DataBreaches.Net

Will victims increasingly turn to courts to suppress publication of stolen data? (1)

Posted on September 27, 2024 by Dissent

What do you do when you have suffered an embarrassing data breach, your attacker(s) are taunting and criticizing you publicly, and some of your data has already been leaked?

This month, DataBreaches notes that two victims in different countries are both seeking court injunctions in the hope that they can get stolen data removed from public areas of the internet and prohibit others from publishing or republishing it.  DataBreaches believes it’s an approach that will be of limited value.

Star Health (India)

As previously reported on DataBreaches, stolen customer data including medical reports from India’s biggest health insurer, Star Health, was made publicly accessible via chatbots on Telegram. Star Health subsequently sued Telegram and the hacker known as “xenZen,” and obtained a temporary injunction from a court in Tamil Nadu ordering Telegram and the hacker to block any chatbots or websites in India that make the data available online.

Commenting on the court order and approach, DataBreaches suggested that an injunction would not be sufficient because the threat actor known as xenZen had already listed the data for sale on BreachForums, a popular hacking forum that has both clear net and dark web sites. Their listing included some sample data and gave potential buyers a way to contact them.

What often happens on this particular forum is that if the data doesn’t sell, it may eventually get leaked for free on the forum. And if it is sold, a buyer may decide that they will leak it all freely to others.

BreachForums does not honor court orders or injunctions of this kind at all, and it has a lot of forum members from India. So what will Star Health do when the injunction is not sufficient? Will they say, “Well, we tried,” and give up on trying to get the data removed?

Compass Group (Australia)

Compass Group Australia provides contract food and support services across various industries and sectors in Australia and part of New Zealand. They recently fell prey to a ransomware attack by the Medusa group. Over at SuspectFile, Marco A. De Felice reports that Medusa attacked Compass Group twice, each time locking some files and exfiltrating some data:

During the initial attack, an affiliate of the group had already managed to exfiltrate most of the total data. While the first attack resulted in a complete encryption of the data, the second attack led to only partial data encryption.

As Medusa generally does, it created a listing on its dark website. The first listing for Compass claimed that Medusa had acquired 785 GB of files.  Dozens of screencaps were posted as proof of claims. But Medusa wasn’t done attacking Compass. As SuspectFile reported, there was a second announcement the next day, this one accompanied by two screencaps of “Directory Users and Computers.” The threat actors’ post mocked the firm’s initial incident response:

Our affiliate entered this poor network this morning and messed the computers again! Company kiddy network administrators installed Crowdstrike Falcon EDR everywhere and thought they removed all our connections. Affiliate took the screenshots of DC. Company doesn’t care the customer’s privacy and also their network security too. One of the poorest company with poor network admins in Australia.

Although Compass did not respond to multiple inquiries from SuspectFile, Medusa did provide the security blog with additional details. The following is part of the exchange:

Suspectfile.com: Were there any negotiations with Compass Group? If so, through chat, email, or other means?

Medusa Team: They came to our tor chat, begged long time, but couldn’t pay our amount.

Suspectfile.com: In your second announcement on your blog, you claim that despite the network administrator installing Crowdstrike Falcon EDR, it was unable to protect the systems. You described the network admins as “One of the poorest companies with poor network admins in Australia.” Can you explain in detail what mistakes were made by Compass Group’s IT department?

Medusa Team: After the first lock, they couldn’t remove all our payloads. most companies don’t do such that mistake.

Suspectfile.com: At this point, do you believe their network is still vulnerable to external attacks?

Medusa Team: Not sure but maybe.

Read more at SuspectFile. De Felice summarizes the types of data he observed in what was shared with him, and also provides redacted screencaps that will give readers and employees some sense of what data Medusa has acquired and is now seemingly available for download because Medusa has changed both listings’ status to “PUBLISHED.”

For its part, Compass Group set up a webpage on its site on September 18 to update people about the breach and its incident response. Compass’s most recent update to that page was on September 27.  That update stated, in part:

In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact. This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from re-publishing that data.

From the wording, Compass had not yet obtained any injunction from a court.

Assuming that Telegram will now comply with a law enforcement request to remove data if Medusa tries to leak it there, does Compass think the Australian Federal Police will be able to get Medusa to remove the data from its servers and sites?  Will Compass’s court action have any impact in countries that do not have any cybercrime agreement or cooperation with Australia?  Or as we have already seen with Star Health, will Medusa just use a platform that is not subject to Australian law or advertise a data leak on BreachForums?


Update: It appears that CloudFlare was also prohibited from hosting any sites that display the stolen Star Health data. This may actually be one of the most effective parts of the injunction as some sites and forums do use CloudFlare to protect themselves from attacks and to protect their true IP address. The court scheduled its next hearing on the injunction for October 25.


Category: Breach Incidents, Business Sector, Commentaries and Analyses, Health Data
