Nearly a week on from Sky News breaking the story that Serco had been the victim of a ransomware attack, details of the incident are still very sketchy. From a UK perspective, we are being reassured that the attack has only affected systems on mainland Europe; so that the NHS Test and Trace programme is not impacted. That may be so, but the fact that the attack succeeded in one part of Serco does suggest that other areas could be vulnerable. More broadly, it prompts further questions about the robustness of the controversial procurement process under which Serco was awarded the Test and Trace contract: what assurances on information security were required?
The restriction to mainland Europe is presumably less reassuring to some other major Serco customers such as NATO, the Belgian Military and the European Space Agency. Serco appears to have assured these key customers that their data has not been compromised, but it is unclear what this assurance is based on. Meanwhile, Serco has remained tight-lipped publicly, declining to comment on the impact of the attack or whether they have paid any ransom.
Serco’s strategy of trying to minimise the impact is reminiscent of the UK Government’s response to the news of a massive data loss from the Police National Computer only three weeks ago. The Home Office’s initial claim that only 150 000 records had been deleted had to be revised upwards shortly afterwards (and may yet rise further). Only time will tell if Serco’s claims of “nothing to see here” hold up to scrutiny.