Hello 👋 get a brew on because these are the top emerging risks between April 6th, and April 22nd, 2026…

Review our report’s terminology here ↗

Small update: Our Unbreakable Ventures fortnightly update will move to a Wednesday release moving forward. This allows our team to prepare content and launch on a day that is typically more open for you to read and listen.

Our main risk this fortnight is…

1. Societal: Middle East Crisis Threatens Global Poverty Surge

• A new United Nations Development Programme report warns that the ongoing military escalation in the Middle East, centred on the Strait of Hormuz closure and broader regional conflict, could push millions of people across the Asia-Pacific region into poverty through surging energy prices, trade disruption, and collapsing remittance flows, with impacts extending far beyond the immediate conflict zone.

• The UNDP analysis models the crisis through the lens of its Human Development Index and finds that countries already vulnerable, particularly South and Southeast Asian nations dependent on oil imports, migrant worker remittances, and tourism revenues, face compound shocks that could reverse years of development progress within months rather than years.

• The report identifies multiple transmission channels through which the crisis radiates outward: direct energy cost inflation hitting household budgets and industrial output; disruption to maritime trade routes that carry a significant share of global oil and LNG supplies; collapse or severe reduction in remittance flows from Gulf-based migrant workers who face job losses or repatriation; and tourism revenue declines as regional instability deters travel.

• Small island developing states and least-developed countries in the Asia-Pacific face disproportionate exposure because they lack fiscal buffers, strategic petroleum reserves, or diversified energy sources to absorb price shocks, meaning even short-duration disruptions can trigger food insecurity, power rationing, and social instability.

• The UNDP calls for coordinated international action including emergency social protection scaling, energy subsidy targeting, remittance corridor protection, and accelerated renewable energy investment, warning that delayed responses will compound the human cost and make recovery significantly more expensive and protracted.

Sources

• Middle East Crisis: Millions Around the World Could Be Pushed into Poverty, Flags UNDP | Times of India | April 2026

• Middle East Military Escalation: HDI Impacts Across Asia-Pacific (Full Report) | UNDP Regional Bureau for Asia and the Pacific | April 2026

• Strait of Hormuz Closure Sends Oil Prices to Record Highs | Reuters | April 2026

• Asia-Pacific Economies Brace for Oil Shock Fallout | Nikkei Asia | April 2026

• Gulf Migrant Workers Face Mass Layoffs as Regional Crisis Deepens | Al Jazeera | April 2026

• How the Middle East Conflict Threatens Global Development Goals | The Guardian | April 2026

You should be concerned if…

• Oil-importing developing nations in South and Southeast Asia: Countries like Pakistan, Bangladesh, Sri Lanka, the Philippines, and Pacific Island states are absorbing the full force of energy price inflation without the fiscal reserves or strategic stockpiles to cushion the blow. For these nations, the crisis is not abstract geopolitics but an immediate threat to household energy access, food affordability, and industrial output. The UNDP report makes clear that these economies sit at the sharpest end of the transmission chain, and that even a partial reversal of development gains could take a decade to recover.

• Migrant worker communities and remittance-dependent households: Millions of workers from South and Southeast Asia employed in Gulf states face job insecurity, wage delays, or forced repatriation as the regional economy contracts under conflict pressure. The families they support, often in rural communities with no alternative income sources, lose their primary financial lifeline. Remittance flows represent a larger share of GDP than foreign aid in many of these countries, making this channel of crisis transmission particularly devastating and under-reported.

• Global humanitarian and development organisations: The UNDP warning signals a potential surge in demand for emergency social protection, food assistance, and energy subsidies across multiple countries simultaneously. Organisations already stretched by existing crises face the prospect of compounding need with no corresponding increase in donor funding, particularly as major donor nations themselves grapple with the economic fallout of higher energy costs.

• Multinational corporations with Asia-Pacific supply chains: The poverty surge and economic instability flagged by the UNDP translate directly into workforce disruption, demand volatility, and operational risk across manufacturing hubs and sourcing countries. Companies relying on labour-intensive production in vulnerable economies should anticipate absenteeism, wage pressure, civil unrest, and potential government interventions such as export restrictions or price controls that could disrupt supply agreements.

• Insurance, sovereign debt, and credit risk analysts: The compounding effect of energy inflation, remittance collapse, and tourism decline on fiscally fragile states raises the probability of sovereign debt distress, credit rating downgrades, and currency crises. Analysts must model not just the direct oil price shock but the second and third-order effects on government revenues, social spending commitments, and political stability.

These items are generic assumptions. We recommend considering your own unique risk landscape against your critical dependencies. If you don’t know what they are, get in touch.

Preventative actions

Map your exposure to remittance and energy transmission channels

• Organisations and governments should urgently map their direct and indirect exposure to the crisis transmission channels identified in the UNDP report: energy import dependence, remittance flow concentration, tourism revenue reliance, and maritime trade route vulnerability. Understanding which channels carry the greatest risk for your specific context allows for targeted mitigation rather than generic crisis response.

Accelerate targeted social protection and subsidy programmes

• Governments in exposed countries should pre-position emergency cash transfer mechanisms and energy subsidy frameworks that can be activated rapidly as household budgets come under pressure. The UNDP report emphasises that delayed social protection scaling compounds the poverty impact exponentially, so the priority is speed of deployment over perfection of targeting.

Diversify energy sourcing and fast-track renewable alternatives

• The current crisis is a structural argument for reducing dependence on Gulf-sourced hydrocarbons. Countries and corporations should use this moment to accelerate renewable energy procurement, distributed generation, and energy storage investments that reduce long-term exposure to maritime chokepoint disruptions, even if the immediate crisis requires short-term fossil fuel alternatives.

Protect and diversify remittance corridors

• Financial regulators and remittance service providers should ensure that alternative transfer channels remain operational and affordable if primary Gulf-based corridors are disrupted. Governments of labour-sending countries should negotiate bilateral protections for their nationals in Gulf states and establish emergency repatriation and reintegration plans.

Stress-test supply chains for poverty-driven disruption

• Multinational corporations should model the impact of rising poverty and economic instability in their sourcing countries on workforce availability, production continuity, and demand patterns. Build contingency plans for scenarios where key manufacturing or agricultural regions face civil unrest, government-imposed export restrictions, or significant labour force disruption driven by the cascading effects of the crisis.

2. Technological: Mercor Breach Exposes Permanent Biometric Threat

• AI hiring startup Mercor, valued at $10 billion and backed by prominent Silicon Valley investors, suffered a catastrophic data breach in which the hacking group Lapsus exfiltrated approximately 4 terabytes of deeply sensitive user data, including high-resolution video interviews, passport and identity document scans, resumes, candidate profiles, and proprietary source code, creating what cybersecurity experts describe as a near-perfect deepfake training dataset.

• The breach did not originate from simple negligence at Mercor. It was the downstream result of a sophisticated software supply chain attack that compromised Trivy, a widely used open-source security vulnerability scanner, which in turn poisoned LiteLLM, an AI model proxy layer, before reaching Mercor’s systems. The attack chain, Trivy to LiteLLM to Mercor, was three layers deep, and the same supply chain compromise affected thousands of companies simultaneously, making attribution of fault to any single organisation misleading.

• The nature of the stolen data is what elevates this breach from a conventional cybersecurity incident to a permanent, irreversible threat. Unlike passwords or credit card numbers, biometric data, including detailed facial geometry, voice patterns, and behavioural mannerisms captured across thousands of hours of video interviews, cannot be changed, reset, or reissued. Every affected individual now carries a lifelong vulnerability to identity fraud, deepfake impersonation, and synthetic identity attacks.

• The breach raises urgent questions about the data collection practices of AI-era platforms. Mercor’s business model required job applicants to submit extensive video recordings, identity documents, and personal information as a condition of being considered for roles, often roles that involved training AI models for major technology companies. The volume and intimacy of the data collected far exceeded what traditional hiring processes demand, yet the security infrastructure protecting it was ultimately dependent on a chain of third-party tools that no single entity fully controlled or audited.

• The stolen dataset has direct commercial and strategic value to hostile actors. Nation-state intelligence services, rival AI laboratories, and criminal enterprises could use the biometric data to train deepfake generation models, conduct targeted social engineering, or build synthetic identity systems. The risk is not hypothetical: a dataset of this quality and scale, combining face, voice, identity documents, and professional background, is precisely what is needed to produce convincing impersonations that could defeat video-based identity verification systems now used across financial services, corporate access controls, and government processes.

Sources

• Mercor AI Startup Security Incident | Fortune | April 2026

• Lapsus Group Claims Responsibility for Mercor Data Breach | BleepingComputer | April 2026

• Supply Chain Attack on Trivy Scanner Compromises Thousands of Downstream Companies | The Record | April 2026

• The Deepfake Risk of Biometric Data Breaches | Wired | April 2026

• AI Hiring Platforms and the Data Collection Arms Race | MIT Technology Review | March 2026

• LiteLLM Vulnerability Exploited in Multi-Stage Supply Chain Attack | Ars Technica | April 2026

You should be concerned if…

• Individuals who submitted video interviews, identity documents, or resumes to Mercor: You face a permanent and irreversible exposure. Unlike a compromised password, your face, voice, and identity documents cannot be changed. This data can be used to create convincing deepfake videos or audio that could pass automated verification checks, be deployed in targeted social engineering, or be sold to entities building synthetic identity systems. You should assume the data is in hostile hands and take protective action immediately.

• Organisations using video-based identity verification or biometric authentication: The Mercor dataset provides attackers with precisely the training material needed to defeat video KYC, voice authentication, and liveness detection systems. Financial institutions, corporate security teams, and government agencies that rely on these technologies should assume the threat model has fundamentally shifted and begin evaluating the resilience of their verification systems against high-quality synthetic media generated from real biometric data.

• Companies relying on open-source security tools in their software supply chain: The Trivy-to-LiteLLM-to-Mercor attack chain demonstrates that the tools organisations trust to identify vulnerabilities can themselves become the attack vector. This is not a failure of one company’s credential hygiene; it is a structural weakness in how modern software ecosystems are assembled. Any organisation using open-source scanners, proxy layers, or AI tooling without rigorous supply chain verification is potentially exposed to identical compromise patterns.

• AI companies and technology platforms that collect extensive applicant or user data: The Mercor breach forces a reckoning with the question of how much personal data is truly necessary to deliver a service, and what duty of care attaches to collecting it. Platforms that require video submissions, biometric captures, or identity document uploads as a routine part of engagement must now justify that collection against the reality that no security architecture can guarantee permanent protection of permanently sensitive data.

• Regulators and policymakers responsible for data protection and AI governance: The breach exposes a gap between current data protection frameworks, which were largely designed around financial and textual personal data, and the emerging reality of mass biometric data collection by AI-era platforms. The permanent, non-resettable nature of biometric exposure demands a different regulatory approach than breach notification and credit monitoring.

Preventative actions

Audit and minimise biometric data collection practices immediately

• Every organisation that collects video, voice, facial imagery, or identity documents should conduct an urgent review asking a single, uncomfortable question: is this data truly necessary for the service being provided? If it is not essential, stop collecting it. If it is essential, segregate it from general data stores, encrypt it with dedicated key management, and impose strict retention limits. The Mercor breach demonstrates that data you hold is data that can be stolen, and biometric data, once stolen, creates a liability that lasts a lifetime.

Implement supply chain security verification for all third-party and open-source tools

• The attack chain that compromised Mercor started three layers upstream with a trusted security tool. Organisations must move beyond trusting tools by reputation and implement continuous verification of third-party software integrity, including code signing validation, software bill of materials (SBOM) monitoring, and runtime behavioural analysis. The security scanner that protects your perimeter should itself be treated as an attack surface.

Adopt multi-layered identity verification that does not rely solely on biometrics

• With high-quality biometric datasets now in adversarial hands, organisations must assume that video and voice-based verification can be spoofed. Layer biometric checks with behavioural analytics, device-binding, cryptographic attestation, and human-in-the-loop review for high-risk transactions. No single authentication factor, especially one derived from data that cannot be changed, should be treated as definitive.

Establish breach response protocols specific to biometric data exposure

• Standard breach response playbooks built around password resets and credit monitoring are inadequate for biometric data incidents. Organisations should develop specific response plans that include lifelong monitoring services for affected individuals, proactive notification to financial institutions and identity verification providers, and legal frameworks for addressing the unique, permanent nature of biometric compromise.

Demand transparency and contractual accountability from AI-era platforms

• Individuals and organisations providing sensitive data to AI hiring platforms, model training services, or any technology company requiring biometric inputs should demand explicit disclosure of data storage architecture, third-party tool dependencies, supply chain security practices, and breach response commitments before submitting any information. The era of trusting platforms with intimate data based solely on their valuation or investor backing should be over.

Quick snippet stories

1. UK Small Businesses Hit by Cash Crunch, Supplier Fears, and War Shocks
   A new Federation of Small Businesses survey reveals that UK SMEs are facing a compounding crisis as the Middle East conflict drives up input costs, supply chain uncertainty erodes confidence in supplier reliability, and persistent cash flow pressures push many firms toward the brink. The core risk is a cascading failure: when small businesses cannot trust that their suppliers will deliver, they freeze investment and hiring, which in turn weakens the suppliers they depend on. SMEs should stress-test their supplier base now and build short-term cash reserves to weather delayed payments. Main link to resource

2. Airlines Slash Flights as Jet Fuel Crisis Deepens
   Airlines are cutting routes and reducing frequencies as jet fuel prices surge amid ongoing Middle East volatility and Strait of Hormuz disruption. The risk extends beyond airline profitability into tourism-dependent economies and business travel connectivity, as reduced capacity concentrates passengers onto fewer routes and drives up ticket prices. Airlines hedged against short-term shocks may cope, but carriers and destinations without fuel diversification strategies face a prolonged squeeze that could reshape global aviation networks for years. Main link to resource

3. Australia’s Fuel Security Scheme Tested Under Real Conditions
   Australia’s strategic fuel reserve ships are now delivering under the government’s emergency fuel security scheme, providing a live stress test of a system designed for exactly this kind of disruption. Much like the COVID pandemic, where nations closely studied each other’s public health responses to identify what worked and what failed, countries are now observing each other’s fuel crisis strategies in real time. Australia, for example, has noted the Philippines’ mandate for work-from-home policies to reduce fuel consumption, only to discover that workers running air conditioning throughout the day consumed comparable energy, highlighting how seemingly logical mitigation measures can produce unintended consequences. Main link to resource

4. Australian Businesses Cut Hours and Push Remote Work as Fuel Costs Bite
   Australian businesses are slashing employee hours and accelerating work-from-home arrangements as the fuel crisis raises commuting and operational costs beyond sustainable levels. This may represent one of the first early signs of an employment slump beginning to set in, as reduced hours typically precede outright job losses in economic downturns. The risk is that what begins as a temporary cost-saving measure becomes structural, with businesses discovering they can operate with fewer paid hours and choosing not to restore them when conditions stabilise. Main link to resource

5. Security Leaders Dangerously Overconfident About Ransomware Recovery
   A new industry survey reveals a significant gap between security leaders’ confidence in their ransomware recovery capabilities and the reality of actual recovery outcomes. The risk is that overconfidence leads to underinvestment in tested, validated recovery processes, with organisations assuming backup systems and incident response plans will perform under pressure without ever subjecting them to realistic simulations. Firms should conduct unannounced recovery drills that mirror real attack conditions, including encrypted backups and compromised admin credentials, to expose gaps before an actual incident does. Main link to resource

Want to discuss how these risks might effect your business?
Book 30 minutes with us, free ↗

Need support?

At Fixinc, we are passionate about helping people get through disasters. That’s why our team of Advisors bring you this resource free of charge. If you need help understanding these threats and building a plan against them, the same Advisors are here to help over a 30-minute online call. Once complete, if you like what was provided, you can choose to provide a donation or subscribe to Unbreakable Ventures to support this channel.

Book your 30min call here