Stolen login details for Foreign Office staff and local council employees are being traded on dark web forums. The breach is part of a months-long campaign targeting government networks and raises fresh questions for the UK's cyber insurance market.
The National Cyber Security Centre (NCSC) issued an urgent alert on July 5 confirming a brute force attack on Fortinet firewall and VPN systems. Organisations have been directed to audit their networks and isolate any breached devices. The Telegraph first reported the breach. An operator using the handle "SantaAd" is offering stolen credentials on dark web forums for as much as US$60,000 (£44,000).
The attack, dubbed FortiBleed by researchers, has been active since at least February 2026. More than 80,000 Fortinet firewalls have been compromised across 194 countries. Cybersecurity firm SOCRadar has verified a database of more than 86,644 working login credentials. UK accounts in the dataset include IT staff at British embassies in Thailand and Mauritius and local government workers in Derbyshire and Waltham Forest.
Credentials belonging to NHS organisations, pharmacies, and medicine suppliers feature in the exposed dataset. Dr Saif Abed, a former NHS doctor and cyber security expert, warned the breach could have catastrophic consequences for patient safety.
"NHS organisations, pharmacies, labs, and their suppliers are highly dependent on products like those compromised by FortiBleed," he told The Telegraph. "This is exactly the type of hack that's the first step for launching catastrophic ransomware attacks that can threaten patient safety across the country."
That warning is grounded in recent history. A June 2024 ransomware attack on pathology supplier Synnovis cancelled more than 1,000 operations and 2,000 appointments. It has since been linked to at least one patient death and more than 120 cases of harm.
FortiBleed sits within a broader pattern of public-sector cyber failure that has tested the limits of cover. A separate attack at Higham Lane School in Nuneaton disabled IT systems, fire alarms, and electronic gates. Brokers have warned that incidents of this scale raise hard questions about what cyber insurance can realistically absorb across underfunded public bodies.
Fortinet confirmed FortiBleed exploits poor password hygiene rather than a new product vulnerability. Threat actors recycled credentials from previous incidents and applied brute force techniques against devices that lacked multi-factor authentication (MFA).
Researcher Volodymyr Diachenko, who first identified the breach, said the stolen data provided access to "core networks" within the Foreign Office. He warned that other government departments could be affected. The underlying code is written in Russian, per The Telegraph. No evidence of direct state involvement has been established.
The NCSC has previously warned of growing links between Russian intelligence services and proxy hacker groups operating with effective state tolerance.
That attribution gap has direct implications for cyber policy response. Under Lloyd's LMA5567 wording, state-linked attacks are excluded only where they cause major detrimental impact on a state's essential services. Most commercially targeted incidents will not reach that threshold. Attribution uncertainty still creates claims handling complexity that insurers and policyholders must address in policy language before an incident occurs.
The FortiBleed campaign arrives at a difficult moment for UK cyber underwriters. Malware and ransomware accounted for 51% of all UK cyber insurance claims in 2024. That was up from 32% the year prior, per the Marsh UK Cyber Insurance Claims Trend Report 2024.
A government proposal to ban ransomware payments by public bodies sharpens the exposure further. The ban covers the NHS, local councils, and schools.
Ethan Godlieb, associate partner at Consilium, warned that removing the payment option leaves public bodies without a key recovery tool. IT security budgets in the public sector remain constrained. "If you exclude what is often the biggest single cyber risk to organisations — ransomware — you're undermining the whole point of the product," he said. Organisations using Fortinet systems have been told to reset all default or reused passwords and register for the NCSC's Early Warning service without delay.