On 23 June, the UK Parliament was subject to a sustained cyber attack. Over a period of 24 hours, hackers made 200,000 attempts to access online user accounts, including those of Members of Parliament.
Rob Greig, Director of the Parliamentary Digital Service, told the BBC that the attack had been sophisticated and was more likely to be the result of “state activity” than anything else. Fortunately, Greig and his team spotted the attack in its early stages, but the hackers still managed to access 50 email accounts belonging to around 30 users.
According to the National Cyber Security Centre (NCSC), there has been a “step-change” in state-linked cyber attacks against political institutions, political parties and parliamentary organizations. It also revealed that government departments had dealt with 188 high-level cyber attacks in a three-month period and had blocked 34,550 potential attacks on government departments and members of the public in just the last six months.
In addition to attacks against government departments, public sector organizations are also vulnerable to cyber attacks.
The attack against Parliament came one month after the global ransomware attack known as WannaCry caused widespread disruption for the UK’s National Health Service (NHS). Around 40 NHS trusts and hospitals were affected by that malware outbreak.
Cyber attacks like those against Parliament and the NHS show that the public sector is as much a target for cyber criminals as private companies.
Cyber security experts responded to the attacks by highlighting apparent weaknesses in public sector cyber security. Many public sector organizations run on old computers and IT systems, while cyber security resources are likely to be under pressure, although public sector bodies are often supported by central government cyber security and intelligence agencies, like the NCSC.
Public Sector Data Breaches
Data security and privacy are particularly sensitive issues for public sector organizations, such as those in healthcare, social services and education, which hold large volumes of personal information.
In July, Newcastle City Council revealed that it had leaked the details of thousands of children and their adoptive parents. Personal information on 2,743 individuals contained in a spreadsheet was sent to 77 people in an email attachment by mistake last month, the authority said.
This followed a recent Google DeepMind trial with the NHS reportedly breaking data protection laws, while Gloucester City Council was fined USD 130,000 by the Information Commissioner’s Office (ICO) for a 2014 data breach.
Public sector data breaches have been grabbing the headlines in other countries. Two years ago, a data breach at the US Office of Personnel Management resulted in the theft of more than 18 million social security numbers and other personally identifiable information.
More recently, Canada suffered one of its largest data breaches at a federal department when the personal information of almost 13,000 public servants was inadvertently attached to a department-wide email. In Australia, hackers were found to be offering the details of Medicare card holders on the ‘dark web’.
Tougher data protection laws in Europe are likely to put additional pressure on public sector bodies. For example, the penalties for data breaches in the EU are set to increase substantially under the General Data Protection Regulation (GDPR), which comes into force in May 2018.
Yet research by the ICO found that public sector bodies in the UK still have plenty of work to do if they are to comply with the GDPR. For example, the ICO found that only a quarter of local authorities have a data protection officer in place, despite the GDPR requirement to do so from May. Another survey found that over half of public sector bodies are unaware of the implications of the GDPR while 75% say they are unprepared.
For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.