Cyber Incident Victim: National Health Service
Date:
Apr 2018
Location:
United Kingdom
Summary
A National Health Service website hosting patient survey data was defaced by hackers, displaying a black background with eerie music and a message claiming responsibility by "AnoaGhost." The compromised site was restored after cybersecurity experts identified the issue and media inquiries prompted action, with the organization confirming removal of the defaced content and plans to address the underlying vulnerability. The incident caused temporary disruption to public access of primary care provider information but did not involve reported data theft or extended service outages beyond the defacement period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 17, 2018, the NHS website insights.london.nhs.uk—a platform hosting patient survey data for primary care providers, including GP surgeries—was defaced by hackers identifying themselves as "AnoaGhost." The attackers altered the site's appearance, replacing its normal content with a black background, eerie music, and a white text message declaring "Hacked by AnoaGhost." Cybersecurity expert Kevin Beaumont discovered the defacement on Tuesday afternoon and publicly documented it by sharing a screenshot on Twitter. The compromised state persisted for an unknown duration, though a cached screenshot suggested the site may have been defaced for at least five days prior to detection; NHS authorities did not confirm this timeline. The website's primary function involved aggregating patient feedback, but no evidence indicated unauthorized access或个人 data theft occurred beyond the visible defacement. NHS Digital, the technical advisory body for NHS organizations, was notified of the incident after the BBC contacted them for comment. Within hours of Beaumont's tweet and subsequent media inquiries, the defaced elements were removed, restoring the site to normal operation.
NHS Digital confirmed awareness of the incident and stated the site owners had taken action to remove the hacked content. They further committed to assisting the site owner, NHS England, in remediating the underlying vulnerability exploited by the attackers. NHS England, which owned and operated insights.london.nhs.uk, did not publicly comment on the incident despite BBC requests. The defacement did not disrupt broader NHS services, as the affected site served a non-critical informational role focused on survey data presentation. No additional attacker motives or technical details about the exploitation method were disclosed by authorities or corroborated in available reports. The incident concluded with the restoration of the website and NHS Digital’s pledge to address the security flaw, marking the end of the publicly documented event timeline.