UK government confirms Foreign Office cyber attack
Reports blame Chinese hacking group but minister insists the source of the attack is unclear
The UK government has admitted that IT systems at the Foreign, Commonwealth and Development Office (FCDO) were hacked in October, but insists the attack had a “low risk” of personal data being compromised.
During a round of broadcast interviews today (19 December 2025), trade minister Chris Bryant said it was “not clear” who perpetrated the attack, although the first report of the hack, published in The Sun, attributed it to a China-based threat actor known as Storm 1849.
The same group was blamed for targeting vulnerabilities in Cisco equipment that led to a National Cyber Security Centre (NCSC) warning in September for organisations using Cisco’s Adaptive Security Appliance family of unified threat management systems. Users were told to replace any devices reaching end-of-life support, with the warning noting the significant risks that ageing or obsolete hardware can pose.
Bryant said some of the reports about the FCDO hack were “speculation”, but that the government had managed to “close the hole” quickly, and that security experts were confident there was a “low risk” of any individual being affected. The Sun report claimed hackers accessed confidential data and documents, possibly including thousands of visa details.
The Storm 1849 attack campaign on Cisco equipment was dubbed ArcaneDoor, and targeted two zero-day vulnerabilities. One was a high-severity denial-of-service vulnerability capable of remote code execution; the other was a high-severity persistent local code execution vulnerability.
While government IT systems always face scrutiny over cyber security, the hack will provide further fuel for critics of plans to introduce a national digital ID scheme, many of whom have already raised concerns about the potential risks of gathering citizen identity data.
The development also comes a day after ITV News broadcast a report on the cyber security issues found in One Login – the government single sign-on system that will be at the heart of the digital ID plan – which were first revealed by Computer Weekly in April.
Damaging year
2025 has been a notably damaging year for cyber attacks, with high-profile ransomware campaigns affecting Jaguar Land Rover (JLR), the Co-op and Marks & Spencer.
The Office for National Statistics attributed a November decline in the UK’s economy partly to the impact of the JLR attack, which stopped car production at the manufacturer and had a knock-on impact across the automotive supply chain.
Last month, four London councils – Kensington and Chelsea; Hackney; Westminster; and Hammersmith and Fulham – suffered cyber attacks, disrupting services and prompting an NCSC investigation. Westminster has since admitted that potentially sensitive data was copied from its systems during the hack. Three of the local authorities operate a shared IT service.
2025 – a year of cyber breaches
- Election workers’ data stolen in cyber breach of Oxford City Council.
- Ransomware gangsters claim to have attacked the NHS, but clarity on the nature of the incident is yet to emerge.
- Harrods hit by second cyber attack in six months: Data on approximately 430,000 Harrods shoppers was stolen in a third-party breach, but the cyber attack is not related to an earlier Scattered Spider incident, says the retailer.
- Cyber attack that downed airport systems confirmed as ransomware: Authorities in Europe say the cyber attack that caused disruption to passenger-facing services at multiple airports, including Heathrow, was the result of ransomware, as investigations continue.
- Cyber attackers damage Jaguar Land Rover production: Jaguar Land Rover reports a cyber attack has ‘severely disrupted’ its vehicle production and retail operations, recalling similar attacks on other prominent British brands this year.
- Co-op declares cyber attack damage cost £206m: Co-op reveals £206m costs from April cyber attack, with revenues hit, member data stolen and shelves emptied, exposing major retail supply chain vulnerabilities.
- Glasgow Council services remain offline a week after cyber attack: Disruption continues a week after core services at Glasgow City Council were forced offline following a cyber attack on a third-party IT services provider.
- Adidas confirms customer data was accessed during cyber attack: Sportswear manufacturer Adidas has confirmed its systems were infiltrated by an unauthorised third party.
- Retail cyber attacks hit food distributor Peter Green Chilled: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
