Two recent instances of data breaches have shown the dangers of what stolen data can do in the wrong hands. The first of which impacted a Finnish psychotherapy clinic. The clinic suffered a breach two years ago, with the results of the breach only making themselves known now. A threat actor is demanding a ransom for the stolen client database that contains a wealth of confidential information. It is estimated that thousands of patients may have had their information exposed and subsequently be at risk. Thanks to Bleeping Computer many have an article written in English which neatly summarises events.
Psychotherapy Center Vastaamo announced the incident a week before this article was written and according to local sources the threat actor is demanding 40 Bitcoin for the data. At the time of writing, this amounts to nearly 550,000 USD. The threat actor contacted employees of the clinic demanding that the ransom be paid with another local source reporting that at least 300 patient records were leaked via a Tor site to add veracity to the threat actor’s claims. Unfortunately, the reckless attempts to profit from confidential data did not end with demands to the clinic.
The extortionist then began to contact victims who had their data compromised over email and demand 240 USD in Bitcoin to have their records deleted. It is believed that this change in tactics may have been a result of individuals contacting the threat actor directly pleading with the extortionist to delete their records. For the pleasure, the extortionist demanded roughly 650 USD to do as asked. In an age where mental illness still has unwarranted stigmas attached to it, it is little wonder that individuals would contact the threat actor directly. Such information in the public domain can cause undue bias to those who have received treatment, or in some cases still receiving, treatment. Further, the stress caused to patients by the incident is worrying and further adds to the unethical actions of the extortionist.
Much of the extortionist’s tactics have an emphasis placed on privacy. Other than using a Tor site to release portions of data, they have relied on email privacy-oriented email services for communication with victims and the affected clinic. Initially, they used Tutanota, then switched to Protonmail and Cock.li, the latter allowing registration and usage over Tor and similar privacy services. What was believed to be potentially thousands of affected individuals was revealed to be potentially in the tens of thousands when the Finnish National Bureau of Investigation held a press conference concerning the matter on Sunday, October 25. This appears to be confirmed by subsequent actions by the extortionist who for a brief time uploaded 10 GB worth of data, the data contained individuals’ names, social security numbers, postal and email addresses, phone numbers, and therapists' notes on patient appointments.
Vastaamo has been working with several official bodies and security firms to help resolve the matter including the Finnish Cyber Security Center, Valvira, and the Data Protection Commissioner. Further, ethical hackers across Finland are working with authorities to try identifying the culprit via any digital breadcrumbs they may have left. Recent revelations regarding how Vastaamo dealt with the initial compromise may make all subsequent efforts redundant. As mentioned above the original compromise of data likely happened in 2018. This was confirmed in a statement released by Vastaamo on October 27, with the company stating,
“The investigation has revealed that Vastaamo became victim of a data system break-in in November 2018. Some of our customers' confidential information relating to the period prior to the end of November 2018 has been leaked as a result of the break-in. Our system has likely also been accessed between the end of November 2018 and March 2019. According to our knowledge, the database has not been stolen in connection with this, but it is regardless possible that some individual pieces of data have been accessed or copied until March 2019.”
In practical terms, this meant that a threat actor potentially had access to confidential information for roughly four months. What is worse is that CEO Ville Tapio knew about the breach which occurred in March 2019 but decided to keep it a secret from the private clinic’s Board of Directors, authorities, and affected individuals. He has subsequently been relieved of his position. As to helping the potential victims of the incident, Vastaamo is offering victims of the data breach support over the phone, advising on what to do if their private information has been leaked online.
The second incident that highlights the seriousness of data breach involves Ledger, a hardware cryptocurrency wallet. On October 25, 2020, a Reddit user informed informed a cryptocurrency community of a potential phishing scam. Central to the scam was a fake email being sent out to users that their Ledger assets had been compromised and the user is required to provide customer data to rectify the situation. To further scare those receiving the email, it claims that user funds are at risk. While the email looks professional and is convincing it is fake and a well-crafted attempt to steal customer data.
One of the few ways that the fake could be spotted was the addition of a small dot onto one of the characters in the URL which should not be there. This is a common tactic employed in phishing scams to either slightly misspell the URL or to add unassuming characters only the eagle-eyed would spot. While the tactics remain the same across phishing campaigns they can be difficult to spot. However, in this instance, the question is how those behind the phishing campaign managed to get user information, like email addresses. In July 2020, Ledger announced it had suffered a data breach. The company noted,
“On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher’s report and underwent an internal investigation. A week after patching the breach, we discovered It had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database – used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.”
While payment information and cryptocurrency were deemed to be safe, personal information was compromised. This included contact information, like email addresses, and order details. It was estimated that roughly a million email addresses were compromised. Further investigation revealed that 9,500 customers had their first and last name, postal address, phone number, or ordered products. Ledger did inform all those affected by the breach as to the incident and what information was compromised. The company further advised customers that,
“We recommend you exercise caution — always be mindful of phishing attempts by malicious scammers. To put it simply, Ledger will never ask you for the 24 words of your recovery phrase. If you receive an email that looks like it came from Ledger asking for your 24 words, you should definitely consider it a phishing attempt.”
As to the recent phishing incident Ledger stated,
“The investigation is ongoing and at this time we cannot give any additional information but one thing is for certain: Ledger will never ask you for your 24-word recovery phrase, which is a blatant sign of a phishing scam. Ledger encourages customers to exercise caution as phishing attacks become more sophisticated and to alert Ledger’s customer support team and consult Ledger.com for more information on the detection of scams.”
While it is difficult to say for certain that this is how those behind the recent phishing campaign got the information, the leak that occurred in July is the likely culprit. Both incidents highlight the dangers posed to those who have their data compromised via a data leak. The first incident involved victims having extortion attempts carried out by a threat actor with little scruples and concerning medical treatment which if released could cause bias and no small amount of pain for the victim. The second incident shows that with a little bit of information those falling for the scam may have suffered significant financial loss.