VirusTotal Required to Divulge Details of those Who Downloaded HSE Cyberattack Data
The Data Was Downloaded 23 Times by VirusTotal Users Before it Was Taken Off.
On Tuesday, the High Court of Ireland issued an order asking Chronicle Security Ireland and Chronicle LLC, both owned by Google, to reveal the private details of subscribers who downloaded or uploaded confidential data stolen from Ireland's Health Service Executive (HSE) during a cyberattack.
On May 14th, Ireland’s Health Service Executive (HSE), the country’s publicly funded healthcare system, had to shut down all of its IT systems following a ransomware attack.
The Conti ransomware gang, which was responsible for the incident, threatened to use all the data stolen from the HSE during the attack if a ransom of $20 million was not paid.
The Conti threat actors claimed to have stolen 700GB of sensitive patient and employee information such as contracts, correspondence, and corporate documents.
To show that they were responsible for the ransomware attack, the threat actors posted a link in their ransomware negotiation chat to a file that they stated included samples of the stolen data.
Stolen Ireland Health Service Executive (HSE) Information Uploaded to VirusTotal
This sample contained 27 files stolen from the HSE, including patient data, and was later uploaded to VirusTotal, a service created to check for viruses that the user's own antivirus may have missed or to verify against any false positives.
The data was downloaded 23 times by VirusTotal users before it was taken down by Chronicle on May 25th.
The 27 files include the personal records of 12 individuals. One file reviewed by the FT includes admission records and laboratory results for a man who was admitted to the hospital for palliative care.
The broad details in that file matched a subsequent death notice seen by the FT.
In addition to scanning files, VirusTotal acts as a repository of uploaded files, enabling subscribers to search for and download files to analyze for their own security research or to upgrade their security software.
However, once a file is uploaded to VirusTotal, any other subscriber can download it and see any private information it contains.
Following the Conti ransomware attack, the Irish High Court reacted immediately and issued an order to prevent the cybercriminals from selling, sharing, or publishing the stolen data, requiring those who possessed any of it to return it to the HSE.
The private information includes email addresses, phone numbers, IP addresses, and physical addresses.