Investigation of Russian hack on London hospitals may take weeks amid worries over online data dump

An investigation into a ransomware attack earlier this month on London hospitals by the Russian group Qilin could take weeks to complete with some patients needing to undergo repeat tests


By PAN PYLAS, Associated Press

June 22, 2024, 7:20 AM


LONDON -- An investigation into a ransomware attack earlier this month on London hospitals by the Russian group Qilin could take weeks to complete, the country's state-run National Health Service said Friday, as concerns grow over a reported data dump of patient records.


Hundreds of operations and appointments are still being canceled more than two weeks after the June 3 attack on NHS provider Synnovis, which provides pathology services primarily in southeast London.


The attack affected King’s College and Guy’s and St Thomas’ hospital trusts, which run several south London hospitals, as well as clinics and doctors’ practices across a swath of the city. A memo to staff called it a “critical incident” and said it had a “major impact” on services, particularly blood transfusions.


NHS England said Friday that it has been “made aware” that data connected to the attack have been published online. According to the BBC, Qilin shared almost 400GB of data, including patient names, dates of birth and descriptions of blood tests, on their darknet site and Telegram channel.


“The National Crime Agency and National Cyber Security Centre are working to verify the data included in the published files as quickly as possible,” NHS England said in a statement. “These files are not simple uploads and so investigations of this nature are highly complex and can take weeks if not longer to complete.”


According to Saturday's edition of the Guardian newspaper, records covering 300 million patient interactions, including the results of blood tests for HIV and cancer, were stolen during the attack.


A website and helpline have been set up for patients affected.


“We understand the distress this will cause patients who have to re-test,” NHS England said.


The National Crime Agency has confirmed that it is leading the criminal investigation but said it is unable to comment further.


Ransomware involves criminals paralyzing computer systems with malware, then demanding money to release them. Ransomware is the costliest and most disruptive form of cybercrime, affecting local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice.


Britain’s state-funded health system has been hit before, including during a 2017 ransomware attack that froze computers at hospitals across the country, closing down wards, shutting emergency rooms and bringing treatment to a halt.


Qilin, also known as Agenda, advertises on dark web cybercrime forums and leases malware to affiliates who use it to conduct attacks for a percentage of ransom payments, said Louise Ferrett of Searchlight Cyber, a threat intelligence company. The group has listed more than 100 victims.




Car dealerships are being disrupted by a multi-day outage after cyberattacks on software supplier

Car dealerships across North America have faced a major disruption this week


By WYATTE GRANTHAM-PHILIPS, AP business writer

June 21, 2024, 12:29 PM


NEW YORK -- Car dealerships across North America have faced major disruptions this week.


CDK Global, a company that provides software for thousands of auto dealers in the U.S. and Canada, was hit by back-to-back cyberattacks on Wednesday. That led to an outage that continued to impact many of their operations on Friday.


For prospective car buyers, that may mean delays at dealerships or vehicle orders written up by hand, with no immediate end in sight. Here's what you need to know.


CDK Global is a major player in the auto sales industry. The company, based just outside of Chicago in Hoffman Estates, Illinois, provides software technology to dealers that helps with day-to-day operations — like facilitating vehicle sales, financing, insurance and repairs.


CDK serves more than 15,000 retail locations across North America, according to the company. Whether all of these locations were impacted by this week's cyberattacks was not immediately clear.


CDK is “actively investigating a cyber incident” and the company shut down all of its systems out of an abundance of caution, spokesperson Lisa Finney said Wednesday.


CDK “executed extensive testing,” consulted third-party experts, and restored its core DMS and Digital Retailing solutions by the afternoon, Finney said in a prepared statement.


CDK experienced another “cyber incident” Wednesday evening, Finney said in an update the following day. “We remain vigilant in our efforts to reinstate our services and get our dealers back to business as usual as quickly as possible,” she said.


When that will be is still unknown. As of Friday morning, a recorded message from CDK on a hotline detailing updates for its customers said “we do not have an estimated time frame for resolution — and therefore our dealer systems will not be available, likely for several days.” Customer care support channels also remain unavailable, it said.


The message added that the company was aware of “bad actors” posing as members or affiliates of CDK to try to obtain system access by contacting customers. It urged employers to be cautious of any attempted phishing.


Several major auto companies — including Stellantis, Ford and BMW — confirmed to The Associated Press Friday that the CDK outage had impacted some of their dealers, but that sales operations continue.


In light of the ongoing situation, a spokesperson for Stellantis said that many dealerships had switched to manual processes to serve customers. That includes writing up orders by hand.


A Ford spokesperson said that the outage may cause “some delays and inconveniences at some dealers and for some customers.” However, many Ford and Lincoln customers are still getting sales and service support through alternative routes being used at dealerships.


With many details of the cyberattacks still unclear, customer privacy is also top of mind — especially with little known about what information may have been compromised this week.


In a statement sent to the AP on Friday, Mike Stanton, president and CEO of the National Automobile Dealers Association, said that “dealers are very committed to protecting their customer information and are actively seeking information from CDK to determine the nature and scope of the cyber incident so they can respond appropriately.”