Cyber Attack on Healthdaq Recruitment Platform
An Irish company operating the Healthdaq healthcare recruitment platform, utilized by health trusts in Northern Ireland, has been targeted by cyber-criminals. Hackers claim to have stolen hundreds of thousands of sensitive files containing personal data from the platform.
All affected trusts have acknowledged awareness of a "potential" cyber incident involving a third-party Health and Social Care supplier and have advised their staff to exercise "extra vigilance".
An email from Healthdaq's data protection officer, reviewed by NI, stated that the issue has been contained and measures have been implemented to secure the platform. Healthdaq has been contacted for comment.
'Unauthorised Access and Extraction'
Healthdaq is employed by healthcare services to manage recruitment processes, holding detailed personal, identity, and background-check information on staff members.
According to the email, Healthdaq became aware of unauthorised access to certain data within its platform on 30 March.
"The incident has been identified as a confidentiality breach involving unauthorised access and extraction of data," the email stated.
The company indicated that the compromised data may include names, contact details, CVs, qualifications, copies of passports and other government-issued identification, and in some instances, health information.
"Given the nature of the data involved, there is a risk of impacts including identity theft, fraud, or misuse of personal information," the email added.
An Information Commissioner's Office (ICO) spokesperson confirmed: "We have received a report from Healthdaq Limited and are assessing the information provided."
Healthdaq's website notes that it collaborates with various government and public health organizations internationally, including entities in Canada, Australia, and the Middle East, as well as NHS organizations in England.
The company is headquartered in Dublin, with additional offices registered in Belfast, Melbourne, and Toronto.
The hacking group XP95 claims responsibility for the attack and is demanding a ransom. The group asserts it has stolen nearly half a million files, including driving licenses, criminal background checks, and vaccine records.
'Honour Among Thieves'
Kevin Curran, Professor of Cyber Security at Ulster University, explained that hackers may lie or exaggerate the volume of stolen data for financial gain, but established groups depend on their reputation, which incentivizes honesty.
"It's not that they won't fake data, they would do anything for money," he said.
"But there is a kind of a sense of reputability, people wouldn't waste their time if they didn't believe the groups leaks were real.
So, there is, to some degree, honour among thieves."
He advised those affected to remain vigilant, use strong passwords and two-factor authentication, and be cautious of suspicious emails or unusual activity.
