The Sellafield nuclear waste dump is to be prosecuted for alleged information technology security offences, the industry watchdog has said.
The Office for Nuclear Regulation (ONR) said on Thursday that it had notified the state-owned Cumbrian nuclear company that it would be prosecuted under industry security regulations.
The prosecution follows the Guardian’s revelations last year of multiple cyber failings at the vast site, part of a year-long investigation into cyber hacking, radioactive contamination and an unhealthy workplace culture at Sellafield.
The ONR said: “These charges relate to alleged information technology security offences during a four-year period between 2019 and early 2023. There is no suggestion that public safety has been compromised as a result of these issues. The decision to begin legal proceedings follows an investigation by ONR, the UK’s independent nuclear regulator.”
Sellafield, which has more than 11,000 staff, was placed into a form of “special measures” for consistent failings on cybersecurity in 2022, according to sources at the ONR and the security services.
Among the Guardian’s revelations in December were that groups linked to Russia and China had penetrated its computer networks, embedding sleeper malware that could lurk and be used to spy or attack systems. At the time Sellafield said it did not have evidence of a successful cyber-attack.
The site has the largest store of plutonium in the world and is a sprawling rubbish dump for nuclear waste from weapons programmes and decades of atomic power generation.
Other findings in the Guardian’s Nuclear Leaks investigation included concerns about external contractors being able to plug memory sticks into its computer system while unsupervised.
The Guardian also revealed that cyber problems have been known by senior figures at the nuclear site for at least a decade, according to a report dated from 2012, which warned there were “critical security vulnerabilities” that needed to be addressed urgently.
Sellafield’s computer servers were deemed so insecure that the problem was nicknamed Voldemort after the Harry Potter villain, according to a government official familiar with the ONR investigation and IT failings at the site, because it was so sensitive and dangerous.
At the time, Sellafield said that “all of our systems and servers have multiple layers of protection”. “Critical networks that enable us to operate safely are isolated from our general IT network, meaning an attack on our IT system would not penetrate these,” it said.
This week, the Guardian revealed that Richard Meal, Sellafield’s chief information security officer, is to leave the site after more than a decade. He will be the second senior leader to leave this year, after the top director responsible for safety and security, Mark Neate, announced in January that he planned to leave.
In January, Sellafield appointed Graeme Slater as its chief digital information officer, responsible for cybersecurity.
The ONR said details of the first court hearing would be announced “when available”.
Britain’s public spending watchdog, the National Audit Office, last month launched an investigation into risks and costs at Sellafield.
A spokesperson at the Department for Energy Security and Net Zero, which funds Sellafield, said: “Safety and security at our former nuclear sites is paramount and we fully support the Office for Nuclear Regulation in its independent role as regulator.
“The regulator has made clear that there is no suggestion that public safety has been compromised at Sellafield. Since the period of this prosecution, we have seen a change of leadership at Sellafield and the ONR has noted a clear commitment to address its concerns.”
Sellafield said: “The Office for Nuclear Regulation’s Civil Nuclear Security and Safeguards has notified us of its intention to prosecute the company relating to alleged past nuclear industry security regulations compliance.
“As the issue is now the subject of active court proceedings, we are unable to comment further.”
