| 18.4°C Dublin

Cyber warfare Hackers ‘could sell off stolen HSE data for years’, warns expert 

Gang say today is D-Day for dumping data

Close

Stock image

Stock image

Stock image

Personal records stolen in a cyberattack on the HSE will be used for years to come to scam and blackmail people as they are sold on to different criminal gangs, a security expert has warned.

This comes as the Government has warned there is a “real risk” of patients’ data being abused by the criminals at the centre of the attack.

The gang responsible for the attack has indicated today is D-Day for dumping stolen information on the dark web.

However, experts in the field believe it will be a long and protracted process as the stolen information is “carved-up into buckets” and hawked on the cyber black market long after the HSE systems are restored.

Ronan Murphy, chief executive of cyber security firm SmartTech 24/7, which is working with many hospitals affected by the cyber attack, said some information was likely to be uploaded on the dark web today just to show that the gang behind it “still has teeth”, but the damage would surface over a long period of time.

“This could be a year, two years, three years. It could go on and on. This is not going to be a fireworks show tomorrow, it is going to be slow and protracted,” he told the Irish Independent yesterday.

“I do not believe it is a huge problem in the short term, insofar as people are not going to find out in the next week or two if their data has been sold or who the likely criminal enterprises who bought that data are. Where the problem comes is in the weeks and months and years ahead.

“So what you typically see is that they will take the data and they will carve up the data into different buckets and they will sell that data on to a whole ecosystem of different criminals who have expertise in different areas.

“You have guys who are interested in supply chains, or in invoices and equipment, and suppliers, and in financial information, and they have very well-honed skills on how to manipulate and exploit those types of data.

“Then you have people who specialise in healthcare data who have the ability to extort or blackmail people if the medical or psychiatric records are delicate. This is what they do for a living.”

Mr Murphy also warned that other criminals who had nothing at all to do with the HSE attack would be piggy-backing on the chaos it has created and perpetrating scams that tap into people’s fears.

“You have the opportunist scammers who will try to exploit people even though they don’t have the data. They excel when there is chaos. They do really well when people are stressed and worried and things are high-profile in the media. They exploit peoples’ fears really well.

Sunday World Newsletter

Sign up for the latest news and updates

This field is required This field is required

“The one I’d be most worried about would be the targeted attacks on individuals. That’s a nasty one. It depends on the profile of the data. It depends on who buys it, and how they operate,” he explained.

The HSE yesterday warned people receiving any suspicious calls, texts or other contacts seeking personal or banking details to report these contacts to the Garda confidential line.

“The HSE had meetings on Saturday with Google and Twitter, following on from the High Court injunctions secured last week to prevent stolen data being published across their platforms. They have promised to escalate complaints and deploy bots to identify potentially stolen data online,” it said in a statement.

HSE bosses have hired a company to scour the internet in anticipation of confidential patient records stolen by the gang being offered for sale, and the Garda National Cyber Crime Bureau is working 24-hour shifts monitoring underground websites and hacker forums for the first signs of the data emerging on the internet.

Meanwhile, the threat of personal data being compromised also leaves the HSE in potential difficulty under data protection laws.

HSE chief executive Paul Reid has said they will be talking with the data protection commissioner if the data is published.

Data protection laws state that where a serious harm could be caused to an individual as a result of a data breach, that individual is to be informed without undue delay.

The HSE is likely to face scrutiny on the data hack on two fronts. Not only will it have to answer questions if people’s personal records and details are passed on to others, but it will have to answer how the information was not secured in the first instance.

Yesterday, the Government said there was “sadly, a real risk of patients’ data being abused”.

“We appeal to anyone who may come across this data online not to share it but instead to report it using the tools provided by platforms,” a statement said.

Speaking on RTÉ’s Radio 1’s This Week, Mr Reid said the disruption to health care was likely to continue for weeks rather than days.

He said there had been good progress, particularly in some of the national systems, “like our imaging system which would support scans, MRI and X-rays”.


Privacy