What do you do when you have suffered an embarrassing data breach, your attacker(s) are taunting and criticizing you publicly, and some of your data has already been leaked?
This month, DataBreaches notes that two victims in different countries are both seeking court injunctions in the hope that they can get stolen data removed from public areas of the internet and prohibit others from publishing or republishing it. DataBreaches believes it’s an approach that will be of limited value.
Star Health (India)
As previously reported on DataBreaches, stolen customer data including medical reports from India’s biggest health insurer, Star Health, was made publicly accessible via chatbots on Telegram. Star Health subsequently sued Telegram and the hacker known as “xenZen,” and obtained a temporary injunction from a court in Tamil Nadu ordering Telegram and the hacker to block any chatbots or websites in India that make the data available online.
Commenting on the court order and approach, DataBreaches suggested that an injunction would not be sufficient because the threat actor known as xenZen had already listed the data for sale on BreachForums, a popular hacking forum that has both clear net and dark web sites. Their listing included some sample data and gave potential buyers a way to contact them.
What often happens on this particular forum is that if the data doesn’t sell, it may eventually get leaked for free on the forum. And if it is sold, a buyer may decide that they will leak it all freely to others.
BreachForums does not honor court orders or injunctions of this kind at all, and it has a lot of forum members from India. So what will Star Health do when the injunction is not sufficient? Will they say, “Well, we tried,” and give up on trying to get the data removed?
Compass Group (Australia)
Compass Group Australia provides contract food and support services across various industries and sectors in Australia and part of New Zealand. They recently fell prey to a ransomware attack by the Medusa group. Over at SuspectFile, Marco A. De Felice reports that Medusa attacked Compass Group twice, each time locking some files and exfiltrating some data:
During the initial attack, an affiliate of the group had already managed to exfiltrate most of the total data. While the first attack resulted in a complete encryption of the data, the second attack led to only partial data encryption.
As Medusa generally does, it created a listing on its dark website. The first listing for Compass claimed that Medusa had acquired 785 GB of files. Dozens of screencaps were posted as proof of claims. But Medusa wasn’t done attacking Compass. As SuspectFile reported, there was a second announcement the next day, this one accompanied by two screencaps of “Directory Users and Computers.” The threat actors’ post mocked the firm’s initial incident response:
Our affiliate entered this poor network this morning and messed the computers again! Company kiddy network administrators installed Crowdstrike Falcon EDR everywhere and thought they removed all our connections. Affiliate took the screenshots of DC. Company doesn’t care the customer’s privacy and also their network security too. One of the poorest company with poor network admins in Australia.
Although Compass did not respond to multiple inquiries from SuspectFile, Medusa did provide the security blog with additional details. The following is part of the exchange:
Suspectfile.com: Were there any negotiations with Compass Group? If so, through chat, email, or other means?
Medusa Team: They came to our tor chat, begged long time, but couldn’t pay our amount.
Suspectfile.com: In your second announcement on your blog, you claim that despite the network administrator installing Crowdstrike Falcon EDR, it was unable to protect the systems. You described the network admins as “One of the poorest companies with poor network admins in Australia.” Can you explain in detail what mistakes were made by Compass Group’s IT department?
Medusa Team: After the first lock, they couldn’t remove all our payloads. most companies don’t do such that mistake.
Suspectfile.com: At this point, do you believe their network is still vulnerable to external attacks?
Medusa Team: Not sure but maybe.
Read more at SuspectFile. De Felice summarizes the types of data he observed in what was shared with him, and also provides redacted screencaps that will give readers and employees some sense of what data Medusa has acquired and is now seemingly available for download because Medusa has changed both listings’ status to “PUBLISHED.”
For its part, Compass Group set up a webpage on its site on September 18 to update people about the breach and its incident response. Compass’s most recent update to that page was on September 27. That update stated, in part:
In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact. This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from re-publishing that data.
Judging from that wording, Compass had not yet obtained any injunction from a court at the time of the update.
Assuming that Telegram will now comply with a law enforcement request to remove data if Medusa tries to leak it there, does Compass think the Australian Federal Police will be able to get Medusa to remove the data from its servers and sites? Will Compass’s court action have any impact in countries that do not have any cybercrime agreement or cooperation with Australia? Or as we have already seen with Star Health, will Medusa just use a platform that is not subject to Australian law or advertise a data leak on BreachForums?
Update: It appears that Cloudflare was also prohibited from hosting any sites that display the stolen Star Health data. This may actually be one of the most effective parts of the injunction, as some sites and forums do use Cloudflare to protect themselves from attacks and to hide their true IP address. The court scheduled its next hearing on the injunction for October 25.