Anglicare Sydney has been the subject of a ransomware attack that has resulted in the theft of a large amount of personal information relating to adoption, foster care and mental health services.
This attack is a useful reminder of the cybersecurity threats that businesses face today. Interestingly, this ransomware attack has seen the ex-filtration of data from the target machine. Traditionally, ransomware attacks simply encrypt the data on a system locally and require payment of a ransom to decrypt the data.
The attack raises two cyber security issues that businesses should be aware of. The first is the security of your ‘data supply chain’ and the second is whether or not to pay a ransom
Data Supply Chains
In this particular example, Anglicare was contacted to provide a number of services to the NSW Department of Family and Community Services. This means that any responsibility for the privacy breach may extend to the NSW Department.
If your business is engaging external service porviders, you should be considering how those service providers will handle and protect the information they hold about your business. This includes not only the personal information of your customers or clients, but also confidential information about your business processes. Service providers should be able to explain the technical and organisational measures they have in place to protect you information, taking into account the nature of the services they will be performing.
Here, the breach was complicated by the fact that the Anglicare system has a direct connection to the system operated by the Department of Family and Community Services. This means that the breach could have had a much broader effect. This kind of risk should be considered if you are contemplating allowing a third party to access your system – be it by giving them a user account and login credentials or allowing access to your API.
In addition to undertaking a review of those technical and organisational measures, your contracts should clearly allocate risk and responsibility. This should include Terms:
- specifying the geographical location that data will be stored,
- requiring the service provider to assist you in responding to requests by individuals to access or correct their personal information,
- requiring any party holding/processing data on behalf of the other party to notify that party if there is a data breach,
- outlining who is to make a report under the mandatory data breach notification laws (where applicable), and
- that detail the allocation of liability for mishandling your data. This should include specific indemnities relating a range of harms that are not necessarily recoverable through litigation, including breach remediation, regulatory compliance and provision of credit watch services to individuals affected by a breach
In many instances, these issues are covered by data processing addendums, also known as data processing agreements. To learn more about these documents, click here.
In this case the victim of the attack has decided not to pay the ransom because it “would not entertain engaging with cyber criminals.”
However, this raises the question – should you ever pay ransom? There are two aspects of this question – practical and legal.
From a practical perspective, it is often the case that paying a ransom will not get your data back. Once the criminals have received payment, they may well disappear without providing you with the key to decrypt your data. One report found that 86% of Australian businesses who paid the ransom got their files back. However, other research has found that paying ransom doubles the cost of a data breach depending on the ransom amount and the level of interruption that your business experiences you may decide that its worth the risk, and make a payment.
This leads us to the next question – is paying a ransom legal?
The main problem with paying ransoms is that you could well be funding criminal groups, terrorism, rogue states, and/or violating Anti-Money Laundering (AML) laws. If you suspect it might be part of a money laundering operation, buy paying the ransom, you may be committing a criminal offence. You may also have reporting obligations under privacy laws, corporations law or ASX listing rules. Lastly, its worth pointing out that many cyber-insurance companies have allowances in their policies for paying ransoms.
Ultimately, the best option is to undertake planning and implementing measures that will minimise your risk of being the victim of a ransom ware attack. These include the basics like regular backups of data and staff training to be aware of common attack vectors such as email malware.