While the media is still coming to terms with the Newfoundland hack, the real conversation should be around privacy reform.
For the last week, Canadian media has been dominated by news of a major hack of the Newfoundland healthcare system. Of course, the media being the media, they naturally dress up the story by calling it a “cyberattack” – a term that sounds rather menacing, but ultimately holds little meaning. Still, what is known is that the system was hit with a ransomware attack. From the CBC:
One cybersecurity expert says the cyberattack on the Newfoundland and Labrador health-care system may be the worst in Canadian history, and has implications for national security.
David Shipley, the CEO of a cybersecurity firm in Fredericton, said he’s seen similar breaches before, but usually on a smaller scale.
“We’ve never seen a health-network takedown this large, ever,” Shipley said in an interview with CBC News. “The severity of this is what really sets it apart.”
Discovered on Saturday morning, the cyberattack has delayed thousands of appointments and procedures this week, including almost all non-emergency appointments in the Eastern Health region.
After refusing to confirm the cause of the disruption for days, Health Minister John Haggie said Wednesday the system has been victim of a cyberattack.
Sources have told CBC News the security breach is a ransomware attack, a type of crime in which hackers gain control of a system and hand back the reins only when a ransom has been paid.
Shipley said more than 400 hospitals in Canada and the United States have been subject to ransomware attacks since the beginning of the pandemic. He said hackers target hospitals and health-care systems because of the urgent, tangible impact on everyday people.
There are a number of takeaways you can get out of that. First is the fact that this was the result of ransomware. While there are plenty of ways to deploy ransomware, we can name a few ways ransomware can make its way onto a computer system that are entirely preventable.
The first thing that comes to mind for us is spearphishing. This comes in the form of an e-mail. Typically, the malicious e-mail suggests that the recipient’s information has been compromised and that their account has been locked. A malicious link is included, and the person needs to click on that link. Upon clicking on that link, that person would get hit with a drive-by download which silently installs the malware. As an added bonus, the site will look like an official page where the user is prompted to type in their username and password – thereby giving the hackers access to whatever the victim has access to.
An important distinction is that spearphishing is targeted. This means that the attacker did some research on their victim (be it the organization or the individual) to tailor the attack accordingly. This is different than standard phishing where the victim is more or less targeted randomly with no research involved.
A second possibility here is that an e-mail with a malicious attachment was sent. It really could be anything like, “important document, see attached” or whatever. Once the attachment is clicked, the malicious software is downloaded and makes its way into the system.
A third possibility is that someone left a malicious USB stick sitting around near the targeted organization. An employee would then be curious and pick it up. That person would then be curious about the contents of the USB stick and plug the stick into a computer. The moment that USB stick is plugged in, game over. That malicious code is already infecting the system. This requires the attacker to, at least at some point, be in the vicinity of the building, so a bit more work is required on the attacker’s part.
All of this is entirely preventable, of course. Preventing the first two possibilities is basically a matter of teaching basic common sense: don’t click on anything you don’t know anything about. The latter is prevented by ensuring every device is clean and secure before entering the building. One possibility is to have a designated PC, not connected to the Internet, specifically devoted to cleaning out devices. Alternatively, ban unauthorized devices altogether, which is definitely a much less fun thing to have.
As of now, the investigation is still ongoing, but the reports do suggest that people’s personal information has been compromised. The talking point is that there is no evidence that the data was misused which is basically like putting a fig leaf up onto a massive oil spill and saying, “Everything is fine. Nothing to see here”. The data has been accessed, game over. For all we know, that data has been packaged up and put on the dark web for thousands of dollars.
Of course, missing in all of this is the idea of privacy reform. While Canadian privacy reform received broad party support back in 2019, lobbyists came knocking and the government basically stalled the legislation until an election was called, causing Bill C-11 to die on the order paper. To this day, there has been little to no motivation to revive it.
As we’ve said so many times before, the killing of Bill C-11 was probably the best news identity thieves and hackers have ever heard coming out of Canada. This is because actual laws with teeth might compel businesses to actually lift a finger and do something to protect people’s personal information. Without that incentive, companies are free to simply do little to nothing to secure people’s data. When the data is inevitably compromised, corporations can simply say, “Oops. Sorry, it won’t happen again.” and proceed to do nothing about it. This is because, apart from possible litigation from private citizens, there are no consequences for leaving personal information unsecured.
The reality is that hacks, leaks, and breaches happen on a near-regular, often daily, basis. The only thing accomplished by making actual privacy reform bills disappear is sweeping the problem under the rug. The problem doesn’t go away. In fact, it only makes things worse. People’s lives quite often get ruined because of this. It also sends a message to hackers that Canadians are an easy target. These days, major hacks and security incidents are often just left up on smaller sites and specialized sources. It just so happens that, this time, someone managed to break into a government system, the media picked up on it, and it became a particularly high-profile story in Canada.
Because of that, the conversation really needs to be about why Canada still hasn’t reformed its privacy laws even though the evidence is all around and piling up on such a regular basis. Organizations get hacked at a frightening pace and we, as a society, simply choose to ignore the problem.
In 2018, Europe, much to the fury of business, chose to actually do something about this problem by enacting the GDPR (General Data Protection Regulation). While some called it unnecessary, it basically proved that not only was privacy reform like this needed, but the problem of sensitive information being leaked or stolen is a much bigger problem than anyone anticipated. By 2019, GDPR regulators found themselves dealing with a staggering 59,000 breaches on record. By 2020, the incidents they were tracking topped 160,000.
The debate surrounding GDPR quickly went from whether or not such a law is necessary to whether regulators can even come close to keeping up with such a massive problem of keeping people’s personal information secure. Delays in issuing fines against companies, due to the sheer volume of cases, became one of the major problems with GDPR. Can Europe even muster up the manpower just to keep up with it all? Suffice it to say, lawmakers in Europe knew there was a problem, but the severity was very easily underestimated.
In fact, websites have even started setting up tracking features just to showcase the fines finally handed down. Just browsing the cases shows just how breathtakingly huge the problem of properly securing personal information has been.
Another point of controversy with the GDPR is that maybe the penalties aren’t even enough. Just last month, one report went so far as to mock a draft fine being filed against Facebook. In that case, Facebook faced a fine of $38 million – a fine which the report suggests would take Facebook two and a half hours to cover with their ad revenue. So, for some, the GDPR didn’t even go far enough.
If all this is happening in Europe, it really makes you wonder just how bad things are in Canada – only we don’t know how bad the problem is because the Canadian government continues to sweep everything under the rug. If we are going to talk about the Newfoundland data breach, we should also be having a conversation on why the federal government continues to not get off their lazy rear ends and do something about this problem. Europeans, at least, partly got their act together, so what is Canada’s problem anyway?
So, while some might just look at the breach and say, “wow, that sounds problematic”, the conversation really should be more along the lines of, “wow, that breach is bad, why doesn’t the government reform privacy laws so we can start fixing these problems?” After all, that really is the elephant in the room in this story.
Drew Wilson on Twitter: @icecube85 and Facebook.