[BreachExchange] NHS HACK ATTACK Anonymous hacker claims to have stolen private data on up to 1.2million NHS patients
Destry Winant
destry at riskbasedsecurity.com
Mon Aug 21 08:29:32 EDT 2017
https://www.thesun.co.uk/tech/4274225/anonymous-hacker-claims-to-have-stolen-the-nhs-medical-records-of-1-2million-brits/
SwiftQueue is paid by eight NHS trusts to manage a website, through
which patients can book appointments with a GP, hospital or clinic.
They also operate terminals within waiting rooms, where patients can
check-in upon arrival.
The firm has called in cops from the Met’s specialist Cyber Crime Unit.
Security experts have expressed alarm at the breach and called on the
health service to contact affected patients as a matter of urgency.
Someone claiming to represent Anonymous told The Sun: “I think the
public has the right to know how big companies like SwiftQueue handle
sensitive data.
“They can’t even protect patient details.”
The source said the hack exploited weaknesses in SwiftQueue’s
software, which should have been patched several years ago.
They claim to have downloaded the company’s entire database,
containing 11million records, including passwords.
But SwiftQueue said their database is not that big and their initial
investigation suggests only 32,501 “lines of administrative data” have
been accessed.
This includes patients’ personal details, such as names, dates of
birth, phone numbers and email addresses.
The company said they do not hold patients’ medical records and
passwords are encrypted.
The accessed data is thought to relate to just one NHS trust but they
refused to say which one or how many patients are affected.
Sam Smith, from campaign group MedConfidential, said: “Patients will
be alarmed that a company trusted by the NHS to hold their private
data has been compromised in this way.
“Firms should take every step possible to keep private data secure,
which does not appear to have happened in this case.
“The NHS should be doing more to ensure their suppliers meet the
highest possible standards of data security.
“The priority now should be informing affected patients and making
sure such a breach cannot happen again.”
The breach follows May’s WannaCry attack, when malware infected at
least 47 NHS trusts, leading to the cancellation of more than 15,000
appointments and operations.
A review of NHS organisations earlier this year by NHS Digital –
responsible for the NHS IT network – found systems missing security
updates and a quarter of users using “very weak” passwords.
SwiftQueue said: “We recently became aware of a cyber attack which
affected a small subset of administrative data sets, with the breach
fixed within three hours.
“There were 32,501 lines of administrative data, some of it test data
which related to ‘dummy’ patients. We are in the process of informing
the patients affected.
“No medical records have been illegally accessed and we have reported
the incident to the Metropolitan Police Cyber Crime Unit which is
investigating.”
NHS Digital, said: “SwiftQueue does not hold medical information, but
has told us that one of their databases may have been unlawfully
accessed, affecting 32,500 lines of administrative data.
“This is limited to names, dates of birth, phone numbers and, in some
cases, email addresses.
“We will continue to support SwiftQueue and the NHS as investigations continue.”
The Metropolitan Police said: “The Met’s Cyber Crime Unit received a
referral from Action Fraud following an allegation of computer misuse
related to a data breach on Thursday, 10 August.
“Officers are in touch with the organisation affected and are investigating.
“There have been no arrests and enquiries continue.”
More information about the BreachExchange
mailing list