The UK government has admitted that IT systems at the Foreign, Commonwealth and Development Office (FCDO) were hacked in October, but insists the attack had a “low risk” of personal data being compromised.
During a round of broadcast interviews today (19 December 2025), trade minister Chris Bryant said it was “not clear” who perpetrated the attack, although the first report on the hack, revealed in The Sun, attributed it to a China-based threat actor known as Storm 1849.
The same group was blamed for targeting vulnerabilities in Cisco equipment that led to a National Cyber Security Centre (NCSC) warning in September for organisations using Cisco’s Adaptive Security Appliance family of unified threat management systems. Users were told to replace any devices reaching end-of-life support, noting the significant risks that ageing or obsolete hardware can pose.
Bryant said some of the reports about the FCDO hack were “speculation”, but that the government had managed to “close the hole” quickly, and that security experts were confident there was a “low risk” of any individual being affected. The Sun report claimed hackers accessed confidential data and documents, possibly including thousands of visa details.
The Storm 1849 attack campaign on Cisco equipment was dubbed ArcaneDoor, and targeted two zero-day vulnerabilities. One was a high-severity denial-of-service vulnerability capable of remote code execution; the other was a high-severity persistent local code execution vulnerability.
While government IT systems always face scrutiny over cyber security, the hack will provide further fuel for critics of plans to introduce a national digital ID scheme, many of whom have already raised concerns about the potential risks of gathering citizen identity data.
The development also comes a day after ITV News broadcast a report on the cyber security issues found in One Login – the government single sign-on system that will be at the heart of the digital ID plan – which were first revealed by Computer Weekly in April.
Damaging year
2025 has been a notably damaging year for cyber attacks, with high-profile ransomware campaigns affecting Jaguar Land Rover (JLR), the Co-op and Marks & Spencer.
The Office for National Statistics attributed a November decline in the UK’s economy partly to the impact of the JLR attack, which stopped car production at the manufacturer and had a knock-on impact across the automotive supply chain.
Last month, four London councils – Kensington and Chelsea; Hackney; Westminster; and Hammersmith and Fulham – suffered cyber attacks, disrupting services and prompting an NCSC investigation. Westminster has since admitted that potentially sensitive data was copied from its systems during the hack. Three of the local authorities operate a shared IT service.
