20.06.2025

Analyst Insight

This week in cyber, three significant incidents caught attention. The Washington Post confirmed that several journalists’ Microsoft email accounts were breached in a suspected nation-state supported attack, prompting immediate password resets and an internal probe. Over 46,000 public Grafana instances remain exposed to the high-severity CVE‑2025‑4123 XSS flaw, allowing plugin-based account takeover, despite a May patch. In addition, the UK’s ICO fined 23andMe £2.31 million following a 2023 credential-stuffing breach that compromised sensitive genetic and personal data of more than 150,000 UK users. Meanwhile, the UK’s Cyber Growth Action Plan aims to boost the £13.2 billion security sector, backed by an expert-led review, £16 million in targeted funding, and a refreshed advisory board, with findings set to feed into the National Cyber Strategy this summer. These events highlight continued pressure on corporate email security, open-source infrastructure hygiene, and regulatory enforcement on data protection.

Washington Post Journalists Targeted by Cyberattack on Email Accounts

Multiple Washington Post journalists are reported to have had their email accounts compromised in a cyberattack believed to have been carried out by a foreign government; the breach was detected last Thursday. In response, the newspaper reset all employee passwords and initiated a full investigation. The compromised accounts were on Microsoft email services, potentially exposing sensitive communications. Executive Editor Matt Murray confirmed the incident in an internal memo, assuring staff that no other systems or customer data were impacted.

46,000 Grafana Instances Exposed to High Severity XSS Vulnerability

Over 46,000 internet-facing Grafana instances remain vulnerable to a high-severity account takeover bug, CVE-2025-4123. Discovered by bug bounty hunter Alvaro Balada, this flaw allows attackers to exploit an open redirect vulnerability to execute malicious plugins, potentially leading to full account compromise. Despite a patch released on May 21, 2025, researchers from OX Security found that approximately 36% of exposed Grafana instances have not been updated, leaving them susceptible to exploitation. 

UK Fines 23andMe £2.31 Million Over 2023 Data Breach

This week, the UK’s Information Commissioner’s Office (ICO) fined genetic testing company 23andMe £2.31 million for a 2023 data breach that compromised the personal information of over 150,000 UK residents. The breach exposed sensitive data, including health reports, family histories, and personal identifiers, due to inadequate security measures and delayed response. Hackers exploited reused login credentials in a “credential stuffing” attack, gaining unauthorized access over several months. The ICO criticized 23andMe for failing to implement basic protections, such as multi-factor authentication, and for not promptly detecting the breach. The company has since taken steps to enhance security and privacy protections.
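The ICO's finding that the credential-stuffing activity ran for months without being spotted is the detection gap worth closing. As an added illustration (not from the ICO decision or 23andMe's own tooling), the heuristic below runs over constructed auth-log lines and flags the signature of a reused-credential list: one source IP cycling through many distinct accounts inside a short window with a low success rate, as opposed to one user mistyping their own password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (illustrative only, not data from the incident):
# ISO timestamp, source IP, account name, outcome.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.5 alice FAIL
2023-04-01T10:00:03Z 203.0.113.5 bob FAIL
2023-04-01T10:00:04Z 203.0.113.5 carol OK
2023-04-01T10:00:06Z 203.0.113.5 dave FAIL
2023-04-01T10:00:07Z 203.0.113.5 erin FAIL
2023-04-01T10:00:09Z 203.0.113.5 frank FAIL
2023-04-01T10:01:00Z 198.51.100.7 alice FAIL
2023-04-01T10:01:30Z 198.51.100.7 alice OK
2023-04-01T12:00:00Z 192.0.2.9 gina OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Return {ip: distinct_accounts} for source IPs that, within any sliding
    `window`, tried at least `min_accounts` different accounts with a success
    rate <= `max_success_rate`. One account failing repeatedly is not stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ok in sorted(parse_log(text)):
        by_ip[ip].append((ts, acct, ok))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            success_rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged
```

The thresholds are deliberately conservative; a shared corporate NAT will raise distinct-account counts legitimately, so the success-rate condition is what separates a list replay from a busy egress address.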

UK Launches Cyber Growth Action Plan to Boost £13.2 Billion Cyber Security Sector

This week the UK government unveiled its Cyber Growth Action Plan, an initiative designed to accelerate the expansion of its cyber‑security industry, which now generates £13.2 billion in annual revenues and supports over 67,000 jobs. The plan includes a comprehensive review led by the University of Bristol and Imperial College London’s Centre for Sectoral Economic Performance to assess supply‑chain dynamics, identify high‑potential tech areas like AI and quantum cryptography, and deliver actionable recommendations by late summer ahead of the upcoming National Cyber Strategy.

Complementing the review, the government has promised £16 million in fresh funding: £10 million for the CyberASAP academic accelerator, which aims to develop 25 ventures and attract £30 million in private investment, and £6 million for the Cyber Runway programme to help UK cybersecurity startups scale internationally. In addition, a refreshed Cyber Advisory Board has been formed, featuring industry leaders including representatives from BAE Systems, AWS, Microsoft and Google DeepMind, which will advise on boosting cyber resilience across public sector services.
