Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label United Kingdom. Show all posts
United Kingdom
AI prompt injection attack Artificial Intelligence Cyber Security NCSC SQL United Kingdom

UK Cyber Agency says AI Prompt-injection Attacks May Persist for Years

 



The United Kingdom’s National Cyber Security Centre has issued a strong warning about a spreading weakness in artificial intelligence systems, stating that prompt-injection attacks may never be fully solved. The agency explained that this risk is tied to the basic design of large language models, which read all text as part of a prediction sequence rather than separating instructions from ordinary content. Because of this, malicious actors can insert hidden text that causes a system to break its own rules or execute unintended actions.

The NCSC noted that this is not a theoretical concern. Several demonstrations have already shown how attackers can force AI models to reveal internal instructions or sensitive prompts, and other tests have suggested that tools used for coding, search, or even résumé screening can be manipulated by embedding concealed commands inside user-supplied text.

David C, a technical director at the NCSC, cautioned that treating prompt injection as a familiar software flaw is a mistake. He observed that many security professionals compare it to SQL injection, an older type of vulnerability that allowed criminals to send harmful instructions to databases by placing commands where data was expected. According to him, this comparison is dangerous because it encourages the belief that both problems can be fixed in similar ways, even though the underlying issues are completely different.

He illustrated this difference with a practical scenario. If a recruiter uses an AI system to filter applications, a job seeker could hide a message in the document that tells the model to ignore existing rules and approve the résumé. Since the model does not distinguish between what it should follow and what it should simply read, it may carry out the hidden instruction.

Researchers are trying to design protective techniques, including systems that attempt to detect suspicious text or training methods that help models recognise the difference between instructions and information. However, the agency emphasised that all these strategies are trying to impose a separation that the technology does not naturally have. Traditional solutions for similar problems, such as Confused Deputy vulnerabilities, do not translate well to language models, leaving large gaps in protection.

The agency also stressed upon a security idea recently shared on social media that attempted to restrict model behaviour. Even the creator of that proposal admitted that it would sharply reduce the abilities of AI systems, showing how complex and limiting effective safeguards may become.

The NCSC stated that prompt-injection threats are likely to remain a lasting challenge rather than a fixable flaw. The most realistic path is to reduce the chances of an attack or limit the damage it can cause through strict system design, thoughtful deployment, and careful day-to-day operation. The agency pointed to the history of SQL injection, which once caused widespread breaches until better security standards were adopted. With AI now being integrated into many applications, they warned that a similar wave of compromises could occur if organisations do not treat prompt injection as a serious and ongoing risk.


Read more »
United Kingdom
Co-op Data Breach Financial Loss retailers United Kingdom

Co-op Faces Heavy Financial Losses Following April Cyberattack

 



The Co-operative Group in the United Kingdom has revealed the extent of the damage caused by the cyberattack it suffered earlier this year. In its interim financial report for the first half of 2025, the company announced an £80 million (about $107 million) drop in operating profit, attributing the decline directly to the April breach.

According to the report, the losses can be broken down into two areas: around £20 million spent on immediate recovery efforts and another £60 million lost in sales while core systems were out of service. The disruption also drove down overall revenue by £206 million ($277 million). Co-op expects recovery-related expenses to continue, with an additional £20 million likely to be recorded in the second half of 2025.


The Attack and Data Theft

In late April, Co-op had to take parts of its IT network offline after detecting suspicious activity. The incident was later confirmed to be the work of affiliates linked to Scattered Spider, operating in connection with the DragonForce ransomware group. Although the attack was stopped before files could be encrypted, the intruders managed to steal personal details of all 6.5 million members, including both current and past customers.

The U.K.’s National Crime Agency arrested four individuals between the ages of 17 and 20 in July in connection with the breach. The same suspects are also believed to have played a role in cyberattacks against other well-known retailers, including Marks & Spencer and Harrods, during the same period.


Operational Disruptions

The breach created major technical problems that forced Co-op to rebuild its Windows domain controllers, which are critical servers that manage access across its network. With automated systems unavailable, the group had to fall back on manual operations. Staff rerouted more than 350,000 product items to franchise partners and independent co-ops to help minimize the disruption. Discount vouchers were also offered to members during the outage.

Despite these efforts, the group experienced ongoing challenges, including shortages in certain product categories and steep drops in sales of items such as tobacco. The company explained that while the quick response reduced some of the damage, the weeks of system downtime and the loss of customer information took a substantial toll.


Financial Position 

Co-op emphasised that despite the losses, its overall financial position remains stable. The group has £800 million in available liquidity, which it says will allow it to continue operating without funding concerns while addressing long-term recovery. Executives stressed that the business remains focused on its broader goals even as it manages the fallout from the attack.

The April incident highlights how cyberattacks can have wide-ranging consequences beyond stolen data, disrupting daily operations, reducing consumer trust, and inflicting heavy financial costs. For Co-op, the road to recovery will continue into the second half of 2025.



Read more »
United Kingdom
cyber attack Cyber Attacks cybersecurity news NCSC United Kingdom

UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call

 

The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains. Calling the incidents a “wake-up call,” the agency urged organisations to strengthen their cybersecurity posture amid growing threats. 

The NCSC, a division of GCHQ responsible for cybersecurity guidance across the UK’s public and private sectors, confirmed it is working closely with the impacted retailers to understand the scope and impact of the attacks. 

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,” said NCSC CEO Dr Richard Horne. 

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.” 

In the past two weeks, major British retailers Marks & Spencer, Co-op, and Harrods have all reported cybersecurity breaches. Harrods confirmed that threat actors attempted to infiltrate its systems on May 1st, prompting the luxury department store to restrict access to certain websites—a move that suggests defensive measures were enacted during an active threat. Around the same time, the Co-operative Group revealed it was also the target of a cyberattack. 

In an internal memo, Co-op’s Chief Digital and Information Officer Rob Elsey warned staff to exercise caution with email and Microsoft Teams usage, adding that VPN access had been shut down as part of containment efforts. Marks & Spencer, one of the UK’s most iconic retail brands, faced disruptions across its online ordering platform and in-store services such as contactless payments and Click & Collect. The incident has since been identified as a ransomware attack, with sources confirming the involvement of threat actors linked to the Scattered Spider group. 

The attackers reportedly used DragonForce ransomware—tactics that have also been deployed in previous high-profile breaches at companies like MGM Resorts, Coinbase, and Reddit. In light of these incidents, the UK Parliament’s Business and Trade Committee has sought clarification from the CEOs of Marks & Spencer and Co-op on the level of support received from government agencies such as the NCSC and the National Crime Agency.
Read more »
United Kingdom
AI Cameras Artificial Intelligence Technology Threat Intelligence United Kingdom

New AI Speed Cameras Record Drivers on Their Phones

 

New AI cameras have been deployed in vans to record drivers using their phones while driving or driving without a seatbelt. 

During a 12-hour evaluation in March, South Gloucestershire Council discovered 150 individuals not wearing seatbelts and seven drivers preoccupied by their cell phones. 

Pamela Williams, the council's road safety education manager, stated, "We believe that using technology like this will make people seriously consider their driving behaviour." 

According to figures, 425 people sustained injuries on South Gloucestershire roads in 2023, with 69 critically injured or killed. Throughout the survey, vans were equipped with mounted artificial intelligence (AI) technology. The devices monitored passing vehicles and determined whether drivers were infringing traffic laws. 

If a likely violation was spotted, the images were submitted to at least two specially experienced highways operators for inspection. There were no fixed penalty notices issued, and photographs that were not found to be in violation were automatically deleted. The authorities stated that it was just utilising the technology for surveys, not enforcement. 

Dave Adams, a road safety officer, helped conduct the area's first survey. He went on to say: "This is a survey so we can understand driver behaviour that will actually fit in with other bits of our road safety strategy to help make our roads safer.”

Ms Williams noted that "distracted drivers" and those who do not wear seatbelts are contributing contributors to road fatalities. "Working with our partners we want to reduce such dangerous driving and reduce the risks posed to both the drivers and other people." 

Fatalities remain high 

Dr Jamie Uff, Aecom's lead research specialist in charge of the technology's deployment, stated: Despite attempts by road safety agencies to modify behaviour via education, the number of individuals killed or badly wounded as a result of these risky driving practices remains high. 

"The use of technology like this, makes detection of these behaviours straightforward and is providing valuable insight to the police and policy makers.”
Read more »
User Privacy
Bank Security Cyber Fraud Data Safety Internet Scam UK Banks United Kingdom User Privacy

UK Banks Issue a Warning Regarding an Upsurge in Internet Scams

 

Banks have issued a warning about a sharp rise in fraud in 2022, much of it coming from online sources. 77% of frauds now take place on dating apps, online markets, and social media., Barclays reported.

According to TSB, the major causes of this were an enormous rise in impersonation, investment, and purchase fraud instances. It was discovered that fraudulent listings on Facebook Marketplace had doubled, while impersonation frauds on WhatsApp had increased thrice in a year. 

Additionally, it claimed that there had been "huge fraud spikes" on Meta-owned platforms including Facebook and WhatsApp. Fraud, according to a spokesperson for Meta, is "an industry-wide issue," the BBC reported. 

"Scammers are using increasingly sophisticated methods to defraud people in a range of ways, including email, SMS, and offline," the company stated. "We don't want anyone to fall victim to these criminals, which is why our platforms have systems to block scams, financial services advertisers now have to be FCA (Financial Conduct Authority)-authorised and we run consumer awareness campaigns on how to spot fraudulent behaviour." 

"Epidemic of scams" 

Banks are dealing with an "epidemic of scams," according to Liz Ziegler, director of fraud protection for Lloyds Banking Group. 

"With more than 70% of fraud starting with contact through the main tech platforms, these companies must be held responsible for stopping scams at source and putting things right for innocent victims," she explained. 

Three million people in the UK would become victims of fraud in 2022, NatWest CEO Alison Rose previously warned a Treasury Select Committee. 

She stated, "we have seen an 87% increase in fraud," noting that NatWest believed that 60% of frauds started on social media and other internet platforms. 

Meanwhile, TSB stated 60% of purchase fraud cases of which it is aware - where a fraudster offers an item they never intend to send to the customer - occurs on Facebook Marketplace, and two-thirds of impersonation fraud cases it sees are happening on WhatsApp, The bank claims that 2,650 refunds covering these incidents were given out last year. 

According to Paul Davis, TSB's director of fraud prevention, social media companies "must urgently clean up their platforms" to safeguard users. 

Returned funds 

56% of the total money was lost to scammers in the first half of 2022, according to the most recent data from UK Finance, which represents the banking and finance industry. 

The Contingent Reimbursement Model Code, which intends to pay consumers if they fall victim to an Authorised Push Payment (APP) scam "and have acted appropriately," has been endorsed by many institutions, including NatWest, Lloyds, and Barclays. 

A consumer may be duped into sending money to a fraudulent account through an APP scam. However, TSB asserts that it reimburses victims in 97% of the fraud incidents it observes and is urging other organisations to do the same.
Read more »
Youtube
Data Breach Data Privacy Google United Kingdom User Privacy Youtube

YouTube Charged for Data Gathering on UK Minors

A million children's personal data might be collected by YouTube, as per the research. According to the claim, YouTube violates the 'age-appropriate design code' set forth by the Information Commissioner's Office (ICO).

The UK's data protection rules pertaining to the personal information of minors must be complied with by online services in order to do so. In accordance with the Global Data Protection Regulation (GDPR) program, the UK put into effect the Data Protection Act 2018.

These details include the location from which kids view, the device they use, and their preferred types of videos, according to Duncan McCann, Head of Accountability at the 5Rights Foundation.

According to McCann, the streaming service has violated recently established child protection rules by capturing the location, viewing habits, and preferences of potentially millions of youngsters who visit the main YouTube website.

As per attorney and data protection specialist Jonathan Compton from DMH Stallard, YouTube could be hit with a hefty charge of up to £17.5 million, or 4% of its annual global revenue. Not only the YouTube website can be in violation of the ICO Children's Code. In a study published last month by Comparitech, researchers found that one in four Google Play apps did not adhere to the Age Appropriate Design Code. 

A spokesperson for YouTube said, "Over the years, we've made efforts to protect kids and families, like developing a dedicated kids app, implementing new data standards for children's content, and delivering more age-appropriate experiences."

Extra safeguards have been adopted to support children's privacy on YouTube, such as more protective default settings and a specific YouTube Supervised Experience, building on that long-standing strategy and adhering to the additional recommendations offered by the code. 




Read more »
User Privacy
Cisco Cyber Defence Data Breach ICO Identity Theft United Kingdom User Privacy

Companies are at Risk From Remote Workers Losing Thier Laptops

 

Data thieves can steal a laptop from a coffee shop table, a lost property bin, an unlocked locker, your desk at work, or even your luggage on a crowded commuter train, and it's far away when you first realize it's gone. They are difficult to identify and trace, and because most individuals carry computers, it is simple to steal without anybody knowing. Many data theft events are simply crimes of opportunity rather than deliberate attacks, and stolen laptops make an excellent target.

Organizations are penalized a total of £26 million, according to data compiled by Cisco Systems, after employees misplaced company-owned laptops and phones.

The Information Commissioner's Office has collected over 3,000 reports of missing devices with user data during the past two years. Businesses are far more prone to be penalized than companies that have been the target of ransomware hackers if employees' misplaced laptops and phones consist of consumer information.

The majority of organizations are putting in place their cyber defenses, yet many do not consider their staff to be a threat to company data. But a major aspect of cyber security preparation is searching within the organization for potential insider threats. It might be challenging to tell whether a staff member has genuinely used company systems or if they are attempting to assault the company.
  
According to data protection legislation, the loss of a device containing or having access to the personal data of customers or suppliers must be reported to the ICO. As per Lindy Cameron, the CEO of the National Cyber Security Centre, ransomware is one of the most severe cybersecurity risks in the UK.

Martin Lee, technical lead for cybersecurity at Cisco, warned that office workers who are unable to resume their usual commute may see an increase in lost or stolen devices that carry important company data. Businesses in the UK have been investing heavily to ensure that their corporate networks are impenetrable because of the increased awareness of cyber threats brought on by rising data breaches. 



Read more »
User Privacy
Antivirus Data Breach Data Privacy Laws Hackers Phishing Attacks United Kingdom User Privacy

 UK Penalizes Interserve £4.4 Million for Security Breach

The Information Commissioner's Office (ICO) fined Interserve Group £4.4 million for violating data protection laws after it failed to protect the personal data of its employees.

An unidentified group of hackers launched a phishing attack in May 2020 to gain access to the systems of the construction firm and stole personal and financial information stored by Interserve on its 113,000 present and former employees, according to the ICO. It came to the conclusion that the business failed to implement adequate security measures to avoid such an attack.

A phishing email that had not been quarantined or prevented by the Interserve system was passed in May 2020 by an employee of the company either to an employee that opened it and downloaded its contents. On the employee's workstation, the malware was consequently installed.

The ICO claims that although the company's anti-virus system isolated the malware and provided an alert, it did not fully look into the suspicious activities. If it did so, the hacker would still have been able to access the company's systems.

Following the penetration of 283 systems and 16 accounts, the hacker removed the company's antivirus program. Up to 113,000 current and former employees' personal information was encrypted and made inaccessible.

Personal information like names, addresses, and bank account numbers were among the leaked data, along with certain category information like racial origin, religion, information about any disabilities, sexual orientation, and medical records.

According to John Edwards, the UK's information commissioner, "Firms are most in danger from internal complacency rather than external hackers. You can anticipate a similar fine from my office if your company doesn't routinely check its systems for suspicious behavior and ignores alerts, or if it doesn't update software and fails to teach employees."

The ICO has the authority to fine a data controller up to £17.5 million, or 4% of their total annual global revenue, whichever is larger. This fine was imposed under the DPA2018 (GDPR) for violations of the General Data Protection Regulation.



Read more »
Subscribe to: Comments (Atom)