Welcome to our June 2023 review of cyber attacks and data breaches, where we review the biggest security incidents across Europe.
That includes a pair of data breaches in Ireland in which employees leaked sensitive information, and a ransomware attack targeting the Swiss government. You can find out about each of those incidents in our latest article.
Public Appointments Service leaks jobseekers’ info in ‘admin error’
The authority that handles recruitment to Ireland’s civil service admitted this month that it had accidentally leaked candidates’ personal data.
In a message sent to affected individuals, the PAS (Public Appointments Service) said that 15,471 people were affected by the incident.
The PAS described the incident as an “administrative error”, and explained that an employee inadvertently included candidates’ names and a list of job roles they wished to be notified about in a mass email.
According to the Business Post, 529 people opened the email before the publicjobs.ie portal recalled the message.
The recipients were current or prospective employees of the civil service, and although the data breach is closely linked to the Irish government, the PAS is an independent agency that provides recruitment, assessment and selection services to public sector clients.
In its notification, the PAS wrote: “Due to an administrative error when collating the mailing list for this message, your name and list of Job Alert notifications you have subscribed to may have been provided to another candidate as part of this message.”
It added that those who “may have received a message containing another person’s name and Job Alert list” should delete it.
The PAS has notified the Data Protection Commission about the incident, and confirmed that “no further personal information, bar the list of job alerts subscribed to by the named person, and that person’s name, was involved in this data breach, and that all potentially impacted persons have now been contacted”.
UL Hospitals Group discloses major data breach
There’s more bad news for Ireland’s public sector, as the UL Hospitals Group disclosed a data breach at the beginning of June in which over 1,000 patients’ data was compromised.
The hospital group, which manages six hospitals in the Mid-West Region, said that a member of staff had accidentally emailed sensitive data to an unidentified recipient.
This included patients’ names, dates of birth, medical chart numbers and “limited medical information”. However, it did not include contact details such as phone numbers or email addresses.
In a statement, UL Hospitals Group explained that the affected patients included those who received gastroenterology services at University Hospital Limerick, Ennis Hospital and Nenagh Hospital between 2018 and 2023.
The organisation reportedly discovered the breach in January and promptly disclosed the incident to the Data Protection Commissioner. It has since attempted to retrieve the email and discover the identity of the recipient, but it has been unsuccessful so far.
It has also completed an investigation into the data breach, which indicated that the recipient has not attempted to use the compromised information for malicious purposes.
Although this is positive news for affected patients, who are only now being informed of the breach, it doesn’t necessarily mean that this was a false alarm. Any time that confidential information is improperly disclosed it poses a risk, and the fact that this incident went undetected for five years should be concerning.
After all, the UL Hospitals Group has a poor recent record with data security. In April 2020, allegations emerged that an unauthorised employee shared personal and medical data of 630 patients, including 95 children, who visited the Emergency Department at University Hospital Limerick.
The group was also embroiled in the 2021 ransomware attack against the Health Service Executive, which crippled hospital systems and compromised 100,000 people’s personal data.
This latest incident looks as though it poses a much less significant risk, but the continued reports could contribute to a negative public perception regarding the safety of their health data.
Swiss government fears that data was stolen in ransomware attack
Police in Switzerland have launched an investigation after a ransomware attack took down the IT services of several government departments.
The Swiss government confirmed that the malware infected Xplain, a third-party software provider used by the country’s army and various national and regional government departments.
Xplain said the attack began on Saturday, 3 June, with its systems being crippled and data encrypted. It attributed the attack to Play, a ransomware group that emerged last summer in a series of high-profile attacks.
The ransomware group has reportedly posted some of the data on the dark web, while Xplain said it has refused to negotiate with the gang. This follows the guidance often given by cyber security experts, who note the many problems with giving in to cyber criminals’ demands.
For a start, paying off the criminals encourages – and could even fund – further attacks, and your own organisation could be targeted again.
There is no guarantee that the crooks will stick to their word and return the data once they’ve been paid, and victims are still subject to their data breach notification requirements even if they get their information back.
Are you prepared for a cyber attack?
If you’re facing a cyber security disaster, IT Governance is here to help.
Our Emergency Cyber Incident Response Service offers the necessary support to deal with the incident, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.