Printable version

Secrets, Rumours and Lies

Blog posted by: Nick Wilding and Jerome Vincent, 05 June 2019.

Cyber hacker stat cross-legged on ledge wearing hoodes top and fingerless gloves whilst accessing data on laptop

We all tell stories. Stories are all around us. They are how we build business, cultures, societies, and relationships. That’s what stories are for. They instruct us, inspire us, and warn us.

That’s why storytelling can be an integral part of an effective enterprise-wide transformation strategy to deliver an effective cyber resilience awareness campaign programme.

Nick Wilding, AXELOS’ General Manager of Cyber Resilience, teamed up with author Jerome Vincent for a storyline around a cyber-attack on the NHS – inspired by a 2-part Holby City/Casualty crossover episodeearlier in March 2019 

A famous actress is in an NHS hospital. No one knows why. There’s speculation in the press, some of it salacious. The hospital management are keen to protect their patient’s privacy. The consultant of the Trust which controls this hospital, amongst others, knows who the actress is and assures the PR manager that all the Trust’s records are protected by market leading security products.

One of the senior directors, an eminent consultant, says that if the secret gets out, it will be because of a loose-tongued member of the clinical staff – they love to gossip.

young hacker working with a criminal gang which carries out ‘push payment’ fraud, targeting usually older people by claiming to be their bank or the police and calling them up to get them to move their money to ‘safe’ accounts, is intrigued by the mystery of the hospitalized celebrity. Perhaps, he can hack into the Trust’s systems and gain access to the medical records. A newspaper would pay a mint for the info.

Another gang member sees a wider opportunity – think about all the data on elderly people and their numbers and even some information about their lifestyles and incomes. That’s a whole new set of people they can con out of their money.

The Trust’s PR manager sends out a memo with basic instructions about cyber-security as well as the necessity of not talking about patients in general but this famous one in particular. The fact is that the star is having treatment for cancer and she doesn’t want the world to know yet.

The hacker decides the best way to get into the hospital system is to go ‘whaling’ – look for someone high up who can be socially engineered. He crawls the web for names, finds two – the Chairman and the consultant.

He notices that the consultant often gives talks about the role of digital in healthcare – from AI to robotics – and also talks a lot about cyber-security. After the WannaCry attack on the NHS, he was on news programmes and even did an op-ed in The Times.

His last article was in SC Media Magazine. A confident defence of the NHS’s ability to avoid any kind of repeat of the WannaCry debacle.

Bingo! The hacker pretends to be from a tabloid newspaper and sends out an email to the consultant as well as the PR Manager for comment on how certain they are that the celeb will be protected.

He gets two replies – one an out of office – and one a short statement that there is nothing to comment on.

The hacker then creates a malware program and embeds it in what looks like a PDF of a magazine article. He sends back a reply to the consultant saying ‘But what about the rumour in this Australian Gossip Magazine? It mentions your Trust!’

The consultant is at home – he’s logged on to his email using his work laptop – he is alarmed that the secret might be out... and clicks on the PDF. The computer is infected. Then he forwards the email to the PR manager with a message – ‘Oh no! Did someone talk to an Aussie relative!?’

The PR manager opens it too.

The hackers are in the system. They find out who the star is. Sell the story. They scrape names and medical records from the Trust’s database. A rich source of potential victims, many elderly, all vulnerable.

The press has a field day. The Trust suffers a lack of, well, trust. Data protection laws are broken. It’s a GDPRnightmare. The PR manager says, with uncharacteristic understatement, ‘I think this is going to hurt.’

The consultant is sacked. He made basic errors and didn’t follow the Trust’s protocols. He was whaled, which meant he turned out to be the source of the breach, not the clinical staff he said loved to gossip.

Nick and Jerome are running a webinar: “Stories form us, motivate us and change us: why storytelling needs to be a critical part of your cyber-defences” on Thursday 20 June 2019 between 1pm and 2pm (UK time). You can register here.  

Don’t become a whale! Read our CEO cyber thriller 'Whaling for Beginners’.

Find out how our GCHQ certified RESILIA® Frontline cyber security awareness training can increase your cyber resilience. Contact us via   


Channel website:

Original article link:

Share this article
Home Qualifications Training Licencing Store News


Latest News from