In a significant escalation of a previously disclosed cybersecurity threat, NHS Dumfries and Galloway has witnessed the full release of over 3 terabytes of confidential data on the dark web.

This follows a prior breach where cybercriminals issued a ‘proof pack’ to demonstrate their possession of the data, initially reported by the UK Defence Journal.

I spent much of this morning reviewing what has been released, and, quite frankly, it’s incredibly concerning. The breach involved the release of over 3 terabytes of highly sensitive information encompassing a broad spectrum of operational and personal data.

The leaked content includes extensive SQL database backups, which likely contain critical system and patient information. Various department-specific documents were also exposed, revealing potential details about patient treatments and diagnostics in areas such as biochemistry, cancer services, and accident and emergency departments.

Particularly alarming is the exposure of data related to children and vulnerable groups. Files from the Child and Adolescent Mental Health Services may include sensitive health information about minors, highlighting the severity of the breach in terms of potential harm to vulnerable populations. Additionally, resources used for creating communication aids, possibly for children with learning difficulties or communication impairments, were also leaked.

The breach extends into sensitive administrative areas as well, with substantial volumes of internal communications, human resources data, and even details from Freedom of Information requests being made public. This not only poses a risk to the privacy of staff members but also jeopardises the integrity of operational data, such as staff leave records.

NHS Dumfries and Galloway Chief Executive Julie White said:
“This is an utterly abhorrent criminal act by cyber criminals who had threatened to release more data. We should not be surprised at this outcome, as this is in line with the way these criminal groups operate. Work is beginning to take place with partner agencies to assess the data which has been published. This very much remains a live criminal matter, and we are continuing to work with national agencies including Police Scotland, the National Cyber Security Centre and the Scottish Government.”
Mrs White added: “NHS Dumfries and Galloway is conscious that this may cause increased anxiety and concern for patients and staff, with a telephone helpline sharing the information hosted at our website now available. Data accessed by the cyber criminals has now been published onto the dark web – which is not readily accessible to most people. Recognising that this is a live criminal matter, we continue to follow the very clear guidance being provided to us by national law enforcement agencies.”
Avatar photo
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison
Subscribe
Notify of
guest

22 Comments
oldest
newest
Inline Feedbacks
View all comments

Athelstanthecurious
Athelstanthecurious (@guest_816561)
21 days ago

Time we started weaning ourselves off all things Chinese, whilst there’s still time to do it gradually and not upset the global economy. You never know some of the muscles might even stop.

GR
GR (@guest_816562)
21 days ago

Maybe be government bodies should be connected to an intranet that is air gapped from the internet so that it cannot be hacked from state sponsored criminal gangs in Russia.

ChrisJ
ChrisJ (@guest_816570)
21 days ago
Reply to  GR

The NHS like all other public institutions relies on the internet just as much as any modern private business. Cutting off access won’t do anything to improve patient services.

What needs to happen is the government needs to provide the resources to provide the equipment and staffing necessary to adequately secure the systems in use.

Most NHS trusts rely on outdated firewalls and a single brow-beaten “IT Security” specialist who has to do everything from managing individual access rights to defending against state sponsored bad actors.

Expat
Expat (@guest_816578)
21 days ago
Reply to  ChrisJ

Perhaps the NHS should contract a private company to manage their cyber security. ooops sorry mention the P word and HNS is the same sentence.

ChrisJ
ChrisJ (@guest_816585)
21 days ago
Reply to  Expat

You won’t find any argument from me there, something needs to change for any improvement to occur.

Whether it be paying a private company to do it in full, with severe penalties for failure or adequately resourcing the existing IT departments to provide the service. Something needs to change.

Jonathan
Jonathan (@guest_816599)
21 days ago
Reply to  Expat

The NHS does use private contractors all the time…same one as the post office on a lot of things…the entire IT infrastructure is constructed by private businesses….you have to remember the NHS does not exist as an entity…it’s not a private or public sector organisation..it’s a construct..it’s actually around 50,000 organisations ( public owned, private profit making,social enterprises and charities) that all have the right via contract to us the NHS logo…they each contract their own IT infrastructure.. the only national control on this is a set of standards IT companies and systems must comply with.

Last edited 21 days ago by Jonathan
Paul.P
Paul.P (@guest_816651)
21 days ago
Reply to  Expat

Fujitsu?

Jonathan
Jonathan (@guest_816598)
21 days ago
Reply to  GR

The NHS is actually about 50,000 completely independent organisations…each with its own systems that in some way need to communicate with other systems.

Paul.P
Paul.P (@guest_816652)
21 days ago
Reply to  Jonathan

Divide and conquer?

Jonathan
Jonathan (@guest_816674)
21 days ago
Reply to  Paul.P

It’s never been what people thought it was…it’s always been a mixed private..public amalgamation or lots of different types of organisations…always makes me laugh when people call the NHS a public sector organisation..its not it’s a system of different organisations that the government purchases healthcare from on behalf of the population…always been based around contracts..it’s just some of the organisations that the NHS contract to are own by the public and held in trust…the vast bulk of NHS healthcare provision has always been provided by private providers ….pharmacies, GP practices, dentists, optometrists, out of hours services..infact the only services that… Read more »

Paul.P
Paul.P (@guest_816691)
21 days ago
Reply to  Jonathan

NHS is a brand. That’s what IBM became.

Cognitio68
Cognitio68 (@guest_816571)
21 days ago

Great…public sector IT strikes again. If you create bureaucracies full of middle managers all squawking away about their own parochial nonsense then important things tend to get overlooked or if they are lucky enough to be noticed then there never is enough funding or organisational energy to deal with it timeously.
The only answer to bad practise in information technology are regular audits and career ending consequence for budget holders who refuse to take action.

Expat
Expat (@guest_816580)
21 days ago
Reply to  Cognitio68

I would think the NHS is non unfamilair with audits😀, but actualy firing someone. In all my years and its quite a few I have never met a public sector employee who was fired or dismissed.

Lonpfrb
Lonpfrb (@guest_816603)
21 days ago
Reply to  Expat

Clinical Audits, yes.
Financial Audits, definitely.
I.T.Security Audits, hmm..

Jonathan
Jonathan (@guest_816607)
21 days ago
Reply to  Expat

As a person who had a job in looking for failure in both staff and contracted companies in the NHS..I assure you we end contracts, both individually and corporate…we also follow up and essentially make sure they never work in the industry again if we think they have crossed a line as well as ensure they loss their licence or are prosecuted…if the NHS thinks you’ve crossed a line loss if your contract is generally the lest of your worries….once the NHS gets going it can be evangelical in its approach to discipline( essential with patient facing clinical staff) the… Read more »

Last edited 21 days ago by Jonathan
ChrisJ
ChrisJ (@guest_816587)
21 days ago
Reply to  Cognitio68

It’s the last sentence of your message that’s the problem.

There are loads of examples of low level public sector IT people being sacked for failings, which usually occured because they were expected to perform tasks significantly above their pay scale/level of experience. I experienced this very issue myself in my early career when I worked for one of the largest NHS trusts in the country.

On the other hand, the budget holder/finance officer who refused time and time again to allocate the appropriate resources, despite repeated warnings about the consequences, almost always walks away scott free.

Last edited 21 days ago by ChrisJ
Cognitio68
Cognitio68 (@guest_816697)
21 days ago
Reply to  ChrisJ

Chris, I’ve experience working in both public and private sectors. I also have friends working in NHS IT. In the Financial Sector you are audited regularly and failing an audit is a big deal. You could not only be heavily fined the regulator could also remove your license to operate. So audit failures automatically gain the attention of the CEO and usually go straight onto the business Risk Register. A Risk Register which is itself audited. The last thing in the world a business unit leader wants is to draw that sort of career ending attention. Audits are treated exceptionally… Read more »

Jonathan
Jonathan (@guest_816608)
21 days ago
Reply to  Cognitio68

I agree the issue is unfortunately money money money and where you put your resources…the NHS always has to look in year and if your PAS system needs updating..but the procurements costing you a million quid and your orthopaedic waits are over 18 weeks and the only way to get them in line is to spend a million quid on fast track private ortho…then you spend the money on the ortho capacity….it’s a simple truth money on the IT infrastructure is money that is not going into direct patient care….yes we know IT can support changes in practice and effectiveness…but… Read more »

Lonpfrb
Lonpfrb (@guest_816600)
21 days ago

Where is GCHQ expertise and support when a critical government department needs it.

Of course the health board can’t afford to have World class skills and experience on hand permanently but surely any major change requires the security to be audited before it can go live.

Database backups are routine so must always be kept safe. Operations 101.

Dragonwight
Dragonwight (@guest_816662)
21 days ago

Unencrypted, SQL backups? Somebody needs firing.

Last edited 21 days ago by Dragonwight
Cognitio68
Cognitio68 (@guest_816699)
21 days ago
Reply to  Dragonwight

I know this is bizarrely wrong. Either somebody has got hold of unencrypted backup media or has gained access to a file share which contains SQL backups. These are novice level errors. Can you imagine what else is wrong at this datacenter?
I think this Health Authority has Financial problems which is probably the root cause. However the solution to these problems is not to take money away from securing your IT systems.

John Boulton
John Boulton (@guest_818261)
15 days ago

Come on George, would you like to explain it to us, please? Was that data encrypted? If not, then why not? I appreciate that it costs money (computer power) to run full encryption, but surely any sensitive data held in any database these days should be encrypted? The technology and decent systems techs are there to make it damned difficult to get the data out and lots of power required to run decryption if it should escape. Surely the NHS/Admins are at fault here for holding such data in so easily accessible format in SQL/MySQL? presumably also on a leaky… Read more »