Cyber Incident Victim: NHS England
Date: Mar 2021
Location: United Kingdom
Summary
A senior NHS England executive's Twitter accounts were compromised by hackers who promoted fraudulent PlayStation 5 sales, deleting original content and altering account details. The attackers exploited the absence of activated two-factor authentication, enabling them to hijack the accounts by resetting linked contact information. Followers received direct messages offering nonexistent consoles, resulting in financial losses for victims who engaged with the scam. During recovery efforts, the executive also fell victim to a separate fraudster claiming expedited account restoration. Twitter ultimately reinstated control after two days, revealing numerous inquiries from individuals misled by the fraudulent promotions. The incident disrupted a major professional event reliant on the compromised accounts for audience engagement.
Description
On or around March 18, 2021, hackers compromised two Twitter accounts belonging to NHS Horizons chief transformation officer Helen Bevan, collectively followed by nearly 140,000 users. The attackers gained control by cracking her password and altering the linked email address and phone number, bypassing security because Bevan had not activated two-factor authentication (2FA) despite believing she had done so. The compromised accounts included a professional profile with 97,000 followers discussing NHS transformation work and a personal account with 36,000 followers focused on her cat. Upon takeover, the hackers deleted all original tweets, unfollowed all accounts Bevan had followed, and renamed both profiles. They repurposed the accounts to promote fraudulent PlayStation 5 sales, targeting followers of major retailers like Walmart, Dixons, PC World, and Target by replying to their PS5-related tweets with stock alerts and directing users to send direct messages.

The attack occurred one day before Bevan was scheduled to lead a large online event that relied on Twitter for audience interaction, which increased her urgency to regain control. Desperate, she paid £110 to an individual who claimed to be able to recover the accounts within 25 minutes, but this proved to be a secondary scam involving fabricated screen recordings and demands for additional payments. Twitter restored both accounts after two days, revealing dozens of direct messages from users who had attempted to purchase nonexistent PS5 consoles advertised at $450 or more. The scammers had also posted Fleets (Twitter’s ephemeral posts) showing PlayStation box images to bolster credibility. Bevan confirmed that neither law enforcement nor an internal NHS investigation was involved, since the incident was confined to her personal social media presence. Impacts included financial losses for scam victims, reputational harm from the hijacked accounts, and Bevan’s forfeiture of the £110 paid to the fraudulent recovery service. She publicly emphasized the necessity of enabling 2FA and warned against third-party account recovery offers following the incident.
