CarePartners didn’t seem to care about a hacking group that stole their patients’ sensitive records and demanded a ransom payment for them, but now a certain cybercriminal has decided to put the breached records up for sale on the underground market.
Two months ago, CarePartners, an Ontario-based home care service provider, publicly disclosed that it had suffered a data breach in which patients’ information was “inappropriately accessed”. There hasn’t been much information about the breach since their official breach statement, but a threat actor has now taken steps to monetize the harvested data by offering it for sale on the dark web.
According to information obtained by Digiss LLC, over 200 Gigabytes of data is up for sale. This includes medical records of over 80,000 patients for the last 8 years, personally identifiable information, medical supply order forms, discharge medical files, clients’ cardholder data (containing expiry dates and CVV) and so forth.
The “whole package”, as can be seen in the screenshots below, is being offered to interested buyers at 2.5 Bitcoins (about $16,500) by a cybercriminal who goes by the handle SkySore. We were unable to determine whether this individual belongs to the group that originally compromised CarePartners’ network.
It is worth noting that this was not a ransomware attack where the victim could have simply restored from backed-up data and moved on. It is what I call Datanapping: the attacker steals the data and threatens to sell it to the highest bidder if the victim organization fails to pay the demanded ransom.
Best practice is to NEVER PAY, even though you will still be made to pay by suffering one or all of the following negative outcomes: reputation damage, a depressed stock price, negative media attention, litigation or regulatory fines, among others. There’s no guarantee that an organization breached and blackmailed in this manner would avoid any of the aforementioned outcomes even if it paid the demanded ransom. I don’t think cybercriminals do integrity, so double dipping should come naturally to them.
Apparently aware that this breach could cost CarePartners up to $500,000 in regulatory fines if it were found to be a case of dereliction of duty (of care and diligence), the attackers claimed that the breach was “completely avoidable”. According to them, a fix for the exploited vulnerability became available 2 years ago, while none of the data lifted was encrypted at rest.
In 1789, Benjamin Franklin wrote that “in this world nothing can be said to be certain except death and taxes”. Well, cyber attacks joined that list a few years ago. That notwithstanding, if your organization is ever going to get breached, be sure to limit the impact by adhering religiously to basic cyber hygiene practices. According to a very credible study conducted by the Ponemon Institute in 2016, most (60%) cyber attackers move on to softer targets after about 40 hours of unsuccessful repeated attempts to breach an organization’s cyber defenses.
This incident, like others before and after it, is a stark reminder of what can happen when stakeholders within an organization fail to pull their weight. Cyber security is everyone’s responsibility; when everyone pulls in the same direction, defeating the adversary becomes much easier.