On May 20th, it was confirmed that the Health Service Executive secured injunctions from the High Court that would restrain any sharing, processing, selling or publishing of data stolen during the cyber attack. But what is the real reason behind such an injunction?
How Does The Super Injunction Protect People’s Data?
Minister for Health, Stephen Donnelly welcomed the injunction, saying it was “very welcome and shows how seriously myself and my colleagues in Government are taking this event”.
In reality, seeking out an injunction through the courts wasn’t really a choice the HSE had to make. It was a no-brainer.
The injunction offers certain legal mechanisms that could protect any medical data leaked as a result of the cyber attack. For example, if someone downloaded a spreadsheet of peoples’ data and posted it on a Facebook page, the injunction would mean Facebook was legally compelled to remove that as soon as possible.
While it would have been unlikely that this would have happened, it also ensures that media outlets don’t publish anything uncovered by the leak.
What The Injunction Doesn’t Protect
The reason we shouldn’t celebrate the injunction too much is that we’re dealing with cyber criminals here. The most important thing is that the people who have locked the HSE systems and held the department to ransom, do not care about court injunctions.
They have stolen the data, have threatened to leak it and almost certainly will. Whether this gets leaked on the dark web or gets sold to prospective fraudsters doesn’t matter. An injunction won’t protect your leaked personal data from getting into the hands of scammers.
The Injunction Also Limits The Political Fallout
There are some additional aspects of the injunction worth considering.
Processing For Good
I’m not suggesting this is a primary reason for the HSE injunction, but it’s a noteworthy side effect. On the surface, anything that limits the processing or sharing of leaked data seems beneficial to those involved, but it could hinder our ability to find out if we have been impacted. The injunction specifically includes the “processing” of leaked data and herein lies the problem.
Websites like Have I Been Pwned trawl the internet for publically available data leaks, indexing this data and creating a secure searchable service to help people find out if they have been affected by data leaks. I’ve checked their service several times and, unfortunately, have found my data subject to several leaks.
As a result of this simple service, I’ve updated my passwords and secured my online profiles. This was only possible because I could easily find out that I was impacted. Speaking with the founder of Have I Been Pwned, the HSE data may have never made it to this service given the data was unlikely to be “pasted” publicly which this service depends on.
Secondly, even if it was publicly “pasted”, the injunction would legally compel websites to remove this data. Even in the period between the paste being available and being removed, the injunction should also forbid a service like Have I Been Pwned from processing it.
There are arguments on both sides of the fence here. Not making the data available publically, of course, reduces the likelihood of peoples’ data being used for fraud. However, people not being aware their data has been leaked makes them more susceptible to fraud.
Limiting Political Fallout
The injunction also means fewer people know they’re impacted which arguably reduces the political fallout, unless the HSE plans to contact those affected in the event of a leak. We’ve reached out to the HSE for comment on this scenario to see if there is a plan.
Finally, as abhorrent as it might seem on the surface, there could very easily be newsworthy material in the leaks which lead to some morally questionable articles making their way to print. Imagine a scenario where a list of medical cards being held by high profile individuals who weren’t entitled to, gets leaked.
A news outlet could make the call that public outrage at the news story itself would outweigh the fact this is personal data. An injunction stops this from happening or at least greatly reduces that scenario.
The most important thing for you out of all is that you go on high alert for all sorts of scams. Even more important is that you contact vulnerable family and friends who are more susceptible to scams. There had already been a sharp uptick in scams by text, phone and email over the past few weeks. While the cause is unclear, many believe it’s likely linked to a large leak of personal data by Facebook. What’s certain is that those receiving scam calls and texts have had their data leaked somewhere and should this HSE data become available to scammers, a court injunction won’t help. Stay frosty!