Further disruptions to the public sector

This month saw even more disruption to the public sector with multiple councils losing personal data from housing registers to hackers. Thousands of residents have been sent phishing emails from the hackers asking them to provide personal data to “activate tenancy options”. 

On a much larger scale, hackers managed to gain access to National Public Data, a critical public service in the United States which collects and aggregates data from federal, state and local governments and public bodies. Millions of records of private individuals, including social security numbers, addresses and phone numbers were stolen, exposing them to scams and fraud.

Public sector data bases are particularly attractive to cyber attackers as they tend to have older systems, hold lower budgets for robust security and tend to contain valuable data. Information stolen during cyber attacks is often resold and reused in the criminal economy. 

We noted in our last bulletin that UK Finance had reported record levels of scams in 2024, exceeding £1bn in stolen funds, and flagged guidance on how to avoid scams. These attacks highlight that personal information is constantly being stolen, sold and used to enable scams. 

An HMRC spokesperson announced this month that recent letters said to be from HMRC asking for businesses to verify financial information was a scam. At present, there is no specific guidance for when your personal or business information is stolen from public sector records, so it is crucial that you remain vigilant and aware of recent attacks, and seek ways to secure or change information where possible. 

The Port of Tyne also experienced outages after a cyber-attack, disrupting their operations for part of a day. While disruption from this attack appears to have been minimal, it points to an increasing focus among hostile actors on targeting critical infrastructure and providers. 

These attacks point at two important outcomes the threat actors are looking to achieve: disruption or ransom. 

Headaches for big tech

At the end of July, Microsoft suffered another outage less than two weeks after the CrowdStrike incident that impacted millions of Microsoft computers. Microsoft Azure, 365 and other services experienced a 10-hour long outage, initially due to a Distributed Denial of Service (DDoS) attack followed by mitigating actions which amplified the impact. 

DDoS attacks are when an actor creates a deluge of internet traffic to a system in order to overwhelm it and take it offline. As with the CrowdStrike incident, the reliance of the modern global economy on tech providers such as Microsoft means these outages impacted a huge array of businesses and public services, including the HM Courts and Tribunal Service, NatWest and a top Dutch football club. In these instances, it is important that firms have contingency plans for when services are disrupted, and that appropriate due diligence is undertaken when assessing third-party risks. 

Microsoft is not alone in being targeted. Late in August, researchers discovered Amazon Web Services had a sophisticated ransomware campaign embedded in its systems, which automatically scanned for sensitive information stored on the cloud service, then asked for a ransom for the information, with approximately 7,000 organisations targeted. The organisations were at risk due to leaked credentials, which allowed the attackers to infiltrate systems. The attack emphasises the need to check that cloud access management is well controlled and monitored to detect suspicious activity, and to audit the access keys that have been distributed. 

The recent announcement of the NCSC’s Cyber Resilience Audit scheme will hopefully reduce the risk of these providers being targeted. We look at this in more detail below. 

Cyber insurance claims down

On a more positive note, the number of cyber insurance claims has been reported to be shrinking. The cyber firm Databarracks found that two thirds of organisations have cyber insurance, suggesting more than ever now have coverage, but the proportion of organisations making claims has decreased substantially. The report suggests that more organisations have contingency plans driven by stricter insurance policies. 

National Cyber Security Centre research cyber deception

The NCSC has launched research into cyber deception technologies in the UK. These are tools that alert you of threat actors in your systems by enticing them to certain components or systems away from the higher risk elements. The intention is to understand the value and efficacy of these techniques in supporting cyber defence and to inform the NCSC’s support of these techniques. 

The NCSC is also encouraging deployment of these techniques across government and critical national infrastructure to further broaden the evidence base. If you want to feed into this research, please follow the link and express your interest to the NCSC.

New cyber resilience audit launched

The NCSC has also announced the launch of the Cyber Resilience Audit scheme. The NCSC will approve providers that conduct independent Cyber Assessment Framework-based audits. The scheme is predominantly aimed at organisations conducting audits of the public sector and critical national infrastructure. Firms interested in joining the scheme can apply here.

This will hopefully drive the development of the cyber audit profession and will be crucial in securing and building resilience in the UK, especially considering how much disruption such attacks have caused to the NHS and cloud providers.

Upcoming cyber lecture

To kick off this year’s Cyber Security Awareness month in October, ICAEW will be hosting its annual cyber lecture on 7 October with Ben Owen from Channel 4’s Hunted. He will provide a demonstration of a hacking session illustrating just how much data we all give away online each day, leaving hundreds of digital breadcrumbs to be found by cyber criminals. You can register for the event here.