BreachExchange mailing list archives
NHS HACK ATTACK Anonymous hacker claims to have stolen private data on up to 1.2million NHS patients
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 21 Aug 2017 07:29:32 -0500
https://www.thesun.co.uk/tech/4274225/anonymous-hacker-claims-to-have-stolen-the-nhs-medical-records-of-1-2million-brits/

SwiftQueue is paid by eight NHS trusts to manage a website, through which patients can book appointments with a GP, hospital or clinic. They also operate terminals within waiting rooms, where patients can check-in upon arrival.

The firm has called in cops from the Met’s specialist Cyber Crime Unit.

Security experts have expressed alarm at the breach and called on the health service to contact affected patients as a matter of urgency.

Someone claiming to represent Anonymous told The Sun: “I think the public has the right to know how big companies like SwiftQueue handle sensitive data.

“They can’t even protect patient details.”

The source said the hack exploited weaknesses in SwiftQueue’s software, which should have been patched several years ago.

They claim to have downloaded the company’s entire database, containing 11million records, including passwords.

But SwiftQueue said their database is not that big and their initial investigation suggests only 32,501 “lines of administrative data” have been accessed.

This includes patients’ personal details, such as names, dates of birth, phone numbers and email addresses.

The company said they do not hold patients’ medical records and passwords are encrypted.

The accessed data is thought to relate to just one NHS trust but they refused to say which one or how many patients are affected.

Sam Smith, from campaign group MedConfidential, said: “Patients will be alarmed that a company trusted by the NHS to hold their private data has been compromised in this way.

“Firms should take every step possible to keep private data secure, which does not appear to have happened in this case.

“The NHS should be doing more to ensure their suppliers meet the highest possible standards of data security.

“The priority now should be informing affected patients and making sure such a breach cannot happen again.”

The breach follows May’s WannaCry attack, when malware infected at least 47 NHS trusts, leading to the cancellation of more than 15,000 appointments and operations.

A review of NHS organisations earlier this year by NHS Digital – responsible for the NHS IT network – found systems missing security updates and a quarter of users using “very weak” passwords.

SwiftQueue said: “We recently became aware of a cyber attack which affected a small subset of administrative data sets, with the breach fixed within three hours.

“There were 32,501 lines of administrative data, some of it test data which related to ‘dummy’ patients. We are in the process of informing the patients affected.

“No medical records have been illegally accessed and we have reported the incident to the Metropolitan Police Cyber Crime Unit which is investigating.”

NHS Digital said: “SwiftQueue does not hold medical information, but has told us that one of their databases may have been unlawfully accessed, affecting 32,500 lines of administrative data.

“This is limited to names, dates of birth, phone numbers and, in some cases, email addresses.

“We will continue to support SwiftQueue and the NHS as investigations continue.”

The Metropolitan Police said: “The Met’s Cyber Crime Unit received a referral from Action Fraud following an allegation of computer misuse related to a data breach on Thursday, 10 August.

“Officers are in touch with the organisation affected and are investigating.

“There have been no arrests and enquiries continue.”