UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June

The UK National Federation of Subpostmasters (NFSP) was struck by ransomware around 30 April 2026 after attackers exploited a vulnerability in cPanel to gain initial access, manipulate server-side files, and lock out administrative accounts before deploying ransomware (Computer Weekly, 2026-06-04; Risky Business, 2026-06-05). As of early June the parent Post Office had suspended all email to and from the @nfsp.org.uk domain as a precaution; NFSP says no data was lost and reported the incident to the ICO. The entry vector is the operative detail: cPanel — ubiquitous in shared hosting and small-org infrastructure — remains under-patched, and authentication-bypass / privilege-escalation flaws in it map cleanly to T1190 (Exploit Public-Facing Application) followed by T1486 (Data Encrypted for Impact).