
Cyber Incident Victim: National Smallbore Rifle Association

Date: Apr 2023

Location: United Kingdom

Summary

The National Smallbore Rifle Association was the victim of a cyber-attack targeting legacy servers containing working documents. While no funds were lost and the membership portal remained secure, the compromised data prompted engagement with law enforcement to assess potential firearms-related risks. A police investigation into the incident was initiated, and the organization stated it could not provide further details while that investigation was ongoing.


Description

On or around April 1, 2023, the National Smallbore Rifle Association (NSRA) publicly confirmed it had fallen victim to a cyber attack. The association stated it was unable to provide further specific details regarding the initial intrusion or its exact discovery timeline due to an ongoing police investigation. The attack was directed at legacy servers containing working documents rather than the primary membership database. The NSRA confirmed that its core IT systems, including the membership portal, remained fully operational and secure throughout the incident, and no financial losses were incurred as a result of the attack.


The compromised legacy servers held various working documents. The NSRA explicitly stated it did not have access to these servers following the attack, preventing an immediate and precise assessment of whose data was affected. This lack of access created significant uncertainty regarding the full scope of the data breach and the specific individuals impacted. The nature of the working documents on the legacy servers was not detailed, but the immediate concern raised by the organization related to potential firearms security risks stemming from the compromised data.

In response to the incident, the NSRA engaged with law enforcement authorities. The association reported the crime to the South East Regional Organised Cybercrime Unit (SEROCU), which took the lead on the investigation. The NSRA also engaged with the National Crime Agency (NCA) and National Police Firearms Licensing to assess and mitigate any additional risks related to firearms that could arise from the data compromise. This coordination was aimed at understanding the potential danger posed by the exposure of any information related to certificate holders or firearms storage.

The primary consequence identified was the potential loss of privacy for members and individuals associated with the NSRA. The association acknowledged that those connected to it might be worried about this development. A more significant potential impact was the risk of attempted fraud and cyber crime against affected individuals. The NSRA and SEROCU warned that cyber criminals often sell and trade stolen data, which could lead to phishing emails, cold calls, and impersonation scams. Criminals might attempt to impersonate the NSRA itself, making fake offers to help, or even pretend to be police officers investigating the breach.

The official response included public communication and guidance. The NSRA published a press release on its website to inform members and the public of the situation. The association stated it did not have the capacity to answer individual questions about the incident and could not comment further while the police investigation was ongoing. It committed to providing updates on its website as more information became available. Information regarding the attack was also shared with local firearms officers across the UK to raise awareness at a regional level.

Direct advice was provided to certificate holders and individuals who lawfully hold firearms at home. The NSRA suggested that these individuals consider their storage arrangements to ensure compliance with the Firearms Security Handbook, implying that the stolen data could potentially relate to firearm ownership or storage information. For the broader audience potentially affected by the data breach, SEROCU's Cyber Protect team recommended taking immediate steps to secure online accounts and update passwords as a precautionary measure. The public was directed to the SEROCU Cyber Protect website for more comprehensive advice on reducing risk following a data breach.

The public was also warned to be highly wary of unsolicited or unexpected contact. This was a key part of the mitigation advice, as criminals were expected to leverage the stolen data for social engineering attacks. The guidance emphasized being cautious of email attachments that might contain viruses and recommended taking time to validate the identity of any sender or caller. It was noted that real police officers would not have a problem with an individual verifying their identity, providing a method to distinguish between legitimate contact and impersonation attempts.

The investigation remained active with SEROCU, and the NSRA stated that a full communication to its members would be made upon the conclusion of the police investigation. The association expressed appreciation for the understanding of its members during the period of uncertainty and limited information disclosure. The incident highlighted the risks associated with maintaining legacy systems and the specific security sensitivities involved when an organization dealing with firearms licensing and ownership is targeted by cyber criminals. The potential for exposed data to be used in targeted physical security threats against firearm owners was a unique and serious aspect of this particular cyber attack.
