At a glance.
- Wizard Spider's ransomware attack on Ireland's HSE.
- Air India's third-party exposure.
Updates on Ireland’s HSE data breach.
As the CyberWire noted last week, Ireland’s Health Services Executive (HSE) is dealing with the aftermath of a Conti ransomware attack that is being called the largest breach in the country’s history. The Independent offers a thorough overview of the incident so far. Today marks the deadline for the Irish government to meet the threat actors’ $20 million ransom demand, but Minister for Public Expenditure Michael McGrath confirmed to the Irish Times that the government will not comply: “The State will not be paying a ransom and we have been unequivocal about that since the very beginning.” Minister for Further and Higher Education Simon Harris told the Irish Examiner there’s a strong chance the cybercriminals will begin leaking the 700GB of exfiltrated data. “There's some evidence that it may already have happened in some instances and that's been verified by the gardaí,” he stated. The gardaí are bracing themselves for the fraud that will likely follow the publication of the sensitive data, the Irish Times reports. Citizens have been advised that no health officials would request payment or sensitive data via email or phone. The BBC reports that the HSE has secured a High Court injunction preventing anyone -- including businesses and social media platforms -- from sharing or selling the stolen information, which limits the threat group’s ability to distribute the data.
Meanwhile, health officials are struggling to decrypt the HSE’s systems in order to restore services to patients nationwide. RTE.ie explains that officials had developed a decryption tool based on the one Conti offered, but Stuff reports that New Zealand cybersecurity company Emsisoft has supplied the HSE with a stronger, safer alternative free of charge. Emsisoft chief technology officer Fabian Wosar stated, “So far, the feedback has been quite positive and, obviously, we are delighted that we can help them and ultimately the Irish people, especially given the continued global pandemic.”
Air India suffers third-party data breach.
Bleeping Computer reports that the data of approximately 4.5 million Air India customers was exposed as the result of a breach the airline’s Passenger Service System provider SITA suffered two months ago. In March, Air India notified passengers that third-party vendor SITA had been attacked, but TechCrunch explains that at the time, SITA did not divulge exactly what data had been compromised. This weekend the airline reached out to customers confirming their data was potentially exposed and urging them to reset their account credentials. “The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers,” Air India’s official statement reads. The data exposed, which was collected from August 2011 to February 2021, includes names, dates of birth, passport information, frequent flyer details, and credit card numbers, though no passwords or CVV/CVC numbers were accessed.
ZDNet adds that SITA serves around 90% of the world's airlines, and nearly a dozen other air carriers were also impacted, including Lufthansa, Air New Zealand, and Singapore Airlines. Inc42 Media explains that the breach is the second recent airline breach impacting India, as Indigo Airlines was attacked in December, and according to the Indian Computer Emergency Response Team, over 26,000 Indian websites were hacked in 2020. Bloomberg explains that Indian government officials stated in January 2020 that they planned to launch a new cybersecurity policy to combat the increase in cybercrime, but there has been no update since then.
We received some comment from Tim Erlin, VP, product management and strategy at Tripwire, who had some observations about recovery:
“When responding to a breach, it’s imperative, but difficult, to return your environment to a trusted state. Knowing what that trusted state looks like is a key step, and one that is best completed before the incident occurs.
“While ransomware might be grabbing the headlines lately, it’s important to remember that there’s plenty of plain old sensitive data theft still out there. Unfortunately, adding new attacks into your threat model doesn’t always mean you can remove the old ones.
“One of the consequences of a more interconnected world is the increasing aggregation of sensitive data, which provides significant benefits in customer experience, but also more attractive targets for attackers. Repositories of customer data that span multiple commercial entities, housing data on literally millions of people, are juicy targets for data thieves.”
We also heard from Trevor Morgan, product manager with comforte AG, who discussed why airline management systems are attractive targets:
“Attackers often target central airline management systems. They present attractive targets because passenger data persists for booking management purposes over long periods of time. Passenger data is quite sensitive, too, including financial data, identity information, reservations, passports, and travel history data. Penetrating one of these systems presents a gold mine of information for attackers to hold hostage or sell.
“By its very nature, travel data is global and therefore falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. Airline and travel companies need to get the message that they have an ethical responsibility and a legal mandate to do everything they can to protect passenger information. Bare minimum data protection just won’t do. This data, especially, should always be protected with data-centric methods such as modern data tokenization or format-preserving encryption technology. These data security methods protect the data itself rather than the perimeters around or access to it. By obfuscating the sensitive parts of data with benign tokens, data-centric security deters attackers from leveraging any data they steal. As we can see with the SITA incident and its effect on Air India, passenger data is vulnerable to compromise and should be tokenized at first touch to head off any detrimental effects if it falls into the wrong hands. That way, no matter where the passenger—or the data—travels, the data remains secure.”
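A small illustration of the tokenize-at-first-touch approach Morgan describes, added here as an example and not code from comforte AG or any product: a vault-based tokenizer replaces passport and card numbers with random, format-preserving tokens before the passenger record reaches booking systems, so a copy lifted from those systems carries no usable identifiers. The TokenVault class, the field names and the sample record are constructed for this example.

```python
import secrets
import string

# Constructed sample passenger record for the example (not real data).
PASSENGER = {
    "name": "A. Example",
    "passport": "N1234567",
    "card_number": "4111111111111111",
    "frequent_flyer": "FF-900001",
}

# Fields treated as sensitive; everything else stays in the clear.
SENSITIVE_FIELDS = ("passport", "card_number")


class TokenVault:
    """Vault-based tokenization: a token carries no information about the
    original value, and the mapping lives only in the vault, which in a real
    deployment would be a separately protected, access-controlled store."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _format_preserving_token(value):
        # Keep length and per-position character class (digit vs letter) so
        # downstream systems that validate field shape still accept the token.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        if value in self._value_to_token:  # same value always maps to one token
            return self._value_to_token[value]
        while True:
            token = self._format_preserving_token(value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Only a caller with vault access can recover the original value.
        return self._token_to_value[token]


def tokenize_record(record, vault, fields=SENSITIVE_FIELDS):
    """Tokenize at first touch: the record handed onward holds tokens only."""
    return {k: vault.tokenize(v) if k in fields else v for k, v in record.items()}
```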