Irish researcher finds 11 million NHS employee records were leaked
A Dublin cybersecurity researcher, Aaron Costello, has found that 11 million NHS employee records were leaked online because of improper configuration settings in Microsoft Power Pages, a software platform used by over 250 million people a month to build websites.

Mr Costello, who works with AppOmni, previously discovered a computer glitch meant the HSE's Covid vaccination portal left the data of one million people vulnerable.

The NHS employee information exposed was email addresses, phone numbers and home addresses.

But this issue affects organisations in every sector across the globe, as well as government entities.

Aside from NHS, other data exposed includes internal organisation files, sensitive information for companies using the platform and outside users registered on the affected websites.

Many of these also included full names, email addresses, phone numbers and home addresses.

Speaking to BreakingNews.ie, Mr Costello said: "There is a systemic issue with understanding the access controls of software as a service (SaaS) applications like Microsoft Power Pages.

"When you make these kinds of mistakes where you accidentally expose data, Microsoft has done a great job of putting these warning banners and signs in your admin panel on Power Pages. However, I think what has been missing is an understanding of the consequences.

"My research highlights that there are these pages that anyone can access on the internet and they can see this data. There's your consequence: it really is public."

He said the main similarity between the NHS breach and the previous issues with HSE data is they were both publicly accessible portals, one for a Covid portal and the other for NHS payroll information, and both were configured and deployed by contractors.

"Typically what we see with public entities is they have identified a need for some service, a crucial service, whether that's Covid appointments or payroll information for NHS employees, and they're in a rush to get this out and functional. Security then goes to the back of mind," he explained.

While the HSE does use Power Pages, Mr Costello said he does not believe they were affected by this issue.

He said the breaches identified at the NHS and the HSE should serve as a reminder of the importance of cybersecurity funding.

"From a military perspective, people often talk about how Ireland is underfunded, but from a cyber perspective we are also massively underfunded.

"A contributory factor to our military issue is we're a small country, we don't have numbers, but we have a tonne of tech talent in Ireland and in our universities that we should be investing in.

"When it comes to the likes of the HSE cyberattack and all the ransomware, that's still echoing today, so we're not in a place to say 'oh, if it happens we'll deal with it then'.

"We need to upskill our cyber defences. We know for a fact that state/nation hacking groups are active and it's a gold mine. An attack like this takes minutes to carry out and who knows what a nation might do with this information. Targeting individuals in these public entities could lead to extortion, blackmail, but it definitely is a much greater threat than with private organisations.

"Prevention is much, much better. If you're a public entity, it's incomparable the amount of time that it would take to undo the damage, as opposed to assessing your access controls appropriately, auditing them and remedying the findings."

Mr Costello called on the next government to make cybersecurity a priority and look at a plan for national frameworks.

"If you look at places like the US and Australia, it's a requirement to follow frameworks that require certain access controls and encryption on public worker devices. It's not optional, but here it seems more lax.

"A foundation plan for some form of national compliance and a baseline for security standards in Ireland would be a positive move.

"I've had family impacted by these things, people who wouldn't be massively tech illiterate. A national campaign to inform the public about the basics would be great.

"Things like multifactor authentication, don't give your bank information over the phone. I think it would be a fantastic incentive."