Recently somebody hacked into a web site operated by the State of Virginia, deleted the records of over 8 million people and left a note on the homepage, demanding $10M to restore the data.
We're talking about 0's and 1's here.
It's not the first time hackers have used data for extortion. Typically they threaten to release potentially damaging data, whereas this time it's closer to kidnapping where they're offering to return the data for a price.
This event underscores the importance of regular backups and disaster recovery. Granted, the brutes should never have had the opportunity to get into the web site in the first place, but a secure perimeter won't solve the problem if it's an inside job. Appropriate seperation of duties and regular testing of data (and system) restoration is critical for peace of mind when it comes to making sure your data is safely guarded.
Luckily, the state of Virginia apparently had appropriate backup and restoration precedures in place.
Do you?
Restoring the data is small beans compared to the probable identity compromise of 8 million people.
ReplyDeleteThe whole field of IDS is living proof that we know that firewalls won't stop hackers and our goal is to now detect when they do.
My question is, does the benefit of having medical records online outweigh the cost of their eventual compromise?
That should have been weighed thorough, and showing that it was placed online, demonstrates that they did not give it enough thought.
Good point, Fu Manchu. Identity and privacy issues are the stickiest. If you're going to put your data online, make sure you've got it approriately protected and backed up. But think twice (or three or four or five times) about whether it needs to be online.
ReplyDeleteI'm uncertain if you were aware of this, but they did pay the ransom and the FBI is still "investigating"...meaning the person(s) still have yet to be caught/charged.
ReplyDelete