NHS Data Breach – Trust or trust?

Barts Health NHS Trust is one of the largest in the country – and it’s cyber security has been breached by the BlackCat ransomware gang. Some of the data has already been leaked as a “proof of breach” to the Trust and to the members of staff whose data, held in trust by the Trust, has been stolen. The leaked data has included some of the most valuable to the individual and also to the hacker, copies of passports and driving licenses, financial information, personal details etc.

Everyone is waiting for the extortion to begin…

Barts NHS hack leaves folks on tenterhooks over extortion • The Register

At the moment it is unclear whether patient data has been stolen.

BlackCat are also known as AlphaV and have been linked to the Russian DarkSide squad. Recently they have been targeting health care providers around the world and then using the triple extortion technique:

  • First steal the data
  • Second encrypt the data on the host systems
  • Third release a little of the data referring to individuals

Then issue the ransom demands and depend on the individuals with compromised information to bring pressure to the organisation to pay up.

However on this case there have been no reports of encrypted data on the Bart’s network, so it may be a data grab. But it was a big grab – it has been reported that over 7TB of data has been stolen.

Investigations are ongoing…

How much data?

7TB. That is a lot of data. The question I have is how did the network monitoring miss that?

At university we discussed and experimented with exfiltrating data from a system so slowly that we did not trip the network Security Operations Centre (SOC) sensors. It could be done but the data transfer rate was slow – impractically slow if you wanted to transfer 7TB of data, even if you used multiple streams, which would also set alarms ringing.

So again. How did this volume of data leaving the secured network not be noticed?

I have not tested our SOC for this but I am sure it would raise an alarm to the cyber security technician who man the centre, if this amount of data was stolen over a reasonable time span. Then someone could check it was legitimate.

How

How did this start?

There is no official word on this but let’s speculate – a phishing email opened by a stressed employee of the NHS.

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

This sounds similar to a post from yesterday:

What happens when a company leaks data? | Smart Thinking Solutions