A data breach at Vastaamo, a Finnish nationwide psychotherapy practice, has resulted in the blackmailing of hundreds of patients. Excerpts (via Google Translator) of Vastaamo’s press release: “The Board of Directors of Psychotherapy Center has relieved the company’s CEO from office… On Wednesday, October 21, 2020, the psychotherapy center said that it had been the victim of a data breach and blackmail… it seems probable that the data breach that led to the theft of the customer database took place in November 2018. There has been a lack of protection in the customer information system of the correspondence, which criminals have gained access to at that time… the system has also been able to infiltrate until mid-March 2019. We do not know that the database was stolen after November 2018, but it is possible that individual data has been viewed or copied.”
Unfortunately, it\’s clear many attackers have no shame and there\’s no ethical boundary they\’re not willing to cross to make a profit. So far, the attacker has only leaked 300 patient records, however it\’s unclear how much more sensitive data they hold. This is when having an audit trail of all sensitive data in an organization can help identify specific data repositories that were breached, and which remain untouched and secure. While that information can\’t undo the damage done by the initial attack, it can help calculate the remaining risk of additional data leaks from the breach and also start the process of better securing breached networks and data repositories against future threats.
This attack also highlights the common issue of long dwell times, as the data breach seemingly went unnoticed for almost two years (with initial network penetration occurring as early as November 2018). While the ultimate defensive goal is still to prevent attacks from occurring in the first place, organizations need software tools in place to detect breaches after the fact. Being in the network for so long, the attacker may have done much more than just stolen data. They could have installed additional, dormant malware, opened back doors, or found ways to spread to related networks. Long dwell times drastically increase risk, by giving attackers a larger foothold to potentially return to the network to wreak additional havoc.
Ransomware and data theft attacks have become the norm for cybercriminals. Stealing patient records and blackmailing them with that information is something new. This attack, in particular, shows a level of callousness from the attacker that is hard to comprehend. While the financial damage in this attack is relatively minor, the emotional harm to the victims is incalculable.