In October 2016, hackers stole the personal information of thousands of medical staff working for NHS Wales after storage servers were attacked at a third party premises.
The data was stored and processed by private IT contractor, Landaur, who looked after this information on behalf of NHS Wales. A total of 4,766 people were affected by the incident including 3,423 NHS Wales staff and 1,343 customers using private hospitals, dentists and vets in England and Scotland. Amongst the information stolen was names, dates of birth, national insurance numbers and data on radiation exposure from staff who worked with x-ray equipment.
The extent of this attack cannot yet be quantified as the hackers have yet to use this information but it is thought that data of this kind could be sold and used by others to obtain loans or mortgages under false names in the future.
Despite the incident occurring in October 2016, the NHS trust in Wales was not informed of this breach until January this year and have currently announced that they are ‘working with Landaur’ to understand the delay in communication and prevent further incidences of this kind occurring.
This statement as a response to the breach comes across as pretty lame given the extent of the damage caused by compromised data, and it is clear that both NHS Wales and Landaur will be suffering the reputational and financial damage for years to come.
The impact that this kind of attack can have on any business is huge and whilst it might seem that the effects on a company like the NHS are proportional to their size, a data breach like this can often be far more damaging to smaller companies who are less prepared.
It tends to boil down to this: small businesses are less likely to have robust security protection on their data due to the limitations of budget and resources. This makes them an easier target for hackers and increases the chances of an attack. Whilst a security breach on a larger company can appear to be devastating, small businesses suffer the financial implications far harder as their recovery processes may not be as well equipped to deal with the fallout, facing not only the damaging impact of reputation loss but also the crippling fines associating with data protection breaches.
Cases like NHS Wales demonstrate that cyber security is no longer simply a consideration for a business but should become a priority, ensuring companies are fully protected in the event of a cyber attack.