‘Sex life data’ stolen from UK government among record number of ransomware attacks

Data on the sex lives of up to 10,000 people was stolen from a British government department in one of the record number of ransomware attacks to have hit Westminster in the first half of this year.

It is not known which department the information was stolen from, nor why the government was holding this data, which is defined by the Information Commissioner’s Office (ICO) as “any data on a person’s sex life which does not specifically relate to orientation or health,” potentially including the use of dating apps and period trackers.

According to the most recent tranche of security incident trends data released by the ICO, there have been 10 ransomware attacks on central government in the first six months of this year — doubling the total number of successful attacks on Whitehall departments since records began in 2019.

A sharp rise in incidents can be seen across multiple sectors. As reported by Recorded Future News, data previously released by the ICO showed ransomware attacks hitting record levels in 2022, with criminals compromising data on at least 5.3 million people from over 700 organizations.

But in just the first half of 2023, ransomware criminals already compromised 667 organizations in the United Kingdom — equivalent to just over 94% of the 706 affected last year — suggesting that efforts to tackle the criminal ecosystem are not proving effective.

The government did not respond to Recorded Future News about why it had been holding sex life data. A spokesperson for the Home Office said: “Ransomware is the most significant cyber national security threat facing the UK today. Defending the UK from ransomware attacks and reducing its impact on victims is a top priority for this government.”

The data supports the comments of Britain’s security minister, Tom Tugendhat, who in September warned: “The UK is a top target for cybercriminals. Their attempts to shut down hospitals, schools and businesses have played havoc with people’s lives and cost the taxpayer millions. Sadly, we’ve seen an increase in attacks.”

Even within just the first six months of this year, ransomware attacks have already broken the record within several critical sectors in the United Kingdom. Both central and local government reported more incidents in the first half of the year than they had in the three years prior.

Efforts to tackle the business model driving the financially motivated cyberattacks on government systems have involved dozens of countries recently signing a pledge as part of the Counter Ransomware Initiative to never pay an extortion fee in the event of an attack targeting “relevant institutions under the authority of our national government.”

At the time, Tugendhat said the pledge was “an important step forward in our efforts to disrupt highly organized and sophisticated cyber criminals, and sets a new global norm that will help disrupt their business models and deter them from targeting our country.”

Responding to Recorded Future News for this story, a Home Office spokesperson cited the pledge alongside “sanctioning of 18 Russian cyber criminals” as demonstrations of the government’s response to the criminal ecosystem.

“We will continue to use all of the levers at Government’s disposal to counter this heinous crime and hold these criminal actors accountable,” they added.

The data for the first half of this year that reveals a record number of incidents affecting the public sector does not cover the period in which the pledge was active. However even then it would not prevent payments by private sector organizations, who the ICO’s data shows make up the bulk of the criminal ecosystem’s victims.

Almost every sector included in the ICO’s data looks set to suffer a record number of ransomware attacks in 2023. Some — including Finance and Credit, Utilities, and Tech and Telecoms — have already passed that mark.

The 87 attacks on the education and childcare sector resulted in 14 incidents in which data on up to 156,000 children was stolen — including one incident affecting between 1,000 and 10,000 children in which sexual orientation data was compromised by the hackers.

Since 2019, there have been 19 incidents in which children's sexual orientation data was stolen from organizations in the sector.

Speaking to Recorded Future News previously, Jamie MacColl, a research fellow at the Royal United Services Institute (RUSI) — whose work includes a research project on ransomware harms and the victim experience — said: “We’ve collected very little evidence that stolen or leaked personal data … is being exploited by ransomware threat actors or other cybercriminals in a systematic way.

“However, that’s not to say there aren’t incidents where very sensitive information on individuals has been published or sent to them to increase pressure. … During our research, we also heard of cases where ransomware threat actors had targeted schools and then sent stolen safeguarding data to parents to get them to increase pressure on the schools to pay.”

Back in 2020, ransomware incidents accounted for 20% of all cyber incidents, before rising to 28% the next year. Ransomware attacks continued to increase to 34% in 2022, and as of the first half of this year now make up almost two in every five incidents.

Establishing the true scale of ransomware incidents is a challenge for officials trying to figure out how to tackle the problem. Victims are not obliged to report attacks to law enforcement, and darknet extortion sites only provide a partial count of victims who refused to pay.

The data from the ICO is collected under Britain’s data protection laws, which require companies to report breaches of personal data to the regulator under the threat of being fined up to 4% of the organization’s global turnover if they fail to make a report.

No company has ever received such a fine, and the dataset necessarily only covers ransomware incidents that involve a breach of personal data, meaning an attack involving server-level encryption might not require reporting.

Earlier this year, the National Cyber Security Centre and the ICO also published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and from regulators.

Despite the limitations of the ICO data, experts including RUSI’s MacColl have told Recorded Future News that it is “likely the most comprehensive public dataset about the frequency of ransomware attacks in the UK.”