At a glance.
- ICMR website targeted with series of attacks.
- ICO releases list of formerly undisclosed data protection incidents.
- New Zealand attack impacts coroner data.
ICMR website targeted with series of attacks.
India.com reports that on November 30 hackers attempted to infiltrate the website of the Indian Council of Medical Research (ICMR) approximately six thousand times over the span of twenty-four hours. According to the Hindustan Times, five of the ICMR’s one hundred physical and virtual servers were corrupted by the attacks. However, Business Today explains, officials say security measures on the ICMR website prevented the hackers from infiltrating the platform. A government official stated, "The contents of the ICMR website are safe. The site is hosted at the National Informatics Centre (NIC) Data Centre, hence the firewall is from NIC which they regularly update. The attack has been prevented successfully.” For the past two days, experts from CERT-IN, the NIC, and the National Security Council Secretariat have been conducting trials to test the resilience of the system to future attacks.
The attempted attacks occurred just days after the All India Institute Of Medical Science was hit with a ransomware attack, also in late November. Headquartered in New Delhi, ICMR is considered one of the oldest and largest medical research bodies in the world. An NIC official says the series of ICMR attacks were made from a Hong Kong-based blacklisted IP address, and SingCERT, the cyber security agency of Singapore, has previously warned that China was running drills to test the resilience of Indian government systems.
ICO releases list of formerly undisclosed data protection incidents.
On Tuesday the the Information Commissioner’s Office (ICO), the United Kingdom’s data protection regulator, published the details of over two dozen data protection incidents that led the ICO to issue reprimands. Typically, the ICO only publishes incidents that result in fines, but the office has introduced a new policy in which it will also publish instances of reprimands, “unless there is a good reason not to, such as matters of national security or that it is likely to jeopardize any ongoing investigation.” As a result, many of the newly released incidents have not been previously disclosed, and as the Record by Recorded Future notes, they demonstrate the wide range of the ICO’s oversight. Some of the cases include leaks where domestic abuse victims had their locations shared with their abusers, and one incident resulted in an individual being wrongfully arrested for child sexual abuse. The ICO explained, “Ultimately, we want to be transparent with the public when we hold a business or organization to account and what they need to do to improve their practices. We also want the wider economy to learn from those reprimands. By reading about where an organization failed to comply with data protection laws, we hope that others will understand what went wrong and what they need to do if they find themselves in a similar scenario.”
New Zealand attack impacts coroner data.
New Zealand’s Ministry of Justice and Te Whatu Ora, the organization that oversees New Zealand’s health system, has disclosed it experienced a cyberattack that has impacted access to 14,500 coronial files and about four thousand post mortem reports held by external IT provider Mercury IT. RNZ notes that thousands of records concerning bereavement care services at Auckland's Middlemore Hospital and the Cardiac and Inherited Disease Registry have also been impacted. The Privacy Commissioner's office says it was informed of the attack on November 30, and an investigation has been launched. A spokesperson stated, "Urgent work is underway to understand the number of organisations affected, the nature of the information involved and the extent to which any information has been copied out of the system. The Office of the Privacy Commissioner is planning on opening a compliance investigation into this incident so that it can make full use of its information gathering powers." The spokesperson also asked that anyone who finds any of the data avoid sharing it and contact the proper authorities. While the Ministry of Justice and Te Whatu Ora have said there was no evidence of any unauthorized access to the files, the ministry's chief operating officer Carl Crafar said they could not rule out the possibility.