The NHS has confirmed that 113 internal email accounts were compromised and used to send malicious spam outside the health service around two weeks ago.
A brief NHS Digital statement issued on Friday revealed that the incident occurred between Saturday May 30 and Monday June 1 2020.
It claimed the security snafu affected a “very small proportion” of NHS email accounts, around 0.008% of the 1.4 million total, and was linked to a wider campaign designed to steal victims’ log-ins.
“There is currently no evidence to suggest that patient records have been accessed. We are working closely with the National Cyber Security Centre (NCSC), who are investigating a widespread phishing campaign against a broad range of organizations across the UK,” it added.
In fact, the NCSC first raised the alarm about the campaign back in October last year, claiming that automated attacks designed to harvest credentials had been active since at least July 2018 and were spreading “indiscriminately” across multiple verticals.
“In this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email,” it explained.
“More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be in the recipient’s name, the email address or may just be blank.”
Clicking on a link in the email would take the user to a fake log-in page featuring their organization’s logo and their email, the NCSC said.
All those affected by the latest NHS-based attacks will have been notified by today, NHS Digital claimed. It argued that since implementing a “new password approach” there has actually been a 94% decrease in phishing emails sent to NHSmail accounts over the past year.
“We are investigating this issue and have taken the precaution of asking all mailboxes that have a similar configuration to the compromised accounts to change their passwords with immediate effect,” NHS Digital concluded.
“We have worked with the organizations involved to isolate affected accounts, supported them to make any necessary changes and have advised affected individuals.”