Data protection and cyber security elearning for care workers
Date: Tuesday 12 December 2023
“I cannot express the emotional stress the cyber attack caused. It felt like we were watching a burglary on CCTV without any power to intervene.”
Despite having strong IT systems in place, this care service – which wishes to remain anonymous – was vulnerable to a cyber breach because of the actions of an individual.
In 2019, the company experienced a cyber breach which caused significant disruption across the whole organisation’s operations and service delivery.
Employee rosters were deleted affecting care arrangements across several service locations. Passwords to senior managers’ emails and service users’ digital records were changed and the company’s website was removed.
An internal investigation suggested that the most likely source of the breach was a former staff member who had recently left. They had changed passwords and administrator permissions but had not disclosed or communicated this prior to their departure.
A care manager at the time explains:
“We had actually invested huge amounts into IT and digital solutions and thought we were safe. We had initial conversations with cyber security professionals who said we had ‘pretty good infrastructure’ – but we had essentially left the front door unlocked meaning a rogue individual could just ‘walk in’ and do what they wanted.
“I cannot express the emotional stress this caused. It felt like we were watching a burglary on CCTV without any power to intervene. Email accounts literally disappeared mid-email. It felt like being in a Hollywood film about it. As soon as we made a fix on one area something else went down or became disrupted.”
The company alerted the police to the cyber breach who directed their issue to the National Fraud Intelligence Bureau and the relevant regulatory services including the Information Commissioner’s Office.
The company had to reverse the unauthorised amendments which included contacting their username holders and their domain controller who refused to engage in conversations with the company or the police. The police were unable to trace the source of the system changes, so no individual could be prosecuted.
Following this incident – which went on for several days before they got full control back – the company reviewed all IT system processes and accounts and enhanced security to mitigate further breaches so far as was practically possible. This included some complex arrangements, as well some very simple procedures such as changing passwords when someone leaves. No further incidents of breaches to this extent have occurred.
How to reduce the risk of a cyber attack
What to do in the event of a cyber attack
National Cyber Security Centre’s Small Organisation’s Newsletter
Back to News