The Target: The NHS, the United Kingdom’s National Health Service.
The Take: Exposure of 14,000 employee records containing Personally Identifiable Information including: names, physical addresses, Date-of-Birth, NI numbers, gender, ethnicity, and salary.
The Vector: The unencrypted and unprotected file was accidentally sent to hundreds of in-firm managers, but also to twenty-four external email accounts. The file in question was a spreadsheet which had hidden tab containing the information.
This breach is a stark reminder of how critical data processes and protocols are when handling sensitive information. Furthermore, the information stolen in this attack could lead to highly targeted phishing campaigns against the victims. Regular training social engineering training, specifically around the human need to get tasks done quickly with a focus on “stop and think” methodology is a key component in cybersecurity.