Cyber Incident Victim: National Smallbore Rifle Association

On or around April 21, 2023, the National Smallbore Rifle Association (NSRA) suffered a breach of its IT systems. The association publicly revealed the incident on April 28, 2023, in a statement that also served as a warning to its members. The NSRA immediately engaged with law enforcement following the discovery of the breach, specifically working with the UK’s South East Regional Organised Cybercrime Unit (SEROCU) to investigate the incident. The organization stated that all its IT systems were fully operational at the time of its public announcement and confirmed that no funds had been lost as a direct result of the attack.

The attackers targeted legacy servers within the NSRA's infrastructure. These servers were reported to contain working documents and were not the primary database systems. The NSRA explicitly confirmed that its membership portal was not affected by the breach and remained secure. Due to the compromised state of the servers and the ongoing police investigation, the association stated it did not have access to the affected systems and could not immediately determine the exact scope of the incident or precisely which individuals were affected. This lack of access prevented a full and immediate assessment of the data that may have been exfiltrated.

Despite the uncertainty regarding the full scope, the NSRA issued a warning to its members about potential follow-on risks. The primary concern articulated was that cyber-criminals often sell and trade stolen data, which could increase the risk of attempted fraud and cybercrime against those whose information was compromised. The association outlined specific threats members might face, including criminals attempting to impersonate the NSRA itself through phishing emails or cold calls. These communications might contain fake offers to help victims or could involve impersonation of police officers pretending to investigate the breach. The NSRA advised members to be highly wary of any unsolicited or unexpected contact and to scrutinize email attachments which could contain computer viruses. The organization further advised that legitimate police officers would not object to having their identity verified.

The incident raised significant concerns due to the nature of the NSRA's membership, which consists of gun owners. Reports indicated that should data on gun owners fall into the wrong hands, it could be exploited by criminal gangs to target specific properties for theft. Firearms are difficult to obtain in the UK, making them particularly valuable on the black market. This concern was not theoretical; a precedent existed from September 2021, when the personal information of approximately 100,000 UK gun owners was leaked online. That previous incident included details such as home addresses where firearms were believed to be stored, directly illustrating the potential physical security risk posed by such data breaches.

The NSRA's response included a public statement assuring members that its core systems, including the membership portal, were secure and that the attack was confined to older, legacy infrastructure. The organization committed to communicating fully with its members upon the conclusion of the police investigation, indicating that a more detailed account of the incident's impact would be provided at a later date. As an immediate protective measure, the NSRA urged all members to update their account passwords as a precautionary step, even though the membership portal itself was confirmed to be unaffected by the breach. The overall response focused on transparency about what was known, collaboration with law enforcement, and providing actionable guidance to members to help them protect themselves from potential secondary attacks. The investigation by SEROCU remained ongoing at the time of the public disclosure.