Exclusive The Communications Workers Union (CWU), which represents hundreds of thousands of employees in sectors across the UK economy including tech and telecoms, is currently working to mitigate a cyberattack.

In what was originally being called a serious IT outage at the end of last week, the union confirmed to The Register today that the incident is now being treated as an attack, the full extent of which is still being assessed.

The CWU told us on March 22 that its email services weren't working and that it has engaged third-party cybersecurity experts who have been on site since 0900 UTC on March 21. Some systems have also been pulled down as a precaution.

Asked whether the trade union, one of the UK's largest, had been the victim of a cyberattack, or whether the situation was caused by ransomware, head of communications Chris Webb said: "We don't know."

"We can confirm that The CWU has been the victim of a cyber attack on parts of our IT systems," Webb said in a statement via WhatsApp, because email systems remain down. "We have informed the Information Commissioner's Office and have updated our members.

"Some CWU member data is held within the IT systems that were targeted. At this point, we do not know if a breach of this personal data has occurred. We have advised members to be vigilant against the risk of phishing emails that they may receive.

"Our specialist cybersecurity advisers are working on a digital forensic analysis of our systems to determine precisely what has occurred. They will also assess what the next steps are and establish timelines to restore the union’s IT infrastructure. The cyber security team will remain on site for the coming days. We will continue to communicate with members as we respond to this incident."

The Register contacted the CWU after being informed by a purported union insider who made various claims about the state of its outage last week, including that finance, payroll, and membership information was compromised by a cyberattack.

Asked about the claims made by the source, Webb had questioned where they got the information, saying they were "in dreamland" and that they "shouldn't be trusted."

While it isn't clear whether any data has been compromised by the incident, any possible breach at the CWU could be significant given its 185,000-strong membership.

What we do know, however, is that the UK's data watchdog confirmed that it's been made aware of the situation.

"The Communications Workers Union has made us aware of an incident and we are assessing the information provided," said a spokesperson for the Information Commissioner's Office (ICO).

The ICO's reporting guidance stipulates that organizations only need to report personal data breaches to the ICO if it is likely that the incident will present a risk to the rights and freedoms of individuals affected.

Incidents that meet the threshold must be reported within 72 hours, where feasible, and the individuals affected must be informed "without undue delay."

The Register spoke to a handful of CWU regional secretaries late last week - leaders of the union's regional outposts - and all of those who responded said they had not been made aware of any cybersecurity or data security incident.

The only issue reported by the secretaries was email outages, citing an apparent server issue at CWU headquarters, which is based in Wimbledon, South West London.

Branch offices had been told to switch email systems, but CWU head office made no mention of any kind of security breach. Everything else was business as usual, we were told.

It's also been claimed by a CWU source that the cyberattack at the union corrupted its data backups too, which, if correct, would be a damaging blow to its recovery protocol, should it need to be engaged.

Ensuring an organization has robust backups in place is generally seen as the most important thing needed to sustain any material breach of systems.

Our security sources say these things are more common than most people think as many organizations don't think about keeping backups away from their network or even off-site.

For example, shipping giant Maersk was only able to recover from its nightmare NotPetya incident, which also affected its backups, because a site in Ghana remained unaffected due to a local power outage. ®

https://www.theregister.com//2024/03/25/cwu_security_incident/