Is this going to work? Can you really sue to prevent the publication of documents that were stolen from you?
Barts Health seeks High Court block after Clop pillages NHS trust data
Barts Health NHS Trust has confirmed that patient and staff data was stolen in Clop's mass-exploitation of Oracle's E-Business Suite (EBS), and says it is now taking legal action in an effort to stop the gang publishing any of the snatched information. The UK's largest NHS trust, which runs five major hospitals across London, …
COMMENTS
Monday 8th December 2025 13:31 GMT alcachofas
Re: Your data is perfectly safe.
Yeah that’s a crummy statement. Especially as they’re just throwing words in to make it sound like a higher bar.
Access to compressed files means nothing. That sentence should just read “the risk is limited to those able to access the dark web”. Which frankly isn’t much of a relief!
Monday 8th December 2025 12:59 GMT Anonymous Coward
Re: Is this an attempt to stop the press talking about Barts?
Maybe they're trying to limit reporting. Maybe they're setting it up so that if people use the data to try to blackmail/extort then they'll be able to get an easy conviction for breaching the injunction by using/sharing the data.
Monday 8th December 2025 22:51 GMT Tron
Re: Is this an attempt to stop the press talking about Barts?
I think it is just to stop the media reporting stuff in the UK. The government use D-Notices. Celebs use superinjunctions.
If UK celebs were involved, foreign media wouldn't be interested. It is just to block the UK tabloids and TV news. It may be that they are better protected from being sued if they have made an effort to block data releases.
Now they have done this, there is more chance that the Streisand effect may kick in.
Stuff gets hacked all the time, most of the data is dull and worthless, and sorting anything juicy from the noise is next to impossible. The NHS can't afford ransoms. I doubt they can afford lawyers, so I'm not sure there was much point in all this.
Weirdly, hackers never seem to go after government e-mails, which would be interesting. I guess they are more interested in bagging a few quid from low hanging fruit.
As always: Design out the problem. Your intranet (and infrastructure) should never connect to the public internet. Ditch the scams of SaaS, AI and cloud storage, which are designed to make money for GAFA at the expense of your security. Treat internet-connected systems as high risk and disposable, retaining minimal data on them, transiently. Air gap your net connected systems from your intranet with staff. Two screens on each desk. Use the larger webmail services for your company e-mail and benefit from their malware filters.
Monday 8th December 2025 12:16 GMT Alan Mackenzie
Negligence?
> Barts is now one of the highest-profile victims to confirm data exfiltration, joining a growing list of public bodies, universities, and other organizations caught in the blast radius.
It seems abundantly clear that storing personal data on an internet facing computer is unsafe. Given how easy it is to "steal" such data, it would appear to be negligent on the part of the data controllers to store it so accessibly.
How long is it going to be before a victim of such negligence (successfully) sues the data controllers?
Monday 8th December 2025 18:13 GMT CorwinX
Re: Negligence?
Sounds right to me.
It's not just about OS/DB systems. Who is the "owner/controller" of the data and what steps did they take to keep it secure?
That's not scapegoating - very little anyone can do about zero-days in advance.
It's about how effective the *response* is to what's already happened.
To use the venerable "horses have bolted" analogy - first fix the gate *then* round up the horses!
Tuesday 9th December 2025 17:44 GMT Herring`
Re: Negligence?
It's an interesting question. I mean, I have a static IP address, I could stand up a box at home with MS Access and offer to host people's sensitive data. Anyone taking me up on the offer would be negligent. Given the repeated high-profile breaches, are data controllers who choose any of the major cloud providers negligent? Proving that in court would be tricky but I would love to watch the fallout.
Monday 8th December 2025 12:25 GMT may_i
Negligence
Sensitive personal data should be encrypted at rest.
If proper IT policies were in place at Barts, it should have been impossible to steal any data. So why was it possible and when will the responsible people at the trust be held accountable for their negligence?
Proving that you have absolutely no idea what you are talking about by saying things like "risk is limited to those able to access compressed files on the encrypted dark web." does not help your case.
Monday 8th December 2025 13:35 GMT alcachofas
Re: Negligence
“Sensitive personal data should be encrypted at rest”
Do we know it wasn’t? This was an exploit of the software that reads the sensitive data, which will definitely have the means to read the data.
Your database files can be as encrypted as you like but if you give me a login to your database I can read your files…
(Though I totally agree on their awful statement)
Monday 8th December 2025 16:20 GMT Anonymous Coward
Here we go again...
When will Barts start parroting "the security of our patients' data is very important to us"?
Because it clearly wasn't.
In 'Ye Olde Days' (tm) of IT when we had computers the size of football pitches, we used to have regular audits, of security, processes, resilience and recoverability (hot standby/DR etc.) to ensure these sort of things couldn't happen.
Today it seems you just hire numpties who get AI to do all their work, then just dump terabytes of personal customer or business data into some random cloud, and hope for the best.
Where is the accountability? At any level? In 'Ye Olde Days' I and others would have lost our jobs immediately over something less than half as bad as this complete omnishambles.