Cyber attacks and data breaches in review: October 2020

We recorded 117 publicly disclosed cyber attacks and data breaches in October 2020, making it the leakiest month of the year so far.

It surpasses September’s total of 102 incidents, and marks the third month in a row in which the total has increased.

As always, we look at some of the more notable incidents affecting European organisations in this blog.

Therapy clinic’s CEO fired amid disastrous breach handling

The Finnish therapy clinic Vastaamo fired its CEO Ville Tapio last month, after he covered up a data breach in which patients’ personal details and notes taken during their sessions were exposed.

The hacker is believed to have stolen session notes from as many as 40,000 patients, including many children – with a 10 GB file containing private notes related to at least 2,000 patients already published on the dark web.

After demanding that Vastaamo pay a €450,000 ransom, the attacker emailed victims in an attempt to extort €200 worth of Bitcoin.

Victims were told that if they didn’t pay up within 24 hours, the ransom would increase to €500 and that after another 48 hours the information would be published online.

An investigation revealed that the database of customer details and session notes was breached in November 2018, and that there was another security incident in mid-March 2019.

Tapio was reportedly aware of this but didn’t inform the appropriate data protection authorities or other members of Vastaamo’s board.

The breach wasn’t made public until October 21, 2020, and Tapio was dismissed the following week.

Former Finnish MP Kirsi Piha was one of those affected by the leak. She posted a screenshot of the ransom message and a defiant response that there is nothing shameful about seeking help through therapy.

Victim Support Finland has published advice for those affected by the incident.

University Hospital Limerick posted patient data on Twitter

University Limerick Hospital is writing to 630 patients whose personal details were posted on Twitter last month.

The information, which includes patients’ names, dates of birth and medication that they received, was stolen from one of the university’s computer systems.

The incident affects those who attended the hospital’s Emergency Department last April.

In a statement, the University Limerick Hospital wrote:

The data in question was extracted from an automated system used in the ED to dispense medication safely. It was extracted, without HSE knowledge or approval, by an employee of a company which was then supporting this system; and not by any employee of the HSE.

The hospital became aware of the breach on 29 May, and notified Gardaí and the Data Protection Commission.

However, it is “only now writing to patients as it has taken some time for UL Hospitals Group and the HSE to understand the nature and extent of the breach”.

German infectious disease agency hit by criminal hackers

The Robert Koch Institute for infectious disease control was a hot target for criminals last month. Der Spiegel reported that the organisation suffered a cyber attack days before its headquarters was struck by arsonists.

The institute, which is based in Berlin, coordinates public health measures to address the coronavirus pandemic, suggesting that the attacks may be politically motivated.

Chancellor Angela Merkel and regional leaders were at the time considering another national lockdown. This was a decision most people supported, but conspiracy theorists and the far right have staged protests throughout the pandemic.

Neither incident resulted in the loss of data, with the cyber incident merely knocking the organisation’s website offline for two hours in a DDoS (distributed denial-of-service) attack.

The Robert Koch Institute declined to comment on the incident.
