
Cyber Incident Victim: Serco Group

Date: Jan 2021

Location: United Kingdom

Summary

Serco, a contractor supporting NHS Test and Trace operations, experienced a cyberattack involving Babuk ransomware targeting its continental European division, which represented under 3% of its global business. The incident involved network encryption and data theft, with attackers demanding payment to restore access and prevent data disclosure; however, UK operations including NHS services remained unaffected. Security experts highlighted systemic vulnerabilities exposed by the breach, emphasizing risks to personal data despite no confirmed compromise of sensitive information in this instance.


Description

On or around January 31, 2021, public services contractor Serco experienced a cyberattack impacting its mainland European operations. The company confirmed the incident involved Babuk ransomware, a malicious software variant designed to encrypt victim networks and exfiltrate data, with attackers demanding payment to restore access and prevent public release of stolen information. Serco, one of two primary contractors supplying call handlers for the UK's NHS Test and Trace program and one of five firms managing COVID-19 testing centers, emphasized that its UK operations—including all NHS-related services—remained unaffected. The attack was contained within Serco's continental European business division, which represented less than 3% of the company's global operations. No disruption to NHS Test and Trace contact tracing or testing center management occurred.

Serco's public response stated the incident had been isolated to European systems without compromising UK customer services. The company did not disclose whether data was stolen, whether operational systems were encrypted, or whether a ransom was paid. Miles Tappin, VP of EMEA at cybersecurity firm ThreatConnect, identified the attack as exposing systemic vulnerabilities in data protection frameworks, particularly given Serco's role in public health initiatives. He noted that while no documents were confirmed compromised in this instance, the breach highlighted risks to personal information collected during pandemic response efforts. Tappin advocated for enhanced collaboration between government entities and contractors to centralize threat intelligence and strengthen defensive measures against evolving ransomware threats. The incident underscored ongoing security challenges for critical infrastructure suppliers during large-scale public health operations.
