When you have been hit by a cyber attack, you can take different paths to manage the event, but in most cases the victim tries to hide the facts. You do it for various reasons: potential loss of money and prestige, avoid “boring” bureaucratic procedures such as, for example, notifications to people, Government and Justice Bodies.
Over the years we have been able to observe thousands of cases where the victim has paid millions of dollars to (perhaps) get their data back and not disclose it, effectively helping to finance cybercrime, all this to avoid ending up in the spotlight. Is this the correct solution, the way to go?
Even before the legal aspect (the laws in many US states, regarding privacy, certainly don’t help… in Europe even less), we want to focus on the moral aspect. Which public or private entity can define itself as “moral” and above the parties, when it hides the reality of the facts or when it decides autonomously, without contradiction, what is the most advantageous solution for itself or for others?
We have shown these days that dealing with cybercriminals can prove counterproductive. Believing that paying a ransom is the solution to every ill can be a rude awakening and BankCard USA understands this, at least we hope so.
BankCard USA is attacked by the Black Basta ransomware group at the end of last June, negotiates with the cybercriminals on the ransom price (initially 500 thousand dollars, then agrees for 50 thousand dollars) to get back the encrypted data and the non-disclosure of its name.
Black Basta collects the ransom, but the victim’s name has already been public for over a month as well as several sensitive documents such as two passports of Canadian citizens, an American citizen and a Hong Kong citizen and several judicial documents.
Today the chat is still visible in Tor networks and the victim, after paying, still doesn’t have the decryptor
When are we going to get the decrypter?
We apologize for the expectation, but for now we are waiting for the person responsible for encryption. It has been absent for several days. As it appears, we’ll send you decryption programs immediately.
We do not know if BankCard USA has notified its employees and customers of the data loss, just as we do not know if it has notified the Attorney General of the state of California or other Attorneys General, in case there are victims residing in other US states.
However, we know for sure that neither on your website nor on the website of the Attorney General of the state of California have we found references to the loss of data, and it could not be otherwise.
Finally we want to draw attention to Allegheny County, a government entity of the state of Pennsylvania, affected by the 0day MOVEit. We were positively surprised by its conduct, which in our opinion was impeccable.
Allegheny County has decided to take the path of transparency, we want to believe mainly out of respect for its citizens.
On June 1, the County discovers that it has been a victim of the 0day MOVEit vulnerability, on July 28 it decides to send the notification to the Attorney General of the state of Maine and to the citizens involved in the data theft, over 960,000
The letters sent contain all the information useful for understanding the seriousness of the situation, but above all useful details are provided to citizens such as the date between the start and the end of the data breach, the nature of the stolen data and (in this specific case) the name of the ransomware group that committed the theft. This last detail is perhaps the most interesting part of the notification as it almost never happens that a victim provides details on the entity of the attacker.
When we refer to transparency in providing news we are referring to this, because if you want to fight cybercrime you must provide public opinion with as many details as possible.
We realize that the two cases examined in this article have little relevance to each other, but we would like to underline that in both cases sensitive data of private citizens were involved. When this happens, it should matter little whether a public or private entity is affected, whether 1 or 1 million people are involved.
The failure to protect privacy should not be measured on the basis of the number of people involved or the quantity and quality of the stolen data, the privacy of a citizen should be considered damaged when even a single sensitive data has not been protected by whoever was appointed to do so . Even of a single citizen and certainly regardless of the nature of the affected entity, be it public or private.
This is why SuspectFile.com has always followed with great respect the laws of the state of Maine and those of Indiana, as well as the work of their Attorneys General. Certainly two American states that place enormous respect on privacy and therefore on the protection of their citizens.