Several charities in Ireland and the U.K. have seen their data compromised in a ransomware attack on an IT supplier. The Derry-based company Evide said that it became aware a “third party” had accessed its systems. Evide manages data for about 140 organisations across the island of Ireland and the UK.
These attacks are especially concerning for the affected organisations, some of whom hold the data of vulnerable people such as victims of sexual crimes.
It is understood, The Irish News reports, that the hackers have demanded a considerable ransom for what has been described as “highly sensitive and personal information”. As yet, no ransom has been paid.
In light of this incident, Andy Hornegold, Product Lead at vulnerability management firm, Intruder, tells Digital Journal why this particular form of attack and the types of organisations in the hacker’s sights is particularly shocking.
Hornegold is a seasoned cyber security expert with over a decade of experience in threat simulation and security consulting.
Hornegold begins by assessing the responses to the cyberattack: “Based on the information that is currently available, it sounds Evide has done what’s generally considered right in this situation. It has contacted law enforcement and already reached out to stakeholders and customers. It has also stated that it is going through its incident response process. We’ll need time and more information before we can take away any real insights into this breach.”
However, there are certain details about the attack which are yet to emerge: “At this point I don’t think we can say whether the provider was specifically targeted or just a victim of an opportunistic attack”, says Hornegold. He notes further: “Either way, we’re continuing to see that there’s little to no restraint on the part of these operators, they’ll target who they can and try to get that payout regardless of who is impacted.”
Hornegold is concerned that many of these attacks are targeting services that offer support to the more vulnerable members of society: “Previously we’ve seen national health services hit (during a global pandemic), schools’ and children’s information hit, and now charities supporting vulnerable people – I’m not sure anyone is surprised at this point, but we can all agree it’s reprehensible.”
In terms of recommendations, Hornegold offers: “When looking to protect yourself, there is a lot of help available for organisations of all sizes from the likes of NCSC and private sector. We’ve seen people mentioning the assistance provided by the Cyber Essentials scheme with regard to the charity sector. I think it’s worth highlighting that the scheme does a lot of good, but it really is just the essentials for cyber security – you need to continue to build on those essentials to ensure you can weather an attack like this.”