Cyber Security

More than 200 cyber attacks with theft of personal data reported to Irish authorities in a year

Data Protection Commission investigators are examining the reports in keeping with the GDPR reporting laws.

THERE HAVE BEEN more than 200 cyber attacks on Irish companies in which private data was accessed or stolen by hackers in the last 12 months, the Data Protection Commission (DPC) has confirmed. 

Graham Doyle, a Deputy Data Commissioner in the DPC, said that the incidents were individual breaches and were reported to the organisation in keeping with GDPR reporting laws.

The confirmation of the incidents comes just a week after it was determined that personal data of staff and some students was exposed in the Munster Technological University (MTU) hack. 

While each of these reports requires an investigation by the DPC, Brian Honan, a former cyber security advisor to Europol and current CEO of BH Consulting, said that other incidents go unreported.

“There’s a lot of breaches that are happening that aren’t being reported as well.

“That is either because the organisation doesn’t realise they are legally obliged, under GDPR, to report a breach, or they don’t believe the breach is reportable. They are solving the problem themselves and carrying on with business,” he said.

Mistake

Honan believes that, while some cyber criminals have become more sophisticated in their activities, most incidents are associated with people mistakenly opening email attachments or failing to update to the latest programs.

The HSE has recently begun to contact individual victims of the health service cyber attack in May 2021 who have had their data published.

Following its hack earlier this month, MTU confirmed that data from its systems has appeared on the so-called Darkweb and investigations are ongoing as to what the data contains. 

Sources have said the leak is believed to be of less than 10 gigabytes of data and contains mostly human resourcing files of staff. 

It is understood that gardaí are working closely with the National Cyber Security Centre, and the DPC, as well as MTU’s IT department and a private cyber security firm to deal with the ongoing fallout from the hack. 

It is feared that a small amount of student data may also be exposed – with some risk that financial information may be contained amid details of grant allocations. However, sources have said that while the Darkweb trawl is ongoing, they will not be able to determine the exact exposure.

Last week, the university confirmed that data had been encrypted and that the hackers had sought a ransom.

The attack is believed to have been carried out by a Russian hacker group known as BlackCat.

The cyberattack was first reported by MTU two weeks ago, with campuses in Cork remaining closed during the week. 

Bombard

One cyber security source said that while MTU could have had mitigations in place to prevent an attack, hackers would repeatedly assault the institution’s systems to find a way in. This would be done in an automated manner. 

The source said that part of the issue is that cyber security effectiveness is often about the cost – with calls being made on expenditure concerns rather than security fears. 

Honan echoed this view and said that funding is a consideration and the least expensive solution is often chosen.

“There is a funding challenge, but I think many organisations need to look at their public duty. Many organisations do need to invest more money in robust IT infrastructure and cybersecurity should be part of that investment.

“If you have good investment and good architecture in your IT, that will also drive good cybersecurity as part of that as well,” he said. 

Specialist cyber crime gardaí and technicians from the National Cyber Security Centre are continuing to work on the leak of data and are monitoring activities on the Darkweb.

A spokesperson for the DPC said the organisation was waiting to receive a report on the breach from MTU. 

The DPC has offered advice to anyone who believes their data was exposed and said that they should be cautious about any unsolicited approaches online – especially those with personal details.

Sources have said that the process of dealing with the hack was still ongoing but that the focus would shift later to examine what went wrong.

The DPC can, if it is determined that there was a failure to protect networks adequately, issue a maximum fine of €1 million. They can also recommend measures to ensure the protection of data in the future. 

Earlier this week The Journal reported that ESXi VMware, a virtual desktop programme and a partner of MTU in recent years – the system offers a way for people working on individual computers and laptops to log in through an online cloud as if they were in the college.

A global warning was issued around a problem associated with ESXi VMware in recent weeks as hackers had found a way into the system.

The Irish NCSC issued a warning last Tuesday, 7 February, about the problem. 
