Data stolen during the attack includes information generated by Tusla; however, there has been no indication that the material gathered has been published online or used for criminal purposes.
In a statement, Tusla said: “An Garda Siochana have an ongoing investigation including co-operation with international law enforcement agencies.”
“Material which was stolen by the attackers from HSE systems has recently been provided to the HSE by An Garda Siochana.”
“Following preliminary analysis it has now been confirmed that the stolen data also includes information generated by the Child & Family Agency. There has been no indication to date that this material has been published online or used for criminal purposes.”
“We have now commenced a more detailed review of the stolen material as the next phase of the investigation.”
Speaking about the developments, Bernard Gloster, CEO of Tusla, said that the review could take up to four months; however, they cannot confirm a timeline.
“The review of this stolen data will be thorough and once completed we will take all steps to communicate with and support any people affected, in addition to our regulatory engagement with the DPC.”
“In addition to this investigation we have spent the recent months making major improvements to our systems and a full plan of work is scheduled for 2022.”
The attack, which occurred on May 14th, led to the medical information of 520 patients being published online.
In June it was confirmed that at least 85% of the HSE's IT servers had been decrypted and 70% of computer devices were back in use.
By September, over 95% of all servers and devices had been restored.
In an independent report commissioned by the HSE and conducted by PWC, cybersecurity for the National Health Network was deemed “frail” and “outdated.”
The PWC investigation revealed: “The national health service is operating on a frail IT estate with an architecture that has evolved rather than be designed for resilience and security,” and recommended that the HSE create a system that is “resilient and future-fit.”
The review found that the infrastructure in place does not have the required cybersecurity capabilities to protect the large operation that is the health service and the data it processes “from the cyber attacks that all organisations face today.”
“It does not have sufficient subject matter expertise, resources or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale,” it was reported.
Further to this, the review found that the HSE does not have any cybersecurity in place that can detect and prevent ransomware attacks, such as the one that occurred earlier this year.
It was also found that the computer on which the attacker “gained their initial foothold” had not received antivirus updates for over a year.
“The low level of cybersecurity maturity, combined with the frailty of the IT estate, enabled the attacker in this Incident to achieve their objectives with relative ease,” the report reads.
It also told of how easy it would have been for the attacker to infiltrate the network without detection.
“The attacker was able to use well-known and simple attack techniques to move around the National Health Network, extract data and deploy ransomware software over large parts of the estate, without detection.”
When it came to the software in use, the review found that the HSE has over 30,000 outdated Windows 7 systems running on workstations, despite Windows 7 being deemed ‘end-of-life’ by Microsoft almost two years ago in January 2020.
The HSE was advised to upgrade computers to Windows 10 in a bid to address known vulnerabilities and support issues with its current operating system.