Weekly Backlog Week 25/2026
Katrin Peter • 7 min read


🧠 Editorial

This week, I repeatedly asked myself whether we in IT are actually solving problems or just swapping the names of the problems.

In the past, it was Vendor Lock-in, Shadow IT, and insecure plugins. Today, they are called AI assistants, digital sovereignty, and supply chain attacks. The result is astonishingly similar.

We look at a critical Copilot vulnerability, the major sovereignty debate surrounding Anthropic and US technology, Volkswagen’s European cloud plans, and a WordPress hack that shows why trust is sometimes the biggest vulnerability.

Also included: a noteworthy guest article by Marcus Krämer, explaining why the WordPress community is meeting in Saarland for the industry’s reunion.

Enjoy reading. Reality was more creative than any AI again this week.

📰 Tech-News:

Critical Copilot Vulnerability: A Single Click Could Have Led to Data Leak

Security researchers from Varonis Threat Labs have uncovered a critical vulnerability in Microsoft 365 Copilot Enterprise Search that could have allowed attackers access to sensitive corporate data under certain circumstances. The security flaw, identified as CVE-2026-42824, has since been patched server-side by Microsoft.

Particularly concerning: A successful attack would have required just a single click on a legitimate Microsoft link. No password prompt or further user interaction would have been necessary.

The researchers combined three different vulnerabilities into an attack chain called “SearchLeak.” By manipulating search parameters, Copilot could be tricked into reading internal data such as emails, calendar entries, or files from Microsoft 365. Through a combination of prompt injection, a rendering vulnerability, and a content security policy bypass, the information could then be transferred to external servers.

Especially critical was the ability to read time-limited one-time codes for multi-factor authentication (MFA), password reset links, or other sensitive information from mailboxes. Additionally, attackers could potentially access documents from SharePoint, OneDrive, and meeting notes—but always within the permissions of the logged-in user.

The vulnerability once again shows that AI-powered systems create new attack surfaces. Classic security issues like cross-site scripting, race conditions, or server-side request forgery (SSRF) gain a new dimension through large language models and prompt injections. Attackers no longer need to compromise systems directly but can prompt the AI to process and share sensitive information itself.

Microsoft has already closed the security gap. Nevertheless, companies should review their Copilot usage, analyze unusual search queries, and restrict access to sensitive data based on the principle of least privilege. The less data an AI can index, the lower the potential damage of future security breaches.

The incident underscores that securing AI systems is increasingly becoming a central challenge for corporate security.

🔗 https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html

The Illusion of Digital Sovereignty

If this still isn’t enough to end the debate on digital sovereignty, I don’t know what else needs to happen. The US government orders Anthropic to block access to its latest AI models for foreign nationals. A few hours later, the models are gone.

And while the US openly demonstrates that advanced AI has long been considered a strategic technology, we in Germany are still discussing whether AWS European Sovereign Cloud or similar constructs supposedly create a sufficient level of independence. How long do we want to keep telling ourselves this story? Anyone who still believes that digital sovereignty arises from running American technology in European data centers is still confusing location with control.

The crucial question was never where the data is located. The crucial question is who sets the rules.

Who decides on access? Who decides on functions? Who decides which technologies can be used and which cannot? Who can immediately enforce political directives technically?

The answer in this case is not Europe. ❌

That’s exactly why it is so absurd to think that one could permanently outsource the central building blocks of one’s digital infrastructure to non-European providers and simultaneously speak of sovereignty. Dependency cannot be defined away by contracts. It cannot be eliminated by new certificates. And it does not disappear because the word “sovereign” is in the product name.

The Anthropic decision clearly shows what it’s really about: Whoever owns the technology controls the technology. And whoever controls the technology also enforces the political framework if necessary.

The fact that we still have to have this discussion in 2026 is actually the most shocking part of the whole story.

🔗 https://www.cnbc.com/2026/06/12/anthropic-disables-access-to-fable-5-and-mythos-5-to-comply-with-government-directive.html

Germany’s Administrative Digitalization: The Problem Isn’t the Money

Germany has been investing significant sums in the digitalization of its administration for years. Nevertheless, progress remains disappointing from the perspective of many citizens. While digital services in the private sector have long been taken for granted, authorities are still struggling with paper files, media breaks, and incompatible systems.

According to experts, the reason for this lies less in a lack of budget and more in structural problems. Responsibilities between the federal government, states, and municipalities are often unclearly defined, uniform standards are missing, and many digitalization projects are developed in isolation. The result is a patchwork of individual solutions that can only communicate with each other to a limited extent.

This becomes particularly evident in the data infrastructure. Although numerous administrative services can now be applied for digitally, further processing often still takes place in analog form. An example is the digital BAföG application, which in many cases still has to be printed out and filed manually because seamless digital processes are lacking.

Additionally, there is a lack of strategic control. Many decisions are made without sufficient digital expertise, while at the same time, there is a shortage of skilled workers who could develop and operate modern administrative processes. The public sector also faces a massive demographic challenge: By 2030, more than a third of employees will retire due to age. The resulting personnel gap could further complicate modernization.

Experts are therefore calling for a fundamental course correction. Instead of constantly launching new individual projects, a common target architecture, binding data standards, and clear responsibilities are needed. Only if systems can work together across administrative boundaries can digital offerings be created that are genuinely simpler, faster, and more efficient for citizens.

The central insight is therefore: Germany’s digitalization problem is no longer a technology problem. The necessary tools exist. The decisive factor will be whether it succeeds in adapting organizational structures, responsibilities, and processes to the requirements of a modern digital administration.

🔗 https://www.heise.de/hintergrund/Missing-Link-Warum-Deutschlands-Behoerden-bei-der-Digitalisierung-stagnieren-11331433.html

VW Relies on European Cloud: T-Systems Takes Over Group Infrastructure

Volkswagen is taking an unusual path with its cloud strategy and is opting for a European alternative to the major US hyperscalers. The automotive group has commissioned Telekom subsidiary T-Systems to build and operate the new “Group Private Cloud 2.0” worldwide.

The new infrastructure is intended to serve as a central platform for applications of all group brands in the future—including Volkswagen, Audi, Porsche, and Skoda. New applications will be developed and operated directly in the cloud environment, while existing systems are to be gradually migrated.

With the project, Volkswagen primarily aims to strengthen its digital sovereignty. By operating critical applications within the European legal framework, data protection requirements can be more easily implemented, and dependency on providers like AWS, Microsoft Azure, or Google Cloud can be reduced. At the same time, T-Systems promises high security standards and direct access to AI infrastructures for industrial use cases.

The move shows a growing trend in Europe. In light of geopolitical uncertainties, regulatory requirements, and discussions about data sovereignty, more and more companies are examining which critical systems they still want to operate with international cloud providers and which areas they want to bring back under their own control.

However, the strategy shift is not without risks. While Volkswagen reduces dependency on US hyperscalers, it simultaneously creates a new dependency on T-Systems as the central infrastructure partner. Additionally, there is the enormous technical challenge of transferring historically grown IT landscapes of a global corporation into a new cloud environment. Such transformation projects are considered complex, costly, and prone to errors.

Nevertheless, the project could set a precedent for other European companies. If Volkswagen can demonstrate that a European private cloud solution is economically competitive and technologically capable, the debate on digital sovereignty in Europe could gain new momentum.

🔗 https://www.heise.de/news/VW-setzt-auf-die-Telekom-T-Systems-baut-weltweite-Cloud-fuer-Volkswagen-11331601.html

🗣️ LinkedIn Post of the Week

This week’s LinkedIn post comes from Furkan Yildiz.

In his post, he critically examines Microsoft’s AI strategy. The starting point is an internal document that apparently describes how users are to be more closely tied to AI assistants. Yildiz criticizes the growing dependency of the mid-sized sector on the Microsoft 365 ecosystem and questions whether AI productivity should really be paid for with vendor lock-in, sensitive corporate data on foreign platforms, and increasing dependency.

The post is pointed, uncomfortable, and precisely for that reason worth reading. It fits perfectly into the current debate on digital sovereignty, European alternatives, and the question of whom companies entrust with their data, workflows, and future viability.

🔗 https://www.linkedin.com/posts/furkan-yildiz-fluesta_make-people-addicted-das-ist-kein-zitat-share-7472535569005355008-lyBB/?utm_source=share&utm_medium=member_desktop&rcm=ACoAADCSWyQBU4m7hUbXDJqk27ftrkLIYOZzONU

🚨 Security Alert:

Supply Chain Attack on WordPress Plugins Threatens Over 1.2 Million Websites

Security researchers from Sansec have uncovered a large-scale supply chain attack on several popular WordPress plugins
