Multiple UK councils have warned that citizens’ personal data may have been breached following a ransomware attack on a medical equipment supplier.
Nottingham Rehab Supplies (NRS) Healthcare, which supplies health and care equipment to numerous local authorities across the UK, was hit by a ransomware attack at the start of April 2024.
The attack resulted in the NRS website being taken offline.
The company said it is currently in its “recovery phase” following the incident.
A number of UK local authorities have now revealed that NRS has informed them that personal data of residents may have been breached by the attackers.
East Lothian Council said in a statement on May 14 that specialist teams are currently investigating the extent of the attack, although it does not yet know if any personal data has been compromised.
Similarly, Waltham Forest Council said on May 16 that it has been made aware of a possible breach, but does not currently know whether personal data has been compromised.
“If Waltham Forest is advised that residents’ data is included in the breach, we will immediately contact both the Information Commissioner’s Office (ICO) and the individual themselves. The safety and security of our residents is our top priority,” the council commented.
Camden Council in London has also reportedly been affected by the attack but is unaware of whether personal data has been accessed.
Buckinghamshire Council stated on May 16 that personal data has been breached as a result of the attack on NRS.
“The council is working with NRS Healthcare to understand the extent of the breach and will contact our affected clients directly if their information has been taken,” Buckinghamshire Council said. “We have also informed the ICO and will work with them on any further steps we need to take.”
Residents Told to Prepare for Social Engineering Attacks
The impacted councils have warned their residents to be vigilant for social engineering attacks and to be extra cautious about unsolicited emails, text messages, phone calls and home visits.
East Lothian Council said: “Please remember that any official visitors will carry branded identification badges, which you should ask to see before you allow access to your home. Genuine callers will always be happy to present their ID badges.”
East Lothian is also recommending service users consider regularly changing their key safe number, if they have one.
William Wright, CEO of Closed Door Security, said that the delay between the attack taking place and customers being warned potentially means residents across the UK have had their data lying in the hands of a dangerous ransomware group for many weeks.
“NRS Healthcare has a duty to provide information on this attack as a priority. If the data of councils across the UK has been compromised, these victims must be aware of this so they can take necessary steps to protect themselves online,” Wright added.
Another Reminder of Third Party Risk
The incident is another reminder of the risk posed to organizations by sharing confidential data with third-party suppliers.
Brian Boyd, Head of Technical Delivery at i-confidential, stated: “You can't outsource accountability for the security of your data. This incident is a reminder to understand the data your suppliers hold and how secure each supplier is. This shouldn’t only be done when contracts are signed, but continually, based on their risk profile, to ensure their defences are keeping pace with modern attack trends.”
On May 14, banking giant Santander confirmed that customer and employee data was breached following a compromise of a third-party provider.