
St John Ambulance praised for response to ransomware attack

Charity’s response to ransomware attack demonstrates that it is possible to ensure minimal disruption if properly prepared

St John Ambulance has reported that it was hit by a ransomware attack this week, but was able to isolate the attack and resolve it within half an hour.

Fortunately, the ransomware did not affect operational systems, but blocked access to the charity’s booking system for training courses and encrypted customer data.

The charity has been praised for its swift, effective and transparent response to the attack. According to the police, ransomware is currently the most common cyber criminal activity affecting individuals and businesses in the UK.

Although the data included personal information such as the names of course attendees, contact details and even driving licence data, St John Ambulance said it is “confident” that data has not been shared outside the charity.

However, the organisation said it has informed the UK’s data protection authority, the Information Commissioner’s Office (ICO), and the Charity Commission.

“We have received a report from St John Ambulance and we will assess the information provided,” an ICO spokesperson said in a statement.

The charity reportedly did not pay any ransom for the release of the data, in line with police guidelines, and also recognised the ransomware attack as a crime and reported it to the police.

Police are encouraging all UK individuals and organisations to report cyber crime to ensure that UK policing has as much data as possible to help ensure an appropriate response, and have revealed plans to improve the cyber crime reporting process for business in early 2020.

“It is crucial that businesses report cyber crime to us because every incident is an investigative opportunity,” Rob Jones, director of threat leadership at the UK National Crime Agency (NCA), told Computer Weekly in a recent interview.

UK police are also encouraging individuals and organisations to do all they can to reduce the likelihood of becoming victims of cyber crime.  

“The best way to prevent ransomware attacks is for companies to ensure they are not vulnerable by following best practices on cyber security basics to ensure good cyber hygiene,” said Jones.

“Having good, functional data backups, treating your data as an asset, having appropriate policies around your data, and having incident response available to you are all simple ways of mitigating the harm from ransomware, which is the most prevalent form of attack we see.”

As well as containing and reporting the incident to the relevant authorities, St John Ambulance contacted those affected, published support information on its website, and set up a dedicated email address for questions relating to the incident: [email protected].


St John Ambulance said no banking information provided during the booking process is stored by the charity and no passwords were stored in the database affected by the ransomware attack.

“The only data that has been affected relates to our training course delivery,” it said. “It does not cover supplies, events, ambulance operations, volunteering, volunteer data, employee data, clinical data or patient data.”

Addressing the issue of trust, St John Ambulance said: “We work as hard as we can to protect our data systems from these types of attack and employ a range of third-party partners and cyber-crime solutions to continually update our protection.”

Although there is no need for any customers to take any immediate action, the charity has advised anyone working for its corporate customers to pass on information about the incident to the person in their organisation who is responsible for data protection.

Javvad Malik, security awareness advocate at KnowBe4, said the attack appears to be limited to a segregated training [booking] system and contains limited data.

“It is worth noting that St John Ambulance has demonstrated strong incident response procedures here with a transparent and timely response notifying the public, police and the ICO,” said Malik.

“Beyond that, it is unclear how the ransomware infected the systems, but it wouldn’t be surprising to hear that the infection arose from a phishing attack.

“This serves as a reminder that organisers should train their staff on being able to identify a phishing email and not click on malicious links.”

Independent security consultant Graham Cluley said St John Ambulance appears to have had emergency recovery plans in place to restore data from unaffected backup systems.

“The news that St John Ambulance had calmly resolved the incident within half an hour seems pretty impressive to me, and, together with the transparency they show in their disclosure, will hopefully reassure those who deal with the charity,” he wrote in a blog post.

“If only all organisations and companies could put themselves in a recovery position so confidently.”
