NHS boss says Scottish trust wouldn't give cyberattackers what they wanted
- Reference: 1718710151
- News link: https://www.theregister.co.uk/2024/06/18/nhs_dumfries_and_galloway_letter/
- Source link:
Residents of Dumfries and Galloway in Scotland will soon be receiving a letter from the CEO of the regional National Health Service org explaining in full the February cyberattack that may affect them.
Draft copies of the letters to be sent this week were posted on NHS Dumfries and Galloway's website on Monday. It explains in plain terms what happened, what the attack means for residents, and how to stay safe online in the wake of the incident.
[1]
"In February this year, NHS Dumfries and Galloway was the victim of a targeted attack by cybercriminals," said Julie White, chief exec at NHS Dumfries and Galloway, in the [2]letter [PDF]. "This did not interrupt the care provided to patients, and no data on our systems was deleted or changed. However, the criminals were able to access and copy large amounts of patient and staff-identifiable data.
[3]
[4]
"When their demands weren't met, they published the stolen files onto the internet on May 6, 2024. We are advising people in Dumfries and Galloway that the best approach to take is to assume that some data relating to you is likely to have been copied and published.
"This is an extremely serious situation, and everyone is asked to be on their guard for any attempts to access their computer systems, or any approaches by anyone claiming to hold their data or someone else's data."
[5]
White went on to say that because millions of files were copied, analyzing them all has been challenging, thus analysis efforts have prioritized the most vulnerable patients.
Those considered to be both affected by the breach and one of the high-risk data subjects – generally this refers to the most vulnerable patients – will be contacted directly and separately from the generalized letters going out this week.
White said the four main risks people in the region must be aware of are identity theft, the cybersecurity of their devices (mainly phishing attempts), extortion, and the mental health ramifications of the breach.
[6]Leicester streetlights take ransomware attack personally, shine on 24/7
[7]Nearly 1M medical records feared stolen from City of Hope cancer centers
[8]INC Ransom claims to be behind 'cyber incident' at UK city council
[9]INC Ransom claims responsibility for attack on NHS Scotland
Without explicitly naming the organizations at the center of the incident, she cited 2022's [10]Medibank attack in Australia as a similar example of what unraveled in southern Scotland this year.
Medical records belonging to more than 10 million people were stolen by the former ransomware juggernaut REvil, White said, but the insurer [11]refused to pay its ransom demand. Australia fingered Russian national [12]Aleksandr Ermakov for carrying out the attack and plonked him on its sanctions list for good measure.
[13]
White said the "sheer scale" of the Medibank incident limited its overall impact on those it affected, and that one cybersecurity expert working alongside the NHS has suggested the same could be said for [14]Dumfries and Galloway's attack in an apparent attempt to quell residents' nerves.
The CEO closed the letter by saying: "On behalf of NHS Dumfries and Galloway, I would like to apologize for the anxiety which may have been caused to you due to this situation. We have sought to be as open as possible while adhering to the very explicit guidance we have received from Police Scotland and partner agencies."
Overleaf is a more easily [15]digestible summary [PDF] of the letter's contents, complete with a frequently asked questions section which does a solid job of explaining the facts of the attack.
None of the information is new – it has all been previously reported – but it does a good job of putting all the details, the most important of which were dispersed over multiple weeks. ®
Get our [16]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnGvJ3brcmxIEr7ctGYWLQAAAAA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://www.nhsdg.co.uk/wp-content/uploads/2024/06/130624-p1-cyber-flyer-A3.pdf
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnGvJ3brcmxIEr7ctGYWLQAAAAA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnGvJ3brcmxIEr7ctGYWLQAAAAA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnGvJ3brcmxIEr7ctGYWLQAAAAA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/04/23/leicester_streetlights_ransomware/
[7] https://www.theregister.com/2024/04/03/city_of_hope_data_theft/
[8] https://www.theregister.com/2024/04/02/inc_ransom_leicester_council/
[9] https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/
[10] https://www.theregister.com/2022/10/20/medibank_data_breach_worsens/
[11] https://www.theregister.com/2022/11/07/medibank_breach_n0_ransom_payment/
[12] https://www.theregister.com/2024/01/23/australia_medibank_private_attacker_named/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnGvJ3brcmxIEr7ctGYWLQAAAAA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/
[15] https://www.nhsdg.co.uk/wp-content/uploads/2024/06/140624-cyber-flyer-p2-A3.pdf
[16] https://whitepapers.theregister.com/
The summary text is described as easy to read. Many of the recipients will have ageing eyes. Thin sans-serif text is not easy to read*, especially when on a grey background. It could have been made a great deal easier if they hadn't (presumably) frittered away money on a graphic designer and just used a higher contrast print.
* It isn't that easy to read here, either, even on a white background, especially when the composition text is a smaller font.
I'm not sure if it's a novel idea but what if all executives who run organisations dealing with personal information had to store a stack of very private material about them on every 'secure' server? That way, they'd have a personal incentive for cybersecurity.
The information would be appreciate to the broader type of information being stored. For example, a health executive would have to provide photos and details of any especially embarrassing parts of their body, to be afforded all the same security, but no more, as that which they provide to their customers.
The same concept could be applied to anyone proposing key escrow or other broken security for E2EE. Secure their nude photos with the same key used to decrypt everyone else's data and put the encrypted file online.
*The information would be appropriate to the broader type of information being stored
SCOTLAND!!!