An Irish court has ordered VirusTotal to provide the information of subscribers who downloaded or uploaded confidential data stolen from Ireland's national health care service during a ransomware attack.
In May, Ireland's HSE, the country's publicly funded healthcare system, was the target of a Conti ransomware attack that caused massive disruption of IT systems after devices were encrypted.
As part of this attack, Conti claimed to have stolen 700GB of data that allegedly included patient and employee info, contracts, financial statements, payroll, and more.
To prove the data theft, the Conti gang posted a link to a file in their ransomware negotiation chat that they said contained samples of the stolen data.
Stolen HSE data uploaded to VirusTotal
According to FT.com, this sample of stolen data consisted of 27 stolen HSE files containing patient data, which was subsequently uploaded to the VirusTotal malware scanning site.
"The 27 files include personal records of 12 individuals. One file reviewed by the FT includes admission records and laboratory results for a man who was admitted to hospital for palliative care," reported FT.com.
"The broad details in that file matched a subsequent death notice seen by the FT."
In addition to scanning files, VirusTotal acts as a repository of uploaded files, allowing subscribers to search for and download files to analyze for their own security research or to improve their security software.
However, once a file is uploaded to VirusTotal, any other subscriber can download it and view the confidential data it contains.
After the Irish courts issued an injunction requiring anyone who possessed the stolen data to return it to HSE, FT returned the data but refused to identify the source who provided the samples.
On Tuesday, the High Court of Ireland issued an order requiring Chronicle Security Ireland and Chronicle LLC, the owners of VirusTotal, to hand over the private information of subscribers who downloaded or uploaded the HSE data.
The private information includes email addresses, phone numbers, IP addresses, or physical addresses.
According to TheJournal, the file containing the stolen data was downloaded 23 times from VirusTotal before the service removed it on May 25th.
Comments
Dominique1 - 2 years ago
Another example of tunnel vision from authorities. If VirusTotal and their subscribers got sensitive information, it doesn't mean that they are the only ones. What is the point from the Irish court? They can never contain any and all leaks. The only sane thing they can do is impose penalties to those found to leak the info, that is, if it's within their jurisdiction. If they've been such a disaster with their data being leaked, what would happen to the identity of security researchers if they get their hands on that? Total incompetence! :facepalm:
PS: I would be interested in a follow-up for this story.