Criminals steal sensitive data on UK aid projects overseas

22 April 2021

Cyber criminals have stolen sensitive data relating to British aid projects overseas, including details related to projects funded by a secretive national security fund.

The UK’s Foreign, Commonwealth and Development Office (FCDO) and experts from the National Cyber Security Centre (NCSC), an arm of GCHQ, are investigating how a “third party” came to obtain the data, according to reports.

The FCDO has also told companies and individuals involved in pitching tenders for UK government projects that their personal data has been compromised.

An email from the FCDO said: “Some of these documents included your personal details, compromising some, or all, of the following categories: your name, work and contact details, location and nationality.”

Individuals affected by the breach include those working on UK aid projects financed by the Conflict, Security and Stabilisation Fund (CSSF) - a £1bn pot of money overseen by the National Security Council. It funds projects intended to resolve conflicts and build stability overseas. 

Its most recent annual report said the fund supported programmes ranging from peacekeeping in Sudan, where the UK deployed 300 personnel, to projects designed to counter terrorism and violent extremism in the Middle East and Asia.

MPs and others have in the past expressed significant concern about the lack of transparency, accountability and leadership of the CSSF.

The information commissioner’s office has been informed of the breach and is being updated on the government’s response.

Moreover, individuals have been advised to take steps to protect themselves online as an immediate precaution by watching out for suspicious emails, calls or text messages. 

Nigel Thorpe, technical director at SecureAge, told Networking+ that while there are few details of this data breach, it seems that stored data has been compromised. “Malware delivered by email is a likely culprit but cyberattacks through breached hardware or compromised supply chain services - such as SolarWinds, or the Accellion File Transfer Appliance - are also possibilities,” Thorpe said. “Faced with software shortcomings, human error and the huge complexity of an IT infrastructure, organisations need to accept that it’s a case of when, not if they will get hacked.” Thorpe added that cybercriminals look for sensitive, compromising or financially beneficial data - much of which is considered by organisations to be inconsequential, even if they know the location of all this information. “If all data were universally encrypted then stolen data would be useless: breached? Yes, but damaged? No,” he concluded.

The data theft also coincided with news that hundreds of UK companies have been compromised as part of a global campaign linked to Chinese hackers.

Cyber-security firm Eset said more than 500 email servers in the UK may have been hacked, while many companies are not aware they are victims of the attack.

“We are living in a period in which the modern world endured not just a historic pandemic, but some of the most aggressive and costly hacking events ever seen,” Ruth Schofield, UK country manager of Danish security specialist Heimdal, told Networking+. “Hospitals, schools, clinical trials, vaccine research, supply chains, technology and cybersecurity firms and government agencies were all, in some way, shape or form, hijacked by hackers. And not just with usual state-sponsored, suspect line-up from Russia, China, Iran and North Korea but newer players, who were caught hacking one another in an attempt to glean any intelligence or advantage they could in a pandemic.”

Schofield added that while the origination and exact route of the CSSF breach are still unclear, “it’s highly probable” that it leveraged one of the traditional vectors such as insider threat, data leakage, email threat and fraud prevention. “As with every situation, prevention is better than cure and simply wishing we had been better prepared is not going to cut it,” she said.

An FCDO spokesperson said: “We take data security very seriously and we are thoroughly investigating this incident.”