Recently a “cyber-criminal” (please note that I’m not using the overhyped and irresponsibly used term “hacker”) broke into the Virginia Department of Health’s database and stole a bunch of records. The criminal claimed that they also deleted the backups of the records (which was false) and demanded a ransom of $10 million.
Instead of paying, Virginia is working with the FBI to apprehend the criminals. Are they doing the right thing here? I would say “yes” and “no”. Understand that I am basing this upon the same information that you have—I don’t have any secret information about the case.
Yes, they are doing the right thing by refusing to pay the ransom and by working with the appropriate law enforcement agencies to track down the criminal(s) responsible. It would be foolish and useless to give in to the demands, as the criminal will either a) not give you the records or b) give you something extra, like a virus, along with them.
Based on the articles that I’ve read, there is a possibility that the stolen information includes identifiable information such as your Social Security number (this is only in the case of Virginia residents who have had prescriptions filled). The articles do not specify whether the state is working with credit reporting agencies to prevent identity theft.
This would be where I have to say “No.” If your bank is breached, or a store where you’ve used a credit card is breached (or the credit card processing agency), they typically offer those affected a year’s worth of credit monitoring, and they typically bear the cost of the monitoring. It’s a small price for them to pay in order to regain your trust.
The articles don’t specify whether Virginia is doing any of this. If they are, then I say they’re doing everything right (as far as the things I’ve looked at). But if they aren’t doing anything to prevent identity theft, then they are putting their residents at unnecessary risk.
These articles also emphasize the need for stronger security and the need to maintain backups off-site. The criminal claims that the backups were still attached to the system, and that he/she deleted them. If that’s the case, then the state failed right there.
This is an issue that everyone can monitor and learn from, especially when it comes to maintaining backups and protecting your information. You may not be able to control your information once you put it on someone else’s server, but you definitely can control it on your own computer.
If you’re a resident of Virginia and were affected by this (or know someone who is), please drop me a note and let me know if the state is doing anything to help you safeguard your personal information in this matter.
Have a great day:)