It’s over a week since the Health Service Executive (HSE) in Ireland announced the most serious and high-profile cyber-attack ever to take place against the Irish State. While the decryption key for the ransomware has been received, it is still unclear how much data has been compromised. Here I outline the possible follow-on attacks that may be triggered as a result of this breach.
The Financial Times revealed that 27 files have been published to date and subsequently removed; however, this is evidence that the hacking group is in possession of an unknown amount of data. We can expect that other cybercriminals will still try to take advantage of this attack and find new ways to extort money from innocent people.
Whether it is a rash here or a bump or lump there, people’s medical history is amongst the most sensitive data we generate. We can expect that attackers will leverage extortion tactics with threats such as, “if you don’t pay us €x we will inform all your friends, family and connections on social media about your recent medical condition”. This attack could come in the form of an email or phone call.
If this happens on a work email or work phone, you should report it to your IT or Information Security team. If it happens on a personal email or your own mobile, you should not engage in any way with the attacker. It is highly unlikely they have this data, but if the attacker persists you should report it to the authorities and block the phone number or email address.
The worst-case scenario is that a significant amount of HSE data is released or sold on the dark web. If that happens there are other attacks to consider.
Medical records will often contain dates of birth, address details, names of next of kin, contact numbers and email addresses. If this is in the public domain, attackers could use this data to exploit weak passwords and attempt to access your email account or other online services. If your passwords are based on some of these personal details you should change them.
The best practice today is to use longer passphrases instead of passwords, or to use a password manager to create unique, complex passwords for all your online services. Ideally, your online services will offer multi-factor authentication; if they do, you should use it for added protection.
Any data breach in the EU will be subject to a GDPR investigation. The HSE and Irish Government could be subject to fines from the EU if they are found to be in breach of regulations when it comes to protecting people’s sensitive personal data. There is also the potential for civil action to be taken by individuals. While class action lawsuits are very rare in Ireland, there is already evidence of some law firms asking the Irish public to register their interest should there be a large-scale data leak. Scammers also leverage opportunities like this to invite people to join a class action for a “fee” with the promise of big pay-outs in the future.
Although this type of attack is less frequent, a commonsense approach should apply here. If it sounds too good to be true, then it probably is.
If people’s medical details are available, hackers could also launch targeted and personal attacks based on a person’s medical history. Offers of low-cost treatments in foreign medical clinics or snake oil cures could see scammers attempt to extract deposits or payments for future treatments based on the data that is published. There is already some anecdotal evidence of this emerging as mentioned recently by Labour Party leader Alan Kelly.
If you believe that your personal medical data has been compromised, you should report it immediately to An Garda Síochána.
The HSE CEO Paul Reid secured a High Court injunction restraining the sharing, processing, selling or publishing of data stolen as a result of the cyberattack. In his affidavit, he outlined how “all data is potentially compromised”, including HR, payroll and finance data. Employees should be wary of any unusual activity related to their banking and should operate a zero-trust approach if they receive any communication related to their bank account that does not come through a trusted channel. The HSE will be obliged to contact any employees that are impacted and provide instructions on additional steps to take to protect their finances.
It also appears that meeting minutes, equipment purchase details and other internal communications have been compromised. This information can open the door to a different type of attack known as Business Email Compromise. In this case, the cybercriminals will set up email accounts posing as a supplier and may generate fake invoices or request that bank details be changed. This could result in money being transferred to a hacker’s bank account rather than the actual supplier.
If you ever receive a request to transfer money or change bank account details over email, you should always verify it with a phone call using a known telephone number for that organisation or individual.
Scammers thrive in times of uncertainty; we saw evidence of this throughout the pandemic, and there is no doubt that the repercussions of this HSE breach will be felt for many months to come. Everyone needs to adopt an extra vigilant attitude as there will be a proliferation of new scams. You should be extra cautious of emails or phone calls that come from unexpected sources requesting you to log in, make a payment or follow up on an urgent request. Check the sender’s or caller’s details and, if you are in doubt, go directly to the company website and verify the request from there.
Until a clearer picture emerges of the true extent of this data breach you should trust nothing and verify everything.