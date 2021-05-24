THE deadline that the ‘Wizard Spider’ ransomware gang have reportedly set for the Government to pay a ransom passes today.

But what kind of value does the HSE data actually have? Who would use it against us? And what can we expect in the coming weeks and months? Here’s a quick explainer.

Does stolen HSE data actually have any value?

Yes. Even if no ransom is paid by the Irish State for it, it may still be sold and resold on the dark web. But it depends what’s contained within it. According to the Dark Web Price Index, some medical databases have low resale value; a US dentist’s client list of 120,000 people sells for as little as $50. Personal identification documents such as driving licences and passports are far more valuable, selling for between $20 and $1,000, depending on the nationality and the context.

It’s worth remembering that we haven’t yet been told exactly what the alleged stolen medical data includes.

Who would buy it and how might it be used to target people?

We have some recent examples of how criminals specifically target victims of medical database hacks. Last year, patients of a Finnish psychotherapy practice firm, Vastaamo, started to get extortion and blackmail threats.

Hackers had stolen the firm’s database and then contacted individual clients, threatening to expose the details of their mental health treatment unless they paid a fee of €200 in Bitcoin, increasing to €500 if not paid within 24 hours. Hundreds of patients’ data did end up posted online, although we don’t know whether this was connected to a refusal to pay or simply the hackers dumping it anyway.

This kind of crime takes time and personnel, though. The most likely scenario is that lower-tier scammers buy or attain chunks of it for their own purposes – email scams, text scams, even phone scams. If the data involved is not personally sensitive or embarrassing, it may still be leveraged to trick victims into thinking there’s more.

I’ve heard of people already getting calls and texts from people claiming to have medical information – has it already started?

It’s possible but unlikely. This episode is a perfect opportunity for the usual garden-variety email and text scammers to claim they have your details to see if you’re scared enough to fall into their usual traps.

But how would they have gained any of my details if they don’t have access to the stolen HSE data?

There are many, many data breaches containing at least one or two elements of your personal information. For example, go to the reputable security website haveibeenpwned.com and enter either your email address or mobile number. (Don’t worry; this is a trusted site run by security researcher Troy Hunt that is used widely as a security checking tool.)

It will immediately tell you whether your email address or mobile number was caught up in any major data breach in recent years – it’s very likely that at least one of your login details was (through no fault of yours; this is the consequence of all those news stories about big companies ‘suffering a data breach’).

If you can see that your email address has been involved in a data breach, haveibeenpwned.com will tell you whether your passwords, location and other typical account information may also have been compromised.

Here’s where it comes back to bite: what scammers sometimes do is to feed you back one or two bits of information from an older data breach in the hope that you’ll be freaked out enough to believe the other things they’re telling you – that they have more of your personal data or that they’ve compromised your account to a greater extent than they actually have.

You see this from basic ‘phishing’ scam emails all the way up to the wave of phone calls currently being received by Irish people from scammers claiming to be from the Revenue or gardaí, alleging that there’s an arrest warrant out for you. They have one or two true bits of information about you and use it to try and leverage you.

One footnote on this: the lack of guidance from authorities here as to exactly what has or hasn’t been stolen is unfortunate here. It leads people to fear that everything has been taken and that any scammer claiming they have sensitive data may be telling the truth.

Is it true that this data might be used by crooks for ‘years’, as authorities are warning?

Sadly, yes. When sold or dumped on the dark web, stolen details can have long tails.

Will the High Court injunction have any power against the criminals using my data?

Not on the dark web. The main effect of that will probably be to stop ordinary citizens (the usual gossips and voyeurs we all know and see) sharing nuggets in their own WhatsApp groups.