
Ransomware Series (Part 5): What Personally Identifiable Information (PII) Does Our Business Have?

In this, the last of our Ransomware blog series, we consider the difficulty of understanding the nature and extent of the Personally Identifiable Information (PII) held on a business’s IT systems and where that PII is. To an already tense and stressful scenario, we can now add the willingness of individuals to litigate against the custodian of the data.

Since both the Medibank and Optus data breaches, multiple streams of litigation involving tens of thousands of individuals have been launched by numerous law firms, alleging various failings including a lack of duty of care, a lack of safeguards and a general failure of duty to customers and policy holders.

If we were to walk through the steps of responding to a compromise, we would already have dealt with how access was gained and what can be done about recovering data, tried to work out what data (if any) had been stolen, and considered whether to commence a discussion with the threat actors about payment and the amount. The next step is understanding what PII exists on the business systems, which can sound like a simple challenge but, in our experience, simply isn’t.

While there may be an ordered structure to data in a business, for years employees have created ‘workarounds’ that let them access data and get past any technology blocks they were having (working from home, for example). This can result in PII being copied into individual user file shares, mail accounts and computers/phones. Instead of PII living in a handful of known locations on a network, the reality is that it can exist in many different places that are difficult to locate during the stress of an event.


Imagine being told by a threat actor that a certain volume of data had been taken and not understanding whether that was actually true because your data has now been encrypted and the PII content had never been investigated before.  

Knowing what PII exists, and understanding the sensitivity of that data and the risk of injury or harm to the individuals concerned, is key to the decision-making process aimed at resolving the issue and getting back to normal business. I personally would hate to be the person(s) charged with deciding to pay or not pay a ransom (think Optus or Medibank) without fully understanding what PII had been accessed or taken.


The outcome could be to be criticised by business stakeholders for paying the ransom or sued by thousands of individuals for preventing their data being released.

Forensic IT offers a range of services to help businesses safeguard against and mitigate ransomware attacks. Our services encompass security reviews aimed at identifying potential vulnerabilities and incident response planning to ensure businesses are well-equipped to manage a crisis. With our proven expertise and experience, we empower businesses to understand the risks they may encounter and guide them through the essential measures required for effective protection.

 If you would like to learn more about our services or discuss your specific needs, please do not hesitate to contact us.    


