The have computers?
When it's 2pm in London, it's 1975 in Lincoln.
A 0-day security breach at Lincolnshire County Council has exposed locals' medical records, addresses, and bank details, claimed an anonymous tipster, though the council denies any data was stolen. The breach was reported by The Lincolnite, which stated "anonymous reports from inside the council" suggested a major breach of …
Problem is the NHS is split, NHS England is a fragmented mess, NHS Wales does it's own thing as does NHS Scotland, they work under the same banner but they're entirely separate entities.
Difference is that the NHS tends to keep it's public facing infrastructure segregated from everything else, that's changing though and it's politicians driving it as patients demand access..
Because if they say it's a zero day it sounds better than "but LiveUpdate has said there's no updates for Symantec Antivirus for ages... I mean, 2001 is still the latest version our IT policy allows us to support, but you know - we are quite busy with all the austerity and everything. I mean, all these benefit appeals won't deny themselves..."
I've dealt with Public Sector outsourcing companies on they other end of the phone\e-mail for a number of years now and they are_without_ exception ****ing useless. The money the Council will now piss away in fixing this could have been better spent by ensuring adequate levels of skilled internal resource. you know the kind of people who actually understand your site...
I hope who ever approved using Serco is now getting a rather stern talking to. The fact that they had to resort to simply turning everything off is rather telling. IMHO, the Council CIO should be considering their position.
InfoSec we've heard of it...
Having said that, they probably work for Serco as well. I look forward to the inevitable Freedom Of Information requests. The people who fought this internally will also now be looking for blood.
"As part of a campaign into UK councils' cyber security conducted last year, The Register was told that Lincolnshire County Council's AV solution(s) - the specifics of which the council declined to disclose - had thrown up 196,553 malware alerts in 2015."
195,553? WTF? Where were they browsing?? I had exactly 2 malware detections via Malwarebytes in 2015 - both from files I probably shouldn't have downloaded - and none whatsoever from spam emails.
"Where were they browsing??"
Idle hands... :-) I'm only half kidding, and it's not just a government thing. I post on The Reg and the like while I'm trying to solve a problem or wait for something to finish. There are some people in large companies (and local councils also) who do very little beyond manning a desk for the entire day. I think God that I've never had to manage the internet connection at some of the places I've worked, but I've heard many stories.
Anecdotal evidence is all well and good but I imagine you don't have quite the same footprint as an entire county council. I agree that if those detections are desk side then that's poor, but if they're on the appliances they use to filter overall access to the outside world then I'm sort of surprised they're so low. The AV on our outermost mail filter has picked up more than that from spam floods in the last six months.
Please open this invoice and all that.
The worst thing that has happened recently to places that have no IT, or awful contracted IT, is Cryptolocker and the like. It's the perfect storm of users demanding to be administrators, looking for dodgy Internet content and never backing up their stuff. It may have been a zero day breach, or it may have been an "Oh crap, shut everything off before the entire file server gets encrypted!"
Staff at Lincolnshire are warned that the normal activation at 10:00 am is still on to accommodate early starters, however there is a noted overlap with the closing down of the LAN to accommodate the early leavers.
On X's return to work from Anuual Leave it is expected for re-infection to occur so we can all have some well deserved downtime again.
Ok, admittedly I live in a country far, far away from the UK, but I'm struggling to think of why a local council would have access to anyone's medical records.
Because, in the fucked up remains of the NHS, social care services (and mental health care, in some cases) are largely controlled and run by local councils nowadays.