Cybersecurity Without Insanity? It’s as simple as 3 – 2 – 1…

This week: Western Digital suffers a cyber attack that takes many of its cloud services offline, a patient’s nude photos are published by cyber attackers, and even CNN’s Donie O’Sullivan is now talking about cyber security.

PS Today is Good Friday, a big day in the Christian calendar. Whether you’re religious or not, I hope today is a good Friday for you, wherever you are.


3 – Patient sues hospital after nude photos of her are published online

A cancer patient has filed a lawsuit against a US hospital group, claiming that “the organization’s failure to protect her sensitive data amounts to negligence and a breach of its basic duties to safeguard her medical records”.

According to a report by Cyber Scoop (and mentioned recently by Secure The Village), the lawsuit follows a ransomware attack on the hospital. The attackers threatened to publish the hospital’s data (including patient files and photos) unless a ransom was paid. When payment was not received, the criminals followed through on their threat. The published data included nude photos of the patient that had been stored in her medical file.

While I can’t comment on the legalities of the case, here are some clear facts:

1 – Cyber attackers don’t care about their victims.

2 – You could be a victim, even if you are not directly targeted.

It’s a stark reminder that the impact of a cyber attack can go beyond business disruption and harm people who are already in a vulnerable state. This is why every organisation needs to take its data protection obligations seriously.

Despite the obvious real-world risks, many organisations will only act when regulations force them to do so. It’s why regulations like GDPR and DORA are valuable, even if they are a pain in the a**.


2 – Western Digital suffers a major cyber attack

According to this report on Bleeping Computer, an unnamed third party unlawfully accessed several [Western Digital] computer systems “and the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

“The nature and scope of that data” is a concerning phrase. Hopefully, it does not include the data stored by customers on the MyCloud service. In the meantime, many of the cloud services provided by the company are offline, preventing customers from accessing their files.

“The cloud” is great. When it works. When it doesn’t, it’s a reminder that we can’t rely on a single third-party service. Because if we do, an issue with that service quickly becomes a serious issue for us.

Resilience is more valuable than convenience.


1 – Don’t trust any calls from your son, especially if he’s a Kerryman working for CNN

It is becoming easier for cyber criminals to “produce a voice clone that could be convincing enough to fool someone”.

According to this report on The Conversation, “ongoing advancements in deep-learning algorithms, audio editing and engineering, and synthetic voice generation have meant that it is increasingly possible to convincingly simulate a person’s voice. Even worse, chatbots like ChatGPT are starting to generate realistic scripts with adaptive real-time responses. By combining these technologies with voice generation, a deepfake goes from being a static recording to a live, lifelike avatar that can convincingly have a phone conversation.”

And to demonstrate, here’s a YouTube video of CNN’s Donie O’Sullivan using the technology to fool his parents back home in Ireland.


PS To listen to Cyber 3-2-1 and a roundup of my other articles this week, all episodes are accessible from or wherever you get your podcasts.