HMR targeted by cyber criminals
UPDATE on 29 April 2020
We were advised by the National Cyber Crime Unit to inform all volunteers on our database about the theft of our data. However, since we posted the notice below, we’ve obtained a detailed audit trail of the files copied by the criminals. The audit trail shows that our volunteer database was not accessed by the hackers. So, we can now confirm that, if you’ve never attended a screening visit for a clinical trial at HMR, your data weren’t stolen.
If you have attended a screening visit, you can contact us to find out whether your details have been stolen – we don’t have electronic copies of identity documents, health information and bank details for everyone we’ve screened.
__________________________________________________________________________________________________________________________________________________
Dear HMR Volunteers
On Saturday 14 March 2020, HMR was subjected to a targeted and sophisticated attack by cyber criminals. We took immediate action to stop the attack, but not before the attackers had stolen copies of some of our files. A criminal group called Maze has claimed responsibility. We reported the crime to both the Police and the UK Information Commissioner’s Office (ICO) and are working with them.
We’re sorry to report that, during 21–23 March 2020, the criminals published on their website records from some of our volunteers’ screening visits. The website is not visible on the public web, and those records have since been taken down. The records were from some of our volunteers with surnames beginning with D, G, I or J. The records were scanned copies of documents and results we collected at screening, including name, date of birth, identity documents (scanned passport, National Insurance card, driving licence and/or visa documents, and the photograph we took at the screening visit), plus health questionnaires, consent forms, information from GPs, and some test results (including, in a few cases only, positive tests for HIV, hepatitis, and drugs of abuse).
Even if your records weren’t among those that were published, the criminals might have stolen copies of them. There’s a risk that your identity documents could be used by criminals to commit fraud (such as taking out a loan in your name), so we recommend that you inform your bank about the attack on HMR, ask their advice, and look out for suspicious activity in your account. Many of the ID documents we have on file have expired, but if you believe you provided to HMR IDs that are still valid, report these documents as being compromised to the organisation that issued them.
Consider contacting CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration. Once you’ve registered, you should be aware that CIFAS members will do extra checks to see when anyone, including you, applies for a financial service, such as a loan, using your address.
CIFAS – The UK’s Fraud Prevention Service
6th Floor
Lynton House
7 – 12 Tavistock Square
London
WC1H 9LT
www.cifas.org.uk
You can also get more advice at:
Action Fraud (England, Wales and Northern Ireland) or Police Scotland (as Action Fraud do not deal with people who live in Scotland).
Also, be aware that any suspicious calls or emails claiming to be from HMR might not be genuine, particularly emails asking you to click on a link (consider searching for it in your browser).
If you want to know more about the documents that were published, or if you have any other questions or concerns, please reply to this email (DataProtection@hmrlondon.com) or, if you are Japanese and want to write to us in Japanese, email Japanese.DataProtection@hmrlondon.com, and we’ll get back to you as soon as we can.
We’re taking this incident very seriously. We’re working closely with law enforcement agencies and continue to enhance the systems we use to protect our data.