Serco, the outsourcing giant behind NHS Test and Trace, has confirmed that it was hit by a cyber attack – but told Sky News its oft-criticised scheme had not been impacted.
The company won several coronavirus-related contracts, including NHS Test and Trace, via a procurement system that came under fire from the public spending watchdog over concerns it lacked a competitive process.
Since then, the scheme – headed up by Baroness Dido Harding – has been regularly criticised over perceived failings to provide quick COVID-19 test results and trace contacts who need to self-isolate.
Sky News can reveal Serco was targeted by criminals operating the so-called Babuk ransomware, which encrypts a victim’s networks after the hackers have stolen data.
The malware informs the victim of the breach by creating a note which encourages the victim to negotiate an extortion payment to unlock their computers and prevent the stolen data from being released.
Brett Callow, a cyber security researcher at Emsisoft who specialised in tracking ransomware groups, said the ransomware had only emerged “earlier this month” and that “little is known about their operations”.
Sky News learned of the attack on Serco through a sample of the ransomware that was uploaded to VirusTotal, a platform used by anti-virus companies to compare malware.
The sample encrypts the victim’s files and leaves a note specifically addressed to Serco, which claims: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
The note continues to threaten “consequences” if Serco does not cooperate with the hackers “to resolve this situation”, warning of risks including the firm’s stock value falling, costing it “much more money than the amount we ask”.
It continues: “Your partners such as NATO, or Belgian Army or anyone else won’t be happy that their secret documents are in free access in the internet.”
Sky News did not see any evidence that such documents were stolen by the criminals, who had deleted the page inviting Serco to negotiate the extortion.
Serco spokesperson Marcus Deville confirmed to Sky News in a phone call that the company had been attacked, although he refused to comment on the impact or on whether the firm had paid the ransom demand.
Mr Deville stressed, however, that the attack had only impacted the company’s mainland European operations, which were “completely isolated” from those in the UK, meaning there was “no impact on UK business” – including NHS Test and Trace.
Sky News has contacted the Department for Health and Social Care and the Information Commissioner’s Office for comment.