On Thursday 18 June 2026 the NCSC issued an alert advising UK organisations on a global credential-harvesting campaign targeting Fortinet firewalls and SSL VPN gateways, with indications of UK impact. CISA issued a parallel hardening advisory. Researchers put the verified dataset at around 74,000 working credential sets across more than 190 countries, in what has been dubbed FortiBleed. The DUAA Section 164A complaints duty switched on the morning after. Here is the four-day, 30-day and 90-day plan for UK schools, charities and businesses.
Key takeaways
- The NCSC issued an alert on Thursday 18 June 2026 advising UK organisations on the FortiBleed Fortinet credential-harvesting campaign, with around 74,000 verified working credential sets in the public dataset across 194 countries. If your organisation runs a Fortinet edge device, treat its credentials as exposed until proven otherwise.
- Rotate every FortiGate credential by close of business Tuesday 23 June: admin passwords, SSL VPN user passwords, pre-shared keys, SNMP community strings and API tokens. Enforce multi-factor authentication on every administrative and VPN login at the same time. MFA on its own would have stopped most of FortiBleed from being usable.
- Take the management interface off the open internet. Restrict admin access to a small allow-list, and disable SSL VPN if it is not being used. If it is being used, plan the move to ZTNA over the next 90 days.
- Check FortiGate logs back to the start of June for unfamiliar admin or VPN logins, new accounts you did not create, unexpected configuration changes, impossible-travel sessions and any gaps where logs were cleared. Treat anything in those categories as an incident and run the resilience plan.
- The DUAA Section 164A complaints duty is in force as of Friday 19 June 2026. The public-facing complaints page needs to be live and findable, acknowledgements need to fire within hours, the log needs to be kept, and the board pack needs to carry the running numbers from Monday onwards.
On Thursday 18 June 2026, two things happened that the boards of every UK organisation running a Fortinet firewall need to know about by Monday morning. The National Cyber Security Centre issued an alert advising UK organisations to act on a global credential-harvesting campaign targeting Fortinet firewalls and SSL VPN gateways, with indications that UK estates are caught in it. On the same day, CISA in the United States issued a parallel hardening advisory, and security researchers published the headline number that gave the campaign its name: a verified, working dataset of roughly 74,000 Fortinet credential sets across more than 190 countries, in what has been dubbed FortiBleed.
The next morning, Friday 19 June 2026, the new data protection complaints duty under Section 164A of the Data Protection Act 2018, inserted by Section 103 of the Data (Use and Access) Act 2025, switched on for every UK controller. By the time this post lands, that duty is in its first working week. If a school, a charity or a small business has a Fortinet edge device whose SSL VPN credentials are in the FortiBleed dataset, the same staff and pupil and donor records that sit behind that device are now also covered by a statutory complaints route the public can use from this morning.
This is the supplier-cascade and edge-device story <a href="/resources/blog/ncsc-rusi-contest-2026-what-uk-schools-charities-smbs-should-do">the NCSC CEO described at RUSI on Tuesday last week</a>, rendered as a worked example five days later. What follows is the practical version of the alert: what FortiBleed is, why a school, charity or small business should care this weekend, and the four-day, 30-day and 90-day plan for what to do about it.
What the NCSC actually said on Thursday
The NCSC's 18 June alert is short, careful and unusually direct. UK organisations using Fortinet edge devices, in particular those with SSL VPN enabled, are advised to take immediate action: investigate any potentially malicious activity on the device, monitor the network for unusual activity, follow Fortinet's hardening guidance, and rotate credentials. The centre does not put a UK casualty number on it but says it has indications of potential impact in the UK. Coming on a Thursday afternoon from an organisation that does not issue alerts lightly, that wording is the audible version of get on with it.
CISA's hardening advisory the same day says the same thing in a different accent. Reset Fortinet credentials, enforce multi-factor authentication on every administrative and VPN login, restrict management interfaces to trusted networks rather than the public internet, audit accounts and policies for tampering, and check logs back to before the campaign started.
Independent researchers have explained the shape of the campaign. A threat actor compiled the database by scanning the internet for FortiGate devices, trying a curated list of passwords against each one, and recording every successful login. Compromised devices were then used as listening posts: SSL VPN traffic flowing through them exposed additional usernames and passwords, which were fed back into the scanner to compromise the next set. The verified working dataset is reported at between 73,000 and 87,000 firewalls across 194 countries; researchers estimate roughly half of internet-reachable FortiGate devices may be in scope. The campaign is distinct from the 2025 Belsen Group Fortinet leak; the affected IP addresses are different.
The piece worth pulling out for a non-technical board is that this scanning is automated, untargeted and continuous. A 12-pupil rural primary, a four-trustee mental-health charity and a 22-person scaffolding business are inside the same internet the scanners run across. Being too small to interest a human attacker is not a defence against a script that tries a password and writes down the answer.
Why a school, charity or small business is in scope
Fortinet devices are popular with UK SMBs, multi-academy trusts, charities and the managed service providers that look after all three. A FortiGate is an enterprise-capable firewall at a price point a primary school's IT budget can carry, and it has been a default recommendation for years among MSPs serving the lower mid-market. By sheer base rate, the FortiBleed dataset will include some of them.
Three failure modes are worth naming because they are how the dataset became as big as it is. The first is reused passwords: a FortiGate admin or VPN password that the same person used somewhere else on the public internet is, by definition, already in any well-curated breach dictionary. The Cyber Security Breaches Survey 2025/2026 keeps reporting that around three-quarters of UK businesses do not have a written password policy. The second is multi-factor authentication configured on paper but not enforced on the device — often because the MSP that deployed the kit five years ago has never been asked to come back and turn it on. The third is a management interface still answering on the public internet rather than from a small allow-list. NCSC, CISA and Fortinet have asked the industry to stop doing this for years; the FortiBleed dataset measures how much of the industry has not.
What Friday's complaints duty changes
The detail of what the public-facing complaints page has to contain is in <a href="/resources/blog/data-protection-complaints-19-june-2026-what-uk-schools-charities-smbs-should-do">the post from earlier this month</a>. From Friday morning, every UK controller, with no carve-outs for small organisations, has to facilitate complaints from data subjects, acknowledge each one within 30 days, investigate without undue delay, communicate a clear outcome, and signpost the right to escalate to the ICO. The ICO has signalled a measured approach during the initial transition, but the duty itself is in force as of this weekend.
The FortiBleed connection is straightforward. If an attacker walked through an SSL VPN credential into a network holding pupil records, a charity's beneficiary list or a business's customer database, every individual whose data was touched now has a statutory complaint route from this morning. The board pack from Monday onwards needs to carry the running numbers — complaints received, acknowledged, escalated — the same dashboard <a href="/resources/blog/three-uk-education-cyberattacks-duaa-friday-2026-what-schools-charities-smbs-should-do">the three June UK education incidents</a> already made unavoidable.
The next four days
Four jobs need to be finished before close of business on Tuesday 23 June. The first three are the NCSC's; the fourth is the DUAA's.
First, rotate every FortiGate credential: administrator passwords, SSL VPN local user passwords, VPN pre-shared keys, SNMP community strings and API tokens. Treat any password that has been on the device since before the weekend as exposed, whether or not it is in the FortiBleed dataset, because the dataset contains only verified working credentials, not every credential the scanners tried. Change each password on up-to-date firmware so that it is re-hashed; if the device is on older firmware that has not been patched in a while, this is also the moment to patch.
Second, enforce multi-factor authentication on every administrative login and every SSL VPN user account. MFA on its own would have stopped most of FortiBleed from being usable. On a FortiGate, that means token-based or app-based MFA on the admin interface and on every VPN user, not just on a privileged subset. The same principle applies to the complaints inbox the school or charity went live with on Friday: <a href="/resources/blog/ncsc-passkeys-april-2026-what-uk-schools-charities-smbs-should-do">phishing-resistant authentication</a> on that mailbox is now a high-priority control by statute.
Third, take the management interface off the open internet. Restrict HTTPS and SSH admin access to a small allow-list of trusted internal IPs or to the MSP's jump host. If SSL VPN is enabled but not actually used, disable it. If it is used, plan the move to ZTNA over the next 90 days; the SSL VPN family of features is the one Fortinet has been pointing customers away from for two years.
Fourth, check the logs. Look back at least to the start of June for the patterns CISA, NCSC and Fortinet have named: successful admin or VPN logins from unfamiliar countries or anonymising infrastructure, new or modified admin accounts that nobody on the team created, unexpected configuration changes, VPN sessions outside business hours or from impossible-travel locations, and any periods where logs were cleared or disabled. If anything in those categories shows up, treat it as an incident and follow the resilience plan from <a href="/resources/blog/cyber-resilience-pledge-2026-what-uk-smbs-charities-schools-should-do">Action 3 of the Cyber Resilience Pledge</a>.
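As an added illustration of the log check in the fourth job (example code written for this post, not Fortinet's tooling or the NCSC's), the script below parses FortiGate-style key=value event lines and flags the five patterns named above: admin logins from outside the allow-list, admin accounts nobody created, changes to logging configuration, the same VPN user appearing from two addresses in quick succession (a crude stand-in for impossible travel, since the lines carry no geolocation), and multi-day silences that may mean logs were cleared. The sample lines, the allow-listed management network, the known-admin set, the business-hours window and the specific field names are all assumptions; field names vary across FortiOS versions, so match them to your device's export before running it over real logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value syslog style (not real device output).
SAMPLE_LOGS = """\
date=2026-06-02 time=09:14:03 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.8.4 action="login" status="success"
date=2026-06-03 time=03:22:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"
date=2026-06-03 time=03:25:10 type="event" subtype="system" logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="support" action="Add"
date=2026-06-09 time=11:05:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=203.0.113.9 action="tunnel-up"
date=2026-06-09 time=11:20:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=192.0.2.200 action="tunnel-up"
date=2026-06-14 time=22:40:12 type="event" subtype="system" logdesc="Object attribute configured" user="support" cfgpath="log.disk.setting" action="Edit"
"""

KNOWN_ADMINS = {"admin"}          # admin accounts the team actually created (assumption)
TRUSTED_ADMIN_NETS = ("10.0.",)   # allow-list prefixes for management access (assumption)
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 local time counts as business hours (assumption)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse(line):  # one key=value line -> dict, with the timestamp parsed under "ts"
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def sweep(text):
    """Return (timestamp, finding, detail) tuples for the indicators named in the alert."""
    findings, last_vpn, days = [], {}, set()
    for line in filter(str.strip, text.splitlines()):
        r = parse(line)
        days.add(r["ts"].date())
        sub, action = r.get("subtype"), r.get("action")
        if sub == "system" and action == "login" and r.get("status") == "success":
            if not r["srcip"].startswith(TRUSTED_ADMIN_NETS):    # admin login outside the allow-list
                findings.append((r["ts"], "admin login from outside allow-list", r["srcip"]))
        elif sub == "system" and r.get("cfgpath") == "system.admin" and action == "Add":
            if r.get("cfgobj") not in KNOWN_ADMINS:              # an admin account nobody created
                findings.append((r["ts"], "new admin account", r["cfgobj"]))
        elif sub == "system" and r.get("cfgpath", "").startswith("log."):
            findings.append((r["ts"], "logging configuration changed", r.get("user")))
        elif sub == "vpn" and action == "tunnel-up":
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append((r["ts"], "VPN session outside business hours", r["user"]))
            prev = last_vpn.get(r["user"])                        # previous session: (time, address)
            if prev and prev[1] != r["remip"] and r["ts"] - prev[0] < timedelta(hours=1):
                findings.append((r["ts"], "same VPN user from two addresses within an hour", r["user"]))
            last_vpn[r["user"]] = (r["ts"], r["remip"])
    ordered = sorted(days)                                        # silence between logging days = possible gap
    for a, b in zip(ordered, ordered[1:]):
        if (b - a).days > 3:
            findings.append((datetime.combine(a, datetime.min.time()), f"no logs for {(b - a).days} days", str(b)))
    return findings
```

Run against the constructed sample, `sweep(SAMPLE_LOGS)` returns six findings: the 03:22 admin login from 198.51.100.77, the "support" admin account added three minutes later, that account's later change to the disk-log settings, jsmith's two VPN sessions from different addresses fifteen minutes apart, and two multi-day gaps in the log.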
The DUAA piece this weekend is operational rather than legal. Make sure that the public-facing complaints page is live and findable from the site footer, that the acknowledgement template fires on every inbound complaint within hours rather than weeks, that the log is being kept, and that out-of-office cover is in place, because the August holiday is closer than it feels.
The next 30 days
By mid-July the goal is to have the FortiBleed lessons baked into routine and the two artefacts Horne's RUSI lecture asked for sitting on the next board pack.
Add the FortiGate and any other internet-facing edge device to the one-page exposure map: what it protects, what data sits behind it, which suppliers can reach it, who owns the credentials, and when MFA was last verified as enforced rather than just configured. That map is the input to Action 1 of the Cyber Resilience Pledge.
Run a 30-minute tabletop where the scenario is a working SSL VPN credential that has arrived in the wrong inbox. Walk the first 24 hours: who notices, who calls who, how lateral movement is contained, how the incident is recorded for ICO purposes if customer or pupil data is involved, and how the DUAA route is briefed for the staff answering inbound calls. Time the acknowledgement on a complaint that lands during the rehearsal.
Move identity controls forward. Wherever single sign-on exists, push more services behind it and enforce MFA in front; the Cyber Essentials April 2026 update tightened the rules around cloud services, MFA and software updates, and renewal cycles are quietly demanding a higher baseline than a year ago. Sign the organisation up to the NCSC Early Warning service if it is not already.
The next 90 days
By mid-September the cadence Horne described as a contest rather than a risk needs to be invisible.
Add edge-device questions to the supplier questionnaire. Which suppliers run an internet-facing firewall or VPN gateway, which brand, what firmware level, when it was last patched, whether MFA is enforced on the management interface, whether that interface is reachable from the public internet at all, and whether the supplier has reset credentials and run an IoC sweep on the FortiBleed pattern. The supplier-cascade frame <a href="/resources/blog/gchq-moment-of-consequence-2026-what-uk-schools-charities-smbs-should-do">GCHQ set out at Bletchley Park on 27 May</a> is why this row now belongs in the questionnaire rather than the next review. Refresh the AI procurement row at the same time; <a href="/resources/blog/agentic-ai-ncsc-five-eyes-2026-what-uk-schools-charities-smbs-should-do">the agentic AI post from May</a> explained why defaults in AI products are now a procurement question, and FortiBleed underlines that defaults on edge devices are too.
Put a standing quarterly slot on the board pack for complaints volumes, acknowledgement times, ICO escalations, supplier incidents and any edge-device anomalies. Three months of running data is what turns the new DUAA duty from a compliance task into management information boards can actually use.
The Cyber Security and Resilience Bill, which cleared its Commons third reading on 10 June and is now in the Lords for the summer, is the regulatory backdrop. Most ReadyToday-audience organisations will not be in direct scope but will be in its supply-chain shadow, because regulated buyers will keep pushing the Bill's expected due-diligence expectations down their procurement chains long before Royal Assent. A second tabletop in late August closes the loop: three plausible complaints, one tied to a hypothetical edge-device breach, walked end to end before the autumn term.
Why this weekend matters more than last weekend
Last weekend the DUAA was 36 hours away. This weekend FortiBleed is 96 hours old, the NCSC has issued an alert, the ICO is now receiving complaints under a brand-new statutory route, and any UK organisation whose Fortinet device has been sitting on the open internet with reused passwords and no MFA has been bidding to be on the wrong end of both stories simultaneously. The Friday morning after an NCSC keynote of the scale of <a href="/resources/blog/ncsc-rusi-contest-2026-what-uk-schools-charities-smbs-should-do">the RUSI lecture</a> was the worst possible moment to be running edge devices with the defaults from 2021. The Monday morning after is the moment to fix them.
Five practical takeaways
- The NCSC issued an alert on Thursday 18 June 2026 advising UK organisations on the FortiBleed Fortinet credential-harvesting campaign, with around 74,000 verified working credential sets in the public dataset across 194 countries. If your organisation runs a Fortinet edge device, treat its credentials as exposed until proven otherwise.
- Rotate every FortiGate credential by close of business Tuesday: admin passwords, SSL VPN user passwords, pre-shared keys, SNMP community strings and API tokens. Enforce multi-factor authentication on every administrative and VPN login at the same time. MFA on its own would have stopped most of FortiBleed from being usable.
- Take the management interface off the open internet. Restrict admin access to a small allow-list, and disable SSL VPN if it is not actually being used. If it is being used, plan the move to ZTNA over the next 90 days.
- Check FortiGate logs back to the start of June for unfamiliar admin or VPN logins, new accounts you did not create, unexpected configuration changes, impossible-travel sessions, and any gaps where logs were cleared. Treat anything in those categories as an incident and run the resilience plan.
- The DUAA Section 164A complaints duty is in force as of Friday 19 June 2026. Make sure the public-facing complaints page is live and findable, acknowledgements fire within hours, the log is being kept, and the board pack carries the running numbers from Monday onwards.
If you would like a second pair of eyes on the FortiGate position, the credential rotation and the supplier list this week, that is exactly the kind of short, time-bounded job our <a href="/services/cybersecurity-resilience">cybersecurity and resilience</a> work is built for. A <a href="/contact/discovery">30-minute discovery call</a> will get you a one-page plan that covers this weekend, the next 30 days and the next 90 days.