Personal data of thousands of NHS staff members in Wales was breached from the servers of third-party contractor Landauer last October. The breached data includes Welsh NHS employee names, dates of birth, radiation dosage and National Insurance numbers, more details can be found here. IT security experts from RSA,Verizon and ViaSat Europe commented below.
Rashmi Knowles, CISSP Chief Security Architect EMEA at RSA:
“The fact that this attack was via a third party is also a timely wake up call. Just because the Welsh NHS can make the tired claim that this attack was not its fault, it is still very much its problem and liability. Throughout the NHS and in the entire public sector, third party risk should be a top priority. This means determining which parts of operations rely on third party relationships, which relationships pose the greatest risk, and giving those risks higher visibility, action and oversight. Thankfully no patient information has been affected, but highly sensitive employee data certainly falls into the category of high value and high risk. The NHS should have known that and acted accordingly.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“The Data Breach Investigations Report series has consistently shown the existence of a growing detection deficit. Whilst most hackers compromise their targets within just minutes and steal data within days, less than a quarter of breaches are detected within that same timeframe. Most take weeks, if not months or even years to identify – and when they are identified, it’s usually law enforcement or another third-party that notifies the victim, rather than internal security teams. This really highlights that most organisations are struggling to monitor and traverse the growing threat landscape effectively and safely, without outside help from cybersecurity professionals.”
Marc Agnew, Vice President at ViaSat Europe:
Indeed, data security should form a key part of any contract that is signed and should be monitored rigorously, with failure to comply being met with hefty penalties. Otherwise, contractors that show a flagrant disregard for security will be a continuing weak link for a public sector desperately improving its data protection.”