Cyber Incident Victim: National Health Service

Date:

May 2020

Location:

United Kingdom

Summary

A phishing campaign compromised over 100 internal email accounts within the health service, enabling attackers to send malicious spam externally by hijacking legitimate addresses. The incident, linked to a broader credential-harvesting operation targeting UK organizations, involved deceptive emails mimicking recent communications or recipient details to appear trustworthy, redirecting users to fraudulent login pages. While no evidence indicated patient record access, affected accounts were isolated, password resets enforced, and organizational configurations reviewed, contributing to a significant reduction in phishing activity following enhanced security measures.


Description

Between May 30 and June 1, 2020, attackers compromised 113 internal NHS email accounts as part of a widespread phishing campaign targeting organizations across the UK. The compromised accounts represented approximately 0.008% of the NHS's 1.4 million email accounts and were used to send malicious spam outside the health service. This incident formed part of a broader credential-harvesting campaign first highlighted by the UK's National Cyber Security Centre (NCSC) in October 2019, with activity traced back to at least July 2018. Attackers sent phishing emails from legitimate, previously compromised accounts belonging to known contacts of the recipients, increasing the emails' perceived legitimacy. Subject lines frequently mirrored recent email exchanges between the parties or incorporated details from the compromised user's address book, such as recipient names or email addresses. Clicking embedded links redirected users to counterfeit login pages displaying organizational logos and prefilled email addresses to mimic legitimate authentication portals.

NHS Digital confirmed no evidence of unauthorized access to patient records during the incident. The organization collaborated with the NCSC to investigate the attacks and implemented immediate containment measures, including isolating affected accounts and requiring password resets for all mailboxes with configurations similar to the compromised accounts. By June 16, 2020, all impacted individuals had been notified, with NHS Digital providing direct support to affected organizations to implement necessary security changes. The health service noted a 94% reduction in phishing emails sent to NHSmail accounts over the preceding year following the implementation of a new password security approach prior to this incident. This reduction suggested existing security enhancements had partially mitigated the campaign's potential impact despite the successful account compromises during the late May timeframe.
