NHS health board hackers unlikely to be convicted - police

Global hackers who attacked a Scottish health board are unlikely to end up in court but could face sanctions and the dismantling of their criminal network, police said.

Earlier this year, a group called INC Ransom stole 3TB (terabytes) of data from NHS Dumfries and Galloway, including confidential information on patients and staff.

The group, who are suspected to be Russian, demanded a ransom then published the data on the internet when it was not paid.

Speaking about the case for the first time, the Police Scotland detective in charge of the inquiry acknowledged that "a criminal justice outcome" was unlikely.

But Det Ch Insp Andy MacLean said the force hoped to repeat the success of other international operations, such as the one which disrupted Lockbit, thought to be the world's largest criminal ransomware group.

The attack on NHS Dumfries and Galloway in February involved the theft of millions of pieces of data, mostly small individual files such as x-rays, test results and correspondence.

The health board warned its patients they should assume that data relating to them had been copied and published.

People were advised to be vigilant against fraud and identity theft and to report any suspicious activity to police.

More than five months after the initial security breach, no-one has come forward to say their data has been misused, backing up a cyber-crime expert who said the attack was unlikely to cause "actual harm."

But it remains one of the most serious cyber attacks to date in Scotland and the group involved has been linked to other UK incidents.

Det Ch Insp MacLean said NHS Dumfries and Galloway had been able to recover "really well" since the attack.

He added: "The biggest threat is the vulnerability of that data being exploited now, and how that makes their patients feel."

Asked how the attack had been carried out, the senior detective declined to provide details but said the most common "intrusion method" was a phishing campaign.

This is where members of staff are sent emails containing links which, if clicked on, allow the hackers to access their target's IT system.

NHS Dumfries and Galloway said an external audit before the attack found its systems were "very secure".

But Det Ch Insp MacLean warned: "If you've got an ironclad guarantee one day that you've got a really secure set-up, one of your staff could click on a phishing email the very next day that mitigates all that good work.

"It is a really challenging area for security for organisations."

'Heinous crime'

A multi-agency investigation is under way, involving Police Scotland, the UK's National Crime Agency (NCA) and the National Cyber Security Centre, which is part of the UK's spy agency, GCHQ.

In February, an international inquiry led by the NCA infiltrated and took control of systems belonging to a ransomware group called Lockbit.

Sanctions against the group's alleged leader were announced and the United States offered a $10m (£7.79m) reward for information leading to his arrest and/or conviction.

Det Ch Insp MacLean said in recent years Police Scotland had identified individuals based in Scotland who had been responsible for ransomware attacks.

The force has also provided information which has led to action against cyber criminals in Spain, the Netherlands, Belgium and the US.

But he acknowledged that getting anyone from INC Ransom into a Scottish court would be challenging.

"In lieu of that, we will try everything to identify their infrastructure, identify them, take any measures to stop them committing these crimes and take them to task for what they've done," he said.

"Sanctions are becoming more common the more we identify these people.

"These individuals know they're targeting health boards across the globe, they know the impact it's going to have. It's absolutely horrendous. It's a heinous crime."

Police Scotland said it received between 40 and 50 reports of cyber attacks every year.

Victims have ranged from charities and small businesses to a global company headquartered in Scotland.

Psychological impact

Det Ch Insp MacLean said the vast majority made the attacks public but some chose not to do so after taking legal advice.

One company even asked Police Scotland to sign a non-disclosure agreement.

"We know cyber-crime is under-reported within Scotland, within the UK and worldwide, because companies have got the victim perspective and they don't want to be re-victimised in the media or by their customers knowing about it," the detective said.

"If it happens in Scotland, come and speak to us, we'll investigate, we'll support you the best we can, and we'll give you advice that'll help you in the early days."

The officer said the psychological impact of a cyber attack could be devastating.

He said he had witnessed people "ageing three or four years in three or four weeks" because of the stress.

Det Ch Insp MacLean urged companies and organisations to draw up a cyber incident response plan, print it out and keep it somewhere safe.

That way they will know what to do - even if they are locked out of their IT system.

He added: "Prevention is the absolute key.

"Be prepared for these attacks. It's not if, it's when."