The Red Cross reported this week that a cyber attack on a third-party contractor compromised the data of more than 515,000 people.
According to the International Committee of the Red Cross, some of the confidential information belonged to “highly vulnerable” people, including people in detention; missing persons and their families; and those separated from their families due to conflict, migration and disaster.
“We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, ICRC’s director-general, in a statement.
“This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk,” Mardini said.
WHY IT MATTERS
The ICRC is tasked with providing a wide range of services, including reuniting families and providing on-the-ground healthcare, especially for people affected by armed conflict, natural disasters and other violent situations.
As the organization explained, the attack centered on an external, Switzerland-based company with which the ICRC contracts to store data. The data in question originated from at least 60 Red Cross and Red Crescent National Societies worldwide.
Experts noted that the attack serves as a reminder of business associates’ potential risk factors.
“Vulnerabilities at third-party vendors continue to remain top of mind for businesses and threat actors alike,” said Tom Garrubba, VP at Shared Assessments, to Healthcare IT News.
“Sadly, this attack affected such a noble organization as the Red Cross. If the threat actors knew this, this adds further evidence that threat actors can – and will – go after anyone,” Garrubba added.
“No organization, even those that have storied histories of doing good in the world, are safe from a cyberattack,” he continued. “Nonprofit organizations must realize they and their vendors can also come under attack and it’s absolutely imperative to conduct ongoing and mature third-party risk management.”
There is no indication, as of yet, that the bad actors have exploited their find.
“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Mardini in a statement.
“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” he continued.
“The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”
THE LARGER TREND
The ramifications of third-party attacks aren’t always as obvious as direct hits, but they can be even further-reaching in the long term.
For instance, a cyberattack on a radiation treatment software company this past year impacted at least 170 hospitals and health systems across the country.
ON THE RECORD
“The sad reality is that malicious actors will stop at nothing to steal people’s private information, and often the easiest way to access that data is through less secure third parties,” said Demi Ben-Ari, chief technology officer and co-founder of Panorays, in a statement sent to Healthcare IT News.
“To help prevent such cyber incidents, every organization must make it a priority to implement a comprehensive third-party security risk process. This should include, at a minimum, a combination of automated security questionnaires, external attack surface assessments, and continuous monitoring to check and remediate third-party cyber gaps,” Ben-Ari added.