This article was originally published in French on Crypto.Quebec’s website.
Your computer systems are paralyzed. Unknown criminals are asking you to pay a ransom before they give you back access to your data. As if that weren’t enough, they are threatening to publish it all publicly. You think your day cannot get worse, and then a reporter calls. They saw news of this cyber attack posted on a dark web leak site, and they want to ask you some questions.
One of these reporters might be Dissent Doe, PhD, the pseudonym of the person behind The Office of Inadequate Security, a news website that can be found at databreaches.net.
Dissent’s background is in healthcare. She is mostly interested in breaches involving data from health and educational establishments. Not everyone appreciates her work. At the beginning of April, her website suffered a distributed denial of service attack, meaning that someone was upset enough to flood the website with bogus requests to make it unavailable. The hostility she sometimes faces was clear when I first emailed her to see if she would be willing to be interviewed and she jokingly answered, “so many people already hate me. Now more will … lol.”
When asked why she does this work, she writes, “I spent many years as an advocate for children with special needs.” She learned that in order to get the resources needed to help these kids, “it was helpful to show people that what they thought was a rare occurrence wasn’t rare at all—and so they should become more aware of it and allocate more resources to addressing it.” It was through education and awareness that schools started increasing training on childhood-onset disorders and offering more support to children. She applies the same reasoning to data breaches. Letting the public know about these incidents will educate organizations about the importance of securing their infrastructure.
Dissent tells me that she always tries to contact the organization before disclosing a breach on her website. She tries to find out if they are aware of the situation and get a comment on the steps taken to notify the people impacted by the leak. She usually waits until the organization has secured their data or fixed the vulnerability before publishing an article.
There are some exceptions. Dissent names disclosing information that would be a threat to national security or put lives in danger as examples. She says she recently decided against publishing an article about a breach because it involved data from identifiable abused children. “I was so horrified by that one that I even emailed the threat actors to ask them to consider removing the data from public access. They didn’t even answer me, but morally, I felt I had to at least try to get those data down. It’s heartbreaking to think that these children’s histories and data may forever circulate on the web or dark web to haunt them throughout their lives.”
Jean-Philippe Racine, President of CyberSwat Group, a Quebec business specializing in cybersecurity, considers that the media has a role to play. We spoke over Zoom. According to him, it is important to consider the newsworthiness of an event, and journalists should be able to make that call. He warns about the danger of disclosing a breach while the events are still unfolding. “It is not about hiding information from the population, but preventing other threat actors from taking advantage of the situation.”
At the beginning of March, the REvil ransomware group (aka Sodinokibi) announced that they would start calling journalists when victims refused to pay. I asked Dissent if she thought journalists helped ransom groups by exposing their attacks. Her answer was clear. No. It is an accusation that she has often heard though. “If my reporting puts pressure on victims at all, it is pressure to disclose to those affected and to be transparent.” She says that these entities should have done a risk assessment and made an incident response plan. “The issue of whether a victim will pay ransom or extortion is something that the entity should have considered—and at least provisionally decided—before a breach ever occurs and before anyone ever reports on it.”
For Mr. Racine, whose company offers incident response services, having a plan is crucial. “If there is no response plan, the company will maybe start improvising.” Unfortunately, it is not yet common practice in most enterprises. “What I see in the market is that there are more organizations that do not have a plan.”
Once the threat actors have sunk their teeth into a victim, they do not give them the time to reflect calmly. “The reality,” writes Dissent, “is that they have to make a quick decision anyway—threat actors often start dumping data within a couple of days of the attack and ransom note. And of course, they should have already considered their response to extortion demands when they calmly discussed a plan before the proverbial poo actually hit the fan.” “The fact that REvil will now call journalists and CL0P already started sending out emails to journalists doesn’t prove that our reporting helps them. It only proves that they are hoping it will help them. (…) But the bottom line for me is that I think our obligation is to inform the public and to make sure that individuals are alerted to these breaches so that they can take steps to protect themselves.”
Since the massive leak of personal data from Desjardins, Mr. Racine has noticed that companies are feeling the pressure and asking themselves whether or not to disclose an incident publicly. It is currently not mandatory for an organization to disclose the fact that it was the victim of a security breach. This situation will soon change with the adoption of Bill 64 by the Quebec government. “Even if it is not mandatory, an organization might be motivated by a desire for transparency. It might also be motivated to let people know, so they can take action quickly.”
For the cybersecurity entrepreneur, there is no guideline that can be applied in all situations. The decision to speak with the media or disclose publicly will depend on the context. In all instances, it is important to do a technical analysis to make sure that the threat actors did in fact exfiltrate data. Even when these actors post data, the published material must be verified. “In an incident response plan, it is important to know who your players are going to be.” You will need technical experts, but also people responsible for communications and lawyers. Mr. Racine insists on the importance of prevention and on all entities taking measures to stop these incidents from happening.
Dissent describes her work as “a one-woman campaign to get entities to respond to ransomware incidents with faster notifications to warn people if data is being dumped.” “I want people warned promptly—not 60 days from now—so that people can take steps to protect themselves. And because most entities don’t notify quickly, I report on these incidents on my site—so that people can find out sooner that they need to take steps to protect themselves. To be clear: these entities aren’t breaking any laws by not notifying immediately, but I want to see them disclosing/warning people faster—and I’m reporting on my site to facilitate people finding out sooner. So do I make a difference? Yes, I think so.”