Data breach: Order of Psychologists of Lombardy


On 10 October 2023, the NoEscape collective claimed an attack against the Order of Psychologists of Lombardy. The attack threatened to expose particular category data related to the Order’s activities. Let us try to understand what happened.

The fact

On 10 October, a message was published claiming a data breach that had occurred against the Order of Psychologists of Lombardy. Further information can be found on the Ransomfeed platform page.

The claim screen

According to the message in the claim, the collective exfiltrated approximately 7 GB of data consisting of:

  • Identity papers
  • Agreements and contracts
  • Financial Documents
  • Reports
  • Various documents

As with all other claims of this kind, it is important to bear in mind that, statistically, the publication of data on the group's portal takes place four to five days after the material has been collected: the attackers need time to classify and publish it. If we were to accept this thesis at face value, the infection and exfiltration would have taken place around 4-5 October. As of the current date (10 October 2023), no documents have been published externally; there are six days left before the NoEscape collective makes them available. According to NoEscape’s screenshot, the day of the attack would be 3 October 2023. For more information on this collective, please refer to the tab within the Ransomfeed platform.

Preliminary remarks

There are some aspects that make this data breach particularly significant.

The first aspect concerns professional secrecy: in similar cases affecting doctors and healthcare facilities, documents of absolute confidentiality concerning the doctor-patient relationship have been exfiltrated and published. The topic has been dealt with extensively in a special article below. The hope is that these documents do not include any information relating to the doctor-patient relationship.

The second aspect concerns more strictly the private life of the doctor: the publication of identity cards and various documents could reveal personal and private information about doctors that should not have been in the public domain. This applies both in the personal sphere and, a fortiori, in relation to the type of work performed.

Updates

10/10/2023 – Current status

At the moment (10/10/2023 – 09:35AM) no press release appears on the portal of the Ordine degli Psicologi Lombardia. Neither within the “Latest News” section, nor within the “Press Releases” section.

16/10/2023 – 08:04 – Data publication day

We are 16 hours away from the publication of the findings. At the moment, the OPL portal still has no news of the data breach, neither within the ‘News’ section nor within the ‘Press Releases’ section.

17/10/2023 – 01:12 – Data publication day

Today, the NoEscape collective will make the data available; at the moment the data are announced only with the words ‘Coming soon’. In the meantime, it is confirmed that, as of today, there is still no news of the data breach, neither within the ‘News’ section, nor within the ‘Press Releases’ section of the Ordine degli Psicologi Lombardia portal.

17/10/2023 – 18:20 – Data not yet published

NoEscape has not yet published the OPL data. In the meantime, it is confirmed that, as of today, there is still no news of the data breach, neither within the ‘News’ section, nor within the ‘Press Releases’ section of the Ordine degli Psicologi Lombardia portal.

18/10/2023 – 08:40 – File list published but not files

NoEscape has published the list of files and folders, postponing the publication of the 7 GB of data by 6 days and 16 hours. This is a well-known technique to put pressure on the victim. The file tree appears to contain:

  • fiscal documents (taxes, budgets, expenditure commitments),
  • 2022 income of natural persons,
  • contractual documents with suppliers,
  • CVs and letters of assignment,
  • order board documents (invalidity orders, signature sheets, resolutions, etc.),
  • documents on the activities carried out,
  • photographs of board members,
  • documents relating to complaints by persons and related pleadings,
  • identity documents,
  • audit-related documents,
  • some folders with the name ‘Protection\Cases_\Files’.

The main concern could be the group of files and folders contained within the main folder ‘Cases_’.

With regard to passwords, the listing contains some potentially dangerous references:

  • access to a file with a password linked to the budget.
  • several files with ‘password_link’ linked to the exhibits.

At the moment, since no file has been released, it is impossible to ascertain the actual severity of the situation; it is, however, already possible to estimate the type of data on file, which includes direct personal data, indirect personal data and, obviously, data of a particular category. As regards updates to the site, we note that the ‘Latest News’ section contains an update that does not, however, concern the data breach, while the ‘Press Releases’ page continues to receive no updates.

21/10/2023 – The Order of Psychologists Lazio publishes a statement

Today the Ordine degli Psicologi Lazio published a press release that can be read by clicking here, or by downloading the PDF version captured at the time of publication.

Within the communiqué, there are a few sentences that deserve reflection.

Having adopted the necessary emergency procedures, also with the support of a company specialising in digital forensics, we proceeded in the following days to rebuild the physical and virtual machines from scratch and restore the archives thanks to the backups stored in Vodafone’s cloud and the external disks kept in the safe.

From what has been said, it is interesting to observe the application of the ‘3…2…1…Backup!’ rule, which requires at least one copy to be kept offline, usually in a safe. And again:

It should be noted that the actual archives amount to hundreds of GB and that the dynamics and timing of the attack would certainly not have allowed the total acquisition of the archives. The link redirects to the following page where, on 3 October 2023, the publication of 7GB is threatened.

Another interesting piece of information is the small amount of data exfiltrated compared with the total, which clearly amounts to far more than 7 GB. We also learn from the press release that the notification procedure to the Data Protection Authority is being followed correctly.

These findings have already been documented in the Data Breach register and due notification has been sent to the Office of the Privacy Guarantor. The small amount of data declared as copied by the attackers, compared to the actual volumes of the Order’s databases, reduces the risks for those concerned.

It is learnt, inter alia, that there would be no particular category data concerning cases handled by the OPL.

There is, in fact, no evidence that there is any data of registered psychologists because the seven sample documents published concern internal documents in anonymous form and three identity documents of our consultants that are actually already public in the transparent administration section. The case file is contained in a descriptive .txt file with no specific content and consists of a pure list, but there is no proof that the file has been copied. However, the execution of the declared data represents a low risk compared to the actual files.

It will be necessary to wait for the outcome of the publication, but a few things can already be noted from the communication. Apart from a few technical and linguistic inaccuracies, it is undeniable that this communiqué addresses the information it contains very directly, including the details of how the incident unfolded. Regarding the post-incident consequences, there is a very interesting sentence in the communiqué:

The small amount of data claimed to have been copied by attackers, compared to the actual volumes of the Order’s databases, reduces the risks for those concerned.

The conclusion reached by the Order is entirely consistent and forms part of the accountability of the risk assessment used to evaluate the impact of the incident.

23/10/2023 – NoEscape site not available

The portal of the NoEscape group has been unavailable for several days. It is therefore not possible to check the exfiltrated files. If there is any news, the article will be updated.