NHS Denies Data Was Exposed in Stor-a-File Hack
All Affected Clients Contacted, Including a Small Number of NHS Trusts
Reports of National Health Service (NHS) data in England being exposed following a ransomware attack on U.K.-based data capture and storage company Stor-a-File are incorrect, an NHS England spokesperson tells Information Security Media Group. Stor-a-File's clientele includes NHS hospital trusts, GP practices, local councils and others, but the spokesperson tells ISMG, "Most NHS data was held offline and not affected in the Stor-a-file hack."
This contradicts an earlier report by the U.K.-based newspaper The Daily Mail, which claimed that NHS records containing sensitive medical documents have been dumped on the dark web.
"NHS trusts have a responsibility to ensure records and data are stored securely. While police continue with their investigation, Stor-A-File Ltd has contacted all clients who have been affected by this breach, including a small number of trusts, so they can take appropriate action," the NHS England spokesperson says.
The data storage company confirmed this statement, telling ISMG, "The 950,000 boxes of documents that Stor-a-File holds for clients have not been affected, and this includes the various NHS trusts data." The company spokesperson says the business has always taken both on-site security and cybersecurity extremely seriously and adds, "The National Crime Agency has been offering support and advice to some of those affected by this incident."
ISMG contacted the agency, which stated, "The NCA is aware of a data breach incident that impacted Stor-A-File Ltd. and has offered its expertise and support to partners."
For further information, the NCA directed ISMG to the Leicestershire Police Department, which it confirmed is investigating the incident. The police department did not provide details on the progress it has made, simply telling ISMG that it had "received a report relating to a data breach at a company in Syston, Leicester, and enquiries are ongoing."
"In early September, we became aware that we had become the victim of a sophisticated ransomware attack by a criminal organization," a Stor-a-File spokesperson tells ISMG. A total of 13 companies were affected, six of which were health-related, the spokesperson adds.
These include Lister Fertility Clinic and Nuffield Health Leicester Hospital, according to British news agency the BBC, and clinics run by Marie Stopes and the British Pregnancy Advisory Service, according to The Daily Mail report. The Lister clinic said its medical records included consent forms, medical history and test results, recommendations for treatment and fertility treatment records but did not include financial information such as credit or debit card details.
The Cl0p ransomware group has been identified as being involved in this attack, the Stor-a-File spokesperson tells ISMG, citing the initial findings of the cybersecurity specialists and the police department investigating the incident.
Stor-a-File says that it appears the cybercriminals gained access through a security vulnerability in its third-party SolarWinds Serv-U FTP software. It did not disclose the exact details of the vulnerability, so any assessment is speculative, but according to SolarWinds' July advisory, a vulnerability tagged as CVE-2021-35211, if exploited, gives privileged access to the machine hosting Serv-U software.
"This attack is a Return Oriented Programming (ROP) attack," the advisory notes. "When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands."
The vulnerability, which was found by Microsoft Threat Intelligence Center, affected Serv-U version 15.2.3 HF1 and all prior builds. MSTIC at the time noted that threat actors were actively targeting this vulnerability in the wild, but the security blog made no mention of the Cl0p ransomware group.
Stor-a-File confirmed that it did not pay any ransom to the attackers and instead used its backed-up data to return to normalcy. "We have cleaned, restored and patched our affected systems using backups, and Stor-a-File is now operating as normal," the company spokesperson says. As a countermeasure and to avoid such incidents in the future, the company has removed all third-party software from its critical systems.
The Information Commissioner's Office, the NCA and the Leicestershire Police Department were all informed immediately after discovery, due to GDPR compliance concerns. The ICO acknowledged this and tells ISMG, "People have the right to expect that organizations will handle their personal information securely and responsibly. We are thus enquiring into this incident so that such incidents are not repeated."
Claims of Data Dump
In contrast to what the compromised company and the authorities have told ISMG, the earlier report by The Daily Mail claimed that NHS records containing sensitive medical documents have been dumped on the dark web, citing Stor-a-File's decision not to pay a ransom as the reason behind it.
The Cl0p ransomware group is known to publish or dump such records on its own Clop Leaks website hosted on Tor. ISMG did not find any data dumps related to the NHS or its respective trusts on this leak site when we checked it prior to publication, but we did find a message posted on its homepage in which the operators alert site visitors about other groups impersonating it and using its brand name to siphon off money.