Dutch lab paid off cybercriminals, but full-scale data leak looms

The Nova hacker group has already received a ransom payment from its victim, Clinical Diagnostics. That appears to have been insufficient: according to the gang, at least, one of the agreements made with it has been violated.

Participants in the National Population Survey are facing a data breach due to a cyberattack on the Clinical Diagnostics laboratory. Some of the stolen data has already appeared online. This is often a negotiating tactic used by hacker groups to put pressure on the victim: pay up or the data breach will be even bigger.

Clinical Diagnostics seems to have been sufficiently alarmed by the attack to transfer ransom money to Nova, the hacker group behind the infiltration. As a result, only 100 MB of the total 300 GB of data was to be published. Now, the data of all 485,000 women who participated in a cervical cancer study could be published online.

The data in question consists of smear tests carried out by general practitioners and self-tests processed by Clinical Diagnostics. This includes information such as names, home addresses, social security numbers, and medical test results. A countdown clock is set to expire in ten days, by which time another large sum must be transferred.

Agreements violated?

According to Nova, the Rijswijk-based laboratory has “breached agreements.” No specific agreement has been mentioned, but it may concern the involvement of the police in the case, as Dutch news organization RTL Nieuws previously revealed.

The data breach was only reported to the parties involved a month after it was discovered. This delay led to sharp criticism from Bevolkingsonderzoek Nederland (Dutch for Population Research Netherlands), which called the course of events “shocking.”

Bevolkingsonderzoek Nederland has temporarily suspended its collaboration with Clinical Diagnostics. For the women affected, this situation means a new period of uncertainty about their highly personal medical data.

No guarantees

The incident highlights how brittle an agreement with cybercrime gangs can be. If we accept Nova's claim that some agreement was breached, it only goes to show that criminal tactics instill the intended fear and lead to bad decisions. It is illegal to hide a cyber incident of this type from the authorities, which means any understanding with Nova may lead to legal turmoil down the line. Although the instinctive reflex may be to protect the data at all costs, in effect, it is already lost to the outside world. Even if Clinical Diagnostics were to pay up once more, it has failed to do the number one thing it ought to have done: report the incident as soon as it was able to do so. Prompt reporting ensures that victims, authorities and external security teams can provide assistance, even if the consequences are grave anyway.

This isn’t to say a ransom payment is incomprehensible. Those entrusted with sensitive data may feel it is their duty to siphon off some of their revenue in order to protect their legitimacy, customers, and future source of income.