The London Bridge Plastic Surgery and Aesthetic Clinic has confirmed in a posted statement that it had been hit with a cyber-attack and data was stolen. The clinic did not say exactly what types of information were compromised.
“The group behind the attack are highly sophisticated and well known to international law enforcement agencies having targeted large US medical providers and corporations over the past year. “We are horrified that they have now targeted our patients,” the clinic said.
The Dark Overlord cyber-gang has at least temporarily moved away from attacking school districts and has turned back to threatening to release celebrity private information. The Daily Beast reported it was contacted by The Dark Overlord, which used one of the clinic's email accounts to show that it indeed had access, to claim responsibility. The Daily Beast was told all the patient records, including some of celebrities and the Royal Family and corresponding photos would be made public and was sent graphic images purportedly gleaned from the clinic's computer system. The sum that the attackers are seeking to extort was not revealed.
“This attack really shows that every business is a potential target to cyber-criminals. The fact they've targeted photos and patient lists is a classic extortion tactic. They've gone for potentially embarrassing information that London Bridge Plastic Surgery customers will be upset if made public, rather than obvious financial data. Organisations need to be reminded that they remain responsible for all information entrusted to them by their customers and make sure their data is fully protected. Organisations need to ensure that firstly, adequate technical defences are in place – including threat intelligence technologies, up-to-date software and operating systems and adequate employee education,” commented David Kennerley, director of Threat Research, Webroot in an emailed statement to SC Media UK.
Javvad Malik, security advocate at AlienVault, adds, “Blackmail, extortion, and even embarrassment opportunities are enough for criminals to go after any form of data. Therefore it is essential that assets are properly identified and classified and appropriate security controls are implemented, not just to protect the data, but also to monitor for threats so it can detect and alert when a breach is occurring or soon after."
For Sarah Armstrong-Smith, head continuity and resilience at Fujitsu UK & Ireland told SC Media UK, ““It's time that businesses recognise that cyber-security is more than a technology issue – it's a ‘people' issue. After all, there is a general lack of enforcement relating to IT and security related policies, with an assumption that users are actively following policies or have understood the ramifications for failure to follow the policies as prescribed. Despite the cyber-skills shortage, a lot can be done to improve user awareness and training as the first line of defence to protect companies from data leakage and attacks. Whilst companies will, of course, still need to invest in appropriate technical and security controls or work with cyber-partners to achieve this, upskilling users and making them more cyber aware is one of the most cost effective ways of reducing the probability and impact of human error.
“With cyber-attacks increasing in severity, and with the GDPR on the horizon, if we are to ensure our industries remain competitive and secure, t's critical that businesses enhance their first line of defence against cyber-attacks: their workforce.”
In a separate US breach, security researchers report 47GB worth of sensitive medical records belonging to an estimated 150,000 Americans were inadvertently left exposed in an unsecured Amazon server. Kromtech Security Researchers said the exposed documents were associated with healthcare firm Patient Home Monitoring (PHM), which provides in-home monitoring and disease management services for patients in the US. Paul Edon, director at Tripwire, commented on this breach saying, "With consumers and businesses shifting their data to the cloud, criminals are moving their scopes to follow the data. Therefore, taking responsibility of where and how that information is being stored is paramount, especially when it involves such critical information. Storing your data in the cloud does not mean it is magically protected. This is why configuring systems correctly gives your organisation the best chance to protect the data. Failure to do so shows negligence to security which in this case, has unfortunately left 150,000 patients exposed. This isn't rocket science or brain surgery, it's basic 101 information security – CONFIDENTIALITY, integrity, and availability."