UK's Sellafield nuke waste processing plant fined £333K for infosec blunders

The outfit that runs Britain's Sellafield nuclear waste processing and decommissioning site has been fined £332,500 ($440,000) by the nation's Office for Nuclear Regulation (ONR) for its shoddy cybersecurity practices between 2019 and 2023. Sellafield, located in Cumbria, England, manages more radioactive waste than any other …

  1. Alan Mackenzie

    Here we go, yet again.

    This penalty isn't even a slap on the wrist for an entity the size of "Sellafield Ltd." (which I've never heard of, despite being aware of what they do and where). The radioactive waste they are dealing with is seriously nasty stuff. How come the directors are not facing gaol sentences?

    There might as well not be any laws mandating data security if this is all that happens when they are broken. The judge has effectively said "Just carry on doing what you've been doing, and don't worry too much about it".

  2. Anonymous Coward

    We truly are in an exciting age of wonder. For example, I wonder which idiot decided a nuclear waste processing plant should be connected to the internet and not air gapped.

  3. Anonymous Coward

    This is nothing compared to the NHS

    Working as a senior consultant across public sector IT (this isn't my real name), I have seen some security horrors, the worst by far being the NHS. NHS Digital specifies strict and reasonably secure standards for NHS organisations to follow, but the truth is many parts of the NHS take no notice. The security in some trusts is beyond terrible; each trust operates hospitals, provides care for up to a million or more patients and is trusted with ALL our clinical records. However, I have seen trusts with hundreds of external users (no MFA) who have had these accounts for years and from anywhere on the internet, have full access to the trust's clinical records, where the trust has NO idea who these people are or when they log on, what they access, how they use the system, etc. Worse still, even senior IT staff and executive management don't understand that this is in any way bad. It's bonkers. I have had conversations with trust chief execs, trying to get them to realise how bad this sort of thing is, and there is almost no realisation or engagement forthcoming. I'm not making this up!

    This is just one example of the sorts of things I have seen. Another is lax network and server security. I have seen trusts with tons of unpatched Windows 2008 servers with SMB1 enabled and no SMB1 enabled between all subnets on the network FOUR years after WannaCry. I have seen the Oracle DB hosting all clinical records for one trust published to the internet via ODBC and a simple (trivial to guess) username-password combo. There is very rarely any monitoring, SIEM, log interrogation, etc., in place at any NHS org I have worked with.

    All these examples are within the last 3-5 years. I can confidently predict that there are few places in our NHS that haven't already been compromised by bad actors, and that should worry us all.

    1. Whoisthis

      Re: This is nothing compared to the NHS

      Not that I want any more rich IT corporations to feast in the buffet you mention, but this is worth raising to the ICO.

      Or get some ambulance-chasing lawyers on the case... This is pure neglect.

      1. Jon 37 Silver badge

        Re: This is nothing compared to the NHS

        Like the ICO would actually care?

        1. Anonymous Coward

          Re: This is nothing compared to the NHS

          Having had a similar conversation with some quite senior ICO staff in the past, the answer is that they do care, but only after it's gone wrong. They don't seem to have any concept of risky behaviour also being a breach, or of proactively preventing breaches other than through general awareness and publications.

          If you know a company/organisation that is playing fast and loose with special category data with very poor security (as I did 3-4 yr ago), they just don't know how to act with that information. After it's gone wrong, yup they have their processes but left of bang, they haven't a clue.

          1. Anonymous Coward

            Re: This is nothing compared to the NHS

            If it was only that issue it would be bad enough.

            The ICO also appears to be actively seeking to cover up its own breaches of the law it is responsible for.

            Witness all those stories in CW re Police illegal processing.

            The ICO's been found doing the exact same things as the rozzers, but instead of fixing stuff they're spending all their time trying to cover that up.

    2. Helcat Silver badge

      Re: This is nothing compared to the NHS

      Having worked in the NHS in IT, the main cause of breaches was NHS Digital itself: They gave access to the NHS Net to 3rd parties and were not too diligent to ensure the rules for such connections were enforced - our network team traced one such connection out onto the internet so shut it down, much to the annoyance of said 3rd party who kicked up a fuss until confronted with that trace information...

      But there were also individual departments who felt having internet access was necessary without having that PC isolated from the network (hence why our network guys ran network traces like that - wanted to keep our network safe, and we had segmented networks and internal and external firewalls - sounded like overkill but it worked, which was the main thing)... was more pronounced amongst GP surgeries, and small trusts than the larger ones. Issue is funding and understanding of IT - the trust I was with barely funded IT, but we managed and were originally a rather disciplined team. Change in leadership (got a director who was ex-NHS Digital) and things took a nose dive, resulting in some irritating incidents but no actual breaches (thankfully). But yes, I think there's a lot of security nightmares out there in IT land, not just public sector, but the root cause is likely the underfunding and poor understanding and poor resourcing of IT departments. Makes me think BOFH should be the play book for all IT professionals on how to handle manglement :p

  4. Whoisthis

    Schrödinger's breach

    Excuse my ignorance here, but every time I see a breach and they tell me that "there is no evidence that vulnerabilities have been exploited", I ask myself two questions:

    1. Because you have not seen any pilfered data in the wild, it does not mean it hasn't been taken. Not all of it ends up in ransom.

    2. If I were a clever bad actor, I would make sure not only that you cannot find me, but also that you did not see me get in. A bit like avoiding cameras during a break in.

    These clichéd statements really get up my t**s. Just a way of saying, "I'm sorry, BUT it doesn't matter anyway as nothing happened."

    1. 0laf Silver badge

      Re: Schrödinger's breach

      Think it's so overused it's a bit of a red flag in itself. The frequency with which "We have no evidence...." is swiftly followed by "we were hollowed out by Russian skiddies and they'd been in the network for the last 4yr" is just a bit too high not to make anyone suspicious when it's wheeled out.

  5. harrys Bronze badge

    follow the gravy train .....

    1) Sellafield ltd ..... The chair is appointed by the NDA. The board consists of 5 non-executive directors including the chair, the chief executive officer, 1 executive director and 2 NDA-nominated non-executive directors.

    2) NDA ...... We are a ***non-departmental public body*** led by our Board and team of Executive Directors.

    1. Anonymous Coward

      NDA also run the Sellafield cyber-security delivery at a group level...

  6. clyde666

    Maiden name please

    Given that no-one else has yet seen fit to do so, here is the obligatory Windscale mention.

    1. MJI Silver badge

      Re: Maiden name please

      I remember Windscale Flakes breakfast cereal

  7. Anonymous Coward

    Bullet dodged

    I was asked to apply for an infosec job there in the last couple of years. Makes me suspect that had I got it, I'd have regretted it.

    If anywhere should have a good attitude towards infosec you'd hope it would be the nuclear industry

    1. seven of five Silver badge

      Re: Bullet dodged

      > If anywhere should have a good attitude towards infosec you'd hope it would be the nuclear industry

      Why? "The state" will rescue them anytime, anywhere. Less effort than "system relevant" banks required.

  8. Anonymous Coward

    Who?

    Isn't a near-bankrupt French outfit responsible for a lot of IT stuff at Sellafield?

  9. Jon 37 Silver badge

    Theatre

    One government department fining another government department. The money will go from Sellafield to the Treasury, then come back to Sellafield next year. Nothing really happened.

    Sellafield gets government money to do stuff. That stuff still has to be done, and still has to be paid for. So they need the fine money back. They will have to get more money from the Treasury to make up for it. Either by getting larger budget, or by delaying stuff so they get the same annual budget over more years.

    It's theatre so they can pretend someone was punished. There's no real punishment there. No consequences.

  10. Roj Blake Silver badge

    "The last thing it needs is dodgy cybersecurity."

    I can think of a few things it needs even less than that.
