bbc.com
Joe TidyCyber correspondent, BBC World Service

Prepare to switch to offline systems in the event of a cyber-attack, firms are being advised.

People should plan for potential cyber-attacks by going back to pen and paper, according to the latest advice.

The government has written to chief executives across the country strongly recommending that they should have physical copies of their plans at the ready as a precaution.

A recent spate of hacks has highlighted the chaos that can ensue when hackers take computer systems down.

The warning comes as the National Cyber-Security Centre (NCSC) reported an increase in nationally significant attacks this year.

Criminal hacks on Marks and Spencer, The Co-op and Jaguar Land Rover have led to empty shelves and production lines being halted this year as the companies struggled without their computer systems.

Organisations need to "have a plan for how they would continue to operate without their IT, (and rebuild that IT at pace), were an attack to get through," said Richard Horne, chief executive of the NCSC.

Firms are being urged to look beyond cyber-security controls toward a strategy known as "resilience engineering", which focuses on building systems that can anticipate, absorb, recover, and adapt, in the event of an attack.

Plans should be stored in paper form or offline, the agency suggests, and include information about how teams will communicate without work email and other analogue work arounds.

These types of cyber attack contingency plans are not new but it's notable that the UK's cyber authority is putting the advice prominently in its annual review.

Although the total number of hacks that the NCSC dealt with in the first nine months of this year was, at 429, roughly the same as for a similar period last year, there was an increase in hacks with a bigger impact.

The number of "nationally significant" incidents represented nearly half, or 204, of all incidents. Last year only 89 were in that category.

A nationally significant incident covers cyber-attacks in the three highest categories in the NCSC and UK law enforcement categorisation model:

Category 1: National cyber-emergency.
Category 2: Highly significant incident.
Category 3: Significant incident.
Category 4: Substantial incident.
Category 5: Moderate incident.
Category 6: Localised incident.
Amongst this year's incidents, 4% (18) were in the second highest category "highly significant".

This marks a 50% increase in such incidents, an increase for the third consecutive year.

The NCSC would not give details on which attacks, either public or undisclosed, fall into which category.

But, as a benchmark, it is understood that the wave of attacks on UK retailers in the spring, which affected Marks and Spencer, The Co-op and Harrods, would be classed as a Significant incident.

One of the most serious attacks last year, on a blood testing provider, caused major problems for London hospitals. It resulted in significant clinical disruption and directly contributed to at least one patient death.

The NCSC would not say which category this incident would fall into.

The vast majority of attacks are financially motivated with criminal gangs using ransomware or data extortion to blackmail a victim into sending Bitcoins in ransom.

Whilst most cyber-crime gangs are headquartered in Russian or former Soviet countries, there has been a resurgence in teenage hacking gangs thought to be based in English-speaking countries.

So far this year seven teenagers have been arrested in the UK as part of investigations into major cyber-attacks.

As well as the advice over heightened preparations and collaboration, the government is asking organisations to make better use of the free tools and services offered by the NCSC, for example free cyber-insurance for small businesses that have completed the popular Cyber-Essentials programme.

'Basic protection'
Paul Abbott, whose Northamptonshire transport firm KNP closed after hackers encrypted its operational systems and demanded money in 2023, says it's no longer a case of "if" such incidents will happen, but when.

"We were throwing £120,000 a year at [cyber-security] with insurance and systems and third-party managed systems," Mr Abbott told BBC Radio 5 Live on Tuesday.

He said he now focuses on security, education and contingency - key to which involves planning what is needed to keep a business running in the event of an attack or outage.

"The call for pen and paper might sound old-fashioned, but it's practical," said Graeme Stewart, head of public sector at cyber-security firm Check Point, noting digital systems can be rendered "useless" once targeted by hackers.

"You wouldn't walk onto a building site without a helmet - yet companies still go online without basic protection," he added.

"Cybersecurity needs to be treated with the same seriousness as health and safety: not optional, not an afterthought, but part of everyday working life."

bbc.com
Josh Martinbusiness reporter

The carmaker says some of its customers' data has been stolen in a cyber-attack that targeted a third-party provider.

Renault UK has confirmed that some of its customers' data has been stolen in a cyber-attack that targeted a third-party data processing provider.

No customer financial data, such as passwords or bank account details, had been obtained, Renault said, but other personal data had been accessed and the carmaker warned customers to be vigilant.

The French-owned carmaker would not specify how many people could be affected "for ongoing security reasons" but said it did not anticipate any wider implications for the company, as none of Renault's own systems had been hacked.

It comes after rival Jaguar Land Rover and brewing giant Asahi have had production stopped by cyber-attacks on their systems.

Renault UK said affected people would be notified and that victims of the hack may include a wider pool of people who had entered competitions or shared data with the car company, without purchasing a vehicle.

The carmaker said the data that had been accessed by the cyber-attack included some or all of: customer names, addresses, dates of birth, gender, phone number, vehicle identification numbers and vehicle registration details.

A Renault spokesperson said: "The third-party provider has confirmed this is an isolated incident which has been contained, and we are working with it to ensure that all appropriate actions are being taken. We have notified all relevant authorities.

"We are in the process of contacting all affected customers, advising them of the cyber-attack and reminding them to be cautious of any unsolicited requests for personal information," they added.

Jaguar Land Rover was recently forced to stop production and take a £1.5bn loan underwritten by the government after being targeted by hackers at the end of August.

Earlier this year, M&S and the Co-Op were both hit by cybersecurity breaches that disrupted supply chains and customer orders, and accessed the data of shoppers.

• The Register
Mon 29 Sep 2025 // 08:01 UTC
by Danny Bradbury

Feature: Guess how much of our direct transatlantic data capacity runs through two cables in Bude?

The first transatlantic cable, laid in 1858, delivered a little over 700 messages before promptly dying a few weeks later. 167 years on, the undersea cables connecting the UK to the outside world process £220 billion in daily financial transactions. Now, the UK Parliament's Joint Committee on National Security Strategy (JCNSS) has told the government that it has to do a better job of protecting them.

The Committee's report, released on September 19, calls the government "too timid" in its approach to protecting the cables that snake from the UK to various destinations around the world. It warns that "security vulnerabilities abound" in the UK's undersea cable infrastructure, when even a simple anchor-drag can cause major damage.

There are 64 cables connecting the UK to the outside world, according to the report, carrying most of the country's internet traffic. Satellites can't shoulder the data volumes involved, are too expensive, and only account for around 5 percent of traffic globally.

These cables are invaluable to the UK economy, but they're also difficult to protect. They are heavily shielded in the shallow sea close to those points. That's because accidental damage from fishing operations and other vessels is common. On average, around 200 cables suffer faults each year. But as they get further out, the shielding is less robust. Instead, the companies that lay the cables rely on the depth of the sea to do its job (you'll be pleased to hear that sharks don't generally munch on them).

The report praises a strong cable infrastructure, and admits that in some areas at least we have the redundancy in the cable infrastructure to handle disruptions. For example, it notes that 75 percent of UK transatlantic traffic routes through two cables that come ashore in Bude, Cornwall. That seems like quite the vulnerability, but it acknowledges that we have plenty of infrastructure to route around if anything happened to them. There is "no imminent threat to the UK's national connectivity," it soothes.

But it simultaneously cautions against adopting what it describes as "business-as-usual" views in the industry. The government "focuses too much on having 'lots of cables' and pays insufficient attention to the system's actual ability to absorb unexpected shocks," it frets. It warns that "the impacts on connectivity would be much more serious," if onward connections to Europe suffered as part of a coordinated attack.

"While our national connectivity does not face immediate danger, we must prepare for the possibility that our cables can be threatened in the event of a security crisis," it says.

Reds on the sea bed
Who is the most likely to mount such an attack, if anyone? Russia seems front and center, according to experts. It has reportedly been studying the topic for years. Keir Giles, director at The Centre for International Cyber Conflict and senior consulting fellow of the Russia and Eurasia Programme at Chatham House, argues that Russia has a long history of information warfare that stepped up after it annexed Crimea in 2014.

"The thinking part of the Russian military suddenly decided 'actually, this information isolation is the way to go, because it appears to win wars for us without having to fight them'," Giles says, adding that this approach is often combined with choke holds on land-based information sources. Cutting off the population in the target area from any source of information other than what the Russian troops feed them achieves results at low cost.

In a 2021 paper he co-wrote for the NATO Cooperative Cyber Defence Centre of Excellence, he pointed to the Glavnoye upravleniye glubokovodnykh issledovaniy (Main Directorate for Deep-Water Research, or GUGI), a secretive Russian agency responsible for analyzing undersea cables for intelligence or disruption. According to the JCNSS report, this organization operates the Losharik, a titanium-hulled submarine capable of targeting cables at extreme depth.

Shenanigans under the sea
You don't need a fancy submarine to snag a cable, as long as you're prepared to do it in plain sight closer to the coast. The JNCSS report points to several incidents around the UK and the Baltics. November last year saw two incidents. In the first, Chinese-flagged cargo vessel Yi Peng 3 dragged its anchor for 300km and cut two cables between Sweden and Lithuania. That same month, the UK and Irish navies shadowed Yantar, a Russian research ship loitering around UK cable infrastructure in the Irish sea.

The following month saw Cook Islands-flagged ship Eagle S damage one power cable and three data cables linking Finland and Estonia. This May, unaffiliated vessel Jaguar approached an underseas cable off Estonia and was escorted out of the country's waters.

The real problem with brute-force physical damage from vessels is that it's difficult to prove that it's intentional. On one hand, it's perfect for an aggressor's plausible deniability, and could also be a way to test the boundaries of what NATO is willing to tolerate. On the other, it could really be nothing.

"Attribution of sabotage to critical undersea infrastructure is difficult to prove, a situation significantly complicated by the prevalence of under-regulated and illegal shipping activities, sometimes referred to as the shadow fleet," a spokesperson for NATO told us.

"I'd push back on an assertion of a coordinated campaign," says Alan Mauldin, research director at analyst company TeleGeography, which examines undersea cable infrastructure warns. He questions assumptions that the Baltic cable damage was anything other than a SNAFU.

The Washington Post also reported comment from officials on both sides of the Atlantic that the Baltic anchor-dragging was probably accidental. Giles scoffs at that. "Somebody had been working very hard to persuade countries across Europe that this sudden spate of cables being broken in the Baltic Sea, one after another, was all an accident, and they were trying to say that it's possible for ships to drag their anchors without noticing," he says.

One would hope that international governance frameworks could help. The UN Convention on the Law of the Sea [PDF] has a provision against messing with undersea cables, but many states haven't enacted the agreement. In any case, plausible deniability makes things more difficult.

"The main challenge in making meaningful governance reforms to secure submarine cables is figuring out what these could be. Making fishing or anchoring accidents illegal would be disproportionate," says Anniki Mikelsaar, doctoral researcher at Oxford University's Oxford Internet Institute. "As there might be some regulatory friction, regional frameworks could be a meaningful avenue to increase submarine cable security."

The difficulty in pinning down intent hasn't stopped NATO from stepping in. In January it launched Baltic Sentry, an initiative to protect undersea infrastructure in the region. That effort includes frigates, patrol aircraft, and naval drones to keep an eye on what happens both above and below the waves.

Preparing for the worst
Regardless of whether vessels are doing this deliberately or by accident, we have to be prepared for it, especially as cable installation shows no sign of slowing. Increasing bandwidth needs will boost global cable kilometers by 48 percent between now and 2040, says TeleGeography, adding that annual repairs will increase 36 percent between now and 2040.

"Many cable maintenance ships are reaching the end of their design life cycle, so more investment into upgrading the fleets is needed. This is important to make repairs faster," says Mikelsaar.

There are 62 vessels capable of cable maintenance today, and TeleGeography predicts that'll be enough for the next 15 years. However, it takes time to build these vessels and train the operators, meaning that we'll need to start delivering new vessels soon.

The problem for the UK is that it doesn't own any of that repair capacity, says the JNSS. It can take a long time to travel to a cable and repair it, and ships can only work on one at a time. The Committee reported that the UK doesn't own any sovereign repair capacity, and advises that it gets some, prescribing a repair ship by 2030.

"This could be leased to industry on favorable terms during peacetime and made available for Government use in a crisis," it says, adding that the Navy should establish a set of reservists that will be trained and ready to operate the vessel.

Sir Chris Bryant MP, the Minister for Data Protection and Telecoms, told the Committee it that it was being apocalyptic and "over-egging the pudding" by examining the possibility of a co-ordinated attack. "We disagree," the Committee said in the report, arguing that the security situation in the next decade is uncertain.

"Focusing on fishing accidents and low-level sabotage is no longer good enough," the report adds. "The UK faces a strategic vulnerability in the event of hostilities. Publicly signaling tougher defensive preparations is vital, and may reduce the likelihood of adversaries mounting a sabotage effort in the first place."

To that end, it has made a battery of recommendations. These include building the risk of a coordinated campaign against undersea infrastructure into its risk scenarios, and protecting the stations - often in remote coastal locations - where the cables come onto land.

The report also recommends that the Department for Science, Innovation and Technology (DSIT) ensures all lead departments have detailed sector-by-sector technical impact studies addressing widespread cable outages.

"Government works around the clock to ensure our subsea cable infrastructure is resilient and can withstand hostile and non-hostile threats," DSIT told El Reg, adding that when breaks happen, the UK has some of the fastest cable repair times in the world, and there's usually no noticeable disruption."

"Working with NATO and Joint Expeditionary Force allies, we're also ensuring hostile actors cannot operate undetected near UK or NATO waters," it added. "We're deploying new technologies, coordinating patrols, and leading initiatives like Nordic Warden alongside NATO's Baltic Sentry mission to track and counter undersea threats."

Nevertheless, some seem worried. Vili Lehdonvirta, head of the Digital Economic Security Lab (DIESL) and professor of Technology Policy at Aalto University, has noticed increased interest from governments and private sector organizations alike in how much their daily operations depend on oversea connectivity. He says that this likely plays into increased calls for digital sovereignty.

"The rapid increase in data localization laws around the world is partly explained by this desire for increased resilience," he says. "But situating data and workloads physically close as opposed to where it is economically efficient to run them (eg. because of cheaper electricity) comes with an economic cost."

So the good news is that we know exactly how vulnerable our undersea cables are. The bad news is that so does everyone else with a dodgy cargo ship and a good poker face. Sleep tight.

– Krebs on Security
U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

The Wall Street Journal
By
Dominic Chopping
Follow
Updated Sept. 29, 2025 6:39 am ET

Jaguar Land Rover discovered a cyberattack late last month, forcing the company to shut down its computer systems and halt production.

Jaguar Land Rover will restart some sections of its manufacturing operations in the coming days, as it begins its recovery from a cyberattack that has crippled production for around a month.

“As the controlled, phased restart of our operations continues, we are taking further steps towards our recovery and the return to manufacture of our world‑class vehicles,” the company said in a statement Monday.

The news comes a day after the U.K. government stepped in to provide financial support for the company, underwriting a 1.5 billion-pound ($2.01 billion) loan guarantee in a bid to support the company’s cash reserves and help it pay suppliers.

The loan will be provided by a commercial bank and is backed by the government’s export credit agency. It will be paid back over five years.

“Jaguar Land Rover is an iconic British company which employs tens of thousands of people,” U.K. Treasury Chief Rachel Reeves said in a statement Sunday.

“Today we are protecting thousands of those jobs with up to 1.5 billion pounds in additional private finance, helping them support their supply chain and protect a vital part of the British car industry,” she added.

The U.K. automaker, owned by India’s Tata Motors, discovered a cyberattack late last month, forcing the company to shut down its computer systems and halt production.

The company behind Land Rover, Jaguar and Range Rover models, has been forced to repeatedly extend the production shutdown over the past few weeks as it races to restart systems safely with the help of cybersecurity experts flown in from around the globe, the U.K.’s National Cyber Security Centre and law enforcement.

Last week, the company began a gradual restart of its operations, bringing some IT systems back online. It has informed suppliers and retail partners that sections of its digital network is back up and running, and processing capacity for invoicing has been increased as it works to quickly clear the backlog of payments to suppliers.

JLR has U.K. plants in Solihull and Wolverhampton in the West Midlands, in addition to Halewood in Merseyside. It is one of the U.K.’s largest exporters and a major employer, employing 34,000 directly in its U.K. operations. It also operates the largest supply chain in the U.K. automotive sector, much of it made up of small- and medium-sized enterprises, and employing around 120,000 people, according to the government.

Labor unions had warned that thousands of jobs in the JLR supply chain were at risk due to the disruption and had urged the government to step in with a furlough plan to support them.

U.K. trade union Unite, which represents thousands of workers employed at JLR and throughout its supply chain, said the government’s loan guarantee is an important first step.

“The money provided must now be used to ensure job guarantees and to also protect skills and pay in JLR and its supply chain,” Unite general secretary Sharon Graham said in a statement.

• GOV.UK
  From:
  Cabinet Office, Public Sector Fraud Authority and Josh Simons MP
  Published
  24 September 2025

Government stops over £480 million ending up in the pockets of fraudsters over twelve months since April 2024 - more money than ever before.

Government stops over £480 million ending up in the pockets of fraudsters over twelve months since April 2024 - more money than ever before.
New technology and artificial intelligence turns the tide in the fight against public sector fraud, with new tech to prevent repeat of Covid loan fraud.
Over a third of the money saved relates to fraud committed by companies and people during the pandemic.
Crackdown means more funding for schools, hospitals and vital public services to deliver the Plan for Change.
Fraudsters have been stopped from stealing a record £480 million from the taxpayer in the government’s biggest ever fraud crackdown, meaning more money can be used to recruit nurses, teachers and police officers as part of the Plan for Change.

Over a third of the money saved (£186 million) comes from identifying and recovering fraud committed during the Covid-19 pandemic. Government efforts to date have blocked hundreds of thousands of companies with outstanding or potentially fraudulent Bounce Back Loans from dissolving before they would have to pay anything back. We have also clawed back millions of pounds from companies that took out Covid loans they were not entitled to, or took out multiple loans when only entitled to one.

This builds on successful convictions in recent months to crack down on opportunists who exploited the Bounce Back Loan Scheme for their own gain, including a woman who invented a company and then sent the loan money to Poland.

Alongside Covid fraud, the record savings reached in the year to April 2025 include clamping down on people unlawfully claiming single persons council tax discount and removing people from social housing waitlists who wanted to illegally sublet their discounted homes at the taxpayers’ expense.

Announcing the record figures at an anti-fraud Five Eyes summit in London, Cabinet Office Minister Josh Simons said:

Working people expect their taxes to go towards schools, hospitals, roads and the services they and their families use. That money going into the hands of fraudsters is a betrayal of their hard work and the system of paying your fair share. It has to stop.

That’s why this government has delivered the toughest ever crackdown on fraud, protecting almost half a billion pounds in under 12 months.

We’re using cutting-edge AI and data tools to stay one step ahead of fraudsters, making sure public funds are protected and used to deliver public services for those who need them most - not line the pockets of scammers and swindlers.

The savings have been driven by comparing different information the government holds to stop people falsely claiming benefits and discounts that they’re clearly not eligible for.

The high-tech push brought around £110m back to the exchequer more than the year before, and comes as the government pushes to save £45 billion by using tech to make the public sector more productive, saving money for the NHS and police forces to deliver the Plan for Change.

The Minister will also unveil a new AI fraud prevention tool that has been built by the government and will be used across all departments after successful tests.

The AI system scans new policies and procedures for weaknesses before they can be exploited, helping make new policies fraud-proof when they are drafting them. The tool could be essential in stopping fraudsters from taking advantage of government efforts to help people in need amid future emergencies.

It has been designed to prevent the scale of criminality seen through the Covid pandemic, where millions were lost to people falsely taking advantage of furlough, Covid Grants and Bounce Back Loans.

Results from early tests show it could save thousands of hours and help prevent millions in potential losses, slashing the time to identify fraud risks by 80% while preserving human oversight.

The UK will also licence the technology internationally, with Five Eyes partners at the summit considering adoption as part of strengthening global efforts to stop fraud and demonstrating Britain’s role at the forefront of innovation.

The summit will bring together key allies and showcase the government’s unprecedented use of artificial intelligence, data-matching and specialist investigators to target fraud across more than a thousand different schemes.

At the summit, Cabinet Office Minister Josh Simons will describe how the record crackdown has been achieved:

Over £68 million of wrongful pension payments were prevented across major public sector pension schemes, including the Local Government Pension Scheme, NHS Pension Scheme, Civil Service Pensions and Armed Forces pension schemes. These savings were achieved by identifying cases where pension payments continued after the individual had died, often with relatives continuing to claim benefits they were not entitled to.
More than 2,600 people were removed from housing waiting lists they weren’t entitled to be on, including individuals who were subletting or had multiple tenancies unlawfully.
Over 37,000 fraudulent single-person council tax discount claims were stopped, saving £36 million for local councils and taxpayers. These false claims, often made by individuals misrepresenting their household size to secure a 25% discount, were uncovered using advanced data-matching.
Today’s announcement follows extensive progress on fraud in the last 12 months, including the appointment of a Covid Counter-Fraud Commissioner, introduced the Public Authorities Fraud, Error and Recovery Bill, and boosted AI-driven detection, saving hundreds of millions and strengthening public sector fraud prevention – driven by the Public Sector Fraud Authority.

The majority of the £480 million saved is taxpayer money, with a portion from private sector partners, such as insurance and utilities companies, helping lower consumer costs and support UK business growth.

therecord.media Alexander Martin
September 17th, 2025

Shares in a British automaker supplier plummeted 55% Wednesday as it warned that a cyberattack on Jaguar Land Rover (JLR) was impacting its business, adding to concerns that the incident is sending a “shockwave” through the country’s industrial sector, according to a senior politician.

Shares in Autins, a company providing specialist insulation components for Jaguar vehicles, opened 55% below its Tuesday closing price on the AIM exchange for smaller companies. As of publication the price recovered slightly to a 40% drop.

In a trading update the company acknowledged that JLR stopping all production since the cyberattack on September 1 was having a material effect on its own operations. Its chief executive, Andy Bloomer, told investors the attack was “concerning not just for Autins, but the wider automotive supply chain.”

Bloomer added the true impact of the disruption “will not be known for some time,” but that Autins was “doing everything possible to protect our business now and ensure we are ready to benefit as we come out the other side.”

These protective measures have included using banked hours for employees, delaying and cancelling raw material orders, as well as pausing discretionary spend across the business. Autins employed 148 people and recorded revenues of just over £31 million last year, according to its annual results.

It comes as Liam Byrne, a Labour MP for Birmingham Hodge Hill and Solihull North — one of the United Kingdom’s parliamentary constituencies in a region dominated by automotive manufacturing — warned the JLR disruption was “a cyber shockwave ripping through our industrial heartlands.”

“If government stands back, that shockwave is going to destroy jobs, businesses, and pay packets across Britain. Ministers must step up fast with emergency support to stop this digital siege at JLR spreading economic havoc through the supply chain,” stated Byrne.

It follows JLR announcing on Tuesday that its global operations would remain shuttered until at least the middle of next week. Thousands of JLR employees have been told not to report for work due to the standstill.

Reports suggest that thousands more workers at supply-chain businesses are also being temporarily laid off due to the shutdown. The Unite union has called on the government to provide a furlough scheme to support impacted workers.

The extended disruption is increasing the costs of the incident for JLR, which is one of Britain’s most significant industrial producers — accounting for roughly 4% of goods exports last year — and risks damaging the British economy as a whole.

Lucas Kello, the director of the University of Oxford's Academic Centre of Excellence in Cyber Security Research, told Recorded Future News last week: “This is more than a company outage — it’s an economic security incident.”

A spokesperson for the Department of Business and Trade did not respond to a request for comment. The Prime Minister's official spokesman previously stated there were "no discussions around taxpayers' money" being used to help JLR suppliers.

| The Record from Recorded Future News Alexander Martin
September 18th, 2025

Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year.

The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, had been arrested at their homes at lunchtime on Tuesday.

The Crown Prosecution Service authorized charges against both men on Wednesday night under the Computer Misuse Act, alleging they conspired to commit unauthorized acts against TfL, which was hacked in August 2024. Flowers had initially been arrested over the the transit agency attack in September 2024, but released on bail.

The NCA said its officers also discovered additional potential evidence that Flowers had been involved in attacks against U.S. healthcare companies following his arrest. Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health.

Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The U.S. Department of Justice also unsealed a complaint against Jubair on Thursday, accusing him of computer crimes.

The men are set to appear at Westminster Magistrates’ Court at 2 p.m. on Thursday. In England and Wales, criminal cases begin with a first hearing in a magistrates’ court where it is decided whether the case will proceed to a Crown Court for a jury trial — required for all cases where the sentence could exceed 12 months.

The specific charges against both men are “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.

Magistrates’ courts also decide whether a defendant can be released on bail. Prosecutors are seeking to have both men remanded in custody until they can face trial.

Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”

It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.

“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.

Hannah Von Dadelszen, the CPS’ chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”

The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.

Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.

san.com straightarrownews Sep 08, 2025 at 06:20 PM GMT+2
Mikael Thalen (Tech Reporter)

Summary
Sensitive data leaked
More than 2,000 files linked to former U.K. Prime Minister Boris Johnson were stolen by hackers and leaked online.

‘Devastating’ breach
Cybersecurity experts describe the leak as a serious exposure of data belonging to a world leader.

‘High-priority target’
A former U.K. official says the breach could be related to an influence campaign by a foreign adversary.

Full story
Leaked computer files tied to former U.K. Prime Minister Boris Johnson offer an unprecedented glimpse into a scandal over COVID-19 protocols, his response to the Ukraine war and his private views on world leaders, including Russian President Vladimir Putin. The hack also found documents pitching a reality television show.

Taken together, the files paint an intimate portrait of the former politician’s day-to-day activities, including during his time as prime minister from 2019 to 2022.

Straight Arrow News obtained the more than 2,000 files from the nonprofit leak archiver DDoSecrets. Unidentified hackers quietly posted the data online last year, according to DDoSecrets co-founder Emma Best, but it has not been previously reported.

SAN sent an inquiry to Johnson’s office, where the data appears to have originated, as well as to Johnson’s personal email address, but did not receive a reply.

Little is known about the details surrounding the breach and those responsible. But cybersecurity experts describe the data leak as a serious exposure of information in the hands of a world leader.

“It’s obviously a devastating compromise if personal emails, documents and the like have been collected and breached,” Shashank Joshi, visiting fellow at the Department of War Studies at King’s College London, told SAN.

World leaders are regularly targeted by both criminal and nation-state hackers. In 2020, according to researchers at Citizen Lab, the University of Toronto-based group that specializes in spyware detection, multiple phones at Johnson’s office and the foreign office were compromised.

That attack, which Citizen Lab linked to the United Arab Emirates, was carried out with the advanced Israeli-made spyware known as Pegasus. Both the UAE and NSO Group, the company behind the spyware, denied involvement.

Rob Pritchard, the former deputy head of the U.K.’s Cyber Security Operations Centre and founder of the consulting firm The Cyber Security Expert, told SAN that it is entirely possible that the hack of Johnson could be tied to an influence operation from a foreign adversary.

“I think this really highlights the importance of ensuring good practices when it comes to cybersecurity, especially for high-profile individuals,” Pritchard said. “Ex-prime ministers will undoubtedly still be very high-priority targets for a range of countries, and their private office will hold sensitive information, if not actually classified information in the strict sense.”

‘Security briefing: Nuclear’
A folder titled “Travel” underscores the hack’s intrusiveness.

It includes photos of Johnson’s passport and driver’s license, as well as his visa information for Australia, Canada, Kurdistan, Saudi Arabia and the U.S. Identifying documents for family and staff are also present.

Itineraries outlining visits to numerous countries offer insight into Johnson’s routine. One U.S. visit, which does not include a date but appears to have been during President Donald Trump’s first term, shows efforts by Johnson to meet prominent politicians, such as Sen. Ted Cruz, R-Texas, former National Security Adviser John Bolton, former United Nations Ambassador Nikki Haley and Florida Gov. Ron DeSantis.

Other itineraries, including one for a November 2023 visit to Israel, mention Johnson’s security measures. The document states that although Johnson did not bring a protection force of his own, “4 Israeli private security agents” would look after his group while “on the ground.”

Documents related to a November 2022 visit to Egypt show the names and phone numbers of two individuals tasked with protecting Johnson while in the city of Sharm El-Sheikh. The travel folder also contains documents related to VIP suite bookings at London Gatwick Airport and COVID-19 vaccination records for those traveling with Johnson.

Another folder called “Speeches” contains dozens of notes and transcripts for talks by Johnson both during and after his tenure. Invoices show how much Johnson charged for several speaking engagements in 2024 after leaving office, including $350,000 for a speech to Masdar, a clean energy company in the UAE. After deductions, however, Johnson appears to have pocketed $94,459.08.

The usernames, passwords, phone numbers and email addresses used for Johnson’s accounts on Facebook, Instagram, Twitter, LinkedIn, Snapchat and Threads are exposed as well in a file marked “confidential.”

Another folder, labeled “DIARY,” includes Johnson’s daily schedules, marked as both “sensitive” and “confidential,” during his time as prime minister. One schedule from July 2019 simply states, “Security briefing: Nuclear.” Another entry from that month: “Telephone call with the President of the United States of America, Donald Trump.”

‘Partygate’
A folder titled “Notebooks” includes scans of hundreds of pages of Johnson’s handwritten notes. Many sections have been redacted with “National Security” warnings.

SAN confirmed that the documents are related to the U.K.’s independent public inquiry into the COVID-19 pandemic, which required Johnson to hand over copies of his diaries and notebooks. Although many of the documents related to the inquiry were made public, those obtained by SAN were not.

The investigation found that Johnson attended numerous social gatherings during the pandemic in breach of COVID-19 lockdown regulations. The ensuing scandal, known as “Partygate,” ultimately led to Johnson’s resignation.

In one notebook entry dated March 19, 2020, Johnson writes that “some very difficult rationing decisions” would be required because of the pandemic’s strain on the U.K.’s medical system.

Another entry regarding the 2021 G7 summit in Cornwall, England, highlights the issues Johnson planned to discuss with numerous world leaders, including former President Joe Biden, French President Emmanuel Macron and former German Chancellor Angela Merkel.

‘It would only take one missile’
The data cache contains 160 emails from the first 22 months following Johnson’s tenure as prime minister. They appear to have come from the account of Johnson’s senior adviser.

These emails discuss Johnson’s private endeavors, including a document pitching a reality TV show to popular streaming platforms, complete with AI-generated photos of the former world leader.

One of the later emails contained in the breach, dated June 10, 2024, shows attempts by the U.K.’s National Security Secretariat to schedule a meeting with Johnson regarding “a sensitive security issue” almost two years after he left office.

The email, sent on behalf of Deputy National Security Adviser Matt Collins, noted a “strong preference” for an in-person meeting with the former prime minister. It’s unclear what spurred the meeting request and whether it was related to the breach.
The final folder from the leaked data involves the Russian invasion of Ukraine.

Notes on a widely reported phone call between Johnson and Russian President Vladimir Putin from February 2022 offer insight into the former prime minister’s thinking. The conversation is described by Johnson, who makes specific mention of Putin’s use of profanity, as “weirdly intimate in tone.”

Johnson also claims that Putin said, “I don’t want to hurt you boris but it would only take one missile.”

Johnson later revealed the threat in a 2023 documentary by the BBC. A Kremlin spokesperson responded by calling the claim a “lie.”

In another entry dated “25 October,” Johnson reminds himself to “call Putin” with an invite to a United Nations Climate Change Conference. Johnson notes that such events are “not really his bag since it is all about moving beyond hydrocarbons and he is paranoid about covid.”

The leak also contains a U.K. Defense Intelligence document dated December 2022 regarding the status of a nuclear power plant in Ukraine. The document includes numerous classification labels, such as sensitive, which denotes that it is not intended for public release. Other markings show that the document may only be shared with international partners in the European Union, NATO, Australia and New Zealand.

The U.K.’s Cabinet Office, which supports the prime minister, did not provide a statement when contacted by SAN.

Alan Judd (Content Editor) and Devin Pavlou (Digital Producer) contributed to this report.

oxfordmail.co.uk | Oxford Mail By Madeleine Evans
Digital reporter

The Clarkson's Farm presenter said The Farmer's Dog pub in Burford has been the latest victim of cyber criminals, the same ones who launched massive attacks on M&S and Co-op in recent months.

Writing in his Sun column, the TV presenter-turned-farmer explained that the popular country pub had been hit too.

The former journalist wrote: "So, Jaguar Land Rover had to shut down its production lines this week after systems were breached by computer hackers. And we are told similar attacks were launched in recent months on both M&S and the Co-op.

"But no one thought to mention that my pub, The Farmer’s Dog, has been hit too. It was though.

"Someone broke into our accounting system and helped themselves to £27,000."

The former Top Gear host purchased The Windmill pub in Asthall near Burford for around £1,000,000.

The pub reopened to the public one year ago on August 22, 2024, at midday after being renamed The Farmer’s Dog.

Since it's opening, the 65-year-old celebrity owner has described running it as "more stressful" than running the farm.

The cyber attack comes as the latest set back in a string of difficulties facing the Diddly Squat farmer, as he's come up against local councils, Oxfordshire residents and farming issues all documented in his hit Amazon Prime series Clarkson's Farm.

Series four of the documentary show was released across May and June this year, with eight new episodes dropping on Prime Video.

ncsc.gov.uk The NCSC and international partners share technical details of malicious activities and urge organisations to take mitigative actions.

GCHQ’s National Cyber Security Centre and international partners link three China-based companies to campaign targeting foreign governments and critical networks.
Commercial cyber ecosystem with links to the Chinese intelligence services has enabled global malicious activity.
New advisory supports UK organisations in critical sectors bolster their security against China state-sponsored cyber activity
Network defenders urged to proactively hunt for activity and take steps to mitigate threat from attackers exploiting avoidable weaknesses
The UK and international allies have today (Wednesday) publicly linked three technology companies based in China with a global malicious cyber campaign targeting critical networks.

In a new advisory published today, the National Cyber Security Centre (NCSC) – a part of GCHQ - and international partners from twelve other countries have shared technical details about how malicious cyber activities linked with these China-based commercial entities have targeted nationally significant organisations around the world.

Since at least 2021, this activity has targeted organisations in critical sectors including government, telecommunications, transportation, lodging, and military infrastructure globally, with a cluster of activity observed in the UK.

The activities described in the advisory partially overlaps with campaigns previously reported by the cyber security industry most commonly under the name Salt Typhoon.

The data stolen through this activity can ultimately provide the Chinese intelligence services the capability to identify and track targets’ communications and movements worldwide.

The advisory describes how the threat actors have had considerable success taking advantage of known common vulnerabilities rather than relying on bespoke malware or zero-day vulnerabilities to carry out their activities, meaning attacks via these vectors could have been avoided with timely patching.

Organisations of national significance in the UK are encouraged to proactively hunt for malicious activity and implement mitigative actions, including ensuring that edge devices are not exposed to known vulnerabilities and implementing security updates.

NCSC Chief Executive Dr Richard Horne said:

“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale.

“It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors who have been exploiting publicly known – and so therefore fixable – vulnerabilities.

“In the face of sophisticated threats, network defenders must proactively hunt for malicious activity, as well as apply recommended mitigations based on indicators of compromise and regularly reviewing network device logs for signs of unusual activity.”

The UK has led globally in helping to improve cyber risk management with leading legislation including the Telecommunications (Security) Act 2021 and the associated Code of Practice, for which the NCSC was the technical authority.

The government's forthcoming Cyber Security and Resilience Bill will further strengthen the UK’s cyber defences, protecting the services the public rely on to go about their normal lives.

The NCSC and government partners have previously warned about the growing range of cyber threats facing critical sectors and provides a range of guidance and resources to improve resilience.

The NCSC's Early Warning service provides timely notifications about potential security issues, including known vulnerabilities, and malicious activities affecting users’ networks. All UK organisations can sign up to this free service.

The three China-based technology companies provide cyber-related services to the Chinese intelligence services and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire.

The named entities are: Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd.

The NCSC has co-sealed this advisory alongside agencies from the United States, Australia, Canada, New Zealand, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain.

telegraph.co.uk 2025/08/17/ - Lazarus cyber gang believed to have used stolen funds to boost military and nuclear programmes

North Korean hackers have been accused of a £17m Bitcoin heist that brought down a UK-based cryptocurrency company.

Lazarus, the hermit kingdom’s notorious cyber gang, has been identified as the potential culprit behind the theft of cryptocurrency from Lykke, a trading platform incorporated in Britain.

If confirmed, it would be North Korea’s biggest-known cryptocurrency heist to target Britain. The pariah state has made billions in recent years stealing cryptocurrency to fund its military and nuclear programmes.

Lykke was founded in 2015 and operated from Switzerland but was registered in the UK. The company said last year that it had lost $22.8m (£16.8m) in Bitcoin, Ethereum and other cryptocurrencies, forcing it to halt operations.

In March a judge ordered the company to be liquidated after a legal campaign from more than 70 affected users.

North Korea was named as the potential hacker in a recent report by the Office of Financial Sanctions Implementation (OFSI), a branch of the Treasury.

“The attack has been attributed to malicious Democratic People’s Republic of Korea cyberactors, who stole funds on both the Bitcoin and Ethereum networks,” it said.

The Treasury said the OFSI did not reveal the sources of its information but that it worked closely with law enforcement.

Lazarus had been separately blamed for the attack on Lykke by Whitestream, an Israeli cryptocurrency research company.

It said the attackers had laundered the stolen funds through two other cryptocurrency companies notorious for allowing users to hide their tracks, and thus avoid money-laundering controls.

Other researchers have disagreed with the conclusions, saying it is not currently possible to determine who hacked the exchange.

Lykke was founded by Richard Olsen, a great-grandson of the Swiss banking patriarch Julius Baer, and offered cryptocurrency trading without transaction fees.

The company was run out of Zug in Switzerland’s so-called “crypto valley” but its corporate entity was registered in Britain.

In 2023, the Financial Conduct Authority issued a warning about the company, saying it was not registered or authorised to offer financial services for consumers in Britain.

Despite saying it would be able to return customers’ funds, it froze trading after the hack and officially shut down last December.

The company was liquidated in March following a winding up petition in the UK courts brought by a group of customers, who say they have lost £5.7m as a result of the company shutting down.

Interpath Advisory has been appointed to distribute the remaining funds to those who lost money. Its Swiss parent was placed into liquidation last year.

Mr Olsen was declared bankrupt in January and is the subject of criminal investigations in Switzerland, according to British legal filings. He did not respond to requests for comment.

uk.news.yahoo.com - Records show hundreds of data breaches involving HMRC staff

HM Revenue and Customs (HMRC) has revealed that hundreds of staff have accessed the records of taxpayers without permission or breached security in other ways. HMRC dismissed 50 members of staff last year for accessing or risking the exposure of taxpayers’ records, according to The Telegraph.

354 tax employees have been disciplined for data security breaches since 2022, of whom 186 have been fired - and some were dismissed for accessing confidential information. HMRC holds sensitive data including salary and earnings, which staff cannot access without a good reason.

In an email to staff, the line manager of the claimant wrote: “There have been more incidents of this recently.”

John Hood, of accountants Moore Kingston Smith, said: “Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.”

HMRC’s annual report shows there were six incidents last year of employees changing customer records without permission, and two of staff losing inadequately protected devices.

A spokesman for HMRC said: “Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. We take the security of customers’ data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.”

Bern, 29.07.2025 — The Office of the Attorney General of Switzerland (OAG) has been conducting criminal proceedings since 2022 in the matter of a large-scale phishing series. Fake e-banking login pages had been used to defraud numerous Swiss bank customers, resulting in losses of around CHF 2.4 million. In this context, the OAG took over about thirty cases from the cantons. The investigations conducted by the OAG and fedpol led to the identification and location of the developer and distributor of phishing kit in the UK. The case was taken over by the British authorities, who were already conducting similar proceedings against the individual involved. He was sentenced by a court in the UK on 23 July 2025 to seven years imprisonment. This success demonstrates the importance of international cooperation in the fight against cybercrime.

In July 2022, the Office of the Attorney General of Switzerland (OAG) initiated criminal proceedings against persons unknown on suspicion of computer fraud (Art. 147 para. 1 in conjunction with para. 2 Swiss Criminal Code (SCC)) in connection with an extensive phishing series. Prior to this, several cantonal public prosecutor's offices had already initiated proceedings in around 30 cases in connection with the same matter, which the OAG subsequently took over and joined in its proceedings. In August 2023, following the identification of the developer and distributor of the phishing kit, criminal proceedings were extended to this person.

Real-time phishing on a grand scale

Between May 2022 and September 2022, unknown perpetrators created and used several fake login websites (phishing pages) for various Swiss banks, using what is known as a phishing kit. Bank customers who used Google Search to access their account ended up on the phishing pages posted as adverts and fell victim to the scam when they attempted to log into their supposed e-banking accounts. As a result, their e-banking access data were intercepted unbeknown to them, enabling the perpetrators to use the stolen access data to log into the victim's e-banking accounts and enable the two-factor authentication. The victims still believed that they were on the bank's real website and authenticated the login by entering the authentication code they received by text message on the phishing page. As a result, the perpetrators gained access to their authentication codes. This enabled them to successfully log into the victims' e-banking accounts and register an additional device with the bank to confirm two-factor authentication. The perpetrators were then able to log into the victims’ e-banking accounts without any further action by the victims and initiate payments without their knowledge or consent. The damage caused to the injured parties in the Swiss criminal proceedings amounts to CHF 2.4 million.

Successful cooperation with the UK, Europol and Eurojust

The intensive investigations conducted by the OAG and fedpol resulted in the identification and localisation of a British national who had developed and distributed the phishing kit. The OAG and fedpol's subsequent close cooperation with Europol, Eurojust and UK law enforcement authorities led to the arrest and prosecution in the UK of the developer and seller of the phishing kit. As the UK authorities were already conducting similar proceedings against this person, they took over the Swiss proceedings at the OAG’s request, continuing them in the UK. The OAG subsequently discontinued its criminal proceedings. On 23 July 2025, the perpetrator was sentenced in the UK to seven years imprisonment for his offences (press release from the Crown Prosecution Service). This success demonstrates the importance and effectiveness of international cooperation in tackling the fight against the ever-increasing cybercrime.

theguardian.com - Conservative government used superinjuction to hide error that put Afghans at risk and led to £2bn mitigation scheme.

Thousands of Afghans relocated to UK under secret scheme after data leak
Conservative government used superinjuction to hide error that put Afghans at risk and led to £2bn mitigation scheme

What we know about the secret Afghan relocation scheme
Afghan nationals: have you arrived in the UK under the Afghan Response Route?
Dan Sabbagh and Emine Sinmaz
Tue 15 Jul 2025 22.07 CEST
Share
Conservative ministers used an unprecedented superinjunction to suppress a data breach that led the UK government to offer relocation to 15,000 Afghans in a secret scheme with a potential cost of more than £2bn.

The Afghan Response Route (ARR) was created in haste after it emerged that personal information about 18,700 Afghans who had applied to come to the UK had been leaked in error by a British defence official in early 2022.

Panicked ministers and officials at the Ministry of Defence learned of the breach in August 2023 after data was posted to a Facebook group and applied to the high court for an injunction, the first sought by a British government – to prevent any further media disclosure.

It was feared that publicity could put the lives of many thousands of Afghans at risk if the Taliban, who had control of the country after the western withdrawal in August 2021, were to become aware of the existence of the leaked list and to obtain it.

The judge in the initial trial, Mr Justice Knowles, granted the application “contra mundum” – against the world – and ruled that its existence remain secret, resulting in a superinjunction which remained in place until lifted on Tuesday.

The gagging order meant that both the data breach and the expensive mitigation scheme remained hidden despite its size and cost until the near two-year legal battle was brought to a close in the high court.

At noon on Tuesday, the high court judge Mr Justice Chamberlain said it was time to end the superinjuction, which he said had the effect of concealing discussions about spending “the sort of money which makes a material difference to government spending plans and is normally the stuff of political debate”.

A few minutes later, John Healey, the defence secretary, offered a “sincere apology” for the data breach. In a statement to the Commons, he said he had felt “deeply concerned about the lack of transparency” around the data breach and “deeply uncomfortable to be constrained from reporting to this house”.

cetas.turing.ac.uk/ Research Report
As AI increasingly shapes the global economic and security landscape, China’s ambitions for global AI dominance are coming into focus. This CETaS Research Report, co-authored with Adarga and the International Institute for Strategic Studies, explores the mechanisms through which China is strengthening its domestic AI ecosystem and influencing international AI policy discourse. The state, industry and academia all play a part in the process, with China’s various regulatory interventions and AI security research trajectories linked to government priorities. The country’s AI security governance is iterative and is rapidly evolving: it has moved from having almost no AI-specific regulations to developing a layered framework of laws, guidelines and standards in just five years. In this context, the report synthesises open-source research and millions of English- and Chinese-language data points to understand China’s strategic position in global AI competition and its approach to AI security.

This CETaS Research Report, co-authored with the International Institute for Strategic Studies (IISS) and Adarga, examines China’s evolving AI ecosystem. It seeks to understand how interactions between the state, the private sector and academia are shaping the country’s strategic position in global AI competition and its approach to AI security. The report is a synthesis of open-source research conducted by IISS and Adarga, leveraging millions of English- and Chinese-language data points.

Key Judgements
China’s political leadership views AI as one of several technologies that will enable the country to achieve global strategic dominance. This aligns closely with President Xi’s long-term strategy of leveraging technological revolutions to establish geopolitical strength. China has pursued AI leadership through a blend of state intervention and robust private-sector innovation. This nuanced approach challenges narratives of total government control, demonstrating significant autonomy and flexibility within China’s AI ecosystem. Notably, the development and launch of the DeepSeek-R1 model underscored China's ability to overcome significant economic barriers and technological restrictions, and almost certainly caught China’s political leadership by surprise – along with Western chip companies.

While the Chinese government retains ultimate control of the most strategically significant AI policy decisions, it is an oversimplification to describe this model as entirely centrally controlled. Regional authorities also play significant roles, leading to a decentralised landscape featuring multiple hubs and intense private sector competition, which gives rise to new competitors such as DeepSeek. In the coming years, the Chinese government will almost certainly increase its influence over AI development through closer collaboration with industry and academia. This will include shaping regulation, developing technical standards and providing preferential access to funding and resources.

China's AI regulatory model has evolved incrementally, but evidence suggests the country is moving towards more coherent AI legislation. AI governance responsibilities in China remain dispersed across multiple organisations. However, since February 2025, the China AI Safety and Development Association (CnAISDA) has become what China describes as its counterpart to the AI Security Institute. This organisation consolidates several existing institutions but does not appear to carry out independent AI testing and evaluation.

The Chinese government has integrated wider political and social priorities into AI governance frameworks, emphasising what it describes as “controllable AI” – a concept interpreted uniquely within the Chinese context. These broader priorities directly shape China’s technical and regulatory approaches to AI security. Compared to international competitors, China’s AI security policy places particular emphasis on the early stages of AI model development through stringent controls on pre-training data and onerous registration requirements. Close data sharing between the Chinese government and domestic AI champions, such as Alibaba’s City Brain, facilitates rapid innovation but would almost certainly encounter privacy and surveillance concerns if attempted elsewhere.

The geographical distribution of China's AI ecosystem reveals the strategic clustering of resources, talent and institutions. Cities such as Beijing, Hangzhou and Shenzhen have developed unique ecosystems that attract significant investments and foster innovation through supportive local policies, including subsidies, incentives and strategic infrastructure development. This regional specialisation emerged from long-standing Chinese industrial policy rather than short-term incentives.

China has achieved significant improvements in domestic AI education. It is further strengthening its domestic AI talent pool as top-tier AI researchers increasingly choose to remain in or return to China, due to increasingly attractive career opportunities within China and escalating geopolitical tensions between China and the US. Chinese institutions have significantly expanded domestic talent pools, particularly through highly selective undergraduate and postgraduate programmes. These efforts have substantially reduced dependence on international expertise, although many key executives and researchers continue to benefit from an international education.

Senior scientists hold considerable influence over China’s AI policymaking process, frequently serving on government advisory panels. This stands in contrast to the US, where corporate tech executives tend to have greater influence over AI policy decisions.

Government support provides substantial benefits to China-based tech companies. China’s government actively steers AI development, while the US lets the private sector lead (with the government in a supporting role) and the EU emphasises regulating outcomes and funding research for the public good. This means that China’s AI ventures often have easier access to capital and support for riskier projects, while a tightly controlled information environment mitigates against reputational risk.

US export controls have had a limited impact on China’s AI development. Although export controls have achieved some intended effects, they have also inadvertently stimulated innovation within certain sectors, forcing companies to do more with less and resulting in more efficient models that may even outperform their Western counterparts. Chinese AI companies such as SenseTime and DeepSeek continue to thrive despite their limited access to advanced US semiconductors.

A criminal has been sentenced at Inner London Crown Court to over a year in prison for operating a SMS Blaster to conduct a mass smishing campaign against victims with the intent to harvest their personal details to be used in fraud.

The sentencing follows an investigation and arrest by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist banking industry sponsored police unit.

The conviction was achieved thanks to the officers from the DCPCU working with mobile network operators including BT, Virgin Media O2, VodafoneThree and Sky as well as the National Cyber Security Centre and Ofcom.

Between 22 and 27 March 2025 Ruichen Xiong, a student from China had installed an SMS Blaster in his vehicle to commit smishing fraud, targeting tens of thousands of potential victims.

Xiong drove around the Greater London area in a Black Honda CR-V. This vehicle was used to hold and transport an SMS Blaster around in the boot.

An SMS Blaster allows offenders to send fraudulent text messages to phones within the vicinity of the equipment and acts as an illegitimate phone mast to send messages. The blaster will draw mobile devices away from legitimate networks by appearing to have a stronger signal. By doing so, the criminal is then able to send a text message to the victim's phone.

The equipment was programmed to send out SMS messages to victims within a nearby radius of the blaster, designed to look like trustworthy messages from genuine organisations, such as government bodies, where the victim was encouraged to click a link. The link would subsequently take them to a malicious site that was designed to harvest their personal details.

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.
“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

On 12 June 2025, dozens of anonymous X (formerly Twitter) accounts advocating Scottish independence abruptly went silent. Many had posted hundreds of times per week, often using pro-independence slogans, anti-UK messaging, and identity cues like “NHS nurse” or “Glaswegian socialist.”
Their sudden disappearance coincided with a major Israeli airstrike campaign against Iranian military and cyber infrastructure. Within days, Iran had suffered severe power outages, fuel shortages, and an internet blackout affecting 95 percent of national connectivity.
What appeared at first glance to be a curious coincidence has since emerged as the most visible rupture to date in a long-running foreign influence operation.

The ICO said over 150,000 U.K. residents had data stolen in the breach.

The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach.

The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack.

In 2023, hackers stole private data on more than 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law.

The ICO said over 155,000 U.K. residents had their data stolen in the breach.

In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts.

The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Wednesday.