What is a "Cyber Attack"?


Terminology is hard. Computer terminology is even harder. Humans are animals who just love to classify things. We have a fundamental need in our delicious meaty brains to put things into conceptual buckets. This, I think, leads to some unfortunate consequences when our categories don't match up with other people's categories.

For example, take this news story and this journalist's response to it:

100,000 taxpayers will be told shortly that their @HMRCgovuk accounts have been hacked and £47m stolen by thieves claiming fake tax repayments bit.ly/4mSDrMs extraordinary admission to MPs from top official who claims it wasn’t a cyberattack!

Paul Lewis (@paullewismoney.bsky.social) 2025-06-05T06:33:24.098Z

I think it is pretty reasonable to say that having 100,000 accounts breached using a computer is a "cyberattack". So how do the UK tax authorities square that circle? Angela MacDonald, the deputy chief executive of HMRC, said:

MacDonald stressed that the breach was “not a cyberattack, we have not been hacked, we have not had data extracted from us”.

She later said: “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyberattack. That is not what has happened here.”

“This was not a cyberattack — it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC. We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”

Criminals access 100,000 people’s tax records

Ah. I think that's pretty reasonable. Well, up to a point.

If you set your HMRC password to be "password" and someone guesses that - it is you who has been attacked; not the online service.

Here's what has probably happened in this case.

  • You signed up to an online service.
  • You used your regular email and password.
  • The service got hacked and leaked everyone's details.
  • A criminal went credential stuffing and tried all the usernames and passwords on lots of sites.
  • One of those sites was HMRC and the criminal started filling their pockets.

Who is being "cyberattacked" here? HMRC say that no individual lost any money - although I suspect people will possibly feel various administrative repercussions. It is hard to feel that the individual is the victim.

HMRC didn't have any malware or ransomware installed. None of their computers were misused. Vast globs of data were not exfiltrated.

But were HMRC's digital defences breached? Maybe…

Let's suppose that the cybercriminal who did this was an idiot. Here's what they might have done:

  • Used a single IP address
  • From a "dangerous" country
  • Trying 1,000 passwords per second

At which point, HMRC's systems should have started flashing red, sirens wailing, and countermeasures deployed. Any one or combination of the above should have been enough to trigger a "something fishy is going on here" alert. I think it would be fair to describe that scenario as looking like a cyberattack - although, depending on their risk tolerance, it might be described as "not great, not terrible".

But if the attacker was smart, they'd have rotated through thousands of UK-based IP addresses and kept their stuffing volume below the noise threshold. Whereupon their attempts would likely have gone unnoticed.
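To make the two scenarios concrete from the defender's side, here is an added example (not part of the original post, and nothing to do with HMRC's actual systems). It runs a per-IP rule and a site-wide failure-ratio rule over constructed login events; the event format, the "ZZ" country code, the thresholds and the 5% baseline are all assumptions.

```python
from collections import Counter

# Constructed login events: (second, source_ip, country, username, success)
def legit_traffic():
    # 2,000 UK logins over 1,000 seconds, 5% mistyped passwords
    return [(i % 1000, f"home-{i % 500}", "GB", f"real{i % 500}", i % 20 != 0)
            for i in range(2000)]

def noisy_campaign():
    # The "idiot" case: one non-UK IP, 1,000 attempts in a single second
    return [(0, "203.0.113.9", "ZZ", f"leaked{i}", False) for i in range(1000)]

def quiet_campaign():
    # The "smart" case: 1,000 UK IPs, one attempt each, one per second
    return [(i, f"proxy-{i}", "GB", f"leaked{i}", i % 100 == 0)
            for i in range(1000)]

def per_ip_alerts(events, max_per_second=20, expected_countries=("GB",)):
    """Flag source IPs over a per-second rate or from an unexpected country."""
    rate = Counter((sec, ip) for sec, ip, *_ in events)
    flagged = {ip for (_, ip), n in rate.items() if n > max_per_second}
    flagged |= {ip for _, ip, country, *_ in events
                if country not in expected_countries}
    return flagged

def aggregate_alerts(events, window=100, baseline_fail_ratio=0.05, factor=3):
    """Flag time windows whose site-wide failure ratio is far above baseline."""
    total, failed = Counter(), Counter()
    for sec, _ip, _country, _user, ok in events:
        total[sec // window] += 1
        failed[sec // window] += not ok  # a failed login counts as 1
    return sorted(w for w in total
                  if failed[w] / total[w] > factor * baseline_fail_ratio)

if __name__ == "__main__":
    for name, attack in (("noisy", noisy_campaign()), ("quiet", quiet_campaign())):
        events = legit_traffic() + attack
        print(name, "per-IP:", per_ip_alerts(events),
              "windows:", aggregate_alerts(events))
```

The per-IP rule only sees the noisy campaign. The quiet one shows up only when failures are counted across the whole site, and that rule will also fire on an ordinary bad day, such as a password-reset email going out.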

Is a small and subtle attack still an attack? Yes.

Was this a cyberattack?

I don't think it matters. Sorting things into predefined buckets is often just a way to bypass responsibility and accountability. Concentrating on the name of the thing rather than the thing itself doesn't help victims and doesn't prevent the incident from happening again.

Every counter-measure which HMRC could deploy will negatively affect legitimate users. Getting bombarded with emails saying "did you just try to log in?" is an annoyance, mandating 2FA excludes less technical users, banning suspicious IP addresses inevitably leads to false positives, rate-limits hit legitimate users. And, ultimately, (whisper it) users bear some of the blame for their poor password practices.

I'm sure HMRC will tighten up their monitoring, I'm sure some individuals will have better password hygiene, and I'm sure criminals will find a way to bypass both.

As ontology is difficult, I'll leave you with this instructional video.



3 thoughts on “What is a "Cyber Attack"?”

  1. says:

    It's interesting to compare with this recent article1 where North Face explicitly called credential stuffing a "specific type of cybersecurity attack"2. Perhaps it is the different target audience between MPs and the general public.

    Alas, if only WebAuthn was actually practical.


  2. Mike says:

    I think someone should come up with terminology to replace the use of "cyber" in talking about computer things. Or just a way to stop people saying "cyber", as I don’t think it ever adds any truly useful meaning and I can’t shake the cringe factor of it. Whenever I hear about a cyberattack I always want to ask, did Deckers break through the ICE on a company’s Matrix node? Or was it an attack by The Cybermen?
