A hacker who cracked into an NHS website three months ago has said it took him less than an hour to get through the out-of-date security.
Speaking exclusively to Sky News on the condition of anonymity, the teenager described the defences protecting the confidential details of thousands of patients as “vulnerable to basic attacks that have been around for years”.
It comes as NHS security is being criticised for being susceptible to the widespread “ransomware” attack that is still causing problems in hospitals.
The huge hack also targeted organisations and companies worldwide, with up to 99 countries possibly affected, according to some researchers.
It is believed to be the biggest attack of its kind.
The hacker said he could have asked for a ransom when he gained access to the NHS database but, on this occasion, he got in touch with the administrator to offer his help.
“At the time, the NHS was under a lot of controversy in the media as some areas had been victim to state-sponsored hacking so I thought I would try and help them.
“It took me less than an hour to find the first vulnerability and the second one I found was extremely serious.
“I had access to anything on the server – patient records or virtually anything that was hosted on that server.”
Sky News has seen the email chain between the hacker and the NHS administrator whom he helped to fix the issue.
It took around 12 hours for the NHS administrator to respond to the initial whistleblowing email and a further three hours for the hole in the system to be patched with the guidance of the hacker.
Although NHS web systems are overseen by NHS Digital, all trusts are responsible for their own IT systems and security.
The website that was hacked months ago is an affiliate of one of the NHS trusts that was badly affected by the weekend’s cyberattack. It’s unclear if the website itself was compromised again.
Speaking about the current large-scale attack, the hacker says the timing of the launch could give us clues as to what the culprits are like.
The untraceable crypto-currency Bitcoin was at a near all-time high when the criminals launched their ransomware, which implies an element of planning. However, the hackers did not ask for their payment in Bitcoin, but US dollars.
“I think [it shows] a lack of understanding from them. It doesn’t make sense why they would do that because if they were after money then it would have made a lot more sense to demand the payment in actual Bitcoin.”
The hacker also said the attack has angered many in his community and could explain why so many have given up their time to fight back and try to stop the virus spreading.
“I think it’s extremely dangerous what they’ve done,” he said. “They’re putting people’s lives at risk. It’s just sad really.”