Cybercrime

Co-op CEO apologises after cyberattack hits 6.5 million members

Co-op CEO Shirine Khoury-Haq has confirmed that all 6.5 million members had their data stolen during a cyberattack in April.

‘I’m devastated that information was taken,’ Khoury-Haq told BBC Breakfast. ‘It hurt my members; they took their data, and it hurt our customers, whom I take personally.’

The stolen data included names, addresses, and contact details, but no financial or transaction information. Khoury-Haq said the incident felt ‘personal’ due to its impact on Co-op staff, adding that IT teams ‘fought off these criminals’ under immense pressure.

Although the hackers were removed from Co-op’s systems, the stolen information could not be recovered. The company monitored the breach and reported it to the authorities.

Co-op, which operates a membership profit-sharing model, is still working to restore its back-end systems. The financial impact has not been disclosed.

In response, Co-op is partnering with The Hacking Games — a cybersecurity recruitment initiative — to guide young talent towards legal tech careers. A pilot will launch in Co-op Academies Trust schools.

The breach was part of a wider wave of cyberattacks on UK retailers, including Marks & Spencer and Harrods. Four people aged 17 to 20 have been arrested concerning the incidents.

In a related case, Australian airline Qantas also confirmed a recent breach involving its frequent flyer programme. As with Co-op, financial data was not affected, but personal contact information was accessed.

Experts warn of increasingly sophisticated attacks on public and private institutions, calling for stronger digital defences and proactive cybersecurity strategies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Air Serbia suffers deep network compromise in July cyberattack

Air Serbia delayed issuing June payslips after a cyberattack disrupted internal systems, according to internal memos obtained by The Register. A 10 July note told staff: ‘Given the ongoing cyberattacks, for security reasons, we will postpone the distribution of June 2025 payslips.’

The IT department is reportedly working to restore operations, and payslips will be emailed once systems are secure again. Although salaries were paid, staff could not access their payslip PDFs due to the disruption.

HR warned employees not to open suspicious emails, particularly those appearing to contain payslips or that seemed self-addressed. ‘We kindly ask that you act responsibly given the current situation,’ said one memo.

Air Serbia first informed staff about the cyberattack on 4 July, with IT teams warning of possible disruptions to operations. Managers were instructed to activate business continuity plans and adapt workflows accordingly.

By 7 July, all service accounts had been shut down, and staff were subjected to company-wide password resets. Security-scanning software was installed on endpoints, and internet access was restricted to selected airserbia.com pages.

A new VPN client was deployed due to security vulnerabilities, and data centres were shifted to a demilitarised zone. On 11 July, staff were told to leave their PCs locked but running over the weekend for further IT intervention.

An insider told The Register that the attack resulted in a deep compromise of Air Serbia’s Active Directory environment. The source claims the attackers may have gained access in early July, although exact dates remain unclear due to missing logs.

Staff reportedly fear that the breach could have involved personal data, and that the airline may not disclose the incident publicly. According to the insider, attackers had been probing Air Serbia’s exposed endpoints since early 2024.

The airline also faced several DDoS attacks earlier this year, although the latest intrusion appears far more severe. Malware, possibly an infostealer, is suspected in the breach, but no ransom demands had been made as of 15 July.

Infostealers are often used in precursor attacks before ransomware is deployed, security experts warn. Neither Air Serbia nor the government of Serbia responded to media queries by the time of publication.

Air Serbia had a record-breaking year in 2024, carrying 4.4 million passengers — a 6 percent increase over the previous year. Cybersecurity experts recently warned of broader attacks on the aviation industry, with groups such as Scattered Spider under scrutiny.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Hungary enforces prison terms for unauthorised crypto trading

Hungary has introduced strict penalties for individuals and companies involved in unauthorised cryptocurrency trading or services. Under the updated Criminal Code, using unauthorised crypto exchanges can lead to two years in prison, with longer terms for larger trades.

Crypto service providers operating without authorisation face even harsher penalties. Sentences can reach up to eight years for transactions exceeding 500 million forints (around $1.46 million).

The updated law defines new offences such as ‘abuse of crypto-assets’, aiming to impose stricter control over the sector.

The implementation has caused confusion among crypto companies, with Hungary’s Supervisory Authority for Regulatory Affairs (SZTFH) yet to publish compliance guidelines. Businesses now face a 60-day regulatory vacuum with no clear direction.

UK fintech firm Revolut responded by briefly halting crypto services in Hungary, citing the new legislation. It has since reinstated crypto withdrawals, while its EU entity works towards securing a regional crypto licence.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Google pushes urgent Chrome update before 23 July

Google has confirmed that attackers have exploited a high-risk vulnerability in its Chrome browser. Users have been advised to update their browsers before 23 July, with cybersecurity agencies stressing the urgency.

The flaw, CVE-2025-6554, involves a type confusion issue in Chrome’s V8 JavaScript engine. The US Cybersecurity and Infrastructure Security Agency (CISA) has made the update mandatory for federal departments and recommends all users take immediate action.

Although Chrome updates are applied automatically, users must restart their browsers to activate the security patches. Many fail to do so, leaving them exposed despite downloading the latest version.

CISA highlighted that timely updates are essential for reducing vulnerability to attacks, especially for organisations managing critical infrastructure. Enterprises are at risk if patching delays allow attackers to exploit known weaknesses.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

US House passes NTIA cyber leadership bill after Salt Typhoon hacks

The US House of Representatives has passed legislation that would officially designate the National Telecommunications and Information Administration (NTIA) as the federal lead for cybersecurity across communications networks.

The move follows last year’s Salt Typhoon hacking spree, described by some as the worst telecom breach in US history.

The National Telecommunications and Information Administration Organization Act, introduced by Representatives Jay Obernolte and Jennifer McClellan, cleared the House on Monday and now awaits Senate approval.

The bill would rebrand an NTIA office to focus on both policy and cybersecurity, while codifying the agency’s role in coordinating cybersecurity responses alongside other federal departments.

Lawmakers argue that recent telecom attacks exposed major gaps in coordination between government and industry.

The bill promotes public-private partnerships and stronger collaboration between agencies, software developers, telecom firms, and security researchers to improve resilience and speed up innovation across communications technologies.

With Americans’ daily lives increasingly dependent on digital services, supporters say the bill provides a crucial framework for protecting sensitive information from cybercriminals and foreign hacking groups instead of relying on fragmented and inconsistent measures.

Malicious Gravity Forms versions prompt urgent WordPress update

Two versions of the popular Gravity Forms plugin for WordPress were found infected with malware after a supply chain attack, prompting urgent security warnings for website administrators. The compromised plugin files were available for manual download from the official page on 9 and 10 July.

The attack was uncovered on 11 July, when researchers noticed the plugin making suspicious requests and sending WordPress site data to an unfamiliar domain.

The injected malware created secret administrator accounts, providing attackers with remote access to websites, allowing them to steal data and control user accounts.

According to developer RocketGenius, only versions 2.9.11.1 and 2.9.12 were affected if installed manually or via composer during that brief window. Automatic updates and the Gravity API service remained secure. A patched version, 2.9.13, was released on 11 July, and users are urged to update immediately.

RocketGenius has rotated all service keys, audited admin accounts, and tightened download package security to prevent similar incidents instead of risking further unauthorised access.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Foreign cybercrime cells thrive in Nigeria

Nigeria’s anti-fraud agency had 194 foreign nationals in custody in 2024, prosecuting 146 for their roles in cyber-enabled financial crimes, highlighting a robust response to a growing threat.

December alone saw nearly 800 arrests in Lagos, targeting romance and cryptocurrency investment scams featuring foreign ringleaders from China and the Philippines. In one case, 148 Chinese and 40 Filipino suspects were detained.

These groups established complex fraud operations in major Nigerian cities, using fake identities and training local recruits, often unaware of the ultimate scheme. Investigations also flagged cryptocurrency-fuelled money laundering and arms trafficking, pointing to wider national security risks.

EFCC chairman Ola Olukoyede warned that regulatory failures, such as visa oversight and unchecked office space leasing, facilitated foreign crime cells.

National and continental collaboration, tighter visa control, and strengthened cybercrime frameworks will be key to dismantling these networks and securing Nigeria’s digital economy.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Crypto ATM scams surge across Australia

A wave of scams involving crypto ATMs has hit Australia, leaving elderly victims devastated. In the latest reported case, 15 people from Tasmania lost a combined $2.5 million, according to local police.

The average victim was 65 years old, and many are now facing severe financial consequences.

Police say the scams involve fraudsters manipulating people into depositing large sums of cash into crypto ATMs. Tactics range from fake romance and investment schemes to impersonating authorities or tech support.

Victims are often threatened or misled with false promises of returns, leading to irreversible losses once crypto is transferred.

Crypto ATMs offer no recovery mechanism, unlike traditional banks. As a result, once a victim sends funds to a scammer’s wallet, the money is gone. In one extreme case, a Tasmanian lost $750,000, forcing them to sell assets and depend on government aid.

Regulators are responding. Australia has imposed cash limits on crypto ATM transactions, while New Zealand has gone a step further by banning them altogether to curb criminal activity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Google urges caution as Gmail AI tools face new threats

Google has issued a warning about a new wave of cyber threats targeting Gmail users, driven by vulnerabilities in AI-powered features.

Researchers at 0din, Mozilla’s zero-day investigation group, demonstrated how attackers can exploit Google Gemini’s summarisation tools using prompt injection attacks.

In one case, a malicious email included hidden prompts using white-on-white font, which the user cannot see but Gemini processes. When the user clicks ‘summarise this email,’ Gemini follows the attacker’s instructions and adds a phishing warning that appears to come from Google.

The technique, known as an indirect prompt injection, embeds malicious commands within invisible HTML tags like <span> and <div>. Although Google has released mitigations since similar attacks surfaced in 2024, the method remains viable and continues to pose risks.

0din warns that Gemini email summaries should not be considered trusted sources of security information and urges stronger user training. They advise security teams to isolate emails containing zero-width or hidden white-text elements to prevent unintended AI execution.

According to 0din, prompt injections are the new equivalent of email macros—easy to overlook and dangerously effective in execution. Until large language models offer better context isolation, any third-party text the AI sees is essentially treated as executable code.

Even routine AI tools could be hijacked for phishing or more advanced cyberattacks without the userćs awareness. Google notes that as AI adoption grows across sectors, these subtle threats require urgent industry-wide countermeasures and updated user protections.

Users are advised to delete any email that displays unexpected security warnings in its AI summary, as these may be weaponised.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AI fake news surge tests EU Digital Services Act

Europe is facing a growing wave of AI-powered fake news and coordinated bot attacks that overwhelm media, fact-checkers, and online platforms instead of relying on older propaganda methods.

According to the European Policy Centre, networks using advanced AI now spread deepfakes, hoaxes, and fake articles faster than they can be debunked, raising concerns over whether EU rules are keeping up.

Since late 2024, the so-called ‘Overload’ operation has doubled its activity, sending an average of 2.6 fabricated proposals each day while also deploying thousands of bot accounts and fake videos.

These efforts aim to disrupt public debate through election intimidation, discrediting individuals, and creating panic instead of open discussion. Experts warn that without stricter enforcement, the EU’s Digital Services Act risks becoming ineffective.

To address the problem, analysts suggest that Europe must invest in real-time threat sharing between platforms, scalable AI detection systems, and narrative literacy campaigns to help citizens recognise manipulative content instead of depending only on fact-checkers.

Publicly naming and penalising non-compliant platforms would give the Digital Services Act more weight.

The European Parliament has already acknowledged widespread foreign-backed disinformation and cyberattacks targeting EU countries. Analysts say stronger action is required to protect the information space from systematic manipulation instead of allowing hostile narratives to spread unchecked.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.