Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: A major fire at one of Europe’s largest cloud providers reminds us of the value of a Plan B, a decision by AXA in France to no longer cover ransomware payments, the ongoing cost and impact of the HSE attack, and a spyware attack on Android phones currently circulating in Ireland.
This week’s action: Get rid of data you no longer need
- A reminder that “Cloud = Someone else’s computer”
One of Europe’s largest cloud providers, OVHCloud, suffered a fire in March that destroyed one 5-storey data center and damaged another. Other data centres on the site were undamaged but were still taken offline while the fire was brought under control.
As the video embedded in the article below shows, I doubt any of the kit inside has survived the damage and/or the flood of water that it took to bring it under control. This serves as a reminder that you always need a Plan B for your systems and data.
Read more: https://www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/ via https://www.itgovernance.eu/blog/en/cloud-storage-disaster-highlights-the-importance-of-business-continuity
- Android spyware attack circulating in Ireland at the moment
“The NCSC has received reports of a spyware software labeled FluBot affecting Android users in Ireland. FluBot is used by malicious parties to steal passwords and sensitive data from the victims’ mobile device. It will access victims’ contacts and spread the malicious application through further text messages. [..] Apple devices are not currently affected by this malware.”
I won’t discuss the ecumenical matter of Apple vs Android, apart from pointing out that security attacks that compromise Android phones are far more common.
As an aside, you may not have heard of Ireland’s National Cyber Security Centre (NCSC) prior to the recent HSE attack. However, despite their limited budget and apparent lack of a director, they have been publishing valuable weekly updates and regular security alerts on their news page (https://www.ncsc.gov.ie/news/) for quite some time. Unfortunately, they don’t seem to allow you to subscribe to receive their alerts and updates by email. To remain informed, you need to visit their news page on a frequent basis. Alternatively, follow my approach and use a service like FollowThatPage.com to monitor their news page for changes. This is a useful service for any webpage that you want to keep your eye on.
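If you would rather run the page-monitoring yourself than rely on a third-party service, the following script is an added example (not the newsletter’s, FollowThatPage’s or the NCSC’s code) that compares two saved copies of a news page and reports the links that appeared since the last check. The two HTML snapshots are constructed samples, not the real markup of the NCSC news page, and the fetch_page() helper is an assumption about how you would obtain a live copy to store between runs.

```python
"""Report new entries on a news/alerts page by diffing two HTML snapshots.

Added example for this newsletter, not code from FollowThatPage or the NCSC.
The snapshots below are constructed samples and do not reproduce the real
https://www.ncsc.gov.ie/news/ markup.
"""
from html.parser import HTMLParser
from urllib.request import urlopen  # used only by fetch_page()


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._href = href
                self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    """Return the page's links in document order as (href, text) tuples."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def new_entries(previous_html, current_html):
    """Links present in the current snapshot that were absent from the previous one."""
    seen = {href for href, _ in extract_links(previous_html)}
    return [(href, text) for href, text in extract_links(current_html) if href not in seen]


def fetch_page(url):
    # Assumption: a live copy is fetched with urllib and saved to disk between runs,
    # so the next run can compare it against the previous snapshot.
    with urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample snapshots (not real NCSC markup).
PREVIOUS_SNAPSHOT = """<html><body><ul>
<li><a href="/news/weekly-update-1">Weekly update</a></li>
<li><a href="/news/alert-old">Older alert</a></li>
</ul></body></html>"""

CURRENT_SNAPSHOT = """<html><body><ul>
<li><a href="/pdfs/Flubot_010621.pdf">FluBot alert</a></li>
<li><a href="/news/weekly-update-1">Weekly update</a></li>
<li><a href="/news/alert-old">Older alert</a></li>
</ul></body></html>"""

if __name__ == "__main__":
    for href, text in new_entries(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"NEW: {text} -> {href}")
```

Run it from a daily scheduled job that stores the fetched page as the new “previous” snapshot after reporting; comparing on links rather than on the raw HTML avoids false alarms from cosmetic changes elsewhere on the page.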
Read more about FluBot: https://www.ncsc.gov.ie/pdfs/Flubot_010621.pdf
- Cyber insurance provider will no longer cover ransom payments
AXA has announced that their cyber insurance policies in France will no longer “reimburse customers for extortion payments made to ransomware criminals.” In completely unrelated news, AXA’s Asia Assistance division suffered a ransomware attack three days after this announcement.
The decision to no longer cover ransom payments may have been driven by a number of concerns within AXA. In the US, there have been suggestions that paying a ransom could be regarded as a criminal act because it may be funding terrorism. Insurers are also aware that many firms are targeted because the criminals know they are insured and can pay the ransom. The increasing scale of ransom demands must also be a factor – pricing the risk of a €5k ransom demand is very different to pricing the risk of a €5m demand. Some in the industry have pointed out that this may be an overreaction by AXA. They believe that underwriting ransom risk is “perfectly reasonable” provided insurers do more to assess each client’s defences so they can price each policy accordingly. Over time, insurance providers will require detailed evidence of your security measures before they will quote for your business. When you are renewing your home insurance, they ask you about the locks on the doors and the alarms outside and inside the property. It is inevitable that they will start delving into the detail of the locks and alarms on your IT ‘property’ too.
Read more: https://portswigger.net/daily-swig/axa-ransomware-attack-comes-just-days-after-insurer-pulled-coverage-for-cyber-attack-class-in-france
- €100m: The estimated cost of the recent cyber-attack on the HSE will be at least €100m, according to its Chief Executive. Two weeks after the attack, it continued to have significant impact on health service delivery, including the cancellation of 7,000 outpatient appointments per day. As of June 2nd, almost three weeks after the attack, 50,000 of the HSE’s 80,000 IT devices remain offline.
In other words, the HSE has been able to check, clean and return to service 10,000 devices per week. In the meantime, almost 50,000 outpatients per week are prevented from meeting with a healthcare professional because of the attack.
(https://www.independent.ie/breaking-news/irish-news/100-million-euro-would-be-small-figure-in-cost-of-hse-cyber-attack-reid-40476895.html and https://www.irishtimes.com/news/health/hse-still-in-state-of-very-high-risk-amid-slow-recovery-from-cyberattack-1.4582376)
- 3TB: The criminals behind the ransomware attack on AXA’s Asia Assistance claim to have stolen three terabytes of data from the insurer, including personal data and medical information.
If it’s true, that’s a lot of data that just walked out the door without anyone noticing. Once the criminals have a copy of your data, paying a ransom so they don’t publish it seems pointless. Neither you nor they can prove that they really have deleted the data. And if the data includes personal data about living individuals in the EU, it’s already a personal data breach that needs to be notified to your friendly data protection regulator, regardless of what the criminals do or don’t do with the data.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Data purge: If your organisation suffers a cyberattack, one of the major drivers of cost and risk will be the amount of data that was exposed / disclosed to the criminals.
The more data they can access, the more damage they can cause, and the more time and cost will be involved to assess and explain the damage. If some of this data includes information that you should not have (e.g. personal data that you no longer have a legal basis for retaining), you will also now be forced to explain why you had the data in the first place.
Review the repositories of data within your organisation (including all those email mailboxes) and delete any data you no longer need or have a legal basis to retain. Data minimisation and restricted data retention are important elements of your data protection obligations, and they are also key measures to reduce the impact of an attack.
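A data purge is easier to start when you can see what has outlived its retention period. The script below is an added example, not part of the newsletter, that walks a folder tree, applies a retention period per top-level folder and lists (or, when dry_run is switched off, deletes) files whose last modification is older than that period. The retention schedule in RETENTION_DAYS is an assumed one for illustration; a real schedule comes from your own retention policy and legal obligations. The sample directory tree is constructed inside a temporary folder so the script runs offline.

```python
"""List or delete files that are past an assumed retention period.

Added example for this newsletter's data-purge action, not the author's code.
The retention periods and the sample files are assumptions for illustration.
"""
import os
import tempfile
import time
from datetime import timedelta
from pathlib import Path

# Assumed retention schedule, keyed by top-level folder name (days).
RETENTION_DAYS = {
    "invoices": 365 * 7,         # e.g. accounting records kept 7 years
    "cv-applications": 365,      # e.g. unsuccessful job applications kept 1 year
    "marketing-lists": 180,
}
DEFAULT_RETENTION_DAYS = 365 * 2  # anything not covered by the schedule


def retention_for(path, root):
    """Pick the retention period from the first path component under root."""
    rel = path.relative_to(root)
    top = rel.parts[0] if len(rel.parts) > 1 else ""
    return RETENTION_DAYS.get(top, DEFAULT_RETENTION_DAYS)


def find_expired(root, now=None):
    """Files whose last modification is older than their retention period.

    Returns sorted (relative path, age in days) tuples; nothing is deleted here.
    """
    root = Path(root)
    now = time.time() if now is None else now
    expired = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        limit = timedelta(days=retention_for(path, root)).total_seconds()
        age = now - path.stat().st_mtime
        if age > limit:
            expired.append((str(path.relative_to(root)), int(age // 86400)))
    return sorted(expired)


def purge(root, dry_run=True, now=None):
    """Report expired files; delete them only when dry_run is False."""
    expired = find_expired(root, now)
    if not dry_run:
        for rel, _age_days in expired:
            (Path(root) / rel).unlink()
    return expired


def build_sample_tree():
    """Create a constructed folder tree with back-dated files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="retention-demo-"))
    now = time.time()
    samples = {  # relative path -> age in days (constructed values)
        "invoices/2015-q1.pdf": 365 * 8,               # beyond 7 years: expired
        "invoices/2021-q1.pdf": 30,                    # recent: keep
        "cv-applications/candidate-a.docx": 400,       # beyond 1 year: expired
        "marketing-lists/newsletter.csv": 100,         # within 180 days: keep
        "misc/notes.txt": 365 * 3,                     # default 2 years: expired
    }
    for rel, age_days in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))  # back-date the file
    return root, now


if __name__ == "__main__":
    root, now = build_sample_tree()
    for rel, age_days in purge(root, dry_run=True, now=now):
        print(f"expired: {rel} ({age_days} days old)")
```

Keep dry_run on until the report has been reviewed with whoever owns the data; the point of the first pass is to find what you are holding without a reason, not to delete blindly. Modification time is a blunt proxy for “still needed”, so treat the list as candidates for a retention decision rather than as the decision itself.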
Side note: There was no Cyber 3-2-1 last week as we were mourning the loss of my father-in-law, Fintan Laurence Doyle. Fintan had no need to understand IT and cybersecurity – He didn’t want anyone’s “email number”. Described at his funeral mass as ‘The St. Anthony of Ballivor’, he was the man to go to when you were in need of anything – especially if it was something that he could source on one of his frequent trips to England on Stena Line. Fintan was one of the good guys and he will be missed around here. Fintan Doyle RIP.