Personal data of thousands of NHS staff members in Wales was breached from the servers of third-party contractor Landauer last October. The breached data includes Welsh NHS employee names, dates of birth, radiation dosage and National Insurance numbers, more details can be found here. IT security experts from RSA,Verizon and ViaSat Europe commented below.
Rashmi Knowles, CISSP Chief Security Architect EMEA at RSA:
“The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond. The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organisations will need to disclose within 72 hours of the breach being discovered. The five months it has taken in this case is quite frankly shocking.
“The fact that this attack was via a third party is also a timely wake up call. Just because the Welsh NHS can make the tired claim that this attack was not its fault, it is still very much its problem and liability. Throughout the NHS and in the entire public sector, third party risk should be a top priority. This means determining which parts of operations rely on third party relationships, which relationships pose the greatest risk, and giving those risks higher visibility, action and oversight. Thankfully no patient information has been affected, but highly sensitive employee data certainly falls into the category of high value and high risk. The NHS should have known that and acted accordingly.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“Details on how this breach was perpetrated haven’t been disclosed, but in the coming days and weeks we will almost certainly see a great deal of speculation over how, who and why. However, what certainly isn’t new here is the five-month delay between when the incident occurred and when those affected were notified.
“The Data Breach Investigations Report series has consistently shown the existence of a growing detection deficit. Whilst most hackers compromise their targets within just minutes and steal data within days, less than a quarter of breaches are detected within that same timeframe. Most take weeks, if not months or even years to identify – and when they are identified, it’s usually law enforcement or another third-party that notifies the victim, rather than internal security teams. This really highlights that most organisations are struggling to monitor and traverse the growing threat landscape effectively and safely, without outside help from cybersecurity professionals.”
Marc Agnew, Vice President at ViaSat Europe:
“Increasing financial pressure means that sub-contracting is likely to become common in more parts of the public sector. As vital tasks become shared across more and more organisations, it’s crucial that the NHS control not only its own data protection policies, but also those of any contractors.
Indeed, data security should form a key part of any contract that is signed and should be monitored rigorously, with failure to comply being met with hefty penalties. Otherwise, contractors that show a flagrant disregard for security will be a continuing weak link for a public sector desperately improving its data protection.”