The recently hacked Clinical Diagnostics laboratory in the Netherlands paid millions of euros in ransom to cybercriminals from Nova. The Rijswijk-based lab hoped to prevent more stolen medical data from appearing on the dark web. The hack affected 485,000 Dutch women who participated in the population screening for cervical cancer.
The data breach was only reported a month after it was discovered. A spokesperson for the Dutch population screening program called the late report “shocking.” Failing to act promptly is a violation of the GDPR, which requires organizations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. The delay also raises the risk of successful phishing: as long as victims do not know that their data has been stolen from a third party, a targeted email that uses those details can appear entirely legitimate, whereas people who have been notified of a breach are more likely to treat such messages with suspicion.
For the 485,000 women affected, this incident represents a serious violation of their privacy. The stolen data includes names, addresses, social security numbers, and medical information such as Pap smear results and self-test results. Beyond the data of these 485,000 women, other records were also stolen, including data from skin, urine, and penis examinations.
Nova’s modus operandi
Nova is a relatively new ransomware group that has been active since the end of March. The collective has now hacked 34 companies or organizations. The most well-known victim is from Italy, where they shut down the computers of the municipality of Pisa and stole 100 gigabytes of data.
The group’s dark web communications show that it regards Clinical Diagnostics’ parent company Eurofins as the real target: the criminals consistently refer to the victim as Eurofins rather than Clinical Diagnostics.
Confirmation of payment
Ransomware group Nova has confirmed to Dutch news organization RTL Nieuws that a ransom has indeed been paid. The exact amount remains unknown, but according to sources, the cybercriminals demanded millions of euros. The attackers based their demand on a simple formula: 2 percent of annual turnover or assets. For Eurofins, this amounts to around 80 million euros in assets, which would bring the amount demanded to 1.6 million euros.
Of the total 300 gigabytes of data stolen, the criminals have only published 100 megabytes on the dark web. This small portion contained the data of 53,516 patients, including that of a minister and a member of parliament.
The laboratory does not want to officially confirm the payment, but hints at it on its own website: “We currently have no indications that the attacker will proceed to leak the copied data.”
Amateurish approach
Despite this partial leak, cybersecurity expert Rickey Gevers considers the chance that the data will actually be deleted after payment to be “extremely high.” “These criminals had much more data and only published a small portion to increase the pressure, and they were successful.”
Publishing a small sample is a common tactic: it proves the criminals hold the data and signals what a full disclosure would mean. The Dutch Population Research Institute has temporarily suspended its cooperation with Clinical Diagnostics until guarantees for secure data processing are provided.