The cyber criminal organisation behind the developing ransomware attack on the University of Manchester appears to have accessed and stolen personally identifiable information (PII) on over a million NHS patients whose data was held by the university for research purposes.
According to The Independent, which was first to report the latest development, the dataset relates to trauma patients – including terror attack victims – treated at more than 200 hospitals, and the compromised information supposedly includes NHS numbers and the first three characters of patients’ home postcodes.
The university is said to have contacted NHS Trusts over the past few days to warn them of their potential exposure. It’s understood that impacted patients may not have known their data had been shared, and so should be alert to follow-on attacks, phishing emails or contact from the ransomware gang – which has already been harassing Manchester students.
NHS England declined to comment on the story, while the University of Manchester did not confirm specific details of the incident.
“We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied,” said a university spokesperson. “Individuals have been informed of this cyber incident, and offered support and advice to further protect their data.
“Our investigations into impact are ongoing and we are continuing to work with relevant authorities and partners, including the Information Commissioner’s Office, the National Cyber Security Centre (NCSC), the National Crime Agency and other regulatory bodies.
“Our in-house data experts and external support are working around the clock to resolve this incident and respond to its impacts, and we are not able to comment further at this stage.”
Forensics experts
The attack on the University of Manchester’s systems came to light earlier in June, and since then, it’s been working with third-party forensics experts and organisations including the NCSC, National Crime Agency (NCA) and the Information Commissioner’s Office (ICO) to establish its impact.
Data that is confirmed to have been affected includes information on students applying for student accommodation and information held on past alumni. The university said it has no evidence to suggest any banking or payment details were accessed.
At the time of writing, its IT teams have successfully restored most of its systems, although some issues are still occurring. Its GlobalProtect VPN service for remote and hybrid workers has been taken offline for all off-campus users, and is not expected to be restored for at least another month.
Additionally, it is ramping up its data protection and cyber security training for staff, and has offered staff and postgraduate research students a year’s subscription to Experian.
The identity of the ransomware operator behind the attack remains undisclosed.
Jake Moore, global cyber security advisor at ESET, said: “Any personally identifiable data stolen is worrying but when the data includes sensitive medical data, the level of concern is heightened. Ransomware attacks are more commonly turning out to be data releasing exercises and so, having data backed up is now no longer enough to withstand these attacks.
“Once threat actors get their hands on crucial sensitive information, they can ransom the data for any value they wish. Unfortunately, the release of data into the internet oblivion is fast becoming the usual scenario.”
Check Point’s field chief information security officer (CISO), Deryck Mitchelson, who was formerly director of national digital and CISO at NHS National Services Scotland, questioned why the university had access to PII on NHS patients.
“How many other universities have this type of data stored on their own servers? Was the data obfuscated or de-identified? Where patient information is being used for research, there should be as much openness and transparency about that use as possible,” he said.
“Was this the case? What safeguards did the university have in place around its research data? Are research data sets segmented from others? Is it fully encrypted at rest with key rotation in place? Is data access auditable? All of this opens up far more concerning conversations around data sharing between public and private organisations, which needs to be addressed.”