Having worked several times and in various roles for the UK's National Health Service in the course of an embarrassingly long career, I feel I have a certain professional interest in its welfare, apart from a vested interest in seeing its health preserved so that it can continue to preserve mine.
It was interesting, therefore, to notice on the Twitter account owned by the Bash Street Kids – sorry, wrong comic – by LulzSec that the lads and possibly ladettes had turned their attention to the NHS. Curiously enough, they seem to have been restrained and even responsible: while there's an image out there of a message they claim to have sent to an administrator at an unidentified NHS site, they blacked out the details.
I think it's a little naive of both The Register and the BBC to take the image completely at face value. (Softpedia was a little more cautious.) After all, while LulzSec's PR has more in common with Malcolm McLaren and the Sex Pistols than it does with the Red Cross or Marks & Spencer, it undoubtedly is a publicity drive. Still, I have no reason at present not to accept the possibility that someone at LulzSec is combining another publicity stunt with a genuine wish to promote the British Bone Marrow Registry, and as someone with one foot – well, a couple of toes – in the marketing/PR camp, I don't actually have a problem with that in principle.
According to the BBC, the Department of Health, which occupies the deck immediately above the NHS in the Ship of State, has said:
"This is a local issue affecting a very small number of website administrators. No patient information has been compromised," a Department of Health spokesperson told the BBC.
"No national NHS information systems have been affected. The Department has issued guidance to the local NHS about how to protect and secure all their information assets."
Which certainly suggests that there was a real issue. But the DoH's damage limitation statement actually makes sense. While it's usually assumed that the NHS is one huge monolith, it's really more of an umbrella organization, with several overarching units at the top overseeing thousands of semi-autonomous sites. It sounds as if the Lulzers have picked up admin passwords for one or more local sites, rather than the big projects run by National Programme, or whatever it's called nowadays. Let's hope they've notified someone who can actually take appropriate action: in an organization with over a million people, it's easy for individual messages (in a broad sense) to get lost in the general noise.
Memo to John Oates and The Register: the reference to "little girls feasting" comes from this site: http://www.nhsbt.nhs.uk/bonemarrow/.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
(Who hasn't read the Beano in a very long time.)
Author: David Harley, We Live Security