MoD Data Breach: IT Firm Delays Reporting Hack Affecting 270,000 Personnel
The IT company targeted in a Chinese hack that accessed the data of Ministry of Defence staff failed to report the breach for months.
UK defence secretary, Grant Shapps, told MPs on Tuesday that Shared Services Connected Ltd (SSCL) had been breached by a malign actor and “state involvement” could not be ruled out. Shapps said the payroll records of about 270,000 current and former military personnel, including their home addresses, had been accessed. China has not been openly named by the government as the culprit.
Sources said SSCL, an arm of the French tech company Sopra Steria, became aware of the breach in February, but the MoD was informed only recently.
SSCL was awarded a cybersecurity contract worth over £500,000 in April, weeks after the hack. The National Cyber Security Centre has warned of growing threats to the UK's businesses and critical infrastructure from hostile states. SSCL and its parent company hold £1.6bn in government contracts, including sensitive functions like Home Office recruitment.
Ascension's EHR System Down After Ransomware Attack, Hospitals Resort to Manual Processes
Ascension, a US non-profit health system, confirmed its electronic health records (EHR) system was down following a ransomware incident on 8 May 2024. In a cybersecurity update on 13 May, Ascension stated its hospitals and facilities remained open, but its EHR and systems for ordering tests, procedures, and medications were not operational.
Clinical teams are using manual processes and paper records for medication dispensing, medical records, and diagnostic tests. Several of its 140 hospitals are on diversion for emergency services to triage cases immediately. Ascension is working with cybersecurity experts to restore systems safely, acknowledging that full restoration will take time.
The cyber attack, first announced on 9 May, involved unusual activity on network systems. Information security firm Mandiant is assisting with the investigation. Ascension has notified law enforcement and government bodies, including the FBI and CISA. The attack follows similar incidents, highlighting the vulnerability of healthcare data to cyberattacks.
Cybercriminals Exploit Windows Quick Assist to Deploy Black Basta Ransomware
Financially motivated cybercriminals are exploiting the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware. Microsoft has been investigating this campaign, tracked as Storm-1811, since mid-April 2024. The attackers start by email bombing the target with spam, then call the victims pretending to be Microsoft or company IT support. They trick victims into granting access via the Quick Assist tool.
Once access is granted, the attackers download malicious payloads. Microsoft identified downloads of Qakbot, remote management tools, and Cobalt Strike. After installing these tools, Storm-1811 moves laterally through the network and deploys Black Basta ransomware using PsExec. They also harvest credentials using PowerShell and exfiltrate them via Secure Copy (SCP).
Microsoft advises blocking or uninstalling Quick Assist if not used and training employees to recognize tech support scams. Black Basta, a Ransomware-as-a-Service (RaaS) operation, has breached over 500 organizations, collecting at least $100 million in ransom payments.
Santander Customer Data Stolen in Supply-Chain Attack on Third-Party Provider
Some customers of Santander may have had their data stolen following a supply-chain attack targeting one of the bank’s third-party providers. The company confirmed the breach in a notification letter, stating, "We recently became aware of unauthorised access to a Santander database hosted by a third-party provider."
Santander implemented measures to contain the incident, blocking compromised access and establishing fraud prevention controls. The breach affected customers in Chile, Spain, and Uruguay, although localised Twitter accounts in Spain and Chile had no warnings. However, the Chile website displayed a warning.
The stolen data includes information on some current and former employees. Santander confirmed that customers in other markets are unaffected. The company assured that transactional data and user credentials were secure, and operations were not impacted.
Santander apologised for the inconvenience and confirmed that affected individuals would be notified. They also reported the incident to regulators and law enforcement and are working closely with them.
Ransomware Attack on Swedish Logistics Firm Threatens Liquor Supply at Systembolaget Stores
A ransomware attack on Swedish logistics company Skanlog has prompted warnings from Systembolaget, the country’s sole liquor retailer, that store shelves may be empty by the week's end. Skanlog, a critical distributor for Systembolaget, was attacked by a group allegedly based in North Korea, according to CEO Mona Zuko, though the basis for this attribution is unclear.
Systembolaget's press officer, Teodor Almqvist, cautioned that various beers, wines, spirits, and even paper bags could sell out within days. While there’s no risk of a "total drying out," certain brands may disappear until deliveries resume.
Skanlog has not indicated when operations might return to normal. Systembolaget has a backup plan if deliveries remain disrupted. This incident coincides with Sweden’s reform of its National Cyber Security Centre, integrating it into the cyber and signals intelligence agency following performance concerns. Earlier this year, a ransomware attack on Tietoevry affected numerous Swedish customers, forcing store closures nationwide.
