Naked Security Naked Security

Hacker-besieged DNA data tucked away under military care

Genomics England announced it's sequenced 100K Brits' genomes... and then had to store them in a military base after multiple hacking attacks.

On Wednesday, Genomics England – an ambitious project to map the DNA of a million Brits – proudly announced that it had completed the “100,000 Genomes Project” started in 2013, having sequenced 100,000 whole genomes in the National Health Service (NHS).
The project goal is to improve treatments for patients with rare inherited diseases and cancer, and to uncover new diagnoses. So far, it’s involved the creation of 13 NHS Genomic Medicine Centers (GMCs), a state-of-the-art sequencing center, and an automated analytics platform to return whole genome analyses to the NHS. It’s crunched through 85,000 people’s genomes (participants with cancer have three genomes sequenced: healthy and cancerous cells within their tumor and a third from their blood).
Unfortunately, the servers in those data centers are bare. The Telegraph reports that following a swarm of attacks on the machines holding the data, Genomics England had to shuffle the genomes over to servers at a military base for safekeeping.

Specifically, the data has been tucked away on servers at a Ministry of Defense facility in Corsham, Wiltshire, that’s home to the Joint Forces Command’s Information Systems and Services unit.
This sure isn’t the first data assault endured by the NHS or one of its projects. In 2017, the fast-spreading WannaCry 2.0 ransomware launched its assault against hospitals across the UK before spilling across the globe. More than a third of the NHS was disrupted for days by the WannaCry attack, which cost at least £92 million (around $117 million).
Genomics England Chair Sir John Chisholm said that attacks are a regular thing, but the data is “de-identified” so it can’t be linked to individuals:

Of course we receive attacks, some originating from overseas, and we regularly test to ensure that none succeed.
A key feature of the project is that an individual’s data will not be released. Instead, de-identified data is analyzed by research users within the secure, monitored environment.
None of the well-known viral attacks have succeeded in causing any dysfunction in Genomics England.

The Telegraph talked to Phil Booth, a spokesman for MedConfidential who said that some of the cyber attacks would “almost certainly” have originated in Russia and China and that it’s “no surprise” that people want to drain the database:

Health data is now more valuable than financial data. Criminals, states or companies could use the information to identify people, discriminate against them or even to blackmail them.

It’s no wonder that health data is so valuable. As we’ve noted, DNA collection and genealogy websites have warned that genetic data is extremely sensitive from a privacy perspective: they say that it can be used to predict future medical conditions, reveal information about someone’s family members, or have cultural significance for groups of individuals.
It’s also of great interest to law enforcement, given that investigators don’t need a search warrant to search for DNA matches. That ease of access helped lead to the arrest of a suspected serial killer in April.
From the perspective of criminal profit, the FBI has in the past warned US healthcare providers that crooks were targeting healthcare data with the intent of using it to make fake medical claims or to purchase drugs or medical equipment that can be sold.
In fact, at the time of the 2014 attack on US health insurer Anthem, during which it was drained of 80 million records, medical data was reportedly selling at about $10 per record on underground markets – about 10 times more than credit card data at the time.

Leave a Reply

Your email address will not be published. Required fields are marked *