Posted on August 22, 2017 at 7:24 PM
SwiftQueue’s Vulnerability Threat to Millions of NHS Patient Files
According to an exclusive report by the Sun newspaper, the NHS has suffered a data breach in its SwiftQueue appointment booking system. According to the report, its database holds confidential records on up to 1.2 million people.
The same report quotes SwiftQueue as saying that its database isn't as big as claimed and that, by its estimate, only 32,501 lines of administrative data have been accessed. That data includes patients' personal details, like names, dates of birth, phone numbers and email addresses, but not patients' medical records. The company also said that patients' passwords are all encrypted.
A website managed by SwiftQueue is used by NHS patients to book GP appointments and check in on arrival. As the Sun reports, someone claiming to be Anonymous said that they believe the public has the right to know how such sensitive data is being handled by big companies such as SwiftQueue. The same person also said that the data had been accessed by using a weakness in SwiftQueue's system that should have been fixed years ago. In addition, the person said they are in possession of the company's entire database, which contains 11 million records and, in fact, includes passwords, contrary to what SwiftQueue has said.
The Metropolitan Police told the paper that they are working on the case and that they have officers in touch with the organization affected. There have been no arrests yet.
Thomas Fischer, global security advocate at Digital Guardian, stated in an email that this type of attack shows that hackers don't always need to break software to exploit it, since sometimes the software is already broken. He continued by saying that enterprises need to secure all points of access to protect their customers. And while many companies are focusing on how they can protect their own data, not many are looking into how third parties treat the data they've been handed.
Another report says that Dutch tech company Philips has found that a web-based reporting tool that tracks radiation doses delivered by X-ray machines and related devices contains security vulnerabilities that could threaten patient confidentiality, system integrity, or system availability.
The report, posted online on 17th August, says that the back-end system for the Philips DoseWise Portal (DWP) uses hard-coded database login credentials and stores these credentials in clear text. According to the notification, the firm has not received any reports of the vulnerabilities being exploited.
But attackers who have elevated privileges are able to access the back-end system files and can exploit the flaw to get into the database. Philips plans to publish a product update this month to eliminate the problem, but in the meantime, users are advised to block port 1433, except where a separate SQL server is used.