Thursday, April 3, 2025

The UK’s Information Commissioner’s Office (ICO) has slapped Superior with a hefty fine over multiple breaches of data protection regulations that allowed the company to fall prey to the LockBit ransomware attack.

The U.K. data protection authority has imposed a provisional fine of over £6 million on NHS supplier Superior, following revelations that the company failed to adequately safeguard the personal data of hundreds of people, which was subsequently stolen in a devastating ransomware attack.

The UK’s Information Commissioner’s Office (ICO) revealed that it launched a probe following a high-profile ransomware attack in August 2022, which initially compromised several health and social care systems through an unsecured customer account lacking multi-factor authentication.

The NotPetya cyberattack on Superior’s IT systems had a ripple effect throughout the UK at the time, causing widespread disruption that crippled the NHS non-emergency 111 service and forced hospitals and medical practices to revert to manual record-keeping for several weeks. Physicians at NHS trusts impacted by the crisis revealed that they

According to Mandiant, which analyzed the hacking incident, the attackers leveraged malware linked to the notorious LockBit ransomware group, despite the fact that LockBit never publicly acknowledged involvement through its dark web leak site. This could indicate that the hacked firm paid a ransom.

By October 2022, Superior revealed that its network was breached by cybercriminals who used legitimate third-party login credentials, suggesting a lack of robust multi-factor authentication.

The ICO appears to be corroborating this notion.

The UK Information Commissioner’s Office has provisionally imposed a fine of £6.09 million (approximately $7.75 million), following an investigation that found Superior had breached information security legislation by failing to implement adequate safeguards prior to the breach, thereby putting personal data at risk.

The watchdog further confirmed that the cyberattack resulted in the theft of personal data affecting nearly 83,000 people in the UK, including phone numbers, medical information, and details on how to gain access to the homes of 890 individuals receiving in-home care.

The fine is provisional, the watchdog noted, meaning the final penalty may change. ICO Commissioner John Edwards explained that the decision to publicly disclose this case was motivated in part by a desire to prevent similar incidents in future.

Edwards urges organizations, especially those handling sensitive healthcare data, to immediately secure external connections with robust multi-factor authentication in place.

Superior spokespeople failed to respond to queries prior to publication.
