What is it about?
On September 9, the French National Cybersecurity Agency (ANSSI) reported a leak of French data concerning millions of COVID-19 test results on a New Zealand hosting provider.
Indeed, Assistance Publique-Hôpitaux de Paris (AP-HP) was the victim of a cyberattack caused by a vulnerability in its software.
In this context, personal and medical data were made available, including the type of test and its result. In addition, the identity and contact details of the healthcare professional who performed the test were also provided.
The individuals concerned were contacted to inform them of the situation and advise them on the recommended course of action.
One week after the incident, new information confirms that this was not a human error or a mistake on the part of the establishment, but rather a software flaw exploited for malicious purposes.
This breach was confirmed by the American company Hitachi Vantara, which designs the HCP Anywhere software used by AP-HP teams.
In a statement, Hitachi Vantara said it received information on September 13 about a suspected breach. After analysis, this revealed "a series of complex and discrete events that could potentially lead to a vulnerability if exploited by a malicious attacker" (source: Numerama).
The very next day, the organization was able to provide an initial script to limit the impact of this attack and the effects of this vulnerability. Two days later, a complete update for this software was sent to all customers.
Could it happen again?
The vulnerability in question is known as a zero-day vulnerability. These vulnerabilities are greatly feared in IT security because they concern weaknesses that already existed before the software, application, or product was released. They are dangerous because they have not yet been documented. They may or may not be known to the product designer. Some designers, despite their knowledge of the existing vulnerabilities, decide to release the product anyway, for economic or technical reasons.
Can this flaw be considered negligence on the part of the designer? The link to access the results should have self-destructed a few days after the patient's consultation. Questions may also be raised about data encryption.
In order to obtain further information, several investigations are being conducted: internally by the AP-HP; another by the French Data Protection Authority (CNIL); and a final one launched by the Paris Public Prosecutor's Office.
Do we know who the culprit is?
It would appear that the culprit is a computer science student from the Var region who opposes the health pass and justified his actions as a militant operation. His aim was not to demand a ransom or steal the data, but simply to "demonstrate the weakness and fallibility of the AP-HP's computer system," according to AFP (source: Le Monde).
How can you protect yourself?
As individuals, we cannot fight against attacks on well-known websites. However, we can remain alert to potential threats such as:
- Psychological manipulation: these alerts are sent to you to make you believe that you are already a customer of the organization mentioned, or to play on your curiosity and encourage you to click.
- Smishing: targeting your cell phone via text messages or phone calls.
- The designs used are reproduced from certain major brands, but rarely identically and/or with similar quality. Please pay attention to the details.
- The content of the email: be wary if the statements seem unrealistic, such as an offer that is out of proportion or an unjustified gain.
- Do not click: if a link, email, or comment seems strange, it is best not to click on it.
- However, if you find that your data has been hacked, do not hesitate to report it to ANSSI and/or file a complaint with CNIL or Cybermalveillance.gouv.
Avant de Cliquer also offers to raise awareness within your organization through our solution.
