Is a ransomware infection always a data breach? Yes.
FedEx’s disclosure of a material impact from NotPetya last week highlighted the awkward two-step that companies play around malware outbreaks and data breaches.
Does being infected with ransomware, wipers and other forms of malware mean that your company has suffered a data breach? Most security experts would say “yes,” but a disclosure by the parcel shipping giant Federal Express (FedEx) last week highlights the awkward two-step that most breached firms continue to dance on the matter.
FedEx became the latest U.S. firm to tell regulators that the NotPetya/XPetya wiper malware, which spread worldwide in late June, will have a material impact on the company’s financial performance. In a filing with the U.S. Securities and Exchange Commission dated July 5th, the company said that the NotPetya infection at its TNT Express subsidiary in June 2017 "significantly affected" the company's worldwide operations. FedEx said that it is "not yet able to determine the full extent of its impact, including the impact on our results of operations and financial condition." However, the likely financial impact will be material to the company.
According to the filing, TNT used the MEDoc financial software. A compromised update for that software was used to initially seed the NotPetya malware, which then spread further using the EternalBlue exploit for a known vulnerability in the Windows operating system.
But, on the question of whether the NotPetya outbreak constituted a “data breach,” the FedEx disclosure, which was included in the company’s annual 10-K filing, sends two somewhat contradictory messages. On the one hand, FedEx said that – despite the ravages of NotPetya on its TNT subsidiary – “no data breach or data loss to third parties is known to have occurred as of the date of this filing.” And, indeed, numerous technical analyses and breakdowns of NotPetya suggest that its purpose is to destroy data, not to leak it or hold it hostage. So was it a breach? (We’ll come back to this.)
Stepping back from the specific case of NotPetya to run-of-the-mill ransomware, it seems pretty clear that you can’t assume you didn’t experience a breach just because the malware you were infected with isn’t an information-stealing program.
The simple truth is that malicious software that in some way touches or manipulates data is breaching that data. That includes data stealing trojans, file encrypting ransomware and much more.
This is an odd idea, but one that’s supported by some of the U.S.’s most important regulators. For example, in a ransomware advisory, the Department of Health and Human Services informed entities covered by HIPAA, the health information privacy act, that “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information).” That, HHS said, is a “disclosure” not permitted under the HIPAA Privacy Rule.
And FedEx seems to acknowledge the possibility that NotPetya may have taken company data. In its filing to the SEC, the company lists “costs associated with any data breach or data loss to third parties that is discovered” and “costs associated with the potential loss of critical business data” as possible consequences of the NotPetya outbreak.
That kind of two-step is common in many incidents like this. The breached firm acknowledges the compromise of its network and the attackers’ access to sensitive information, but assures customers and the public that it has “no evidence” that data was stolen or misused. Those words should be cold comfort to victims, including customers or business partners of the affected firm. Even if the stolen data is not used immediately, it almost surely will be eventually – otherwise why steal it? Saying that a data theft occurred but that nothing bad has happened as a result is kind of like a police officer telling you your car has been stolen, but there’s no evidence that it is being driven.
Of course, in the lax regulatory environment of the U.S., whether any given victim firm needs to disclose depends in large part on what kind of business they do and whether their handling of sensitive data is regulated – as healthcare providers are by HIPAA or financial firms are by the Gramm-Leach-Bliley Act and a host of other laws. Even then, there is wiggle room.
Under HIPAA, for example, covered entities don’t have to disclose a breach if they determine there is a “…low probability that the PHI has been compromised.” In the case of NotPetya, victims might argue that, since the virus worked by encrypting the infected computer’s master boot record (MBR) rather than individual files, protected health information (PHI) was not impacted.
Time will tell whether NotPetya-bitten firms also become victims of data breaches carried out by the same actors who placed the wiper malware. It may be the case that putting faith in cybercriminals showing restraint is a fool’s bargain.