Dentists have become the latest group to lose data to cybercriminals. The British Dental Association (BDA) has taken its website down as a result of a cyberattack. It has also told its members that data was extracted from its website. The attack seems to have affected all of its online systems, although some email addresses are still working.
Commenting on the breach, Jake Moore, Cybersecurity Specialist at ESET said: “It doesn’t seem a week goes by without it being necessary to remind people to be vigilant against this recent influx of hacks. However, it remains more important than ever to be cautious.
“It appears a large spread of personal data has been taken, so it is essential to remain on the lookout for any communication requesting further details which may add pieces to the identity theft jigsaw.
“Although the BDA have been magnanimous in making those affected aware of the breach quickly and reporting themselves to the ICO, the problems are far from over.”
What data was stolen?
Emails from various security commentators and a report on the BBC give different accounts of what data was stolen. It ranges from personal details of dentists, payment data, practice data and even some patient data. Enterprise Times contacted the BDA to ask what was taken.
A spokesperson for the British Dental Association replied:
“On 30 July the British Dental Association was targeted by a sophisticated cyber‐attack. We immediately notified the relevant authorities including the Information Commissioner’s Office (ICO), the UK’s data protection authority, and the police.
“We have been working hard, alongside a number of third‐party experts including forensic IT specialists, to determine the nature of the criminal activity. At present, we don’t know what information may have been compromised, but we are working to conclude the investigations as soon as possible. However, the evidence now available suggests that the data extracted relates to a very small snapshot of the total data stored on our servers.
“As a precaution, we informed people about this incident, and we will be sending further communications to anyone whose information may have been impacted.
“We take our cyber security and privacy obligations extremely seriously and honour our commitment to look after our members and their information.“
Enterprise Times: What does this mean?
It doesn’t matter how small or how large an organisation is, cybercriminals are looking for a way in. When it comes to healthcare, such attacks are often followed by spear-phishing emails. The data stolen is used to make the email look authentic, which increases the chances of success. At present, there is no evidence any specific practice, dentist or patient has been targeted. It could be that the data will, therefore, be used to reinforce other malware campaigns.
What is equally important to know is what type of attack this was and how it happened. At present, the BDA is not disclosing whether this was ransomware or some other breach. It may be that it won’t know the cause until the forensic examination is over. What is important is that it is saying that far less data has been taken than expected. That is good news for the BDA as it suggests the attack was spotted quickly. However, uncertainty over who is affected and precisely what data has been taken will be of concern to dentists.