A Dublin cybersecurity researcher, Aaron Costello, has found that 1.1 million NHS employee records were leaked online because of improper configuration settings in Microsoft Power Pages, a software platform used by over 250 million people a month to build websites.
Mr Costello, who works with AppOmni, previously discovered a flaw that meant the HSE's Covid vaccination portal left the data of one million people exposed.
The exposed NHS employee information included email addresses, phone numbers, and home addresses.
But this issue affects organisations in every sector across the globe, as well as government entities.
Aside from the NHS, the other data exposed includes internal organisation files, sensitive information belonging to companies using the platform, and the details of outside users registered on the affected websites.
Many of these also included full names, email addresses, phone numbers, and home addresses.
Speaking to BreakingNews.ie, Mr Costello said: "There is a systemic issue with understanding the access controls of software as a service (SaaS) applications like Microsoft Power Pages.
"When you make these kinds of mistakes where you accidentally expose data, Microsoft has done a great job of putting these warning banners and signs in your admin panel on Power Pages. However, I think what has been missing is an understanding of the consequences.
"My research highlights that there are these pages that anyone can access on the internet, and they can see this data. There's your consequence, it really is public."
He said the main similarity between the NHS breach and the previous issues with HSE data is that both were publicly accessible portals, one for Covid appointments and the other for NHS payroll information, and both were configured and deployed by contractors.
"Typically, what we see with public entities is they have identified a need for some service, a crucial service, whether that's Covid appointments or payroll information for NHS employees, and they're in a rush to get this out and functional. Security then goes to the back of mind," he explained.
While the HSE does use Power Pages, Mr Costello said he does not believe it was affected by this issue.
He said the breaches identified at the NHS and the HSE should serve as a reminder of the importance of cybersecurity funding.
"From a military perspective, people often talk about how Ireland is underfunded, but from a cyber perspective, we are also massively underfunded.
"A contributory factor to our military issue is we're a small country, we don't have numbers, but we have a tonne of tech talent in Ireland and in our universities that we should be investing in.
"We need to upskill our cyber defences. We know for a fact that state-nation hacking groups are active, and it's a gold mine. An attack like this takes minutes to carry out, and who knows what a nation might do with this information? Targeting individuals in these public entities could lead to extortion, blackmail, but it definitely is a much greater threat than with private organisations.
"Prevention is much, much better. If you're a public entity, it's incomparable the amount of time that it would take to undo the damage as opposed to assessing your access controls appropriately, audit them and remedy the findings.
"When it comes to the likes of the HSE cyberattack and all the ransomware, that's still echoing today, so we're not in a place to say 'oh if it happens, we'll deal with it then'."
Mr Costello called on the next government to make cybersecurity a priority and to consider a national cybersecurity framework.
"If you look at places like the US and Australia, it's a requirement to follow frameworks that require certain access controls and encryption on public worker devices. It's not optional, but here it seems more lax.
"A foundation plan for some form of national compliance and a baseline for security standards in Ireland would be a positive move.
"I've had family impacted by these things, people who wouldn't be massively tech illiterate. A national campaign to inform the public about the basics would be great.
"Things like multi-factor authentication, don't give your bank information over the phone, I think it would be a fantastic incentive."