Kiwis, Australians and Americans have received fresh wake-up calls over the dangers posed by cyber-attacks.
Primary health provider Pinnacle Health, which runs dozens of GP practices in Waikato and the Bay of Plenty, confirmed on Wednesday that hackers had managed to steal personal information supplied by some of its patients.
The incident bore the hallmarks of a ransomware attack, though Pinnacle did not immediately confirm that.
Coming after the devastating ransomware attack on Waikato DHB last year that led to highly-sensitive medical records being dumped online, some experts initially feared the worst.
But it appears that Pinnacle’s GP records were safely stored in separate cloud-based software systems.
Although it may “only” have been basic personal information that was compromised, such as people’s contact details and their National Health Index numbers, that could still leave them open to the risk of scams and identity fraud.
The attack came on the heels of a bigger breach of Australia’s second-largest phone company, Optus, that resulted in the theft of 2.1 million people’s personal information, including passport and driver licence details.
On Thursday, the United States’ second-largest non-profit hospital chain, CommonSpirit, announced it had been hacked, disrupting services at its 120 hospitals and 700 other medical facilities in 21 states.
Are attacks becoming more common?
Brett Callow, a Canadian-based cybersecurity expert with New Zealand security firm Emsisoft, says it is impossible to say whether cyber-crimes have become more common this year given so many go unreported.
There were fears that cyber-warfare taking place as a result of Russia’s invasion of Ukraine could spill out of the region and cause collateral damage globally.
But so far there is little evidence of that and most cyber-crime remains financially motivated, Callow says.
Ironically the war in Ukraine has disrupted some crime gangs in eastern Europe, he says, with one ransomware gang even “apologising” for the time it was taking to respond to victims that it was attempting to extort, and blaming the war for that.
The lack of reliable data is a problem in itself, Callow says.
“If policy-makers can’t tell whether we’re seeing increases or decreases in attacks, how can they tell if their policies are working?”
Cybercrime is the second least-reported crime, after sexual assault, according to the Crime and Victims Survey.
Should we blame businesses that are hacked?
Alastair Miller, a consultant at Aura Infosec, which is owned by state-owned enterprise Kordia, says that hackers might do something “brilliant” to execute an attack.
Hackers will have the advantage if they are first to spot a security flaw in a widely-used piece of software, for example.
But most attacks, including ransomware attacks, are the result of someone slipping up.
The most common vector for ransomware remains a phishing attack that tricks an employee into revealing their corporate log-on credentials, Miller says.
Technical staff can add to the risks if they leave systems inadequately secured, for example by failing to quickly apply security patches to software systems.
So what should they be doing?
Implementing multi-factor authentication is the biggest single step businesses can take to better protect themselves, as it should ensure a cyber-criminal can’t conduct a successful attack using only a stolen login and password, Callow says.
It can be helpful for businesses to run regular exercises to test whether their staff fall for faked phishing emails, he says.
But user-training is never going to be foolproof, he says.
“No matter how well they’re trained, people will be suckered once in a while, which is why you need an additional layer of security.”
“Penetration testing”, which involves hiring an IT company to check for vulnerabilities in a company’s systems, usually as part of a wider check of practices and policies, can also be worthwhile, he says.
Callow advises switching off RDP (Remote Desktop Protocol), which is a Microsoft tool that IT support staff can use to take over users’ computers and remotely fix problems, in situations where it is not needed.
Businesses handling large volumes of personal information or more sensitive information might consider investing in tools designed to detect unusual traffic on their networks, which could, for example, provide early warning that hackers were downloading files.
Miller says it can be safer to store information in applications in the cloud, but businesses need to make sure they have configured those properly to take advantage of security features.
Is there a ‘gold standard’ to follow?
There are cyber-security frameworks that businesses can use to make themselves a tougher target, including those developed by the International Standards Organisation and the US National Institute of Standards and Technology, Miller says.
Callow notes that national cyber-security agencies such as Cert NZ can also be a good source of advice.
Will it be enough?
“Unfortunately, if you ‘stop’ you start moving backwards in cybersecurity,” Miller says. “You can’t think ‘I’ve done it, well done’ because the environment always gets more dangerous.”
But Callow says people often credit cyber criminals as being more sophisticated than they actually are “and by extension, more unstoppable”.
“A lot of the attacks are by kids, technically-talented but kids nonetheless, and that should give us hope.
“At the same time you have got to remember that companies like Microsoft and Uber have been hacked by teenagers and it’s hard to get your security right all of the time.”
Callow has been one of a growing number of cyber-security experts calling for governments to consider making the payment of cyber-ransoms illegal.
That could be a “painful way to solve the problem, but perhaps the only way”, he says.
Detective Inspector Craig Hamilton, national manager of the Police’s financial crime group, told MPs last year that ransomware attacks might not exist without cryptocurrencies, which have helped make collecting ransoms possible.
But those sorts of solutions would require concerted government action, of which there is little sign.
Callow notes there has been some successful law enforcement action this year.
Interpol announced in June that 2000 fraudsters had been arrested and US$50 million (NZ$88m) recovered as a result of a clampdown on scammers involving authorities in 76 countries between March and May.
But Callow says cyber-crime isn’t going to go away soon.
“Personally, I think governments internationally should have taken much stronger action, much sooner. The fact that it’s been allowed to spiral into a multibillion-dollar industry has created a massive problem.”