The Lulzsec group of hackers has warned the NHS that administrator passwords have been compromised.
The group, which describes itself as "a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials", said it had sent a letter to the NHS on Thursday detailing the passwords.
"Some time ago, we were traversing the internets for signs of enemy fleets," Lulzsec said in the letter. "While you aren't considered an enemy — your work is of course brilliant — we did stumble upon several of your admin passwords, which are as follows:"
The passwords were blanked out in the letter. Lulzsec said on Twitter on Thursday that it had taken the passwords "months ago", but had never planned to use them.
The Department of Health confirmed on Thursday that administrator passwords had been compromised.
"It's an issue that's affecting a local NHS website," said a Connecting for Health spokeswoman. "This is a local issue that is not affecting national systems."
The spokeswoman was unable to confirm or deny whether the passwords were still active, or had been changed.
The Department of Health said in a statement: "This is a local issue affecting a very small number of website administrators. No patient information has been compromised. No national NHS information systems have been affected. The [Department of Health] has issued guidance to the local NHS about how to protect and secure all their information assets."
Update, Friday 10-6-11: On Thursday Lulzsec tweeted:
"Subdomain NHS access compromised 5 core admins and contact info of several affiliates. Luckily they stored nothing of importance on that DB."