Making it into our round-up of cyber security news this month are research warning of the security risks posed by companies in the NHS supply chain and a ransomware attack on a French hospital.

Report warns of vulnerabilities in NHS supply chain

Eighty-eight percent of NHS suppliers have had emails together with associated employee passwords leaked, according to new research.

Threat intelligence and cyber risk company Orpheus looked at a cross-section of companies that supply to the NHS to assess their vulnerabilities and the risk they posed.

Amongst its findings were that 37% of companies had vulnerabilities that looked attractive to cyber criminals, while 17% appeared to run databases that cyber criminals could target.

The research is intended to help NHS Trusts make risk-based procurement decisions while at the same time helping suppliers understand their own specific threats and vulnerabilities.

Oliver Church, CEO of Orpheus, said: “For some time we have watched cyber attackers consistently target the supply chains of organisations they want to exploit.

“All too often this is because supplier companies are the weakest link in the chain, enabling attackers to gain a foothold with much greater ease than they otherwise would.

“It is unsurprising therefore that authorities and regulators more broadly are demanding that all types of organisation now look to secure their supply chains.”

Macy's customers have payment info stolen by hackers

US department store giant Macy's was hit by a data breach in the run-up to Black Friday, with hackers targeting the retailer’s checkout and payment pages.

A letter sent to customers on 14 November revealed that malicious users had gained unauthorised access to personal information including names, addresses and payment information.

“Based on our investigation, we believe that on October 7, 2019 an unauthorised third party added unauthorised computer code to two pages on macys.com,” the letter read.

“The unauthorised code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages.”

Affected customers have been advised to change their login information while federal investigators respond to the breach.

French hospital refuses to pay up for ransomware attack

AFP reported a cyber-attack on a hospital in the northern French city of Rouen in November that led to severe delays in care.

A ransomware incident at the 1,300-bed hospital left staff locked out of computers and falling back on pen and paper.

The hospital said it would not pay the ransom to have its files restored.

No patient data is believed to have been compromised in the attack and France’s national cyber-crime agency ANSSI helped limit the impact of the ransomware, Le Monde reported.

A statement on the hospital’s Facebook page read: “On Friday 15 November around 7pm the CHU of Rouen was the subject of a large-scale computer attack, having a strong impact on the information system and therefore the activity of the establishment.

“This attack made access to most of the job applications inaccessible but also infected part of the jobs.

“The process used was the coding of some files located on computers and servers.

“Immediate actions have been carried out by the management of the information system (DSI) to stop the spread of this attack around midnight.

“No leak of medical or personal data has been found to date by the investigation.”

Optima Energy says lock up your energy data systems

An energy management software company is reminding organisations about the importance of making sure their energy data systems are secure.

Optima Energy reported that energy data is one of the areas most at risk from cyber-attacks yet often gets overlooked, particularly in the healthcare sector.

Steve Kemp, Optima Energy’s business development director, said more companies were beginning to invest in advanced software to keep this sensitive data safe.

“Far too often, the security of energy management software is overlooked when it should be an absolute priority,” said Kemp.

“The value of energy-related data is considerable and hackers are always trying to find innovative ways to infiltrate systems. And it is the fact that these cyber threats can go unnoticed until the real damage is clear that makes them so dangerous.”