Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Health warning: ransomware hits home in HSE attack
If Irish people outside the cybersecurity industry hadn’t heard of ransomware before last month, chances are they have now. On Friday 14 May, the Health Service Executive shut down its IT systems in response to a “human operated” ransomware attack. Then came news that the Department of Health was hit by a similar incident. The Conti ransomware operators demanded payment of $20 million and threatened to release some of the data, a tactic known as double extortion. Within days, in a surprising move, they released a decryption key but threatened to expose patient data anyway. The recovery is likely to cost more than €100 million and is expected to take weeks, if not longer. HSE chief executive Paul Reid spoke of the attack’s “devastating impact” that wiped out more than 2,000 systems and deprived clinical and medical teams of the tools they need to treat patients.
Professor Ciaran Martin, former head of the UK National Cyber Security Centre, told RTE’s Prime Time: “What Ireland has suffered is pretty unique. A deliberate, targeted ransomware attack on a state-run healthcare system at national level is pretty unusual, if not unprecedented.” His subsequent Irish Times editorial urged the Government not to pay the ransom, and the State has insisted it hasn’t. The complex, fraught question of whether to pay or not has taxed the industry for some time. Insurer CNA Financial recently paid $40 million for decryption keys after it fell victim to ransomware. Meanwhile global giant Axa now refuses to reimburse French companies if they make claims to cover ransomware payments. BH Consulting’s position has consistently been to advise not paying.
A considered piece from Professor Simon Woodworth of Cork University argued that the HSE was the victim of a perfect storm of attacker behaviour and historical underinvestment in security and IT. The wider context to this story is that the HSE attack happened against a backdrop of several high-profile ransomware incidents. Recent victims included the Washington DC police, fuel provider Colonial Pipeline, and JBS, the world’s largest meat supplier. As we went to press, Reuters reported that the US plans to give ransomware investigations similar priority to terrorist incidents. The always excellent commentator Zeynep Tufekci likened preparedness for a pandemic to being ready for ransomware. This problem is not going away any time soon. Our white paper has details on how to prevent ransomware and respond to possible incidents, and it’s free to download.
Sum of a breach: Verizon DBIR sheds light on the human factor
More than eight out of ten data breaches involve human interaction, according to the Verizon Data Breach Investigations Report 2021. The DBIR (for short) listed those breaches as including phishing, business email compromise, lost or stolen credentials, and misuse or human error. Dark Reading’s writeup drew the natural connection with mass working from home during Covid lockdowns, and a rise in cybercrime activity. Web application attacks, phishing, and ransomware all increased during 2020. In 2019, phishing accounted for 25 per cent of breaches; in 2020 that grew to 36 per cent. Ransomware doubled in frequency compared to the year before. Insider threat risks grew by close to 40 per cent.
The DBIR is highly regarded for the quality of its analysis, using anonymised information from contributors around the globe. This year’s edition is based on 5,250 confirmed breaches highlighting key security trends. Organisational culture, and a focus on the people factor in security, is a big callout from this year’s edition. Brian Honan described the report as “full of real and meaningful cybersecurity data based on real world breaches. It is also written in plain and accessible language.” As ever, the DBIR is free to download.
Privacy and data protection roundup
There was plenty of news on the privacy front, as GDPR passed its third anniversary. The Data Protection Commission levied its largest fine to date, €90,000, against the Irish Credit Bureau. The fine related to a change in computer code in 2018 that led to 15,000 accounts having incorrect details recorded about them. Spain’s data protection authority, meanwhile, fined mobile operator Vodafone more than €8 million.
Meanwhile uncertainty surrounds the status of EU-US data transfers after the ‘Schrems II’ CJEU ruling last year. The employers’ lobby group IBEC put the situation into context, citing data that 90 per cent of EU-based companies from all economic sectors transfer data outside Europe, mainly for business-to-business reasons. France’s data regulator, CNIL, recently produced a report into the issues involved in allowing US multinationals to store data about French citizens. Its conclusion? US companies can’t be trusted with EU personal data. In related news, the European Data Protection Board has published its opinions on the draft UK adequacy decision the EC issued in February. If adopted, data transfers from the EU to the UK could continue without needing mechanisms like Standard Contractual Clauses. But does anyone care? As it happens, a recent survey by the European Central Bank suggests they do. EU residents listed privacy as the most important feature of the planned digital currency.