Cyber Incident Victim: Communications Workers Union
Date: Mar 2024
Location: United Kingdom
Summary
The Communications Workers Union experienced a cyberattack disrupting IT systems and email services, prompting precautionary system shutdowns and engagement of third-party cybersecurity experts for forensic analysis. While member data within targeted systems remains at potential risk, the union notified the UK Information Commissioner's Office and advised members to remain vigilant against phishing attempts. Unverified claims suggested possible corruption of backup data, though the organization did not confirm this detail. The incident's full scope, including whether any data breach occurred, remained under investigation as specialists worked to restore infrastructure and assess remediation timelines. Regional union offices initially reported only email outages without awareness of a security breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 4 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Communications Workers Union (CWU), a major UK trade union representing approximately 185,000 members across technology, telecoms, and other sectors, experienced a disruptive IT outage beginning on or before March 21, 2024. Initial internal communications attributed the outage to technical server issues at its Wimbledon headquarters, with regional secretaries reporting email system failures but no indication of a security breach. By March 22, the CWU confirmed to *The Register* that the incident was being treated as a cyberattack and that it had engaged third-party cybersecurity experts, who arrived on-site at 0900 UTC on March 21. Systems including email remained non-functional, prompting the union to take additional infrastructure offline as a precautionary measure. CWU Head of Communications Chris Webb stated via WhatsApp (due to email outages) that member data stored on targeted systems was potentially compromised, though forensic analysis had not yet confirmed any data breach. The union notified the UK Information Commissioner’s Office (ICO) and advised members to remain vigilant against phishing attempts.

A purported insider claimed that finance, payroll, and membership data was compromised during the attack, allegations Webb dismissed as unreliable. Regional branch offices received instructions to switch email systems but were not initially informed of the security incident. Unverified claims suggested the attack corrupted the union’s data backups, complicating potential recovery efforts, a critical concern given backups’ role in restoring operations after major breaches. The ICO acknowledged the CWU’s notification but had not yet determined whether the incident met the threshold for formal reporting under UK data protection regulations, which require disclosure within 72 hours if risks to individuals’ rights exist. Digital forensic work continued on-site for multiple days, focusing on determining the attack’s scope, identifying compromised systems, and establishing restoration timelines for critical IT infrastructure. No ransomware or specific threat actor was identified publicly during the initial response phase.
