Cyber Security Monitor: October 2025

In the past year or two, we’ve documented the rise of the teenage hacker – a class of cyber criminal that has orchestrated some of the most sophisticated cyber attacks. What’s shocking is the age of some of the perpetrators and the scale of damage they have managed to cause – some criminals can’t yet legally drink in the US and yet have stolen millions from their victims. But the tide seems to be turning, with both UK and US authorities now circling.

In other news, we cover the startling phenomenon of the North Korean IT worker and why businesses need to be extra vigilant that they are not inadvertently funding a rogue regime.

Also this month, the eye-watering sums behind recent cyber incidents: a £14m fine slapped on Capita for poor data protection and an estimated £1.9bn figure for the financial impact of the JLR hack – the costliest cyber event to hit the UK.

And finally, advice from the NCSC on what to do in the event of IT system failure. Top Tip: keep that pen and paper ready.

The rise and fall of the teenage hacker

The arrival of the Scattered Spider hacking group caused a stir in cyber circles when it emerged that most of its members were English-speaking teenagers. The hackers chalked up some notorious attacks, including US casinos, British retail institutions (M&S, Co-op, Harrods) and major transport authority TfL (Transport for London).

But this teenage joy ride has come to a screeching stop with three recent arrests and charges swiftly following.

A 19-year-old British teenager called Thalha Jubair faces a maximum 95 years in US prison for allegedly scamming American company helpdesks for ransom. Jubair is believed to have carried out a ransomware campaign that hit 47 American businesses and 120 computer networks, including American courts and critical infrastructure. Jubair managed to extract $115 million from his victims before his reign of cyber terror came to an end.

Also, Jubair and 18-year-old Owen Flowers from Walsall have been arrested and charged in relation to the cyber attack on TfL as well as other offences. The TfL attack is believed to have cost the authority £39 million.

Jubair was finally tracked down because of – and it’s hard to resist this phrase – a schoolboy error. Investigators were able to trace ransom payments sent to a bitcoin wallet on a server under Jubair’s control. Funds from one such wallet were used to buy teenage essentials – gaming and food delivery gift cards that were delivered to his flat.

In a separate incident in the US, another Scattered Spider-affiliated teenager handed himself in to authorities and was booked under charges of extortion and computer crime in relation to the 2023 attacks on MGM Resorts and Caesars Entertainment.

Serious question: could your new hire be funding Kim Jong Un’s nuclear program?

It might seem like the plot of a far-fetched spy film, but the news of North Korea’s remote IT worker scam is all too true. The FBI is offering a $5 million reward for information that can help disrupt the activities of four North Korean nationals, who were hired as remote IT workers and are on the run after stealing virtual currency from two US companies they worked for.

Last year, an American court indicted 14 North Koreans who reportedly earned $88m while working in disguise and extorting US firms over six years.

American law enforcement agencies and cyber security experts have warned businesses to stay alert to such fraud schemes. Authorities believe that in the last five years, North Korean IT workers funnelled hundreds of millions to fund their heavily sanctioned regime including its notorious nuclear programme.

The scheme works like this: cells of highly trained IT workers are sent abroad by the regime to sympathetic countries such as China and Russia. From here, they set about disguising their identities (often using AI and identity theft) to get jobs as highly paid, remote IT workers, often within Fortune 500 companies in the West. They also enlist American nationals to fool companies into believing that they are based in the USA and to verify false documents for the North Korean applicants. Once successfully hired, the North Korean IT workers often earn thousands of dollars a month. However, they are used as slave labour and frequently the majority of their earnings are confiscated by the North Korean regime.

Cyber security experts have warned that such schemes have also been seen in Europe, Saudi Arabia and Australia.

Cyber security firm KnowBe4 has posted about its own experience of nearly falling for such a scam and also shared useful tips to warn other businesses. Advice includes more thorough vetting of remote devices, job applications and social media profiles; and enhanced security awareness training, focusing on social engineering tactics.

Capita fined £14m for failing to protect 6m people’s data

Outsourcing giant Capita has been ordered to pay a reduced fine of £14 million by the Information Commissioner’s Office following a hack in 2023 because it “failed to ensure the security of processing of personal data which left it at significant risk”.

In the aftermath of the 2023 ransomware hack, it emerged that Capita had previously exposed a vast collection of unsecured data online.

Hackers used ransomware to steal personal data from over 6.5 million people. Personal information, including home addresses, passport images, financial data and criminal histories, is believed to have been stolen.

Information Commissioner John Edwards said, “The scale of this breach and its impact could have been prevented had sufficient security measures been in place.”

The ICO had originally set the fine at £45m, but then reduced the amount after Capita undertook various mitigating steps. These included strengthening its cyber resilience, offering support to those affected and engaging with regulators such as the NCSC.

JLR hack most expensive in UK history

Close on the heels of media reports that JLR didn’t have cyber insurance in place before the devastating cyber attack hit, comes news that the hack could be the costliest in UK history. Insurance experts estimate that the financial impact is around £1.9bn and that the hack affected over 5000 businesses.

The hack led to production freezes for over five weeks before the government stepped in with a £1.5bn loan guarantee to support its supply chain.

Supply chain attacks involving third-party providers handling sensitive data on behalf of client organisations are on the rise. M&S, Co-Op and JLR have all fallen victim due to weaknesses in their supply chain.

Latest cyber resilience tools announced by NCSC… pen and paper

The National Cyber Security Centre has advised chief executives to have cyber emergency plans on pen and paper, should the worst happen.

The advice to have analogue backups comes after a series of devastating cyber attacks this year (M&S, Co-Op, JLR and Asahi) that left supermarket shelves empty and production lines frozen.

Richard Horne, Chief Executive of the NCSC, said organisations need to “have a plan for how they would continue to operate without their IT, (and rebuild that IT at pace), were an attack to get through”.

A few organisations had no choice but to go analogue when cyber attacks hit this year. These include European airport staff who had to rely on pen and paper to board passengers; and makers of Asahi Japanese beer, which used pen, paper and fax machines to process orders and shipments manually.

IBM’s X‑Force 2025 Threat Intelligence Index names the UK as the most targeted European country for cyber attacks.

Other vulnerabilities

Oracle E‑Business Suite Vulnerability

WatchGuard Critical Vulnerability

Apple Multiple Products Unspecified Vulnerability

Windows SMB Client Elevation of Privilege Vulnerability
