[BreachExchange] St John Ambulance praised for response to ransomware attack

Destry Winant destry at riskbasedsecurity.com
Wed Jul 10 09:46:34 EDT 2019


https://www.computerweekly.com/news/252466303/St-John-Ambulance-praised-for-response-to-ransomware-attack

St John Ambulance has reported that it was hit by a ransomware attack
this week, but was able to isolate the attack and resolve it within
half an hour.

Fortunately, the ransomware did not affect operational systems, but
blocked access to the charity’s booking system for training courses
and encrypted customer data.

The charity has been praised for its swift, effective and transparent
response to the ransomware attack, which is currently the most common
cyber criminal activity affecting individuals and businesses in the
UK, according to the police.

Although the data included personal information such as the names of
course attendees, contact details and even driving licence data, St
John Ambulance said it is “confident” that data has not been shared
outside the charity.

However, the organisation said it has informed the UK’s data
protection authority, the Information Commissioner’s Office (ICO) and
the Charity Commission.

“We have received a report from St John Ambulance and we will assess
the information provided,” an ICO spokesperson said in a statement.

The charity reportedly did not pay any ransom for the release of the
data, in line with police guidelines, and also recognised the
ransomware attack as a crime and reported it to the police.

Police are encouraging all UK individuals and organisations to report
cyber crime to ensure that UK policing has as much data as possible to
help ensure an appropriate response, and have revealed plans to improve
the cyber crime reporting process for business in early 2020.

“It is crucial that businesses report cyber crime to us because every
incident is an investigative opportunity,” Rob Jones, director of
threat leadership at the UK National Crime Agency (NCA), told Computer
Weekly in a recent interview.

UK police are also encouraging individuals and organisations to do all
they can to reduce the likelihood of becoming victims of cyber crime.

“The best way to prevent ransomware attacks is for companies to ensure
they are not vulnerable by following best practices on cyber security
basics to ensure good cyber hygiene,” said Jones.

“Having good, functional data backups, treating your data as an asset,
having appropriate policies around your data, and having incident
response available to you are all simple ways of mitigating the harm
from ransomware, which is the most prevalent form of attack we see.”

As well as containing and reporting the incident to the relevant
authorities, St John Ambulance contacted those affected, published
support information on its website, and set up a dedicated email
address for questions relating to the incident: infosec at sja.org.uk.

St John Ambulance said no banking information provided during the
booking process is stored by the charity and no passwords were stored
in the database affected by the ransomware attack.

“The only data that has been affected relates to our training course
delivery,” it said. “It does not cover supplies, events, ambulance
operations, volunteering, volunteer data, employee data, clinical data
or patient data.”

Addressing the issue of trust, St John Ambulance said: “We work as
hard as we can to protect our data systems from these types of attack
and employ a range of third-party partners and cyber-crime solutions
to continually update our protection.”

Although there is no need for any customers to take any immediate
action, the charity has advised anyone working for its corporate
customers to pass on information about the incident to the person in
their organisation who is responsible for data protection.

Javvad Malik, security awareness advocate at KnowBe4, said the attack
appears to be limited to a segregated training [booking] system and
contains limited data.

“It is worth noting that St John Ambulance has demonstrated strong
incident response procedures here with a transparent and timely
response notifying the public, police and the ICO,” said Malik.

“Beyond that, it is unclear how the ransomware infected the systems,
but it wouldn’t be surprising to hear that the infection arose from a
phishing attack.

“This serves as a reminder that organisers should train their staff on
being able to identify a phishing email and not click on malicious
links.”

Independent security consultant Graham Cluley said St John Ambulance
appears to have had emergency recovery plans in place to restore data
from unaffected backup systems.

“The news that St John Ambulance had calmly resolved the incident
within half an hour seems pretty impressive to me, and, together with
the transparency they show in their disclosure, will hopefully
reassure those who deal with the charity,” he wrote in a blog post.

“If only all organisations and companies could put themselves in a
recovery position so confidently.”

