Earlier this week, presenters at an Australian radio station called the King Edward VII Hospital in London, UK.
You may recognise the name – it’s the hospital to which Catherine, Duchess of Cambridge, was admitted on Monday.
The Duchess, who is pregnant, is apparently suffering from a fairly serious bout of morning sickness.
The pranksters, Mel and MC of the show Summer Hot 30 on Sydney station 2DAY (all New South Wales radio call signs begin with 2), pretended to be Her Majesty the Queen and Prince Charles.
Two other presenters joined them in the studio to add a little Palace atmosphere, impersonating the Royal corgis.
The plan was to have a bit of a lark and see what sort of reaction they’d get from the hospital.
Mel’s impersonation of Her Majesty’s voice can charitably be described as ludicrously bad, and her impression of Her Majesty’s diction and vocabulary as bizarre.
In fact, Mel did such an execrably bad job that co-presenter MC interjected right at the start of the prank, while they were still on hold, to say so.
Clearly, after such an inauspicious start they expected not just to have their call dumped by the hospital, but to be told off in no uncertain terms.
To their astonishment, however, the call was passed swiftly through to the nurse looking after the Duchess. The nurse proceeded – with understandable and audible nervousness – to give away a small, but nevertheless improper, amount of personal information.
In the end, little harm was done, aside perhaps from the nurse’s unfortunate comment that “[the Duchess] hasn’t had any retching”, and her observation that Catherine’s husband, Prince William, had been at the hospital the previous evening, but left around 9pm.
Nevertheless, there is a huge lesson to be learned here.
Social engineering – where scammers trick you or your staff into revealing information they know they oughtn’t to give out – is surprisingly easy.
As Mel and MC showed, you don’t have to get all the details right. In fact, you can get many or most of them wrong.
You don’t even have to be terribly believable. You just have to stick to your guns.
Let the person on the other end of the call ease themselves into a position where they feel obliged and determined to help, yet on safe ground because they’ve convinced themselves that they’re not really giving out anything very serious.
Social engineers often don’t need a lot of information to succeed. They might get a name out of the HR department, but no more. Then a phone number from a helpful colleague, an address from the helpdesk, followed by information about the victim’s whereabouts from Facebook or an out-of-office email.
And that might be enough to trick another organisation or department – the victim’s bank, for example, or their IT team – into a more egregious blunder such as transferring money illegally, or resetting a password fraudulently.
What can you do to minimise the risk of social engineering?
- Teach your staff that it is OK to say “No” to information requests over the phone.
- Teach them to hang up if the caller won’t take “No” for an answer and pesters for information that has already been refused.
- Provide an internal hotline (phone or email) that staff can use to report possible scam calls.
The last point is particularly important. Phone scammers may well have an internal directory for your company. They can then simply call colleague after colleague, building up a picture piece by piece as they go. The extent of the trickery won’t be obvious to each individual who gets called.
With active reporting of phone scamming by your staff, you may be able to spot the pattern early. You can then warn your entire workforce.
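The hotline-and-pattern-spotting advice above, as an added Python example that is not code from the original post: a small correlator over constructed hotline reports that flags one pretext being tried on several different staff members within a short window, which is the “colleague after colleague” signature a single callee would never see.

```python
# Added example (not from the original post). Correlates staff reports to an
# internal scam-call hotline so that one caller working through the directory
# is noticed early. All report data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hotline reports: who reported, when (ISO 8601), the caller's
# claimed identity (pretext) and what was asked for.
REPORTS = [
    {"staff": "switchboard", "time": "2012-12-04T05:20", "pretext": "family of patient", "asked": "ward extension"},
    {"staff": "ward nurse",  "time": "2012-12-04T05:31", "pretext": "family of patient", "asked": "patient condition"},
    {"staff": "helpdesk",    "time": "2012-12-04T09:10", "pretext": "IT vendor",         "asked": "password reset"},
    {"staff": "hr",          "time": "2012-12-06T14:00", "pretext": "recruiter",         "asked": "employee name"},
    # Same pretext again, but days later: outside the window, so not a campaign.
    {"staff": "finance",     "time": "2012-12-08T11:45", "pretext": "IT vendor",         "asked": "remote access"},
]

def detect_campaigns(reports, window_hours=24, min_staff=2):
    """Flag any pretext used against at least `min_staff` different staff
    members within a rolling window of `window_hours`. Returns one alert per
    flagged pretext, listing who was targeted and what was asked for."""
    by_pretext = defaultdict(list)
    for r in reports:
        by_pretext[r["pretext"].lower()].append((datetime.fromisoformat(r["time"]), r))

    alerts = []
    for pretext, items in by_pretext.items():
        items.sort(key=lambda x: x[0])
        for start, _ in items:
            end = start + timedelta(hours=window_hours)
            in_window = [r for t, r in items if start <= t <= end]
            staff = {r["staff"] for r in in_window}
            if len(staff) >= min_staff:
                alerts.append({
                    "pretext": pretext,
                    "first_seen": in_window[0]["time"],
                    "staff_targeted": sorted(staff),
                    "asked_for": sorted({r["asked"] for r in in_window}),
                })
                break  # one alert per pretext is enough to trigger a warning
    return alerts

if __name__ == "__main__":
    for alert in detect_campaigns(REPORTS):
        print(f"Possible campaign: {alert}")
```

An alert is the trigger for the page’s final step, warning the whole workforce; the window and threshold are knobs to tune against the volume of genuine reports.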
When it comes to corporate or personally identifiable information, remember this:
If in doubt, don’t give it out!
R.I.P.
Jacintha Saldanha
The nurse who answered this call has been found dead. This is tragic news, and a stark reminder that pranks of this sort can have serious costs.
Computers and international networks make it easy to “set someone up”: by sending email from someone else’s account, uploading a candid photo to Facebook without permission, leaving bogus messages on voicemail, or with a prank call, as here.
Our recommendation: don’t do it. Even if it’s not illegal, it can have dreadful side-effects, as in this case.
What a stupid failure of NHS protocol! It is a rule that no information at all be given to anyone, either by phone or email, about any patient without fully confirming the contact's details and that they are either bona fide relatives or an approved person WITH THE PREVIOUSLY AGREED PASSWORD! Only known family can set that password up in person, face to face, with the hospital staff. I know, as we had a relative with a serious stroke and we had great difficulty getting that set up as our surname is different from his!
The hospital staff involved should be seriously reprimanded – and the radio 'presenters' sacked immediately.
It's a private hospital so there's no need to blame the NHS just so quickly 😉
That is private health care not the NHS…
In this case, the same patient confidentiality rules apply irrespective of whether the hospital is run by NHS or some private organisation. Both the BMA and the Nursing and Midwifery Council require registered staff, wherever they work, to abide by the rules and preserve patient confidentiality. The two staff let their guard down and being late at night was no excuse.
I think that in a medical context, saying 'No' is a bit too inflexible, as in some cases urgent information might be needed in a medical emergency.
What happens if, in six months' time, this hospital gets a call from someone claiming to be a midwife at another hospital, who says that Kate has gone into premature labour and she urgently needs a copy of her medical records?
Saying 'no' could have life-threatening complications; giving out information could be playing into the hands of these or other pranksters. The sensible advice would be to get the name of the hospital and the medical practitioner, and then hang up and phone back the hospital using the number in the phone book.
The lack of awareness of information security and privacy issues by senior managers of companies is astounding. It may have helped the case considerably if the first language of the 'gatekeeper' had been English. I also find it astounding that the hospital didn't carry out a risk assessment that included information security risks. When will the message get through that this kind of breach AFFECTS YOUR CORPORATE REPUTATION? I think the two DJs should be thanked by the hospital management for pointing out to them how stupid they were.
A very useful post. But something else was going on here too. Cialdini's principles of persuasion talk about the power of authority. If the scammer pretends to be someone important, then they are more likely to get away with it.
This needs to be tackled from two angles: firstly training on the frontline not to fall for people pretending to be the Queen, but also senior people in the organisation must be taught not to force junior people to suspend procedures for them. Or anyone.
So often it is senior people who set a bad example.
Did anyone notice the prankster 'Queen' (ludicrously bad attempt at that impersonation, agreed) asked to speak to 'my grand-daughter', and of course Kate is not the Queen's grand-daughter. But even if the switchboard operator thought it was Kate's maternal/paternal grandmother, the 'protocol' was risible.
Why wasn't a secure number allocated internally as soon as Kate was admitted, as a direct line for genuine family calls, taken by a police liaison officer or hospital management trustee, with the switchboard ordered not to accept ANY such calls?
"The price of liberty is eternal vigilance", as is the price of security, of privacy, etc.
When will they learn?
Not to excuse entirely the nurse at the pointy end of the call…but she didn't pick up the call directly. In other words, it had already passed muster with someone else. I imagine she assumed, not unreasonably, that the call had been vetted.
Getting transferred makes the social engineer's job even easier. If you get a direct call from someone you don't recognise who makes a raft of improbable claims, you're likely to be much more suspicious than if someone else inside the company hands the scammer on to you with some sort of implicit (or perhaps even explicit) endorsement.
How do you know that the recording was really the hospital and not something entirely staged by the radio station?
The hospital has confirmed it.
I remember the time I was waiting for some medical results to come through so I called the surgery up and they told me everything about the results, all they asked for was my name.
I heard similarly in the US they are much stricter on obtaining medical test results back; in many cases you have to confirm your D.O.B., address and I think passport number was needed (can't remember entirely).
The use of social engineering is an interesting one since it is a powerful tool for pen testers and malicious users, but I think here there was a clear breach of patient confidentiality and, to be honest, if someone called you up and said they were the Queen asking for information, would you believe them?
BBC News: Duchess of Cambridge hoax call nurse found dead http://www.bbc.co.uk/news/uk-20645838