Cyber Incident Victim: The Salvation Army UK
Date: May 2021
Location: United Kingdom
Summary
The Salvation Army UK experienced a ransomware attack that compromised corporate IT systems and resulted in data exfiltration, prompting notifications to the Charity Commission and the Information Commissioner’s Office. Services for vulnerable individuals remained unaffected, though the stolen data raised concerns about potential financial fraud targeting staff and volunteers. Industry sources speculated that the incident, linked to a London data center, involved the Conti or Pysa ransomware groups, known for targeting similar organizations. The charity, a major UK welfare provider holding sensitive government contracts including a £280m modern slavery victim care agreement, did not disclose specifics on the attackers or the volume of data accessed.
Description
The Salvation Army UK experienced a ransomware attack compromising its corporate IT systems, first detected around late May 2021. The incident affected a London-based data center utilized by the organization, though frontline services for vulnerable populations remained operational. Attackers exfiltrated an unspecified volume and type of organizational data before deploying ransomware. The charity promptly notified the UK Information Commissioner’s Office (ICO) and Charity Commission, adhering to regulatory obligations, while initiating internal investigations and engaging with key partners and staff. No ransomware group claimed public responsibility for the attack during the initial reporting period, and the Salvation Army declined to disclose attacker identities or detailed forensic findings.

The incident posed significant data breach risks, prompting warnings for staff and volunteers to monitor financial accounts for fraudulent activity. Industry sources speculated potential involvement of the Conti or Pysa ransomware gangs, citing their history of targeting public-sector entities like schools and local governments. The Salvation Army’s IT infrastructure included Citrix Virtual Desktops implemented in 2018 to facilitate secure remote access via thin-client devices, though the specific intrusion vector remained unconfirmed. Financial disclosures revealed substantial operational scale, with UK trusts holding combined fund balances exceeding £639 million and a £280 million UK government contract for modern slavery victim services. Regulatory bodies acknowledged the charity’s compliance with incident reporting protocols but provided no further commentary on ongoing assessments. Data protection authorities emphasized standard protocols for individuals to address potential misuse of compromised personal information.
