Sellafield Limited, the operator of the world’s largest plutonium stockpile, has pled guilty to all criminal charges related to historic cybersecurity failures. The UK’s Office for Nuclear Regulation confirmed the plea but clarified that there was no evidence of hacking or exploitation of vulnerabilities, despite media reports suggesting otherwise. The charges, spanning from 2019 to 2023, involve lapses in adhering to strict cybersecurity regulations.
The legal issues center on the site’s failure to protect sensitive information on its IT network. Although there was no compromise to public safety, the company admitted to not meeting cybersecurity standards and acknowledged historical offenses. A sentencing hearing is scheduled for August 8 at Westminster Magistrates’ Court.
In December 2024, reports emerged of potential intrusions by Russian and Chinese hackers, involving access to sensitive information and possibly sleeper malware dating back to 2015. These breaches were not disclosed to regulators for years, coming to light only after staff at an external site discovered they could access Sellafield’s servers and reported it.
Despite these issues, Sellafield’s cybersecurity is now described as “robust” by its lawyers. The company has cooperated fully with regulators throughout the legal process and has committed to improving its security posture moving forward.