The Top Cyber Attacks of April 2023

In the past decade, cybersecurity has evolved from something of a niche technical field into a crucial part of every business plan and online code of conduct.

Even so, we still see frequent evidence that many organizations are in need of more education about how to respond to a cyber attack. That was evident this April, as we saw the results of several high-profile cyber attacks that may have been worsened by a slow or poorly considered reaction. The consequences have been steep, and in one case, even criminal. 

April 2023’s Biggest Cyber Attacks

Hackers Strike Smashing Pumpkins

’90s rock icon Billy Corgan revealed during a radio interview last week that he paid off hackers to prevent them from leaking unreleased Smashing Pumpkins music about six months ago. While Corgan was mum on the details, he did say in the interview that the FBI was involved — it’s important to contact the FBI or your incident response provider if a breach occurs — and admitted to paying the hackers to prevent the leak. While paying ransom is never encouraged, many organizations do so anyway.

“They were all probably the most catchy, single-y type songs,” Corgan said. “So it’s like, not only is it six months too early, you’re pretty much giving away the album before you even have a chance to set your feet into the ground.”

Records exposed: None

Type of attack: Suspected Ransomware

Date of Attack: December 2022

Location: USA

Key Takeaway: Threat actors aren’t picky. They’re continually chasing down valuable data and are ready to leak the most sensitive information, or in this case the best unheard songs, to get some quick cash or wreak havoc. Whether you’re a rockstar or a CISO, cybersecurity is paramount.

Criminals Confound Criminal Records Office 

No matter how many times we learn that the best response to a cyber attack usually involves being as transparent as possible, it seems to be a difficult lesson to get across.

Case in point: a data breach has been slowing down the processing of vital records at the UK’s Criminal Records Office (ACRO) since mid-March, but it took until April for ACRO representatives to publicly acknowledge the source of the problem. 

When the ACRO app went down on March 21, the agency originally attributed it to “essential maintenance.” When its website went offline on March 31, “technical issues” were blamed.

The agency, which processes criminal records and background checks that are necessary to many law enforcement officials, job-seekers, and international travelers and emigres, finally acknowledged on April 6, several weeks after the initial breach, that it had suffered a “cybersecurity incident.” Two weeks after that announcement, services remained disrupted and users were growing frustrated by the lack of communication. Potential culprits in the breach have not yet been identified.

Records Exposed: Unknown, processing and online services interrupted for criminal records 

Type of Attack: Unconfirmed, possibly ransomware 

Industry: Records storage, government 

Date of Attack: March 21, 2023 

Location: United Kingdom 

Key takeaway: On some level, it may seem pointless for an organization to be forthcoming about a cyber attack, especially if there’s little that can be done to resolve it.

In practice, however, customers, clients, and users will almost always be more frustrated by the appearance of unconcern than they are by an organization that communicates quickly and transparently. When the functions that are being disrupted are as crucial as they are in this case, open and honest communication is all the more important. 

Canadian Luxury Spa Lands in Hot Water 

Paying for a spa treatment is supposed to be a ticket to a relaxing and therapeutic experience, but it proved to be anything but for some customers of Quebec’s Nordik Spa chain.

An April 7 statement from the luxury spa company acknowledged that the business’s gift certificate system was compromised from November 4, 2022 to February 27, 2023. Any customer who purchased a gift card during that period – which you’ll note includes Christmas and Valentine’s Day – may have had their credit card information stolen by unknown parties. 

A number of Nordik Spa customers quickly reported hundreds of dollars worth of unauthorized purchases on their credit cards. Some of the affected consumers have also claimed that Nordik Spa has been largely unhelpful, with one shopper stating, “They didn’t offer a discount or services, or any credit monitoring or anything.”

The spa says it has begun working with third-party security sources to correct the situation and prevent further breaches. The breach disclosure brings further troubles to a company already involved in a highly publicized lawsuit over alleged public health violations.  

Records Exposed: Personally identifiable data, including credit card numbers 

Type of Attack: Unknown breach of transactional systems 

Industry: Hospitality, wellness 

Date of Attack: November 4, 2022 to February 27, 2023 

Location: Ontario, Canada 

Key takeaway: They say that when it rains, it pours. Nordik Spa was already mired in bad publicity before this breach became public knowledge. The extent of the theft, the duration of the breach, and the alleged lack of customer outreach all add up to some serious reputational damage.

This is another case where a quick acknowledgement of the problem followed by honest communication may have been able to mitigate at least some of the blowback.

Yellow Pages Gets a Wrong Number 

On its surface, the Yellow Pages seems like one of the least likely targets for a hack. Stealing private and protected data is such a major motivator for cybercrime that targeting a business explicitly focused on sharing public information feels counterintuitive. Even so, Yellow Pages Canada found itself on the receiving end of a mid-March ransomware attack by the Black Basta ransomware gang.  

Despite the public-facing nature of its business, Yellow Pages also stores a significant amount of private data. Stolen materials from employees and customers include social security numbers, scans of passports and IDs, and assorted business and tax documents.

One of the more troubling elements of this attack is its status as the latest in a rapidly escalating series of high-profile breaches perpetrated by Black Basta, following similar crimes against Canadian grocery chain Sobey’s and UK employment company Capita. A rising star in the cybercrime field is never a positive development. 

Records Exposed: Personally identifiable data, including passport information 

Type of Attack: Ransomware 

Industry: Public information 

Date of Attack: March 2023 

Location: Quebec, Canada  

Key takeaway: We see time and again that there is no such thing as a breach-proof industry. The irony of thieves stealing private information from a business grounded in public information aside, this incident demonstrates how many cybercrime groups are out there at any given moment.

Authorities believe that Black Basta may be an offshoot or rebranding of an older enterprise such as Conti or BlackMatter. Criminals are constantly evolving and adapting, which means cybersecurity protections should be as well. 

Finnish CEO Gets Jail Sentence for Data Breach 

One of the most frustrating aspects of being the victim of a data breach is the sense that there just isn’t much that can or will be done to hold someone accountable for it. Every now and then, though, an example of cybercriminal consequences hits the wire. More often than not, it’s a cautionary tale.  

The 2018 and 2019 breaches of Finnish therapy clinic Vastaamo were particularly heinous. Hackers made off with a trove of deeply personal data, including psychotherapists’ notes on around 40,000 therapy patients, some of them children. That would have been more than enough cause for concern, but that concern grew into outrage after a later revelation that Vastaamo CEO Ville Tapio knew about the breach long before he acknowledged it to law enforcement, or even his fellow board members.

In April, Tapio was found criminally negligent for covering up the theft and was handed a three-month suspended sentence. It is one of a growing number of cases in which an individual has been convicted for mishandling cybercrime.

Records Exposed: Personal medical information, including therapy notes 

Type of Attack: Security exploit 

Industry: Mental health 

Date of Attack: 2018, 2019 

Location: Helsinki, Finland 

Key takeaway: Being the victim of a cyber attack can be a terrible thing, but it does not give anyone an excuse to create more victims. The Vastaamo breach is one of the most distressing instances of data theft in recent memory, and patients were only further traumatized by the lengthy concealment of the violation. Tapio’s sentencing should be a wake-up call for businesses that still fail to treat their users’ online security with the seriousness it deserves. 

No one wants to end up as a cautionary tale. This month’s round-up shows us how easily that can happen, and how much worse the situation can become if not handled wisely. Making a comprehensive incident response plan should be a top item on every organization’s agenda, along with investing in preventive security measures to cut off attacks before they become a problem.  

Arctic Wolf
