Weekly podcast: NHS upgrade, $242m Equifax loss and prison hacker jailed

This week, we discuss a new deal between the NHS and Microsoft, the financial cost of Equifax’s massive data breach, and a jail sentence for a hacker who altered prison records.

Hello and welcome to the IT Governance podcast for Friday, 4 May 2018. Fourth of may be with you. Or something like that. Here are this week’s stories.

The Department of Health and Social Care has signed a deal with Microsoft to upgrade the NHS’s extensive IT estate to Windows 10 in an attempt to bolster its cyber resilience in the wake of last year’s WannaCry ransomware outbreak.

WannaCry had a major impact on the NHS, affecting at least 81 trusts, a further 603 primary care and other NHS organisations, and 595 general practices. Thousands of operations and appointments were cancelled as a result of the infection, according to the 2017 National Audit Office (NAO) report on the incident, Investigation: WannaCry cyber attack and the NHS.

Cindy Rose, the chief executive of Microsoft UK, said: “The importance of helping to protect the NHS from the growing threat of cyber-attacks cannot be overstated. The introduction of a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure.”

The upgrade is part of a £150 million investment over the next three years to bolster the NHS’s cyber defences.

Rob Shaw, the deputy chief executive of NHS Digital, commented: “The additional funding will mean we can add an extra layer of protection, whilst boosting our existing services, with real time monitoring of NHS networks and the ability to see potential threats right down to individual NHS organisations.”

Equifax’s huge data breach, which compromised the personal data of 147.9 million people last year, has so far cost the consumer credit reporting agency $242.7 million according to its financial report for the first quarter of 2018.

However, a large part of the loss has been offset by the company’s cyber insurance: Equifax announced that it maintains “$125 million of cybersecurity insurance coverage, above a $7.5 million deductible”, and, since announcing the cyber security incident in September 2017, has “recorded insurance recoveries of $60.0 million and received payments of $50.0 million for costs incurred to date”.

Unsurprisingly, Equifax plans to spend heavily on IT and data security in the coming months. On a conference call with analysts, Equifax’s new CEO, Mark Begor, said:

“We’re being very aggressive about attracting the absolute best talent in the IT and data security space. We’re investing heavily to ensure we’re market leaders around data security and we will also enhance the transparency of all our transformation efforts with all our constituents, our customers, consumers and the public as we drive this transformation forward.”

Finally, when 27-year-old Konrad Voits of Ypsilanti, Michigan, hacked into the network of the Washtenaw County Jail last year in an attempt to get an inmate released early by altering their records, he probably wasn’t expecting to end up with an 87-month prison sentence himself.

Bleeping Computer reports that “Voits used email spear-phishing and telephone social-engineering to trick Washtenaw County Jail employees into downloading and running malware on their computers.”

Using this malware, Voits obtained the usernames, passwords and other information of more than 1,600 Washtenaw County employees, which he used to access the County Jail’s records. He then modified at least one entry in an attempt to get an unnamed inmate released early. Jail employees noticed the modification and alerted the FBI.

According to a press release from the US Department of Justice’s Eastern District of Michigan, “Washtenaw County spent thousands of dollars and numerous extra work hours responding to and investigating the breach, resulting in a loss of at least $235,488”.

As well as being jailed for up to seven years and three months, “Voits forfeited all interests he had in some bitcoins, and in various electronic devices, including a laptop, an integrated circuit component, and several cellular phones”.

Nice try, Konrad.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.