Cyber Threat Actor: His Royal Gingerness
| Actor Type | Location | Known Incidents |
Hacker
|
United Kingdom
|
1 incident |
|---|
Profile
His Royal Gingerness, also known by the abbreviation HRG, is a threat actor who operates under a pseudonym and has been identified as being based in the United Kingdom. The actor first came to public attention in October 2015 when he breached the website of Norwich International Airport, using the alias to claim responsibility for the intrusion. No further public attributions or affiliations with state entities, criminal groups, or other threat actors have been documented for this individual. The available information does not indicate any broader campaign history beyond the single reported incident.
During the Norwich International Airport breach, the actor gained access to the airport’s public‑facing website and extracted names and email addresses from a media centre database that was hosted on a standalone web server. He stated that the intrusion took between two and three minutes to accomplish and that he contacted the airport after the exploit to notify them of the vulnerability. The airport confirmed that the compromise did not affect operational systems, commercial data, or physical security, and determined that the volume and sensitivity of the accessed information did not meet the thresholds required for mandatory reporting to the United Kingdom’s Information Commissioner. The actor described his motivation as a desire to demonstrate the website’s vulnerability and to test his own ability to identify security weaknesses in modern systems.
No specific malware families, exploit tools, or advanced techniques were referenced in the reporting of this incident, and the actor’s methodology appears limited to exploiting a web application vulnerability to retrieve data from an associated database. Consequently, there is no publicly evidence of a distinctive tooling style, persistent infrastructure, or repeated use of particular initial access vectors beyond the website compromise described. The actor’s known activity remains confined to this singular, low‑impact website defacement and data exposure event, with no additional verified operations attributed to him in open sources.
