UK Data Breach: Hackers Exploit SharePoint Flaws, Leaking Confidential Data
Hackers successfully exploited recently discovered vulnerabilities in on-premises Microsoft SharePoint servers, resulting in the leakage of personal data in the United Kingdom. Within days of the flaws being disclosed, three British organizations reported breaches of confidential information to the Information Commissioner’s Office (ICO). The names of the affected entities remain undisclosed, yet experts note that SharePoint is extensively used across government agencies, universities, and corporations, where vast amounts of sensitive data are stored.
On July 19, Microsoft issued what specialists described as an unprecedentedly severe warning. Customers were urged to immediately reconfigure their systems or disable SharePoint servers entirely until a patch became available. The urgency of the situation was heightened by the fact that the flaws were weaponized almost immediately after discovery. The initial wave of attacks, dubbed ToolShell, was attributed by investigators to at least two state-sponsored Chinese groups. Shortly thereafter, another group — likely motivated by financial gain — joined the campaign. Whether these actors operated in coordination or independently remains unclear.
On July 22, the UK’s National Cyber Security Centre (NCSC) announced that, in collaboration with Microsoft, it was monitoring a limited number of active attacks in the country. However, it did not specify which sectors had been targeted. Given that on-premises SharePoint servers remain prevalent within government institutions and organizations, the prospect of widespread repercussions has raised grave concern. At that point, exploitation of the zero-day vulnerability CVE-2025-53770 had already impacted at least 100 organizations, including multinational corporations and government agencies.
According to an ICO response to a Freedom of Information request, as of July 28 the agency had received no fewer than three official breach notifications directly tied to the SharePoint vulnerability. The true number, however, may be higher. The ICO’s internal reporting system lacks a dedicated field for identifying specific cyberattacks behind incidents, and organizations filing notifications are not required to disclose such details.
Some reports were manually linked to the SharePoint vulnerability based on information provided, while officials acknowledged that other submissions could also be related to this campaign, though definitive confirmation has yet to be established. Upon further analysis, some of these cases may ultimately be attributed to different causes.