Cyber attacks and data breaches in review: July to December 2020

It would be easy to say that 2020 was a year to forget, but I don’t think any of us will be able to do that for some time.

Besides, as much as we’d like to ignore the past, it can be instructive – particularly when it comes to cyber security, where organisations often make the same mistakes over and over again.

So, as you start your preparations for 2021, it’s worth reminding yourself of the lessons we can take from it with our cyber security review of the year.

We published part one at the end of last year, and you can find part two – in which we look at July to December – below.


July

The Twitter account of Russia’s Foreign Ministry’s Crisis Management Centre was hacked in July, and the perpetrators tweeted that they were selling stolen information.

The message advertised a database containing details of tourist payments to the Public Services portal of the Russian Federation. Anyone interested in the information could seemingly purchase it for 66 bitcoins (about €631,000).

The message was likely part of a wider attack on the Russian government, because the hackers clearly wouldn’t have been able to access this information simply by compromising a Twitter account.

However, the circumstances of the attack (criminal hackers rarely advertise their attack so publicly) suggest that it’s equally possible that no such database was breached.

If this was the case, the perpetrators may have been politically motivated and trying to discredit the Russian government’s cyber security practices.


August

The same month that Ireland’s Health Service Executive was revealed to have leaked 1,400 medical files, County Cork woman Rachel Healy revealed that she was twice emailed medical files containing other patients’ diagnoses.

The first breach occurred on 5 August, when Union Quay Medical Centre sent Healy information about another patient’s mental health diagnosis.

Nine days later, on 14 August, she received a patient’s STI results from myclinic.ie, a Dublin-based GP practice.

Healy told the Irish Mirror that she deleted the file she received from Union Quay Medical Centre, but after the second breach she felt compelled to make the incident public.

She added: “After receiving both files within nine days I started to think, ‘has my medical information from any practice ever gone to someone it shouldn’t have?’

“Ireland is so small. If I had wanted to, I had all of that woman’s information and I could have contacted her or if the file got into the wrong hands it could have appeared on social media.

She added: “I believe it’s easy for patients to receive stuff via email but I don’t think medical results or medical information should be in any way emailed to people. If you have to send information like that, post it.”


September

The French shipping firm CMA CGM confirmed in September that it had been hit by the Ragnar Locker ransomware strain.

The organisation initially denied the attack but later admitted that it was suffering ongoing disruption after being locked out of its systems.

In a message sent on 27 September, the criminals demanded that CMA CGM respond within two days via live chat to arrange payment for the decryption key.

Following the attack, CMA CGM shut down its IT operations to prevent the malware spreading and advised staff across Europe not to use company equipment.

CMA CGM Vice President Joël Gentil said: “We are progressively resuming connectivity so in some instances bookings can be taken online, but where customers cannot get online they can call their local offices. The situation is coming back to normal. It will take a few hours.”


October

The Finnish therapy clinic Vastaamo fired its CEO Ville Tapio in October, after he covered up a data breach in which patients’ personal details and notes taken during their sessions were exposed.

The hacker is thought to have stolen session notes from as many as 40,000 patients, including many children – with a 10 GB file containing private notes related to at least 2,000 patients already published on the dark web.

After demanding that Vastaamo pay a €450,000 ransom, the attacker emailed victims in an attempt to extort €200 worth of Bitcoin.

Victims were told that if they didn’t pay up within 24 hours, the ransom would increase to €500 and that after another 48 hours the information would be published online.

An investigation revealed that the database of customer details and session notes was first breached in November 2018, and that there was a second security incident in mid-March 2019.

Tapio was reportedly aware of this but didn’t inform the appropriate data protection authorities or other members of Vastaamo’s board.

The breach wasn’t made public until 21 October 2020, and Tapio was dismissed the following week.


November

On 19 November, the Paris–Normandie newspaper confirmed that it had been hit by a cyber attack that disrupted its systems and its website.

As a result, it could only publish a single regional edition on Thursday rather than the normal three.

The newspaper declined to comment when asked whether the incident was the result of ransomware. However, two journalists from the paper confirmed that the attackers had demanded a ransom.

It’s unclear whether the Paris–Normandie intends to pay up, although cyber security experts advise against it. This is because it marks the organisation as a soft target for future attacks, and the funds could be used to launch other criminal operations.

A few days after the attack, another French newspaper, this time the Ouest-France Group, said that it had also suffered a cyber attack.

The Ouest-France Group explained that it would be publishing fewer editions of the newspaper to ensure that its beleaguered systems could cope, and François-Xavier Lefranc, the newspaper’s editor in chief, said that it would take some time to investigate and rectify the damage.

He added that it isn’t the first time that the group had come under attack, but that this one was particularly aggressive.

There is no evidence that this attack was related to the Paris–Normandie attack, but given the timing and the similar effect they had, it wouldn’t be a surprise if a single criminal hacking group was responsible for both.


December

The final few weeks of the year are often a quiet time in the cyber security sector, with businesses winding down for Christmas. 

Unfortunately, much like the rest of 2020, there was an unwelcome surprise waiting, with the cyber security giant FireEye announcing that it had been targeted by a sophisticated cyber attack.

The attackers stole an arsenal of hacking tools that FireEye uses to test the defences of its clients, which include an array of government and US national security agencies.

These tools could cause untold damage in the wrong hands, which is why this incident is being described as “among the most significant breaches in recent memory”. 

Matt Gorham, the FBI’s assistant director for the Cyber Division, said that, although the incident is still under investigation, preliminary indications show that the perpetrator’s methods were highly sophisticated and consistent with a nation state attacker. 

A former Defense Department official familiar with the case said Russia was high on the list of suspects. 

The good news is that there is no evidence so far that the tools have been used by malicious actors – but the way this year has been, perhaps there is one final blow to come. 

Presuming that’s not the case, it brings us to the end of our cyber security review of 2020. 

You can find monthly updates such as these on our blog. Make sure you subscribe to our Weekly Round-up to catch them.
