South Carolina School District Does the Ransomware Two Step
A South Carolina school district is the latest to do the ransomware two step: assuring parents that data encrypted and held hostage by the criminals wasn’t “accessed” by them. Nice try.
One of the convenient fictions of ransomware attacks is that the cybercriminals who operate ransomware schemes have no interest in the data they’re encrypting – they just want to get paid. By this logic, ransomware attacks aren’t data breaches because the data isn’t exfiltrated or stolen – just encrypted and left where it is.
And it’s a popular fiction, at that. The latest ransomware victim caught peddling this fiction is Dorchester County, South Carolina, where School District officials have acknowledged that 25 of 64 servers operated by the district were infected with ransomware. The infection prompted the district to pay $2,900 in ransom to have the data decrypted, according to a report by a local ABC News affiliate.
“A thorough investigation determined this was a ransom request and there was no identity theft involved and no student or staff information had been accessed or compromised,” the District said in its statement. This, even though if you read further in the statement, Dorchester County makes clear that student data was compromised.
“Data on 24 of the 25 servers (has been) successfully retrieved and restored, but the data on one server was corrupted rendering it inaccessible by us or anyone else,” the District said. That data included information on 26,000 students, which was being re-entered by hand. That included 32 students for whom no paper backups of their school records were available to restore. That information “is currently being redeveloped through the joint efforts of parents, teachers, and staff.”
In short: the statement both assures parents that no student data was affected by the breach, while speaking in detail about the fact that 26,000 students’ records were affected by the breach.
Nice try. As this blog has noted before: such statements are blatantly false. Any data encrypted by the ransomware was, by definition, “accessed” by the malware and constitutes a breach. It is worth noting that this is the definition that the U.S. Department of Health and Human Services uses when determining whether protected health information has been leaked, in violation of the HIPAA patient data privacy law.
In its FAQ on ransomware infections, HHS notes that “the presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule,” where a security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
It’s also worth noting that the EU’s General Data Protection Regulation (GDPR) takes a similarly tough line. Under GDPR, a personal data breach is “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Note that language about “unlawful destruction” and “alteration.” GDPR clearly imagines and clarifies that encrypting data is a breach. Alas, in the U.S. – where federal officials have failed for more than 20 years to craft a meaningful, nation-wide data protection law – no such clarity exists.
Typically, U.S. state data breach laws come into force only when there is evidence that the stolen data has or will be used to commit crimes, such as fraud. That’s the case in South Carolina, where the state’s data breach law comes into force only when the personal identifying information “was not rendered unusable through encryption, redaction, or other methods” and “is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident.”
That wording is problematic on two fronts. First: it adopts the “when the illegal use of the information has occurred” standard that is so common in the U.S. Second: it might be seen to create a loophole that would render any crypto ransomware attack unreportable because the victim’s data is rendered “unusable through encryption.” Sure, the wording of the law is about the data’s proper owners encrypting their data as a means of protecting it, but there’s plenty of ambiguity in there that victims like Dorchester County can use to justify not classifying the incident as a data breach.
The kinds of self-contradictory statements and false assurances coming out of places like Dorchester County make clear why the U.S. needs a strong, federal data protection law along the lines of GDPR that banishes the ransomware two-step and the illusion that data being encrypted by a malicious program is somehow unaffected by it.