Many of you have heard me mention the “Cyber Mafia.” Some of you chuckle, grin, and raise your eyebrows at first. The rest of you know organized crime is a prevalent and dangerous threat. To drive this point home, I want to share a security incident I read about in the Washington Post this week:
“A posting on Wikileaks.org claims that cyber attackers stole data of about eight million patients from the Virginia Department of Health Professionals' Virginia Prescription Monitoring Program website; they are demanding US $10 million in ransom for their return. The intruders claim to have encrypted the database and protected it with a password. That particular site is presently unavailable as are several others related to the Virginia Department of Health Professionals. The ransom note says that if the money is not paid within seven days, the data will be offered for sale. Federal and state authorities are investigating.”
Cyber extortion isn’t a new threat. Crime syndicates have used massive botnets to launch denial-of-service attacks against gambling and gaming sites before. Only when the ransom is paid does the DoS attack stop. “Protection” is then offered, for a fee of course, to prevent other criminals from launching additional attacks. But what about taking sensitive information, claiming exclusive access, and threatening to sell that data? Sure, it’s also been done before, but this attack is overt and gutsy.
If it’s really that easy to steal 8 million identities from a government agency, then this is a signal to other criminals that there’s money to be made and the fields are ripe for harvest.
I predict there’s more of this to come. But please don’t be fooled -- you don’t have to be a state or federal organization to be targeted. Public, private, or non-profit, if you store, forward, or process confidential and personal information (PHI, SSNs, CCNs, etc.) for clients or employees, then you need to carefully consider the following questions:
1. What’s valuable to your organization, where is it stored, and how is it forwarded and processed within your company?
2. Who has access to it, how do they access it, and from where is it accessed?
3. What does the law say about your security practices from #1 and #2? Do you have a plan to close the gaps?
4. Do you frequently verify that security safeguards are functioning as designed?
Meet with your IT management and Executive team to find the answers. This is more than firewalls, antivirus, and a good security policy. If these answers aren’t “at your fingertips” or available within 1 business day, then we need to connect and chat.
Security focused,
Simon