U.K. police investigate "spear phishing" sexting scam as lawmaker admits to sharing colleagues' phone numbers

London — British police have opened an investigation into explicit messages sent to a lawmaker as part of an alleged sexting scam targeting legislators, in the latest cybersecurity scare to hit parliament. Conservative member of Parliament William Wragg acknowledged late Thursday that he had sent the personal phone numbers of several colleagues to a man he met on a gay dating app.

Wragg, 36, told The Times newspaper he did so under pressure, as the recipient claimed to have compromising material on him.

"I was worried because he had stuff on me. He gave me a WhatsApp number, which doesn't work now," said the Conservative party MP, who is standing down at the next election.

"I've hurt people by being weak. I was scared. I'm mortified," he was quoted as saying.

The scam has been described as a "spear phishing" attack, in which supposedly trusted senders steal personal or sensitive information.

Britain's Chancellor of the Exchequer, a senior cabinet member in charge of the nation's finances, said the allegations of a cyberattack against Wragg were "a great cause for concern." 

Jeremy Hunt praised Wragg for giving what he called "a courageous and fulsome apology," but added that the "lesson here for all MPs is that they need to be very careful about cybersecurity," which he said applied to "members of the public as well, because this is something that we are all having to face in our daily lives."

China accused of cyberattacks on U.K.

Last month, the U.K. government summoned China's top envoy in London to complain about a series of cyberattacks, including against MPs, and previous claims of espionage against lawmakers by Beijing.

There was no explicit evidence of Chinese involvement in the targeting of Wragg and his colleagues, which was first reported by Politico this week. But it will again raise questions about cybersecurity for MPs and in the U.K. parliament as a whole.

According to The Times, two MPs also responded to the initial message to them with explicit personal photos.

Leicestershire Police in central England said officers were "investigating a report of malicious communication" sent to a local MP last month.

"They were reported to police on Tuesday March 19. Inquiries are currently ongoing," a statement read.

U.S. charges Chinese hackers

The revelation about the phishing attacks against British lawmakers came less than two weeks after the U.S. Justice Department announced charges against seven Chinese nationals linked to a state-sponsored group, who were accused of targeting U.S. businesses, along with political officials, candidates and campaign staff to promote the Chinese government's "economic espionage and foreign intelligence objectives."

CBS News' Kaia Hubbard reported that the seven people were accused by the U.S. of being part of a "group of malicious cyber actors" behind a conspiracy to commit computer intrusions and wire fraud, some of which resulted in successful compromise of email accounts and phone records.

"This case serves as a reminder of the ends to which the Chinese government is willing to go to target and intimidate its critics, including launching malicious cyber operations aimed at threatening the national security of the United States and our allies," Attorney General Merrick Garland said in a statement at the time.

• FBI chief warns Congress of Chinese hackers targeting U.S. infrastructure

Unlike the phishing attacks described by officials in Britain, which appeared to rely on messaging of a sexual nature, the alleged hacking scheme at the heart of the latest prosecutions in the U.S. were centered around emails sent to people and businesses that appeared to be from news outlets or journalists, but which contained hidden phishing links that would send information back to a server controlled by the alleged hackers.

Officials said staff at the White House and federal agencies, and members of Congress from both political parties and, in some cases their spouses, were among those targeted.

Deputy Attorney General Lisa Monaco said in a statement that the scheme involved "over 10,000 malicious emails, impacting thousands of victims, across multiple continents."

"As alleged in today's indictment, this prolific global hacking operation — backed by the PRC government — targeted journalists, political officials, and companies to repress critics of the Chinese regime, compromise government institutions, and steal trade secrets."

Hubbard said the Justice Department had made it clear, however, that the U.S. indictment did not "allege that the hacking furthered any Chinese government influence operations against the United States," which was consistent with a 2021 official report that found, while some information had been gathered by Chinese actors, it was not used in influence operations. 

In:
• Cybercrime
• Cybersecurity and Infrastructure Security Agency
• Cyberattack
• China
• Sex Scandal