Russia Microsoft Hack Accessed Home Office Data

Russian hackers accessed email data shared between Microsoft and the UK Home Office in an attack that occurred in January, a report has found.

Microsoft has been heavily criticised for internal security lapses that led to the January hack, which also gave the attackers access to emails shared with several US federal government agencies and other Microsoft corporate customers.

The hackers access to Home Office data, reported by Recorded Future, had not been previously made public.

A government spokesperson emphasised that the hackers had not accessed the Home Office’s own internal systems, but only corporate email data shared with Microsoft and held by the company.

Government data

“We take data security very seriously,” the spokesperson said.

The January breaches posed a security risk because in some cases the compromised data included credentials that could have been used by attackers to try to access the systems of Microsoft customers.

The Home Office reported the breach to the Information Commissioner’s Office on 2 May, describing it as a “nation state attack on [a] supplier”, according to Recorded Future, which obtained the information via a Freedom of Information Act request.

The ICO said it was aware of the incident and had decided no further action was required.

The US Cybersecurity and Infrastructure Security Agency (CISA) warned in April that US federal government data had been breached in the attack and warned the stolen email data “presents a grave and unacceptable risk to agencies”.

The US and UK governments have attributed the January attack to a group of hackers tracked as Midnight Blizzard that works for Russia’s SVR intelligence agency.

Security lapses

Microsoft President Brad Smith appeared before a Congressional national security panel in June following criticism of the company’s internal security failures that led to the January hack as well as a separate attack in 2023 attributed to China.

Both attacks allowed hackers to access sensitive data belonging to Microsoft’s government customers.

Microsoft is the US governnment’s largest IT supplier and industry watchers say it has faced no meaningful consequences for its security failures.

“This is yet another example of the dangerous monopoly Microsoft has on the digital world and how attackers are hijacking on its ubiquity to compromise organisations,” said Kevin Robertson, chief operating officer of Acumen Cyber, of the latest breach.

“Governments and organisations are placing their trust in Microsoft when they store their data in its services, so security should be a guarantee. But unfortunately with Microsoft it’s not.”

The US Cyber Safety Review Board (CSRB) in April similarly singled Microsoft out for its cybersecurity lapses and a lack of transparency over last year’s China hack.