Full Report
NCFE is actively responding to a cyber security incident after we discovered suspicious activity on our systems late last week. While this remains ongoing, we wanted to make customers and stakeholders aware of this incident at the earliest opportunity. We immediately took our systems offline as a precautionary measure – and as a result, we are experiencing disruption to our network. Our teams, supported by external experts, are working hard to get our systems back up and running as soon as possible.
Analysis Summary
# Incident Report: NCFE Operational Disruption Due to Cybersecurity Incident
## Executive Summary
NCFE is actively managing a cybersecurity incident discovered late last week, which has led to significant operational disruption. As a precautionary measure, the organization immediately took core systems offline, resulting in the unavailability of services like phone lines, live chat, and the main portal. An investigation is underway with the support of external experts to restore operations while minimizing impact on critical activities like T Level assessments.
## Incident Details
- Discovery Date: Late last week (relative to the report date)
- Incident Date: Occurred sometime leading up to the "late last week" discovery.
- Affected Organization: NCFE
- Sector: Education/Qualifications/Certification
- Geography: Not explicitly stated, but implied UK-based due to references to T Levels and Functional Skills.
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Discovery was "late last week")
- Vector: Undisclosed, but described as "suspicious activity."
- Details: The discovery prompted immediate system shutdowns.
### Lateral Movement
- Details: Unknown. The investigation is in its early stages.
### Data Exfiltration/Impact
- Details: Unknown if data exfiltration occurred. The primary impact detailed is operational disruption from system shutdowns.
### Detection & Response
- Detection: Suspicious activity discovered late last week.
- Response actions taken:
1. Immediately took systems offline as a precautionary measure.
2. Suspended email systems proactively.
3. Launched a comprehensive investigation with external experts.
4. Established a service continuity webpage with FAQs and an enquiry form for urgent queries.
## Attack Methodology
(Note: Specific technical details are unavailable as the investigation is ongoing.)
- Initial Access: Unknown.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Unknown.
- Exfiltration: Unknown.
- Impact: Primarily operational impact due to mandated system shutdown.
## Impact Assessment
- Financial: Not specified, but costs associated with external expertise and operational recovery are likely.
- Data Breach: Unknown whether data was compromised. Certificate claiming and learner registration are currently under disruption.
- Operational: **Severe disruption.** Phone lines, live chat, and the Portal are unavailable. Email systems are suspended. Paper-based assessments and most face-to-face/remote endpoint assessments (EPA) are cancelled/rescheduled for the week commencing December 1st. Term-time checkpoint deadlines were delayed until January 5th, 2026.
- Reputational: An apology was issued by the CEO to manage stakeholder confidence.
## Indicators of Compromise
- Indicators: No specific C2 servers, hashes, or file names were disclosed in this public communication.
- Behavioral indicators: Suspicious activity leading to an internal alert/detection.
## Response Actions
- Containment measures: Immediate precautionary shutdown of network systems and proactive suspension of the email system.
- Eradication steps: Currently underway, involving external experts.
- Recovery actions: Teams are working to restore systems. Specific allowances were made for assessments (e.g., T Level assessments proceeding, re-sit fees waived, EPA timings paused).
## Lessons Learned
- The need for rapid, decisive action (system shutdown) when suspicious activity is detected, even at the cost of immediate operational disruption.
- The complexity of maintaining business continuity when core reliance systems (Portal, email, phone) must be isolated.
## Recommendations
- Prioritize forensic analysis to determine the initial access vector and scope of compromise beyond the immediate operational shutdown.
- Establish clear, tested emergency communication protocols independent of primary corporate infrastructure (e.g., secondary communication channels).
- Migrate critical functions (like Surpass for on-demand Functional Skills) to platforms confirmed to be outside the scope of the immediate incident, if possible, to maintain essential services.