View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 13, 2017updated 14 Mar 2017 8:25am

NHS Wales staff data stolen in cyber security breach

Thousands of NHS Wales staff have had personal data stolen by hackers who attacked third-party contractor.

By Tom Ball

Personal data details of thousands of Welsh NHS staff including names, dates of birth, National Insurance numbers and radiation dosage has been stolen following a breach of a third-party contractor server.

The third-party contractor, Landauer, was compromised last October, and from the system details were taken from members of staff who work with X-rays. Landauer are contracted to process the data associated with this area.

A key question of concern is when the hackers will choose to put the stolen data to use, with previous examples involving a significantly staggered time period before any further action. This was evident in recent news of leaked gamer details stolen in 2015.


                                 READ MORE: Huge data loss scandal rocks NHS

Laurance Dine, Managing Principal, Investigative Response, Verizon, said: “Details on how this breach was perpetrated haven’t been disclosed, but in the coming days and weeks we will almost certainly see a great deal of speculation over how, who and why. However, what certainly isn’t new here is the five-month delay between when the incident occurred and when those affected were notified.”

Dine highlights another key area of concern, as the time between the breach and the notification of affected individuals is extensive, bringing into question how long it took before the breach was even noticed.

Rashmi Knowles, Chief Security Architect, RSA, said: “The Welsh NHS must consider itself very lucky that the EU GDPR is not yet in play. Otherwise it would be facing a colossal fine, and rightly so. The breach itself is not even the biggest issue. The most disappointing part is the way that the NHS responded to it or, more accurately, failed to respond. The EU GDPR stresses privacy by design, meaning that following bad processes is what will cause the biggest fines – as is the case here. Under the new regulations, all organisations will need to disclose within 72 hours of the breach being discovered. The five months it has taken in this case is quite frankly shocking.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.