Data Breach: 1.1 Million NHS Employee Records Exposed Due to Microsoft Power Pages Misconfiguration


November 23, 2024 Catherine Williams - Chief Editor Business

A Dublin cybersecurity researcher, Aaron Costello, discovered that 1.1 million NHS employee records were leaked online. The leak was caused by incorrect settings in Microsoft Power Pages, a website-building platform used by over 250 million people monthly.

Costello works at AppOmni and previously found that a glitch in the HSE’s Covid vaccination portal exposed data of one million people. The breached NHS records included email addresses, phone numbers, and home addresses. This issue is not limited to the NHS; it affects organizations worldwide, including government entities. The leaked data also contained sensitive information about companies and their users.

Costello noted the urgent need for better understanding and management of access controls in Software as a Service (SaaS) applications like Microsoft Power Pages. Although Microsoft provides warnings in the admin panel, a deeper understanding of the consequences is necessary. He emphasized that some data can be publicly accessed online, making the breach severe.

Costello highlighted similarities between the NHS breach and previous HSE issues, stating both were public access portals, one for Covid and the other for payroll. He explained that public entities often prioritize getting services operational quickly, which can neglect security considerations.

What are the key lessons learned from Aaron Costello’s research on NHS cybersecurity vulnerabilities?

Interview with Aaron Costello: The Cybersecurity Researcher Exposing Critical Vulnerabilities in NHS and Beyond

NewsDirectory3: Thank you for joining us, Aaron. You recently discovered a significant data leak involving 1.1 million NHS employee records. Can you explain what led to this finding?

Aaron Costello: Thank you for having me. This leak stemmed from incorrect settings in Microsoft Power Pages. This platform is widely used by over 250 million people each month to build websites. The oversight allowed sensitive NHS employee data—like email addresses, phone numbers, and home addresses—to be publicly accessible online.

NewsDirectory3: That sounds alarming. Your previous research also identified a glitch in the HSE’s Covid vaccination portal. How do these incidents compare?

Aaron Costello: There are several similarities. Both breaches involved public access portals—one for Covid vaccinations and the other for payroll information. These systems prioritize getting services up and running quickly, which often comes at the expense of vital security measures. This pattern is concerning, especially as it reflects a broader issue that affects many organizations worldwide, including government entities.

NewsDirectory3: What do you believe is the root cause of these repeated issues?

Aaron Costello: A significant part of the problem is a lack of understanding and management of access controls in SaaS applications like Microsoft Power Pages. While Microsoft does provide warnings in the admin panel about potential issues, it’s crucial for organizations to fully grasp the implications and ensure appropriate access restrictions to mitigate risks.

NewsDirectory3: Given this vulnerability, what do you think needs to change in the approach to cybersecurity?

Aaron Costello: There’s an urgent need for increased funding for cybersecurity in Ireland, as we are currently underfunded in this area. Many public entities are at risk from state-sponsored hacking groups, making proactive measures vital. Prevention is far better than damage control, so organizations must assess and remediate access controls effectively to avoid substantial fallout from breaches.

NewsDirectory3: What specific actions would you recommend for future governments and organizations?

Aaron Costello: I urge future governments to prioritize cybersecurity and develop a national framework for compliance similar to those in the US and Australia. This should include mandatory security standards that enforce robust access controls and encryption for public worker devices.

NewsDirectory3: Beyond government standards, is there anything that individuals can do to enhance their own cybersecurity awareness?

Aaron Costello: Absolutely. I propose a public awareness campaign to educate individuals about basic cybersecurity practices. This includes utilizing multi-factor authentication and being cautious about sharing sensitive information over the phone. Empowering individuals with knowledge is crucial to enhance overall security in Ireland.

NewsDirectory3: Thank you, Aaron. Your insights into the urgency of cybersecurity improvements are invaluable, especially in light of these severe data breaches.

Aaron Costello: Thank you for shedding light on this critical issue. Together, we can foster a safer digital environment.

Costello called for increased cybersecurity funding, pointing out that Ireland is underfunded in this area. Many public entities face risks as state-sponsored hacking groups are active. He stressed the importance of prevention over damage control. Properly assessing and remediating access controls is crucial to avoid significant damage.

Costello called for future governments to prioritize cybersecurity and develop a national framework for compliance. He advocated for mandatory security standards like those in the US and Australia, where access controls and encryption are required for public worker devices.

Additionally, he proposed a public awareness campaign to educate people about basic cybersecurity practices, such as multi-factor authentication and avoiding sharing sensitive information over the phone. He believes sharing this knowledge can empower individuals and enhance overall security in Ireland.
