Thousands of visitors to the NHS Choices site bombarded with malware after a coding error let a Czech hacker in by the back door

 

Thousands of patients trying to access health advice on the NHS Choices website were bombarded with adverts and malware – potentially stealing personal information from their computers – due to a coding error yesterday.

Users of the site posted links to hundreds of pages which had caused the problems over Sunday night and Monday morning - although the issue is now fixed.

One user, called Muzzers, wrote on the social website Reddit: “While attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware infested page.”

About 800 pages were thought to be affected.

The Health and Social Care Information Centre, which runs the site, was quick to downplay the damage, claiming that the site had not been compromised by a hacker.

A spokeswoman said a simple misplaced letter s in a domain name embedded in the code was responsible. A developer had typed googleaspis.com instead of googleapis.com.

The spokeswoman added that on Sunday night someone in the Czech Republic registered the misspelled domain name, meaning patients were redirected to a rogue site from which the adverts and malware were sent.
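An added example, not part of the original article or of NHS Choices' code: a pre-publication check that pulls external hosts out of page markup and flags any whose domain is within a small edit distance of an allowlisted one, which is how a reference to googleaspis.com would surface before going live. The allowlist, subdomains, URL paths and sample markup are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the site is meant to load third-party resources from (assumed allowlist).
ALLOWED_HOSTS = {"ajax.googleapis.com", "fonts.googleapis.com"}

# src/href attribute values carrying an absolute or protocol-relative URL.
URL_ATTR = re.compile(r'''(?:src|href)\s*=\s*["']((?:https?:)?//[^"']+)["']''', re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels; adequate for .com hosts, not for suffixes like .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(html: str, allowed=ALLOWED_HOSTS, max_dist: int = 2):
    """Return (host, verdict) for every external host not on the allowlist."""
    allowed_domains = {registrable(h) for h in allowed}
    findings = []
    for url in URL_ATTR.findall(html):
        host = urlparse(url if url.startswith("http") else "https:" + url).hostname
        if host is None or host in allowed:
            continue
        dom = registrable(host)
        near = [d for d in allowed_domains if 0 < edit_distance(dom, d) <= max_dist]
        verdict = f"lookalike of {near[0]}" if near else "not on allowlist"
        findings.append((host, verdict))
    return findings

# Constructed sample page: one correct reference, one with the extra "s".
SAMPLE = '''
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="http://ajax.googleaspis.com/ajax/libs/jqueryui/1.10.4/jquery-ui.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.org/site.css">
'''

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE):
        print(f"{host}: {verdict}")
```

Run as a gate in the publishing pipeline, a non-empty result blocks the release until each host is either corrected or deliberately added to the allowlist.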

In a statement the HSCIC said: “An internal coding error has caused an incorrect re-direct on some pages on NHS Choices since Sunday evening. Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code.

“We are now ‘flushing through’ this correction to ensure that the code on all affected pages is amended and expect this to be completed this afternoon.

“We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked.”

The spokeswoman also stressed that no patient data was at risk and that they were carrying out a “thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence”.

The HSCIC spokeswoman added: "NHS Choices has conducted an investigation of the adverts that some users were taken to and found nothing malicious on the initial adverts that came up. However, as an additional precaution we intend to supplement our usage information with 'cyber smart' guidelines."

Internet security expert Graham Cluley cast doubt on the official explanation, however, and said that anyone who had inadvertently downloaded malware could be at risk from viruses or from having the personal information stored on their hard drives accessed.

“I’m surprised by that explanation,” he said. “What often happens is that a hacker will find a weak point and inject a piece of code to exploit it, and set up a domain name. If the explanation is correct then whoever registered the domain name in the Czech Republic must have scanned the code, which few do, or registered numerous sites in the hope of getting lucky. Also, programmers tend to cut and paste domain names rather than type them out, which is laborious. Either way, there is normally a thorough audit to spot these things and make sure links work before going live.”

He added: “More importantly, what has been compromised is people’s computers. Anyone who used that site may have had malware injected on to their home computers that is able to access their personal information. So there should be warnings that anyone who accessed the rogue site could have problems. Today the NHS should be about computer health and that computers could be compromised.”

Mr Cluley also said that any crime committed would be an offence against the home user by the person in the Czech Republic.
