Cyber Incident Victim: British Broadcasting Corporation
Date: Jan 2017
Location: United Kingdom
Summary
A BBC local radio station's Twitter account was compromised, resulting in an unauthorized post falsely claiming President Trump had been shot during his inauguration. The fabricated tweet was rapidly deleted but had already been retweeted before removal. The organization confirmed the account breach, initiated an investigation, and implemented measures to prevent recurrence. A security group named OurMine intervened, stating they detected unusual activity and temporarily re-accessed the account to verify the compromise, emphasizing their role as security researchers rather than initial attackers. The BBC publicly acknowledged the incident and apologized for the misleading content disseminated through the hacked account.
Description
On January 20 or 21, 2017, the BBC Northampton Twitter account was compromised by an unauthorized party, leading to the publication of a false report about then-U.S. President Donald Trump. At 10:52 GMT, a tweet appeared on the account stating: "Breaking News: President Trump is injured in arm by gunfire #Inauguration," referencing the presidential inauguration occurring that day. The fabricated claim gained immediate attention through retweets before BBC staff deleted the post. Public replies expressed skepticism, with users questioning why a local BBC account would break such significant international news. Approximately 20 minutes after the initial breach, a follow-up message appeared on the account attributed to OurMine, a U.S.-based security group: "Message from OurMine: we detected unusual activity on this account, the account was hacked by someone and we are trying to fix the issue now." BBC Northampton subsequently acknowledged the compromise via Twitter, stating: "We do appear to have been hacked and are looking into how." The incident occurred despite existing security measures on BBC social media accounts.

The BBC initiated an immediate response, with a corporate spokesperson confirming the hack and launching an investigation into the breach. OurMine representatives clarified their involvement, stating they had not conducted the initial hack but had detected suspicious activity and temporarily accessed the account to verify the compromise. "We saw unusual activity on the account and we re-hacked it to make sure if the account was hacked or not, and unfortunately it was hacked," an OurMine spokesperson explained, emphasizing their self-described role as a security group that "never hack[s] anyone for no reason." BBC corporate communications issued a formal statement confirming the account takeover and noting the fraudulent tweet was removed "quickly, as soon as we realised the situation." The organization committed to implementing additional protective measures to prevent future incidents, though specific technical details of the attack vector and remediation steps were not publicly disclosed. No secondary compromises of other BBC accounts or systems were reported in connection with this incident.
