Cyber expert urges against 'panic' over NHS data leak

The founding chief executive of the UK's National Cyber Security Centre has urged people not to panic after a Scottish health board was targeted by cyber criminals.

Ciaran Martin said it was very rare that data breaches involving medical information result in "actual harm" to members of the public.

A ransomware group has dumped an estimated three terabytes of data stolen from NHS Dumfries and Galloway on the dark web.

It is believed to include clinical information on thousands of patients, including children, and financial data on staff.

Mr Martin, once called Britain’s “top cyber spy,” led the National Cyber Security Centre (NCSC) when it was established as part of GCHQ intelligence gathering agency in 2016.

The NCSC is one of several organisations now responding to the attack on NHS Dumfries and Galloway by a group called INC Ransom.

The board has said the stolen data contains correspondence between clinicians which includes the contact details and medical history of some patients.

Some of the data came from the Child and Adolescent Mental Health Service (Camhs) and efforts are under way to identify any individuals who have been affected.

People in Dumfries and Galloway have been advised to remain vigilant and to contact the police if they are approached by someone claiming to have their personal data or NHS data.

Extra insurance has been offered to the board’s 5,000 staff to protect them from identity theft or fraud.

Ciaran Martin
Ciaran Martin said it was 'unusual' for patients to come to direct harm due to the leaking of data [BBC]

Mr Martin, who left the role in 2020 and is now a professor at the University of Oxford, said: "It's a very difficult situation but experience from the rest of the world suggests that even when this data is dumped on the dark web, relatively little direct harm occurs.

"A good example is Australia, where over a third of the population's full medical records were leaked onto the dark web."

Mr Martin said a concerted government-led effort minimised the impact of the Australian leak.

"Police and other authorities were clear that there'd be consequences if there was any sort of extortion," said Mr Martin.

"Although it's very unpleasant, the data just sort of sat there and there's no evidence of any direct harm, even though nearly 10 million people's full medical records were affected.

"People shouldn't panic. There isn't going to be a Google searchable database of people's medical records or people's bank details. That's not the way this works.

"It is relatively rare, not unknown, but relatively rare for individuals to suffer direct sort of harm, embarrassment or extortion."

So far, there has not been any messaging from Police Scotland warning people not to access or share the stolen data.

INC Ransom has been linked to a series of cyber attacks in the United States and Europe since last year.

Mr Martin said international agencies will be trying to disrupt their activities and pointed to recent success against LockBit, which was believed to have been the most prolific ransomware group in the world.

A campaign led by the UK's National Crime Agency infiltrated and took over the group's network.

Sanctions against the group's alleged leader Russian national Dmitry Khoroshev have been announced and a $10m reward for information leading to his arrest and/or conviction has been offered by the United States.

Mr Martin said: "It's relatively rare for ransomware criminals to suffer consequences, simply because of the awkward fact that they tend to be based in Russia.

"It's the world's largest open camp and safe haven for cyber criminals and the Russian police don't go after them most of the time.

"Russia does not extradite its own citizens, so the chances of somebody behind this horrible attack being behind bars, either in Russia or, more appropriately in Scotland are, I'm afraid, pretty low.

"We have just seen a superb operation by the UK National Crime Agency which destroyed the infrastructure of the LockBit ransomware group and exposed their ringleader.

"But it's very difficult when there's large scale crime happening remotely from an unfriendly jurisdiction."