Sellafield Pleads Guilty to Historic Cybersecurity Offenses

Written by

The organization managing the world’s largest stockpile of plutonium has pleaded guilty to all criminal charges, in a first-of-its-kind case related to historic cybersecurity failings.

A spokesman from the UK's Office for Nuclear Regulation (ONR) acknowledged the plea in a brief statement, but also confirmed Sellafield’s assertion that it wasn’t hacked, as per previous media reports.

“We acknowledge that Sellafield Limited has pleaded guilty to all charges. There is no evidence that any vulnerabilities have been exploited,” he said.

“As the details of the case have yet to be heard in court, we are unable to provide further comments at this stage. A sentencing hearing has been scheduled for 10am on Thursday, August 8 at Westminster Magistrates Court.”

Read more on nuclear sector threats: New Initiative Aims to Strengthen UK's Nuclear Cybersecurity Posture

The charges relate to offenses spanning a four-year period (2019-23), when strict cybersecurity regulations “were not sufficiently adhered to,” according to lawyers acting for Sellafield.

That apparently includes a failure by the site to ensure sensitive information on its IT network was adequately protected.

“We have pleaded guilty to all charges and cooperated fully with ONR throughout this process. The charges relate to historic offences and there is no suggestion that public safety was compromised,” a Sellafield spokesperson told The Guardian.

report published in December 2024 claimed that Russian and Chinese hackers had managed to access sensitive information potentially including details of emergency planning, movement of radioactive waste and monitoring for leaks.

It was claimed that successful intrusions featuring “sleeper malware” dated back to 2015, and that the site had failed to inform regulators for years about sub-par security, including unpatched critical vulnerabilities.

An insider told The Guardian that these issues only came to light after staff working at an external site realized they could access Sellafield’s servers, and subsequently reported it to the ONR.

Sellafield’s cybersecurity has reportedly now been described by its lawyers as “robust.”

What’s hot on Infosecurity Magazine?