Cyber Incident Victim: Foreign, Commonwealth and Development Office
Date: Dec 2021
Location: United Kingdom
Summary
The Foreign, Commonwealth and Development Office experienced a serious cybersecurity incident requiring urgent external contractor support for remediation and investigation at a cost exceeding £467,000. While attackers reportedly breached systems, they were detected before accessing sensitive material, though the incident was not disclosed to the Information Commissioner’s Office. Separately, the department’s executive agency suffered an undetected six-year compromise of its systems, later prompting server replacements and physical security upgrades. These breaches coincided with governmental acknowledgments of persistent cyber resilience gaps across public sector entities and the introduction of new national strategies to strengthen defenses against evolving threats.
Description
The Foreign, Commonwealth and Development Office (FCDO) experienced a serious cybersecurity incident around early December 2021, prompting an urgent response. The UK government disclosed the breach indirectly through a February 4, 2022 contract notice revealing it had engaged BAE Systems Applied Intelligence for emergency remediation and investigation services. The FCDO paid £467,325.60 under a non-competitive contract awarded due to "extreme urgency," citing the supplier's existing familiarity with its infrastructure as critical for rapid response. Work concluded on January 12, 2022. While the FCDO declined to confirm details, stating only that it had systems to "detect and defend against potential cyber incidents," the BBC reported attackers breached systems but were detected before accessing sensitive material. The Information Commissioner's Office confirmed it had not received any data breach notification from the FCDO regarding the incident. Contract documentation emphasized the severity of the undisclosed attack and the necessity of bypassing standard procurement procedures given the operational criticality.

This incident followed closely after a separate December 5, 2021 discovery of 144,000 unencrypted British Council files exposed on a misconfigured Microsoft Azure instance, containing student data. Additionally, the FCDO’s executive agency Wilton Park disclosed in its July 2021 annual report that a six-year undetected breach of its systems—lasting from November 2014 until discovery in late 2020—had required NCSC investigation and £50,000 in FCDO funding for server replacements and physical security upgrades. The UK government concurrently published its National Cyber Strategy in December 2021 and a Government Cyber Security Strategy in January 2022, acknowledging significant gaps in public sector cyber resilience. These documents noted the NCSC responded to approximately 300 public sector cybersecurity incidents between September 2020 and August 2021, underscoring systemic challenges amid evolving threats.
