The Lockbit hacker collective has followed through on its threats. Having demanded, since the end of August, a sum of ten million euros in exchange for the return of the stolen data, the group, faced with the Corbeil-Essonnes hospital's refusal to pay a ransom, published 11 gigabytes of confidential data this Sunday, September 25. The Centre Hospitalier Sud Francilien specifies, in a press release, that the information made public concerns "users, staff members and partners of the hospital", and that the stolen elements include in particular "the social security numbers of patients, as well as examination and analysis reports". Of the 700,000 people for whom the hospital provides medical follow-up, it is not yet known how many are affected. In any case, this information opens up several malicious opportunities for the attackers.
First, they could carry out phishing, which consists of sending emails or text messages while posing as a public body or a well-known company, in order to induce the targeted person to enter their personal information. With precise medical information on patients in hand, the attackers could more easily gain their victim's trust. Next, with any recovered personal passwords, cybercriminals have the opportunity to break into other accounts, if the patient reused the same password. Finally, they could choose to sell the collected data to scammers online, via the digital black market.
Lockbit's method, not very original, is terribly effective. It is known as "double extortion": first, the attackers exfiltrate the data, then they threaten to disclose it if they do not obtain the requested sum. To achieve their objective, they use "ransomware", in other words malware that encrypts all the information on the target's computer network. This practice has been targeting French health establishments for years, institutions whose particularity is that they collect thousands of items of personal data.
Thus, in September 2021, the hospitals of the Assistance Publique-Hôpitaux de Paris reported a data leak affecting millions of people. A few months earlier, in February, 500,000 French people who had undergone tests in various laboratories had seen their data shared on a closed forum. The National Commission for Computing and Liberties (CNIL) also fined the software publisher Dedalus 1.5 million euros for having failed to protect the sites for which it was responsible. In light of the attack suffered by the hospital in his city and these earlier examples, the mayor of Corbeil-Essonnes, Bruno Piriou, calls for "rethinking the computer systems of health establishments", in particular to ensure that they are not more centralized.