The computer systems of dozens of public bodies from hospitals and councils to museums and watchdogs have been breached more than 400 times in the last three years by cyber criminals seeking to extort money, cause disruption or extract data, Johnston Press Investigations can reveal.
The ability of hackers to provoke chaos in Britain’s public sector was confirmed in alarming fashion in May when the WannaCry data-encryption ransomware attack struck hospitals across the UK, forcing the cancellation of thousands of operations and appointments.
But data obtained under Freedom of Information rules can reveal for the first time the full extent to which the cyber defences of Britain’s public bodies are being penetrated on a regular basis.
Between March 2014 and April this year there were 424 successful attacks, mostly using ransomware, on the computer systems of 182 NHS bodies, local authorities and other public bodies. A total of 111 UK councils reported 256 ransomware incidents.
These incidents, the vast majority of which have not been previously made public, range from the blocking hospital websites for months at a time to the encryption of 20,000 adult social care records at an English local authority.
Despite such attacks being criminal acts, many are going unreported to the police or are undetected when they are reported. Nine health service trusts and several councils confirmed that they had not reported successful breaches of their security systems to law enforcement while one NHS trust said it had been told by police that an attacker had been found to be outside the European Union and therefore no further action was taken.
One leading expert told JP Investigations that hackers were targeting with the NHS with “murderous intent” in the full knowledge that attacking the computer systems of hospitals put lives at risk.
The investigation also shows that the Wannacry attack, which affected 47 NHS trusts in England and Wales and 11 NHS boards in Scotland, was preceded by more than 50 other successful cyber attacks on the health service. They ranged from denial of service attacks and the defacing or blocking of websites to 36 ransomware incidents at 17 hospitals where data was encrypted and users received a demand for payment to secure its return.
In keeping with government policy on ransomware attacks, none of the NHS trusts, councils or other public bodies whose systems were breached paid for the release of the data and all insisted that no data was stolen.
The investigation revealed one incident in which a ransom had been paid. Queen’s University Belfast told JP Investigations that it was aware of an incident in which £400 was paid by a “user” of its networks, understood to have been a researcher. In a statement, the university, which also hosts one of Britain’s leading cyber security research units, said it had not sanctioned the payment, adding: “It should be noted that university policy is that ransoms are not paid - this was an exception.”
Public sector organisations are not alone in suffering a daily onslaught of attempts to infiltrate their computer systems. At least one in five British companies reported that they were victims of at least one hacking attack last year.
Tens of thousands of attacks are successfully repelled by public and private sector bodies on a weekly basis. But many corporations and large organisations have privately reconciled themselves to the fact that a number of hacking attempts will be successful each year and begun to take out insurance policies to cover themselves for such eventualities..
The new figures emphasise the particular vulnerability of public bodies to the growth in cyber crime because of the highly confidential nature of the data that many hold and the years of under-investment in computer security and the legacy systems that many operate.
Barts Health NHS Trust in London, which had to cancel more than 400 operations as a result of the Wannacry attack, acknowledged that it had “paid a price for very long-term under-investment in IT infrastructure”.
One leading expert told JP Investigations that there should be no doubt about the motives of those behind attacks on hospitals, which can have effects from locking up vital data to rendering computerised equipment inoperable.
Dr Tim Owen, director of the University of Central Lancashire’s Cyber Crime Research Unit, said: “These people targeted the NHS because they wanted to cause maximum danger and disruption to people’s lives. These individuals had murderous intent.
“These are not lovable rogues - they want money, but they also want to cause maximum disruption to an entire society. Hacking into the NHS means people’s lives can be put into grave danger.”
The enhanced threat from cyber criminals has coincided with many public organisations refusing to reveal details of the number and nature of nature of attacks against them, arguing that to do so would make them more vulnerable to attack.
All Whitehall departments refused to disclose any information and more than half of NHS trusts and one in ten councils who responded to the FOI request from JP Investigations refused to answer any of the questions put to them, with several citing terror laws as grounds for withholding information.
One trust, Dorset County Foundation NHS Trust, rejected the request by quoting the “Freedom of Information Amendment (Terrorism and Criminal Intelligence) Act 2004”. This is a law drawn up for New South Wales in Australia and has no validity in Britain.
Where data was provided, it shows the wide range of information and effects of cyber attacks.
Milton Keynes Council revealed it had seen 20,000 of its adult social care records encrypted in a ransomware attack in the last financial year. The local authority admitted that some of the files were confidential but said it had been able to restore the information from a back-up and had not paid the ransom.
Several prominent organisations, including the Human Tissue Authority (HTA), the National Gallery in London and UK Sport, said they had been the victim of attacks.
The HTA, the regulator for the use of human tissue and organs, admitted that one of its laptops was infected with ransomware last year but said no data had been lost and no ransom paid.
The National Gallery said it had suffered two successful ransomware attacks by a predecessor to the Wannacry bug, known as Cryptolocker, between 2014 and 2016; while UK Sport said an “unauthorised person” had gained access to one of its email accounts for three hours to conduct an attempted phishing scam which had resulted in the disclosure of 26 email addresses.
Several organisation were hit by repeated ransomware attacks, including Barnsley Metropolitan Borough Council, which suffered 13 incidents in the last three years, and Stockport NHS Foundation Trust, which saw six attacks between 2014 and 2016. In neither case was data lost nor a ransom paid.
A number of NHS organisations also had websites defaced, including Princess Alexandra Hospital in Harlow, Essex, which saw one of its sites taken offline for several months. The Pennine Acute Hospitals Trust in Great Manchester said its website had been replaced for a period last year with an image of a hacker in a hooded top.
NHS Digital, which oversees computer security for the health service, insisted that successful attacks on the health service remained rare but emphasised that individual health trusts had an obligation to report all incidents to the authorities.
A spokesman said: “It is important that health and care organisations meet their obligations to report serious cyber incidents to NHS Digital and all relevant authorities. Such incidents are not routinely published due to security risks but occur rarely.”
The Local Government Association said councils recognised that they held “incredibly sensitive information”. Gerald Vernon-Jackson, former vice chairman of the LGA, said: “If that information gets into the wrong hands it puts them at significant risk. On the whole council IT systems are particularly good because they rely on them so much. Without decent IT, all councils would find things very, very difficult - but like with the NHS it can be that we get stuff that gets through.”