Anatomy of a Breach: NHS Advanced and LastPass — A UK Healthcare MSP and a Password Vault Both Compromised

> series: anatomy_of_a_breach —— part: 164 —— targets: nhs_advanced + lastpass —— nhs_111: disrupted —— lastpass: source_code_stolen

Hedgehog Security 31 August 2022 14 min read

NHS 111 disrupted through a vendor. LastPass source code stolen. The trust infrastructure under attack.

On 4 August 2022, Advanced — a managed service provider whose Adastra platform supports NHS 111, ambulance dispatch, patient referral systems, and out-of-hours GP services — was hit by ransomware. The attack forced Advanced to take its systems offline, disrupting NHS 111 services across England. Callers to 111 experienced delays, and some NHS trusts reverted to paper-based processes for patient referrals and ambulance dispatch. The disruption lasted weeks, and the ICO subsequently investigated.

In the same month, LastPass disclosed that an attacker had compromised a developer's account and accessed portions of the LastPass development environment, stealing source code and proprietary technical information. LastPass stated at the time that no customer vault data had been accessed. But the August intrusion was the precursor to a far more serious breach: in December 2022, LastPass would disclose that the attacker had used information from the August breach to access a cloud storage service containing encrypted customer vault backups — meaning the password vaults of LastPass's millions of users were now in the attacker's possession, protected only by their master passwords.


NHS 111. Patient referrals. Ambulance dispatch. All disrupted through one vendor.

The Advanced ransomware attack was the latest in a pattern of NHS disruption through cyber incidents: WannaCry (2017, 80 trusts), Irish HSE (2021, Conti), and now Advanced (2022, ransomware via MSP). Each incident confirmed that NHS services are critically dependent on technology — and that technology dependencies create supply chain vulnerabilities.

NHS 111 Disrupted

The 111 non-emergency health line — used by millions of UK residents — was disrupted because its underlying platform (Adastra, provided by Advanced) was taken offline. When your MSP is hit by ransomware, your services go down even though your own systems are not compromised. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> monitors vendor-dependent services for disruption.

LastPass: The Vault Heist Begins

The August 2022 LastPass breach — stealing source code — was the first step in what would become the most significant password manager breach in history. The stolen source code and technical knowledge enabled the attacker to identify and access cloud storage containing encrypted vault backups in a subsequent attack. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses developer environment security and separation from production systems.

MSP as Single Point of Failure

Advanced's ransomware attack disrupted NHS services across England — because the MSP was a single point of failure for multiple critical health services. This is the same pattern as <a href="/blog/anatomy-of-a-breach-kaseya-vsa">Kaseya</a> (2021) and <a href="/blog/anatomy-of-a-breach-blackbaud">Blackbaud</a> (2020). <a href="/cyber-essentials">Cyber Essentials</a> addresses MSP dependency risk.

Trust Infrastructure Targeted

Both Advanced (trusted MSP) and LastPass (trusted password manager) were compromised — targeting the infrastructure organisations trust most. When the tools designed to keep you secure are themselves compromised, the security model inverts. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response when trusted infrastructure is compromised.

Your MSP and your password manager are your highest-risk dependencies.

The simultaneous compromise of an NHS MSP and a password manager in the same month underscored that the tools and services organisations depend on most create the greatest supply chain risk when compromised. For UK organisations, Cyber Essentials addresses vendor and supply chain security. Our penetration testing assesses MSP access controls and developer environment security. SOC in a Box provides monitoring independent of any single MSP. And UK Cyber Defence provides incident response when supply chain breaches affect your organisation.


NHS 111 went down because its MSP was ransomwared. LastPass vaults were stolen. Are your critical dependencies tested?

<a href="/penetration-testing">Penetration testing</a> assesses MSP and vendor security. <a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain risk. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors independently.
