Cyber attack on health service brought Tusla ‘to its knees’, PAC hears

Chief executive of Child and Family Agency says impact was more severe than pandemic

Tusla has said that the impact of the cyber attack which took place in May was a more severe shock than Covid-19.

Tusla has said that the impact of the cyber attack which took place in May was a more severe shock than Covid-19.

 

The cyber attack on the health service earlier this year brought the Child and Family Agency (Tusla) “to its knees” and rendered its most sensitive database unusable, an Oireachtas committee has heard.

The chief executive of Tusla Bernard Gloster told the Public Accounts Committee (PAC) that although there is no evidence yet that data has been removed or “exfiltrated” from those servers, investigations continue.

He also said that the impact of the cyber attack which took place in May was a more severe shock than Covid-19.

“Covid-19 was a very extreme event for all of society and across the world. But the impact on direct service provision of the cyber attack was much more sharp and much more severe,” he said.

“I have not hidden the fact that it brought us to our knees. That is the reality of the situation we found ourselves in. In as much as we have certainty of recovery and continued recovery of systems, we still have some levels of disruption. But we have most of the systems back.

“We have to remain open to the possibility that there was a risk of data exfiltration that could yet emerge. So far, the assessments have not indicated that that was the case. But I would have to say that we’re a long way off being able to be definitive about that. The HSE have an extensive analysis going on and we are fully party to that in relation to assessing the damage to servers and then whether or not there’s indicators of exfiltration on those.”

Database damage

Mr Gloster said that Tusla’s national childcare information system, which is its biggest database, is still hosted on the HSE system but work is ongoing to change that.

“That database is very, very significant in terms of its sensitivity and what it holds. We have no evidence of exfiltration from that. But it was severely damaged. It was severely damaged by the encryption of the attackers, the immediate shutdown that would have had to be done by the HSE on the morning of the 14th of May, and then by the attempt to rebuild.”

“So we actually had to go to the backups of that childcare information system and rebuild the database from the backup, because the one we were operating on up to the 14th of May was so badly damaged it rendered it unusable.”

The estimated costs of moving to new IT systems has been calculated at around €8million, and around €0.5million was spent recovering systems in the wake of the cyber attack.

Tusla also told the committee that it concluded the year 2020 “in a stable position” financially but that this was done through a “one off adjustment”.

“The target of the Agency was to achieve a stable position coming into and throughout 2021 and thanks to the intervention of the Minister and the Department this was achieved,” Mr Gloster said.

He said he was “concerned regarding the long-term challenges for some of our funded organisations in the community and voluntary sector.”

“Efforts are continuing to mitigate those challenges to the greatest extent possible. These organisations, many of them service providers, are critical to the effectiveness of the agency. We did make some progress in 2020 and 2021 for this sector on a once off basis however the long-term solution to their challenge is beyond the scope of Tusla.”

The agency received just under 70,000 referrals to its child protection and welfare service in 2020.

In the early stages of pandemic there was a “concerning decrease” but the chief executive said he is “satisfied that this concern was proactively addressed, and referral rates recovered.”