Health Service Ireland (HSE) has become the latest victim of a supply chain cyber attack launched against document transfer service MOVEit. The attack was launched by ransomware gang, Clop.
Clop were able to infiltrate MOVEit by exploiting a zero-day vulnerability that allowed the malicious group to break into company networks and steal data. Professional services partnership EY was also impacted by the cyber attack, leading to the breach.
HSE was working with EY to automate its recruitment process using software provided by MOVEit. On June 8, HSE was alerted to the fact that EY had been impacted by the cyber attack on MOVEit. Following this, HSE investigated the impact of the cyber attack on HSE and its data.
Following an investigation and analysis of the attack, HSE has determined that “no more than 20 individuals involved in the recruitment process” were affected by the data breach. The data potentially accessed by the hackers includes the names, addresses, mobile numbers and position of those on the recruitment panel, as well as more general information about the job roles to be filled. No other personally identifying or financial information was accessed during the cyber attack.
HSE is working with the relevant authorities including the Irish Data Protection Commission (DPC) regarding the cyber attack and data breach. The organization is in the process of contacting those affected by the breach.
Other companies affected by the breach include those who use the payroll services provider, Zellis. The network infiltration of Zellis led to the breach of more than 100,000 employees’ data from companies including the British Broadcasting Company (BBC), health and beauty retailer Boots and flag carrier of Ireland Aer Lingus.
The ransomware gang later took to the dark web in an ettempt to extort victims of the data breach. Clop issued an ultimatum to the data breach victims, saying that comapnies affected by the attack need to contact them by June 14, or their personal data would be leaked online.
Clop claimed that all those who worked for local or national government or the police services were exempt from this threat. The ransomware gang addressed them directly, saying they should “not worry”. They continued, saying “we erased your data you do not need to contact us. We have no interest to expose [sic] such information”, although the legitimacy of this statement has been called into question.