Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

China Raises Security Concerns Over Rapidly Growing OpenClaw AI Tool

  A fresh alert from China’s tech regulators highlights concerns around OpenClaw, an open-source AI tool gaining traction fast. Though built...

All the recent news you need to know
Spanish government data breach
Cyber Attacks cybercrime surge 2025 GordonFreeman hacker IDOR vulnerability exploit Ministry of Science cyberattack Spain Spanish government data breach

Spain Ministry of Science Cyberattack Triggers IT Shutdown, Hacker Claims Data Breach

 

A cyberattack targeting the Ministry of Science, Innovation and Universities has led to a partial shutdown of government IT infrastructure, interrupting essential digital services relied upon by researchers, universities, students, and businesses nationwide.

Authorities initially referred to the disruption as a “technical incident,” but mounting evidence — alongside confirmations from Spanish media — now indicates the event was the result of a cyberattack that may have compromised sensitive academic, personal, and financial data.

The ministry is a key pillar of Spain’s higher education and research framework. Any outage affecting its digital systems carries significant operational and administrative consequences, elevating the seriousness of the breach beyond a routine technical malfunction.

In a statement posted on its electronic headquarters, the ministry acknowledged the disruption and announced the temporary closure of several digital services.

“As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.”

The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.”

Officials added that deadline extensions would remain active: "until the complete resolution of the aforementioned incident occurs," citing Article 32 of Law 39/2015.

While the extension of deadlines offers procedural protection to affected users, the absence of immediate clarity regarding the nature of the disruption sparked concern among stakeholders.

Hacker Claims Responsibility for Breach

Concerns escalated after a threat actor operating under the alias Gordon Freeman appeared on underground forums claiming responsibility for the attack. The individual alleged exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability, which reportedly granted “full-admin-level access” to internal systems.

The attacker published sample screenshots online — though their authenticity has not been independently confirmed — showing what appear to be official documents, email addresses, enrollment records, and internal communications.

Spanish outlet OKDIARIO reported that a ministry spokesperson acknowledged the IT disruption stemmed from a cyberattack and confirmed that the electronic headquarters had been taken offline to evaluate the potential scope of the breach.

Although the forum where the leak was allegedly posted has since gone offline and the data has not resurfaced elsewhere, early indicators suggest the materials could be genuine. If verified, the breach would represent a significant failure in access control safeguards.
According to the attacker’s claims, the compromised data may include:
  • Scanned identification documents, including NIEs and passports
  • Email addresses
  • Payment confirmations displaying IBAN numbers
  • Academic transcripts and apostilled degrees
  • Curricula containing private personal details
If confirmed, the breach could expose thousands of students and researchers to identity theft, financial fraud, and long-term privacy risks. Academic records, once leaked, are particularly difficult to revoke or replace.

The incident reflects a broader cybersecurity challenge in Spain. Cybercrime now represents more than one in six recorded criminal offenses nationwide. Authorities have reported a 35% increase in cyberattacks this year, with daily incidents exceeding 45,000. Between late February and early March, reported attacks surged by 750% compared to the same timeframe last year.

During the week of 5–11 March 2025, Spain ranked as the most targeted country globally, accounting for 22.6% of all recorded cyber incidents — surpassing even the United States.

Experts attribute the trend to two primary factors: rapid digital transformation — accelerated by EU-backed modernization initiatives — and insufficient investment in cybersecurity infrastructure. Ransomware incidents alone have climbed 120%, disproportionately affecting public institutions and small-to-medium enterprises.


Read more »
User Privacy
Data Breach Flickr Personal Data Third-Party Leak User Privacy

Flickr Discloses Third-Party Breach Exposing User Names, Emails

 

Photo-sharing platform Flickr has disclosed a potential data breach involving a third-party email service provider that may have exposed sensitive user information. The incident, reported on February 6, 2026, stems from a vulnerability in a system operated by this unnamed provider, which Flickr used for email-related services. While the company has not revealed how many users were affected, it has begun notifying impacted members and urging them to exercise caution in the coming days.

According to Flickr, the issue was identified on February 5, 2026, when the company was alerted to the security flaw in the third-party system. Engineers moved quickly and shut down access to the affected system within hours of being notified, in an effort to limit any potential misuse of exposed data. The company has not yet provided technical details about the vulnerability or responded to media requests for additional comment. However, Flickr has emphasized that it is actively investigating the incident and working to tighten its security posture around external vendors.

The exposed data includes a range of personal and account-related information belonging to Flickr members. This may involve real names, email addresses, Flickr usernames, account types, IP addresses, general location data, and records of user activity on the platform. Importantly, Flickr has stressed that passwords and payment card numbers were not compromised in this incident, since these details were not stored in the impacted third-party system. Even so, the nature of the leaked data raises concerns about targeted phishing and profiling attempts.

In emails sent to affected users, Flickr is advising members to review their account settings carefully and look for any unexpected changes that might indicate suspicious access. The company is also warning users to stay alert for phishing emails that reference their Flickr activity or appear to come from official Flickr channels. As part of its guidance, Flickr reiterated that it will never ask for passwords via email and recommended that users change their passwords on other services if they reuse the same credentials. This precaution helps limit the fallout if exposed addresses are linked to reused passwords elsewhere.

Flickr has apologized to its community, acknowledging the concern the incident may cause and reaffirming its commitment to user privacy. As part of its response, the company says it is conducting a thorough investigation, strengthening its system architecture, and enhancing monitoring of its third-party service providers to prevent similar issues in the future. The breach highlights the growing risks associated with outsourced infrastructure and email services, especially for platforms hosting large global communities and vast volumes of user content.
Read more »
Strela Stealer Campaign
Detour Dog Threat Actor DNS Command And Control DNS Security Monitoring DNS TXT Record Exploit Initial Access Broker malware Strela Stealer Campaign

The Growing Threat of DNS Powered Email and Web Attacks


 

As an important component of the internet architecture, the Domain Name System has historically played the role of an invisible intermediary converting human intent into machine-readable destinations without much scrutiny or suspicion. However, this quiet confidence has now been put to the test. 

Research conducted by DomainTools has revealed a subtle yet consequential technique that redefines DNS into a covert delivery channel for malicious code rather than just a directory service. Rather than hosting payloads on compromised servers or suspicious domains, attackers fragment malware into tiny segments and embed them in DNS TXT records scattered across a variety of subdomains.

The fragments appear harmless when isolated, indistinguishable from legitimate configuration information. However, after systematically querying and reassembling-often by scripting PowerShell commands-the pieces combine to form fully functional malware. As a result of the implicit trust placed in DNS traffic and the limited visibility many organizations maintain over it, this methodical approach is inexpensive, methodical, and quiet. 

According to a report by Ars Technica, DNS infrastructure abuse is not merely theoretical. Threat actors have operationalized the technique in a manner that has been remarkable in its precision. In that instance, the malicious payload was converted into hexadecimal form and separated into hundreds of discrete chunks. As a result of the registration of whitetreecollective.com and generation of a large number of subdomains, the operators assigned each fragment to a distinct TXT record of the host. 

These records, individually, appeared to be indistinguishable from routine DNS metadata which is commonly used for verifying domains, authenticating email, and establishing service configurations. Collectively, however, they constitute a malware repository incorporated into the DNS infrastructure as a whole. Upon establishing foothold access inside a target environment, the reconstruction process did not require any more conspicuous methods than a series of DNS queries. 

Each encoded fragment was retrieved individually using scripted queries, which allowed the payload to be assembled in memory without the need for conventional file downloads or suspicious HTTP traffic. This retrieval mechanism blends seamlessly into ordinary network activity since DNS requests are ubiquitous and rarely subject to deep inspection, particularly in environments requiring encrypted resolvers. 

Even though DNS tunneling has long been associated with data exfiltration and command-and-control communications, the deliberate hosting of malicious payloads across TXT records represents a more assertive evolution in this area. 

Through the campaign, people illustrate the importance of comprehensive DNS telemetry, anomaly detection, and policy enforcement within modern enterprise security architectures, and demonstrate how foundational internet protocols, when inadequately monitored, can be repurposed into resilient delivery channels. 

Furthermore, investigations into DNS-enabled threat infrastructure revealed the activities of a threat actor identified as Detour Dog, who was the key enabler for campaigns to distribute the Strela Stealer malware. In accordance with Infoblox analysis, the actor is in control of domains hosting the initial malware component a lightweight backdoor called StarFish that is used to deliver the malware chain. 

During the first stage, the implant functions as a reverse shell, establishing a persistent communication channel that facilitates retrieving and executing the Strela Stealer payload. Informationblox has been tracking Detour Dog since August 2023, when Sucuri, a company owned by GoDaddy, reported security breaches targeting WordPress sites. 

Early operations involved the injection of malicious JavaScript into compromised websites to serve as covert command channels for traffic distribution systems using DNS TXT records. Visitors were silently directed to malicious sites or fraudulent pages.

Historical telemetry indicates a sustained and evolving presence of the actor since February 2020, suggesting that its infrastructure extends back as far as February 2020. Operational model has since matured. Where redirects once supported scams, DNS-based command-and-control frameworks now permit staged execution of remote payloads. 

According to IBM X-Force, StarFish is delivered through weaponized SVG files, enabling persistent attacks and hands-on access to compromised systems. A financially motivated operator has been identified as Hive0145 since at least 2022 as the sole operator responsible for the Strala Stealer, a criminal operation that has been functioning as an initial access broker monetizing unauthorized access to networks by reselling them to other criminals. 

Further, Detour Dog's DNS infrastructure was found to play a major role in 69 percent of confirmed StarFish staging hosts, highlighting its central role in the broader campaign. Additionally, the attack chain included a MikroTik-based botnet, marketed as REM Proxy, which was armed with SystemBC malware previously analyzed by Black Lotus Labs at Lumen Technologies. 

In addition to REM Proxy, Tofsee botnet, which historically propagated through PrivateLoader C++ loader, was also responsible for spam emails that delivered Strela Stealer. Detour Dog's infrastructure consistently hosted the first-stage payload on both distribution pathways, confirming the actor's role as a crucial DNS-centric facilitator within Strela's ecosystem.

When Detour Dog first emerged as a threat intelligence source, its activities seemed relatively simple. The primary use of compromised websites was to redirect visitors to fraudulent advertising networks, scam websites, and deceptive CAPTCHA pages that are intended to generate illegal revenue through forced clicks. However, telemetry indicated a strategic shift by late 2024. 

Initially, the infrastructure served as a traffic monetization strategy, but it soon became a distribution backbone for materially more dangerous payloads. A DNS-centric framework was observed to facilitate the delivery of Strela Stealer, a family of malware that steals information associated with the threat actor Hive0145, in mid-2025. 

The Strela campaigns, usually initiated through malicious email attachments themed around invoices, are intended to exfiltrate user credentials, session information, and host information stored in browsers. There is no indication that Detour Dog directly hosts final-stage malware binaries.

In reality, it appears to operate as a DNS relay layer, resolving staged instructions and retrieving remote payloads from attacker-controlled servers before relaying them through compromised web assets. Indirection obscures the true origin of malware and complicates the static blocking process. A detailed description of Detour Dog's operation remains unclear. It is unclear whether it functions solely as an infrastructure provider or concurrently runs its own campaigns. 

According to an analysis of infrastructure overlap and domain control, Detour Dog has provided DNS channels to other operators, including Hive0145, for distribution of payloads. According to internal research, nearly two-thirds of the staging domains associated with recent campaigns are controlled by Detour Dog, suggesting a delivery-for-hire model as opposed to a single threat operation whose focus is on a single, isolated threat. 

The primary entry point into the ecosystem continues to be email. Malicious attachments often masquerade as invoices or business documents and initiate a multi-stage infection process. This documentation does not embed the final payload in its entirety, but instead refers to compromised domains that query Detour Dog's name servers for further instructions.

By using DNS lookups as a precursor to remote execution, ostensibly benign clicks can be transformed into covert downloads and staging sequences as a result of a server-side retrieval process. Mass distribution has been linked to botnets such as REM Proxy, a MikroTik-based network, and Tofsee, while Detour Dog provides persistent hosting and DNS command and control relays to protect backend infrastructure against direct exposure. 

The segmentation of responsibilities reflects the increasingly modular nature of cybercriminals' supply chains. Among the groups, one manages spam dissemination, another provides DNS and hosting infrastructure resilience, and a third develops and operates the information-stealing payload. Such compartmentalization makes attribution and disruption difficult. 

A single component rarely dismantles an operation; actors can reconstitute infrastructure or redirect traffic in a matter of seconds if a single component is removed. As such, defensive strategies must include DNS-layer intelligence capable of detecting anomalous TXT record queries as well as covert command channels prior to downstream payload execution.

The example of Detour Dog demonstrates how foundational internet protocols can be used to deliver stealth payloads. It has been observed that threat actors embed malicious orchestration in routine DNS activity to transform everyday web traffic into an unobtrusive mechanism to deliver malware and exfiltrate data. 

As part of the prevention of this class of threat, organizations should elevate DNS from a background utility to a frontline security control by integrating visibility, validation, and enforcement across both email and resolution layers. There are wider implications for security leaders than just a single campaign or actor. 

Adversaries have begun weaponizing core internet infrastructure in a structural way by combining email lures, DNS staging, and modular malware services. Defense systems based primarily on perimeter filtering and endpoint detection are unlikely to identify threats that arise through routine name resolution. 

In order to maintain DNS observability, organizations must implement a strategy that correlates resolver telemetry with email security signals, enforces strict egress policies, verifies record integrity, and integrates threat intelligence into recursive as well as authoritative layers. 

DNS configuration auditing, anomaly detection of irregular TXT record patterns, and rigorous segmentation of web-facing assets are three effective ways to reduce exposure. As adversaries continue to operationalize trusted protocols for covert delivery, resilience will increasingly rely on disciplined architectural design that treats DNS as a decisive defense line rather than a background infrastructure.
Read more »
User Privacy
Conduent Data Breach Data Leak Ransomware attack User Privacy

Conduent Data Breach Expands to Tens of Millions of Americans

 

A massive data breach at Conduent, a leading government technology contractor, has escalated dramatically, now affecting tens of millions of Americans across multiple states. Initially detected in January 2025, the intrusion originated from an unauthorized access on October 21, 2024, allowing hackers to lurk undetected for nearly three months. Recent disclosures reveal the scope far exceeds early estimates, with Texas alone reporting 15.4 million victims, Oregon 10.5 million, and additional hundreds of thousands in Washington, Maine, and beyond.

Conduent provides critical back-end services like payments, printing, and processing for state agencies, transit systems, and insurers serving over 100 million users nationwide. The stolen data trove includes highly sensitive details: names, Social Security numbers, dates of birth, medical records, health insurance IDs, and treatment information. This breach, linked to ransomware group SafePay, exposes victims to severe identity theft and fraud risks, prompting lawsuits and regulatory scrutiny.

The cyberattack disrupted operations briefly, delaying child support payments in states like Wisconsin and affecting insurers such as Premera Blue Cross and Blue Cross Blue Shield of Montana. Conduent, aided by Palo Alto Networks and other forensics experts, secured systems swiftly but incurred $25 million in direct response costs by Q1 2025. No misuse of data has surfaced as of late 2025 notifications, but experts warn of looming phishing and extortion campaigns.

Legal fallout has been swift, with at least nine class-action suits filed over the 10.5 million+ record exposure, marking it as 2025's largest healthcare breach.Notifications began rolling out in October 2025 to state attorneys general in Maine, California, and others, advising credit freezes and fraud alerts—without offering free monitoring. Victims, primarily government program beneficiaries, face heightened vulnerability in an era of persistent ransomware targeting public sector vendors.

Cybersecurity analysts highlight Conduent's prolonged undetected access as a stark reminder of supply chain risks in govtech. The firm's SEC filings underscore ongoing financial strain from notifications and potential liabilities. As investigations continue into 2026, this incident amplifies calls for stricter vendor oversight and zero-trust architectures in handling citizen data.

In response, affected states and insurers urge proactive measures: monitor credit reports, enable multi-factor authentication, and watch for suspicious IRS or healthcare scams. Conduent assures full cooperation with authorities, but the ballooning victim count underscores the fragility of centralized data troves in government services.This breach serves as a pivotal case study in evolving cyber threats to public infrastructure.
Read more »
Virtual Machine Abuse
Bulletproof hosting command and control servers ISPsystem VMmanager malware Ransomware Infrastructure Virtual Machine Abuse

ISPsystem VMs Hijacked for Silent Ransomware Distribution


 

The evolution of cybercrime has led to infrastructure becoming less of a matter of ownership and more of a convenience issue. As opposed to investing time and resources in the construction and maintenance of dedicated command-and-control servers, ransomware operators are increasingly renting inexpensive virtual machines that blend seamlessly into legitimate hosting environments as a practical alternative. 

As a result of this shift, attackers have enhanced their operational strategy by embedding their activities within widely used infrastructure, thereby gaining scalability, plausible deniability, and operational resilience. 

In the event of the disruption of one node, dozens, sometimes hundreds, of nearly identical systems continue to run in parallel, ensuring that campaigns continue uninterrupted. 

Sophos investigators, following this operational shift, identified a series of recent WantToCry ransomware attacks that were triggered by virtual machines that were provisioned through infrastructure managed by ISPsystem, a legitimate provider of virtualization and hosting control panels. 

In forensic analysis of several incidents, researchers observed an underlying pattern: attackers controlled Windows virtual machines whose hostnames were the same. 

As the systems appeared to have been deployed using default Windows templates from ISPsystem's VMmanager platform, it can be deduced that threat actors were utilizing standardized rather than customized builds. 

Based on the correlation between telemetry and sinkhole data, it was found that the same hostname conventions were shared among infrastructures associated with multiple ransomware operations, including LockBit, Qilin, Conti, BlackCat, also known as ALPHV, and Ursnif, a banking trojan. In addition to ransomware, infrastructure overlaps with campaigns distributing information-stealing malware, such as RedLine and Lumma. 

A high frequency of identical system identifiers between geographically dispersed incidents indicates the reuse of templates rather than isolated deployments within the virtual environment. ISPsystem's VMmanager platform facilitates rapid provisioning and lifecycle management of Windows and Linux virtual machines, making it widely used by hosting providers. 

According to Sophos, the default Windows images in VMmanager use the same hostname and certain system identifiers upon deployment. Within benign environments, such uniformity may go unnoticed, while within hostile environments, it becomes a disguise.

The bulletproof hosting operators exploit this architectural feature by enabling their clients to instantiate virtual machines en masse, which allow malicious command-and-control and payload delivery servers to be embedded within pools of otherwise legitimate systems. The result is infrastructure dilution: malicious nodes become statistically indistinguishable from thousands of benign peers, resulting in a challenge in attribution efforts and a reduced likelihood of swift remediation. 

Several of these virtual machines had a concentration that was not evenly distributed. A significant proportion were traced to a small number of hosting providers with history of abuse complaints or regulatory scrutiny, such as Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT. 

Moreover, researchers identified MasterRDP as a recurrent element in the ecosystem, providing VPS and RDP services that are resistant to legal intervention while maintaining direct control over physical infrastructure. The Sophos analysis revealed that over 95 percent of ISPsystem virtual machines with internet-facing hostnames came from four default Windows hostnames generated by ISPsystems. 

There was a correlation between each of these identifiers and detected cybercriminal activity, strengthening the assertion that templated infrastructure is being systematically repurposed to sustain large-scale ransomware and malware operations. 

After expanding their dataset, the researchers identified over 7,000 internet-facing servers sharing one autogenerated hostname, which were spread across Russian, multiple European countries, the United States, as well as Iran and Israel. According to Sophos' Counter Threat Unit, two hostnames in particular recurred consistently both in the WantToCry investigation and in the reporting of general threat intelligence. 

The identifiers identified in this report were not restricted to one particular campaign. Observations from third parties and telemetry correlated them with operations involving LockBit, Qilin, and BlackCat, as well as NetSupport RAT deployments. 

Among the uses of these systems have been host-and-control servers for ransomware, secondary malware payloads distribution, phishing campaigns, botnet management, and staging exfiltrated data for monetization. This pattern of reusable infrastructure templates is likely to have persisted for a minimum of five years, according to investigators.

Ironically, despite the strategy reducing operational costs and speeding up deployment for threat actors, it introduces a measurable signature. Defenders can benefit from the widespread reuse of static hostnames across thousands of ISPsystem-provided virtual machines by clustering these hosts into clusters that can be useful for attribution and campaign tracking. 

Virtual machines were identified by a narrow group of hosting providers, including several companies which have been repeatedly linked to cybercriminal or state-sponsored activity. According to Sophos, some legitimate traffic may originate from these environments, however additional intelligence identifies Stark Industries Solutions Ltd. as the most prominent provider.

Cybercriminal ecosystems and Russian state-sponsored operations are linked to First Server Limited and First Server Limited. Regulatory scrutiny has followed the establishment of Stark Industries in early 2022, shortly prior to the Russian invasion of Ukraine. Several threat groups have been observed to leverage Stark Industries' infrastructure since that time. 

Stark Industries Solutions and its operators were imposed restrictive measures by the European Council in May of last year for their involvement in destabilizing activities by Russian state-affiliated actors, based on their role in facilitating such activities.

Due to its apparent connection with Doppelganger, a Russian disinformation campaign sanctioned by the UK government in October 2024, First Server Limited has also received attention. According to our assessment, MasterRDP is among a number of bulletproof hosting providers that lease ISPsystem managed virtual machines on abuse-tolerant infrastructure to customers who conduct ransomware and malware operations. 

ISPsystem's VMmanager remains a viable and widely used virtualization management platform in the global hosting industry, according to researchers. The software itself is not inherently malicious; however, it is attractive to threat actors seeking scalable infrastructure due to its low cost, ease of onboarding, and rapid deployment capabilities. 

A combination of its widespread user base with its extensive ubiquity allows malicious deployments to maintain operational cover, enabling ransomware and malware campaigns to persist among thousands of routine, compliant virtual machine instances. As a result of these findings, the hosting ecosystem is facing a broader structural challenge. 

Because virtualization platforms reduce infrastructure deployment barriers, security responsibility is increasingly shifting away from providers, resellers, and enterprise customers to ensure that template hygiene is implemented effectively, unique system identifiers are enforced, and anomalous clustering patterns are monitored.

As a result of proactive hostname randomization, stronger customer vetting, transparency in abuse response, and cross-industry intelligence sharing, threat actors may be less likely to use templated infrastructure. 

As demonstrated by these consistent artifacts exposed in the campaign, even commoditized infrastructure leaves discernible patterns behind. It will not be sufficient to dismantle individual malicious nodes. Instead, it will be necessary to address the systemic weaknesses that allow legitimate technology to be silently adapted for large-scale, persistent cybercrime operations.
Read more »
Technology
Chelsea Cyber Attacks data intrusion Kensington London Technology

London Boroughs Struggle to Restore Services After November Cyber Attack




A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions.

The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain.

A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months.

According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property.

Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence.

Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating.

Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete.

Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided.

There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval.

Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received.

Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context.

Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration.

Council Leader Cllr Elizabeth Campbell described the incident as a n intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience. 

Read more »
Subscribe to: Comments (Atom)

Featured