NHS Data Breach – Trust or trust? | Smart Thinking Solutions

Barts Health NHS Trust is one of the largest in the country – and it’s cyber security has been breached by the BlackCat ransomware gang. Some of the data has already been leaked as a “proof of breach” to the Trust and to the members of staff whose data, held in trust by the Trust, has been stolen. The leaked data has included some of the most valuable to the individual and also to the hacker, copies of passports and driving licenses, financial information, personal details etc.

Everyone is waiting for the extortion to begin…

Barts NHS hack leaves folks on tenterhooks over extortion • The Register

At the moment it is unclear whether patient data has been stolen.

BlackCat are also known as AlphaV and have been linked to the Russian DarkSide squad. Recently they have been targeting health care providers around the world and then using the triple extortion technique:

First steal the data
Second encrypt the data on the host systems
Third release a little of the data referring to individuals

Then issue the ransom demands and depend on the individuals with compromised information to bring pressure to the organisation to pay up.

However on this case there have been no reports of encrypted data on the Bart’s network, so it may be a data grab. But it was a big grab – it has been reported that over 7TB of data has been stolen.

Investigations are ongoing…

How much data?

7TB. That is a lot of data. The question I have is how did the network monitoring miss that?

At university we discussed and experimented with exfiltrating data from a system so slowly that we did not trip the network Security Operations Centre (SOC) sensors. It could be done but the data transfer rate was slow – impractically slow if you wanted to transfer 7TB of data, even if you used multiple streams, which would also set alarms ringing.

So again. How did this volume of data leaving the secured network not be noticed?

I have not tested our SOC for this but I am sure it would raise an alarm to the cyber security technician who man the centre, if this amount of data was stolen over a reasonable time span. Then someone could check it was legitimate.

Do you want to know more?

How

How did this start?

There is no official word on this but let’s speculate – a phishing email opened by a stressed employee of the NHS.

Cyber Security Awareness Training

Clive Catton MSc (Cyber Security) – by-line and other articles

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

How much data?

How

Further Reading