A cybersecurity researcher based in Dublin, Aaron Costello, has uncovered a significant breach involving the personal data of 1.1 million NHS employees, which was made publicly accessible online due to improper configuration settings in Microsoft Power Pages. This particular software platform, utilized by over 250 million individuals each month for website creation, has now come under scrutiny.
The exposed data from the NHS includes sensitive employee details such as email addresses, phone numbers, and home addresses, raising profound concerns about privacy and security.
However, the ramifications of this breach extend far beyond the NHS, affecting organizations across many sectors and government agencies worldwide.
Beyond the NHS data, the exposed material includes internal documents and information belonging to companies using the platform, alongside data from external users registered on the affected websites.
Many of the compromised records contained full names, email addresses, phone numbers, and home addresses, further exacerbating the privacy risks involved.
Speaking with BreakingNews.ie, Mr. Costello emphasized the urgent need for organizations to comprehend the access controls associated with Software as a Service (SaaS) applications like Microsoft Power Pages, which are often overlooked.
“When you make these kinds of mistakes where you accidentally expose data, Microsoft has done a great job of incorporating warning banners and signs in your admin panel on Power Pages. However, I think what has been missing is an understanding of the consequences,” he stated.
He further elaborated, “My research highlights that there are these publicly accessible pages on the internet, allowing anyone to obtain this data. That’s the consequence; it truly becomes public.”
Mr. Costello explained that public entities, such as the NHS, often find themselves in a rush to implement essential services, whether it be Covid-19 appointment bookings or payroll systems for NHS employees. “Security then goes to the back of mind,” he remarked, stressing the need for better security practices.
Despite the Health Service Executive (HSE) using Power Pages, Mr. Costello expressed confidence that they were not impacted by this specific issue but highlighted the necessity of maintaining robust cybersecurity practices at all levels.
He highlighted that the breaches discovered at both the NHS and HSE should serve as a critical reminder about the importance of dedicated cybersecurity funding across sectors. “From a military perspective, people often talk about how Ireland is underfunded, but from a cyber perspective, we are also massively underfunded,” he said.
Mr. Costello added, “A contributory factor to our military issue is we’re a small country, we don’t have numbers, but we have a ton of tech talent in Ireland and in our universities that we should be investing in.”
Commenting on the broader implications of cybersecurity threats, he noted, “When it comes to the likes of the HSE cyberattack and all the ransomware, that’s still echoing today, so we’re not in a place to say ‘oh if it happens, we’ll deal with it then’.”
He further asserted the urgent need to enhance Ireland’s cyber defenses: “We know for a fact that state-nation hacking groups are active, and it’s a gold mine. An attack like this takes minutes to carry out, and who knows what a nation might do with this information? Targeting individuals in these public entities could lead to extortion or blackmail, and the threat is undoubtedly greater than that posed by private organizations.”
Stressing preventative measures, Mr. Costello remarked, “Prevention is much, much better. If you’re a public entity, it’s incomparable in terms of the time it would take to rectify the damage as opposed to properly assessing your access controls and remedying the findings.”
Mr. Costello urged that the forthcoming government prioritize cybersecurity and consider the establishment of a framework for national compliance and standards. “If you look at places like the US and Australia, it is a requirement to adhere to frameworks that mandate specific access controls and encryption for public sector devices,” he articulated. “It’s not optional, but here it seems more lax.”
He called for a foundational plan for a national compliance framework that establishes baseline security standards in Ireland, describing it as a positive step forward.
Pointing to the personal impact of cybersecurity breaches, Mr. Costello acknowledged, “I’ve had family impacted by these issues, even among those who wouldn’t be significantly tech-savvy. A national campaign to educate the public about basic security practices would be immensely beneficial.”
“Raising awareness on issues like multi-factor authentication and advising against sharing banking information over the phone would serve as a fantastic incentive for improved cybersecurity practices nationwide,” he concluded.
**Interview with Cybersecurity Researcher Aaron Costello on the NHS Data Breach**
**Interviewer:** Thank you for joining us today, Aaron. You recently uncovered a significant data breach impacting 1.1 million NHS employees. Can you give us an overview of what happened?
**Aaron Costello:** Thank you for having me. The breach occurred due to improper configuration settings in Microsoft Power Pages, which resulted in sensitive personal data being made publicly accessible online. This included email addresses, phone numbers, and home addresses of NHS employees, which raises serious privacy and security concerns not just for the NHS but for any organization using similar SaaS platforms.
**Interviewer:** It sounds alarming. What are the broader implications of this breach beyond the NHS?
**Aaron Costello:** The consequences are far-reaching. The exposed data isn’t limited to just NHS employees; it also includes sensitive internal documents from various organizations and information about users registered on the compromised platforms. This breach highlights the vulnerabilities in how many organizations handle access controls and data protection in a digital-first world.
**Interviewer:** You mentioned the need for organizations to better understand access control in SaaS applications. Can you elaborate on that?
**Aaron Costello:** Absolutely. Many organizations overlook the complexities of access controls in SaaS applications like Microsoft Power Pages. While Microsoft includes warning signs in their admin panels, there’s often a disconnect in understanding the true ramifications of mishandling these settings. My research shows that public entities, especially under pressure during events like the Covid-19 pandemic, sometimes neglect security—putting sensitive data at risk.
**Interviewer:** What can be done to prevent such breaches in the future?
**Aaron Costello:** Organizations must prioritize cybersecurity by investing in dedicated training and funding. This incident is a reminder of the critical need for strong cyber defenses. Current investments in cybersecurity are insufficient, especially in countries like Ireland, which has a wealth of tech talent that should be harnessed to bolster our defenses against increasing threats from state-sponsored hacking groups.
**Interviewer:** You’ve pointed out that the General Data Protection Regulation (GDPR) and other privacy legislation are not enough if practices are not followed. How can organizations ensure compliance and safeguard data effectively?
**Aaron Costello:** Compliance is just the baseline. Organizations need to foster a culture of cybersecurity awareness that goes beyond compliance checklists. This includes regular training for employees, thorough risk assessments, and continuous monitoring of their systems. By integrating security into their operational practices, organizations can better protect sensitive data and prevent breaches.
**Interviewer:** What message would you like to convey to organizations about cybersecurity moving forward?
**Aaron Costello:** The key takeaway is that cybersecurity should be a top priority, not an afterthought. With the rise in cyber threats, organizations must remain vigilant and proactive. Waiting until a breach occurs to react is no longer viable; they must invest in prevention now, or risk facing severe implications down the line.
**Interviewer:** Thank you, Aaron, for your insights on this critical issue.
**Aaron Costello:** Thank you for having me. It’s important we continue the conversation around cybersecurity to keep our data safe.