A cyberespionage operation conducted by Russia’s foreign intelligence service earlier this year compromised the personal data and emails of British government officials. The attack, previously unreported, exploited a breach at Microsoft, which provides corporate services to the UK’s Home Office.
The hackers initially targeted Microsoft before leveraging their access to infiltrate the email accounts and data of several of the tech giant’s clients, including the British government. While the Home Office’s systems were not directly compromised, sensitive corporate email data shared between the department and Microsoft, and hosted by the latter, was stolen.
Microsoft first disclosed in January that a hacking group, later attributed to Russia’s SVR intelligence agency, had accessed the email accounts of its senior executives. Subsequently, the company confirmed that the hackers had also infiltrated customer emails and internal systems.
Despite Microsoft’s early warning, the Home Office only reported the incident to the UK’s data protection regulator, the ICO, in May. This delay contravenes British data protection laws, which mandate reporting data breaches within 72 hours of discovery.
The ICO has since concluded that no further action is necessary. However, experts warn that the stolen data could pose a significant risk to the UK government and its officials.
Christopher Steele, a former British intelligence officer, described the attack as part of a more aggressive stance adopted by the Kremlin since the invasion of Ukraine. James Sullivan, a cyber research director, emphasized the need for greater vendor diversity to mitigate risks associated with relying on a small number of providers for critical services.
Microsoft has denied any compromise of its customer-facing systems and claimed to have notified affected customers. However, the extent of the damage caused by the breach remains unclear.
Key Points:
- Russian hackers targeted Microsoft and exploited access to steal data from clients, including the UK government.
- Home Office data was not directly compromised, but corporate email data shared with Microsoft was stolen.
- The UK government delayed reporting the incident to the data protection regulator.
- Experts warn of the potential risks posed by the stolen data and the need for greater vendor diversity.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. Summitsystemsissp assumes no liability for the accuracy or consequences of using this information.