Anonymous LulzSec Group Hacks NHS
OTOH: Good job they were only in it for the lulz
Published 15:15, 10 June 11
On the one hand, how dare these spotty hackers break into our wonderful NHS?
On The Other Hand, it's a good job they had no malicious intent, or things could have been much, much worse.
Plus, today's skateboarding duck: Top 10 Photoshop Failures...
Jeremy Kirk reports:
Lulz Security apparently obtained administrative passwords for a website for a local NHS organization. ... The NHS did not reveal the name of the organization ... [but] none of its information systems had been affected.
Lulz, which frequently writes of its exploits on Twitter, wrote ... it had warned the NHS of the compromise by e-mail, and posted an image of the message. ... "We did stumble upon several of your admin passwords. ... We mean you no harm and only want to help you fix your tech issues."
Denis Campbell adds:
Hospital trusts and primary care trusts (PCTs) across England have been alerted to the security breach by ... the Department of Health's IT branch. ... The perpetrators were self-styled international "pirate-ninja" hackers LulzSec ... the same group that conducted cyber assaults on Sony and Nintendo.
The breach was uncovered by the magazine Health Service Journal. LulzSec claimed to have obtained the passwords "months ago" ... [but] claims it contacted the NHS on Wednesday to alert them to its breach of IT security.
John Oates is slightly, subtly, suitably sarcastic:
The Department of Health claimed ... no national systems were hit - given the slow progress of creating such national systems this might not be a surprise.
At least Kate Solomon clears up one weird mystery:
Concluding on a somewhat irrelevant note ... "We hope that little girls feasts on the bones of many giving souls."
A reference to Alice Pyne, a 15-year-old girl with terminal cancer whose bucket list includes a wish to "make everyone sign up to be a bone marrow donor."
But Adam Shostack hates the implication for enterprise IT security:
We’re being out-communicated by folks who can’t spell. ... Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. ... And why are we being out-communicated? Because every time there’s a breach, we ... claim it wasn’t so bad. ... And so we’re left with the Lulz crowd breaking and entering for ***** and giggles.
We should start talking openly about breaches. ... Then, we’d get somewhere without needing to see Sony, PBS, and Infraguard attacked. ... One or more of those organizations would have learned from the pain of others.
Chris Marling tries to make sense of it all:
Like many hacking groups, LulzSec is fairly loose-knit and ill-defined, and ... in the game for the hell of it. Its claims may be gospel truth, partially true, or much exaggerated ... but if there are security vulnerabilities in [NHS] systems containing sensitive information ... perhaps there is value in that fact being brought to light.
Meanwhile, Matthew Broersma seeks the Simon Cowell angle -- and finds it:
The group first made headlines in May when it published a database of more than 70,000 American X Factor contestants ... including dates of birth and phone numbers.
[This] raises fresh concerns about the security of digital NHS patient data. Last year the Information Commissioner’s Office ... said the NHS had been responsible for almost one-third of all ... breaches in the UK over the previous three years.
Today's Skateboarding Duck...
Don't miss out on OTOH:
- Follow @richi on Twitter
- Pretend to be richij's friend on Facebook
- Catch up with posts from the previous few days
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. His writing has previously won American Society of Business Publication Editors and Jesse H. Neal awards. A cross-functional IT geek since 1985, you can also read Richi's full profile and disclosure of his industry affiliations.