Threat Report 164
This week:
- a critical VMware ESXi vulnerability being actively exploited by ransomware groups to encrypt virtual machines
- an NHS Cyber Alert for a serious flaw in widely used medical imaging software
- a supply chain attack targeting popular JavaScript libraries used in thousands of web applications
- a new phishing campaign abusing Microsoft Teams to target UK organisations
- a data breach at Cornwall Council caused by a failure in its own complaints handling process
- a major breach of France's national bank account database, with 1.2 million records stolen
- a PayPal data breach caused by an internal coding error that exposed sensitive customer information for several months
NHS Cyber Alert: Vulnerability in Medical Imaging Software
NHS England has issued a cyber alert about a serious vulnerability in a widely deployed DICOM medical imaging viewer used across NHS trusts and private healthcare providers. The flaw allows an attacker to craft a malicious imaging file that, when opened by a clinician or technician, executes code on their workstation, giving the attacker a foothold on the local network. The vendor has released an update that fixes the problem.
Medical imaging systems such as PACS (Picture Archiving and Communication Systems) are a core part of NHS clinical workflows, used every day to view X-rays, CT scans and MRIs. An attacker who gains a foothold through one of these systems could move laterally through the network to reach patient data, clinical systems or administrative systems. NHS suppliers who provide or support imaging technology should check whether their products are affected. This is directly relevant to DSPT requirements around keeping software up to date and managing clinical system risks.
Recommendations
- Check whether your organisation uses the affected imaging viewer by reviewing the NHS Cyber Alert for the specific product names and versions.
- Apply the vendor update as soon as possible, following your organisation's change management process.
- Ensure that medical imaging workstations have endpoint protection (antivirus/EDR) in place and that it is up to date.
- Review network segmentation so that imaging workstations and PACS servers are not on the same flat network as other critical systems. Imaging files routinely arrive from outside the organisation (other providers, patient CDs, image-sharing portals), so asking staff not to open untrusted files is not a sufficient control on its own.
- If you are an NHS supplier providing imaging solutions, proactively communicate with your NHS customers about whether your product is affected and what steps you are taking.
Supply Chain Attack Discovered in Popular JavaScript Libraries
Security researchers have discovered that several popular JavaScript packages on the npm registry were compromised after an attacker gained access to a maintainer's account. The attacker inserted hidden malicious code into package updates that were downloaded by thousands of developers. The malicious code was designed to steal environment variables, which often contain passwords, API keys, and database connection strings. The affected packages have now been removed, but any application that downloaded the compromised versions may have been exposed.
Many UK businesses and digital health organisations build their web applications and patient-facing portals using JavaScript and npm packages. A supply chain attack like this is dangerous because the malicious code comes through a trusted channel — a routine software update. If your development team pulled in one of these compromised packages, sensitive credentials could have been stolen without anyone noticing. For healthtech companies and NHS suppliers, this could mean exposure of API keys that connect to clinical data, patient information, or backend infrastructure.
Recommendations
- Check whether your development projects use any of the affected packages (listed in the source article) by searching your lockfiles for the compromised names and exact versions. Run npm audit as well, but do not rely on it alone: it only reports versions that already have an advisory in the GitHub Advisory Database.
- Rotate any API keys, passwords or tokens that were present as environment variables on affected developer machines, build agents, CI runners or servers, and treat them as compromised rather than waiting for evidence of misuse.
- Enable multi-factor authentication (MFA) on all npm and code repository accounts to reduce the risk of account takeover. npm can require a second factor for publishing as well as for login (npm profile enable-2fa auth-and-writes).
- Commit a dependency lockfile and install with npm ci in CI so builds use exactly the locked versions. Pinning prevents unexpected upgrades but does not help if the pinned version is itself the compromised one. Setting ignore-scripts=true in .npmrc stops packages from running install scripts, which is the point at which much of this type of malware executes.
- Review your software supply chain security practices. The NCSC has guidance on supply chain security that is worth following.
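The lockfile check recommended above, as an added example that is not code from the original report or from any of the affected projects. It scans a package-lock.json (lockfile versions 1, 2 and 3) for exact name@version matches against a blocklist. The package names and versions in COMPROMISED and in the constructed SAMPLE_LOCK are made up for illustration; replace COMPROMISED with the list published in the advisory you are responding to.

```javascript
// Added example (not from the original report): scan a package-lock.json for
// dependencies that match a list of compromised name@version pairs.
// Package names and versions in COMPROMISED and SAMPLE_LOCK are made up for
// illustration; replace COMPROMISED with the list from the advisory.
const COMPROMISED = new Map([
  ['example-colors', new Set(['1.4.1', '1.4.2'])], // hypothetical package
  ['example-faker',  new Set(['6.6.6'])],          // hypothetical package
]);

// Constructed lockfile (lockfileVersion 3 layout) with one direct and one
// nested compromised dependency.
const SAMPLE_LOCK = {
  name: 'patient-portal',
  lockfileVersion: 3,
  packages: {
    '': { name: 'patient-portal', version: '2.0.0' },
    'node_modules/example-colors': { version: '1.4.2' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/express/node_modules/example-faker': { version: '6.6.6' },
    'node_modules/@scope/left-pad': { version: '1.0.0' },
  },
};

// lockfileVersion 1 stores a nested "dependencies" tree instead of flat paths.
function* walkV1(deps, parentPath) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${parentPath}node_modules/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Yield every installed package as { name, version, path }, whatever the
// lockfile version. Scoped packages keep their "@scope/" prefix.
function* installedPackages(lock) {
  if (lock.packages) {                 // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;       // the root project entry
      const idx = path.lastIndexOf('node_modules/');
      yield { name: path.slice(idx + 'node_modules/'.length), version: meta.version, path };
    }
  } else if (lock.dependencies) {      // lockfileVersion 1
    yield* walkV1(lock.dependencies, '');
  }
}

// Return every installed package whose exact version is on the blocklist.
function findCompromised(lock, blocklist = COMPROMISED) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = blocklist.get(pkg.name);
    if (bad && bad.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Usage: node check-lock.js [path/to/package-lock.json]
// Without an argument the constructed SAMPLE_LOCK is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  if (hits.length === 0) console.log('no compromised versions found');
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

Run it against every lockfile in the organisation, not only the one in the main repository: build agents, internal tooling and deployed containers each have their own. A hit means the credentials available to that environment should be rotated regardless of whether the malicious code is known to have executed.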
Phishing Campaign Abusing Microsoft Teams to Target UK Organisations
A new phishing campaign has been observed targeting UK organisations through Microsoft Teams. Attackers are sending Teams messages from compromised external accounts, posing as IT support staff or senior managers. The messages contain links to fake login pages designed to steal Microsoft 365 credentials. Because Teams messages feel more trusted than emails, staff are more likely to click on links without questioning them. Several UK organisations, including some in the health sector, have reported incidents linked to this campaign.
Microsoft Teams is used extensively across the NHS, NHS suppliers, and UK businesses for daily communication. Staff are generally trained to spot phishing emails, but many are not yet aware that phishing can come through Teams as well. A stolen Microsoft 365 account can give attackers access to emails, SharePoint documents, and cloud-stored files, which may include sensitive patient data or business information. This is particularly concerning for organisations handling health data under the DSPT and UK GDPR.
Recommendations
- Alert staff that phishing attacks can come through Microsoft Teams, not just email. Consider sending a short internal awareness message this week.
- Review your Microsoft Teams external access (federation) settings. If your organisation does not need to receive Teams chats from external organisations, restrict external access to an allow list of trusted domains or disable it.
- Enable MFA on all Microsoft 365 accounts if you have not already done so.
- Check Microsoft Entra sign-in logs for unusual activity, such as sign-ins from unexpected countries or new devices, bursts of failed sign-ins followed by a success, and successful sign-ins that did not satisfy MFA.
- Report any suspicious Teams messages to your IT security team and to Microsoft.
UK Council Faces Data Breach After Mishandling Complaints
Cornwall Council in England has suffered a data breach after the personal details of individuals who submitted complaints were passed to the councillor they were complaining about. Four of the ten complainants had specifically requested their names be withheld, but all ten had their names, home addresses, email addresses, and phone numbers shared. The councillor said she was told the details had been redacted in the files sent to her — but they became visible when she opened them.
This incident is a clear example of how data breaches do not always involve hackers. Human error and poor internal processes can expose personal information just as effectively. For organisations handling complaints, HR processes, or sensitive personal data, this is a timely reminder that data protection obligations under UK GDPR apply to internal processes as well as external threats. Organisations subject to the DSPT are required to have appropriate information governance controls in place to prevent exactly this kind of incident.
Recommendations
- Review your complaints and HR processes to ensure personal data is only shared with those who have a legitimate need to see it.
- Audit any redaction processes to confirm they work as intended. Do not assume a file is redacted until it has been verified by opening it as the recipient would: a black box drawn over text in a PDF or Word document often leaves the underlying text in place, and hidden rows, columns, comments or tracked changes in spreadsheets and documents can still be revealed by the recipient.
- Ensure staff handling personal data have received up-to-date data protection training.
- Check your breach reporting obligations. If personal data is accidentally disclosed and the breach is likely to result in a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it.
- Consider whether your current data handling processes would withstand scrutiny if a breach occurred and was investigated.
French Government Bank Account Database Breached, 1.2 Million Records Stolen
France's Ministry of the Economy revealed that an attacker used stolen credentials to access the country's national bank account database in January 2026, making off with 1.2 million records. The stolen data included account numbers, account holder addresses, and tax identification numbers. The Ministry said access was cut off as soon as the breach was discovered, but the attacker had already exfiltrated a significant volume of data.
This incident demonstrates how stolen credentials can give attackers access to highly sensitive financial infrastructure. It also highlights the scale of damage that can result from a single compromised account with privileged access. For UK organisations handling financial or personal data, the lesson is clear: strong authentication and access controls are not optional. Organisations working towards Cyber Essentials, DSPT compliance, or DCC certification should treat credential security as a priority control.
Recommendations
- Enforce multi-factor authentication (MFA) on all accounts with access to sensitive data, particularly those with administrative or privileged access.
- Regularly review who has access to sensitive systems and remove access that is no longer needed.
- Monitor for unusual access patterns, such as sign-ins at unusual times or from unexpected locations or devices, and successes that follow a run of failed attempts.
- Ensure credential management policies are in place, including requirements for strong, unique passwords and managed rotation for high-privilege and shared accounts.
- Be aware that stolen credentials are frequently traded on criminal forums — consider using a dark web monitoring service to check for exposure of your organisation's credentials.
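The sign-in monitoring recommended here and in the Teams phishing section above, as an added example that is not code from the original report. It analyses an exported Microsoft Entra sign-in log: records before a cutoff date define each user's baseline countries and devices, and later successful sign-ins are flagged for a new country, a new device, off-hours activity, success without MFA, or success after a burst of bad-password attempts. Field names follow the Microsoft Graph signIn resource; the users, records, cutoff date and thresholds are constructed for illustration.

```javascript
// Added example (not from the original report): flag unusual sign-ins in an
// exported Microsoft Entra sign-in log. Field names follow the Microsoft
// Graph signIn resource; the users, records, cutoff date and thresholds are
// constructed for illustration and should be tuned to your own tenant.
const ERR_BAD_PASSWORD = 50126; // AADSTS50126: invalid username or password

// Successful sign-ins before this date are treated as the per-user baseline.
const BASELINE_UNTIL = '2026-02-09T00:00:00Z';

const OPTS = {
  offHoursUtc: [0, 5],          // successes between 00:00 and 05:59 UTC are unusual
  failWindowMs: 30 * 60 * 1000, // look back 30 minutes for bad-password attempts
  failThreshold: 5,             // this many failures before a success is suspicious
};

const MFA = 'multiFactorAuthentication', SFA = 'singleFactorAuthentication';
const ALICE = 'alice@example.nhs.uk', BOB = 'bob@example.nhs.uk';

function signIn(upn, when, country, errorCode, auth, deviceId) {
  return {
    userPrincipalName: upn, createdDateTime: when,
    location: { countryOrRegion: country }, status: { errorCode },
    authenticationRequirement: auth, deviceDetail: { deviceId },
  };
}

// Constructed records: a baseline week for both users, a normal sign-in for
// Alice, a night-time single-factor sign-in from a new country and device for
// Alice, and five bad-password attempts followed by a success for Bob.
const SAMPLE_SIGNINS = [
  signIn(ALICE, '2026-02-02T08:30:00Z', 'GB', 0, MFA, 'dev-a1'),
  signIn(ALICE, '2026-02-05T09:10:00Z', 'GB', 0, MFA, 'dev-a1'),
  signIn(BOB,   '2026-02-03T08:45:00Z', 'GB', 0, MFA, 'dev-b1'),
  signIn(ALICE, '2026-02-10T09:00:00Z', 'GB', 0, MFA, 'dev-a1'),
  signIn(ALICE, '2026-02-11T03:14:00Z', 'NG', 0, SFA, 'dev-zz'),
  ...[0, 1, 2, 3, 4].map(m => signIn(BOB, `2026-02-11T10:0${m}:00Z`, 'GB', ERR_BAD_PASSWORD, SFA, 'dev-b1')),
  signIn(BOB,   '2026-02-11T10:06:00Z', 'GB', 0, MFA, 'dev-b1'),
];

// Return an array of { user, time, rule, detail } findings.
function analyseSignIns(records, baselineUntil = BASELINE_UNTIL, opts = OPTS) {
  const byTime = [...records].sort(
    (a, b) => Date.parse(a.createdDateTime) - Date.parse(b.createdDateTime));
  const cutoff = Date.parse(baselineUntil);
  const baseline = new Map();       // user -> { countries: Set, devices: Set }
  const recentFailures = new Map(); // user -> timestamps of bad-password attempts
  const findings = [];

  for (const r of byTime) {
    const user = r.userPrincipalName;
    const t = Date.parse(r.createdDateTime);
    const country = (r.location && r.location.countryOrRegion) || 'unknown';
    const device = (r.deviceDetail && r.deviceDetail.deviceId) || 'unknown';
    const success = !!r.status && r.status.errorCode === 0;

    if (!success) {
      if (r.status && r.status.errorCode === ERR_BAD_PASSWORD) {
        if (!recentFailures.has(user)) recentFailures.set(user, []);
        recentFailures.get(user).push(t);
      }
      continue;
    }
    if (t < cutoff) {               // learn what "normal" looks like for this user
      if (!baseline.has(user)) baseline.set(user, { countries: new Set(), devices: new Set() });
      baseline.get(user).countries.add(country);
      baseline.get(user).devices.add(device);
      continue;
    }
    const seen = baseline.get(user) || { countries: new Set(), devices: new Set() };
    const flag = (rule, detail) => findings.push({ user, time: r.createdDateTime, rule, detail });

    if (!seen.countries.has(country)) flag('NEW_COUNTRY', `first successful sign-in from ${country}`);
    if (!seen.devices.has(device)) flag('NEW_DEVICE', `first successful sign-in from device ${device}`);
    const hour = new Date(t).getUTCHours();
    if (hour >= opts.offHoursUtc[0] && hour <= opts.offHoursUtc[1]) {
      flag('OFF_HOURS', `sign-in at ${String(hour).padStart(2, '0')}:00 UTC`);
    }
    if (r.authenticationRequirement === SFA) flag('SINGLE_FACTOR', 'success without MFA');
    const fails = (recentFailures.get(user) || []).filter(ft => t - ft <= opts.failWindowMs);
    if (fails.length >= opts.failThreshold) {
      flag('FAILURES_THEN_SUCCESS', `${fails.length} bad-password attempts in the preceding ${opts.failWindowMs / 60000} minutes`);
    }
    recentFailures.set(user, []);   // a success closes the failure window
  }
  return findings;
}

for (const f of analyseSignIns(SAMPLE_SIGNINS)) console.log(f.time, f.user, f.rule, f.detail);
```

A single finding is rarely conclusive on its own; the combination on one account (new country, new device, night-time, no MFA) is what warrants an immediate password reset and token revocation. A privileged account should be reviewed on any finding, which is why the French bank database breach above is the case for treating admin sign-ins separately.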
PayPal Data Breach Caused by Internal Coding Error
PayPal has notified around 100 customers that their personal information was exposed due to a coding error in its Working Capital loan application. The error caused sensitive business contact information — including names, Social Security numbers, dates of birth, email addresses, phone numbers, and business addresses — to be inadvertently leaked between July 2025 and December 2025. A small number of affected customers also experienced unauthorised transactions on their accounts. PayPal has since rolled back the code change and issued refunds.
This breach was not caused by an external attacker but by an internal software error that went undetected for several months. It serves as a reminder that data breaches can originate from within an organisation's own development processes. For healthtech companies and digital health organisations that build or maintain software, rigorous testing, code review, and security assurance practices are essential. Under UK GDPR, a breach of this nature that exposes personal data would need to be assessed for reportability to the ICO.
Recommendations
- Build security testing into your software development lifecycle, including tests that assert each response contains only the fields and records the authenticated user is entitled to see.
- Conduct regular reviews of what personal data your applications are processing and whether it is being handled correctly.
- Ensure you have a process in place to detect anomalous data access or unexpected data flows before they go unnoticed for months.
- Review your incident response plan so that when a breach is identified, the steps for investigation, containment, and notification are clear.
- If you use third-party financial or payment platforms, check what personal data those platforms hold on your behalf and review their breach notification commitments.
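The kind of output check recommended in the first bullet above, as an added example that is not code from the original report and not PayPal's code; it illustrates the general pattern, not the specific error PayPal reported. An allowlist serialiser fixes which fields a view may ever contain, and a scanner walks an outgoing payload looking for sensitive field names, sensitive-looking values and records that belong to a customer other than the requester. The record shapes, field names, customer identifiers and patterns are constructed for illustration.

```javascript
// Added example (not from the original report and not PayPal's code): two
// checks for unintended data exposure in API responses, usable in integration
// tests or as a final guard before a response is sent. The record shapes,
// field names and patterns are constructed for illustration.

// 1. Allowlist serialiser: a view only ever contains the fields listed here,
//    so a column added to the database later does not silently reach clients.
const PUBLIC_FIELDS = {
  applicant: ['id', 'ownerId', 'businessName', 'email', 'status'],
};

function toPublicView(kind, record) {
  const allowed = PUBLIC_FIELDS[kind];
  if (!allowed) throw new Error(`no public view defined for "${kind}"`);
  const view = {};
  for (const field of allowed) if (field in record) view[field] = record[field];
  return view;
}

// 2. Output scanner: walk any JSON-serialisable payload and report keys or
//    values that should never reach a client, plus records owned by someone
//    other than the authenticated subject.
const SENSITIVE_KEYS = new Set(['ssn', 'socialsecuritynumber', 'dateofbirth', 'dob',
  'nationalinsurancenumber', 'password', 'secret', 'accesstoken']);
const SENSITIVE_PATTERNS = [
  { name: 'US SSN', re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: 'UK National Insurance number (format only)', re: /\b[A-Z]{2}\d{6}[A-D]\b/ },
];

function scanPayload(payload, subjectId, path = '$') {
  const issues = [];
  if (Array.isArray(payload)) {
    payload.forEach((v, i) => issues.push(...scanPayload(v, subjectId, `${path}[${i}]`)));
  } else if (payload && typeof payload === 'object') {
    if ('ownerId' in payload && payload.ownerId !== subjectId) {
      issues.push({ path, reason: `record owned by ${payload.ownerId}, requester is ${subjectId}` });
    }
    for (const [key, value] of Object.entries(payload)) {
      if (SENSITIVE_KEYS.has(key.toLowerCase().replace(/[_-]/g, ''))) {
        issues.push({ path: `${path}.${key}`, reason: `sensitive field "${key}"` });
      }
      issues.push(...scanPayload(value, subjectId, `${path}.${key}`));
    }
  } else if (typeof payload === 'string') {
    for (const p of SENSITIVE_PATTERNS) {
      if (p.re.test(payload)) issues.push({ path, reason: `value matches ${p.name}` });
    }
  }
  return issues;
}

// Constructed database rows for two different customers.
const ROWS = [
  { id: 'app-1', ownerId: 'cust-42', businessName: 'Example Ltd', email: 'owner@example.com',
    status: 'approved', ssn: '123-45-6789', date_of_birth: '1980-04-02',
    notes: 'Applicant SSN 123-45-6789 verified by phone' },
  { id: 'app-2', ownerId: 'cust-7', businessName: 'Other Co', email: 'a@other.example',
    status: 'pending', ssn: '987-65-4321', date_of_birth: '1975-11-30', notes: '' },
];

// Simulated handlers: the leaky variant returns raw rows without scoping them
// to the requester; the fixed variant filters by owner and serialises through
// the allowlist. Both are illustrative, not a reconstruction of any real bug.
function handlerLeaky(subjectId) { return ROWS; }
function handlerFixed(subjectId) {
  return ROWS.filter(r => r.ownerId === subjectId).map(r => toPublicView('applicant', r));
}

console.log('leaky:', scanPayload(handlerLeaky('cust-42'), 'cust-42').length, 'issues');
console.log('fixed:', scanPayload(handlerFixed('cust-42'), 'cust-42').length, 'issues');
```

The allowlist is the control that prevents exposure; the scanner is the detection that tells you within one test run, rather than months later, that the control has been bypassed. Pattern matching on values will produce false positives (any 3-2-4 digit string), so in production use it as an alert rather than a hard block unless the endpoint's data is well understood.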
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.