NHS recruitment firm had major security bugs which could have exposed entire systems


  • An NHS organisation was hit with a cyberattack
  • The attack occurred in May 2024 but was never publicly disclosed
  • Attack against NHS Professionals looks to have been a failed ransomware attempt

A cyberattack targeting NHS Professionals, a private company owned by the Department of Health and Social Care, resulted in the theft of its Active Directory data. However, the breach was never publicly disclosed, despite the attack occurring in May 2024.

A report from The Register, quoting a Deloitte incident report, notes that attackers used a compromised Citrix account to gain initial access.

Once inside, attackers stole a “highly valuable ntds.dit file and engaged in further malicious activity”. The criminals moved laterally inside the organisation’s network using RDP and SMB share access, although it's not clear how they escalated their privileges up to the domain admin level.


Copyright of this story solely belongs to techradar.com.