The cybercriminal group Lockbit finally made good on its threats and began to release, on Friday, September 23, the data that the hackers they were stolen a month earlier from the Corbeil-Essonnes hospitalduring a computer attack that had seriously disrupted the activity of the health establishment.
According to the findings of WorldThe group, some of whose members are suspected of operating from Russia, made a file of more than 11 gigabytes available on its site, claiming it contained confidential hospital documents.
What does the disclosed data contain?
In a press release published on Sunday, September 25, the Hospital Center of the South of Ile-de-France confirms that cybercriminals from the Lockbit group spread the data stolen during the cyberattack. The hospital group explains that the disseminated elements refer to users, officials and collaborators of the hospital. More specifically, the institution believes that “some of[s] administrative data including the NIR (social security number) and[s] health data such as test reports » are among the documents released by the cybercriminal group. However, the press release states that “The commercial databases of the South Ile-de-France Hospital Center, which include personalized patient files and files related to human resource management, have not been compromised”.
On the Lockbit site, a compressed file of more than 11 gigabytes has been put online and is available for download, but the data is difficult to access, the servers used by the group to host it do not offer the possibility of downloading it quickly. . Therefore, it is difficult, at the moment, to independently verify the exact content of the data spread by hackers.
What can hackers do with it?
In some cases, the stolen data may contain user passwords, which can then be used to hack into your email box or other accounts, if the same password has been used across multiple services.
In most cases, personal data leaks are primarily of interest to hackers who then want to use them in phishing campaigns (identity fraud in English) and hack into confidential accounts. The danger for the victims of these data breaches persists in the months and years to come: information such as last name, first name, Social Security number, telephone number, and email address, for example, can be found compiled into larger databases. resold or distributed on the black market.
This information is then often used to refine marketing campaigns. identity fraud and make a fake email from Medicare, for example, or a bank, more believable. the Ameli’s accounts have been particularly targeted lately for this type of campaign, not least because hackers seek to use this initial access to connect to the personal training account of targeted Internet users.
Is this leak on an unprecedented scale?
Of the 700,000 inhabitants to whom the Corbeil-Essonnes hospital offers health coverage, it is currently difficult to know the exact number of patients affected, but the establishment “is fully mobilized to inform individual patients as well as their staff members involved”assures Agence France-Presse of the entourage of the Minister of Health, François Braun.
Still, this spread of stolen data is far from the first: for several years now, attacks affecting the French healthcare sector have multiplied. In February 2021, for example, an Internet user freely disseminated, in a now closed discussion forum, a file containing the data of 500,000 French citizens having undergone examinations in various laboratories in recent months. The document collected personal data, Social Security numbers as well as sensitive health information related to the treatments or pathologies of the people identified in the file. The case led the CNIL will sanction the software publisher Dedalusfound guilty of failing to sufficiently secure the tools offered to health labs, but the person who exploited these flaws to retrieve the data has not been arrested.
In September 2021, the Assistance Publique-Hôpitaux de Paris (AP-HP) hospitals reported a data leak involving approximately 1.4 million people. This leak dates back to mid-2020 and affected people who had been tested for Covid-19 at AP-HP facilities. Hospital teams detected the problem and notified affected users, but the file containing the data was not published directly online. A few days after the announcement of the robbery, a suspect was arrested in connection with this case and charged.
What is “double extortion” used by hackers?
So-called “double extortion” – the act of exfiltrating data and threatening to publish it to put pressure on its victims – a method that has emerged in the last three years, was not immediately adopted by all ransomware groups. Many French hospitals and healthcare facilities have been affected by ransomware attacks without this leading to the dissemination of sensitive data.
The Clop group, for example, suspected of having attacked the University Hospital of Rouen in 2019, does not seem to have posted data on your site at the time. it’s the same for dax hospital center Y villefranche-sur-saone hospitalboth attacked by a group known as the Ryuk.
Data stolen from the group of hospitals in the Cœur-Grand-Est territory, on the other hand, had been on sale in april, after a ransomware attack. Vice Society, a cybercriminal group known for practicing double extortion, is also suspected of attacking a hospital in Ajaccio in March and the hospital in Arles in 2021. The various sites of the group of pirates being inaccessible, The world however, it was unable to confirm whether stolen data had been released.