreddit as well. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of over 460 episodes. Check out smashingsecurity.com. Until next time, cheerio, bye-bye.

Danny Palmer

Bye-bye.

Graham Cluley

You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Danny Palmer for joining us this week and to this episode's sponsors, Action1, Vanta, and Meter. And also to the following folks: Scotia, not a full name, not quite a country. We respect the mystery. Sean, just Sean. Actually, no, somehow they have a trailing space in the database. So clearly they don't like to sit too close to anyone else. Jamie Forster. Jonathan Haddock. Yes, a man actually named after a fish. Very cool. Ask Leo. That isn't a patron's name. That's an order. Ask Leo. Leo, ask him what. We may never know, but Leo clearly has the answers. Rich, is he? We like to think so. Just Nate, please. Just Nate, please. That's all he's asking. Just let him be Nate. Mark Luxton, perfectly solid name. I can't think what to say about him. Expect he's still unraveling the Christmas tree lights. MJ Lee, initials only. Professional enigmatic. Critic. Could be anyone. Could be a journalist. Could be a spy. Could be a member of a K-pop group, for all I know. And Mayor McDonald, who, before you ask, can't help you with the Wi-Fi at your local branch of McDonald's. Those are just a few members of Smashing Security Plus, which means they get episodes ad-free, earlier than the general public, and can have their names pulled out at random to be mocked at the end of an episode. If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details. You can become a patron, but you can also support the show in plenty of ways that don't cost a penny. You can like and subscribe. You can leave a 5-star review. Please do wherever you listen. Tell your friends about the show. Simply spread the word. Every little bit helps, and it really makes all of the effort worthwhile. And so thank you to all of you for listening, and I hope you'll tune in to our next episode. Until then, cheerio, bye-bye.

Host: Graham Cluley

Guest: Danny Palmer

Sponsored by:

  • Action1 – Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
