COVID-19: Coronavirus pandemic and cybersecurity, when cyber criminals exploit the health crisis in France

By Merav Griguer, Sharone Franco

03-2020

As our eyes are all riveted towards the global health crisis and our attention on reorganization of our daily lives accordingly, the risk of cyberattacks is on the rise.

As per usual in cases of worldwide events, the current epidemic unfortunately implies new opportunities for cybercriminals. Decreased vigilance, generalized anxiety disorder, work-from-home, network congestion are leading to a major spate of cybercrime. Companies are busy managing their day-to-day activities in time of crisis and are not paying sufficient attention to the increased cybersecurity threats arising from these exceptional circumstances.

The disturbing example of the cyber-attack suffered by the AP-HP (Parisian Hospitals) on Sunday, March 22 speaks for itself. The institution was subjected to a “denial-of-service attack” (DoS), the purpose of which was to make the targeted services unavailable. In this case, the attack took the form of blocked access to the hospitals ‘mailbox and external access to some of the information system applications. Thankfully harmless, this attack is far from reassuring knowing the extent to which hospitals have been the target of cyber-attacks on a much larger scale, leading to real practical consequences. Last November, the Rouen University Hospital was subject to an attack that paralyzed the hospital’s computers and severely disrupted all services; including management of operating rooms, admission and pharmacy. In the midst of the public health crisis we are currently experiencing, such cyber-attack could have dramatic effects.

The Agency for Digital Health (ANS), responsible for handling “Digital Health”, is waving a red flag regarding cyber-attacks linked to the COVID-19. These attacks could take the form of health-related informative messages on COVID-19. The population deep concern for this issue, and the anxiety surrounding it, necessarily implies a decrease in the overall vigilance of internet users.

As a result, these phishing scams are therefore flourishing more than ever. The French Data Protection Authority (CNIL) has warned users on the existence of many unofficial websites offering lockdown permission forms for the sole purpose of collecting users’ personal data.

For companies, working remotely is a risk factor that absolutely must be anticipated. The risk of attacks on information systems but also on networks, which are greatly in demand to organize remote work, is palpable. Access to confidential and financial information, impersonation scam, system and supply chain shutdown, the potential operational consequences are numerous.

In addition, an increased network demands generated by lockdown measures undeniably weakens their security and vulnerability to cyber-attacks.

In this context, the competent authorities were quick to recall the practical recommendations for limiting cybersecurity risks.

The National Cybersecurity Agency of France (ANSSI) recalled the importance of protecting oneself against cyber-attacks. The agency also refers to its security guide on remote work (“Digital nomadism” - French Version) published in 2018 on “how to secure remote access to the entity’s information system (IS) in order to manage the needs of confidentiality, data integrity as well as user authentication”.

The CNIL also reminds the best practices to adopt in terms of information security in order to protect the information system documentation and the personal data potentially targeted. Enhanced password security, encryption and/or cryptography of applications, securing websites, and these unchanged practical recommendations are now more than ever a paramount importance.

The legal consequences of such attacks should not be overlooked by the companies and organizations targeted. More specifically regarding the obligation to notify the data breach to the appropriate authority such as the CNIL or the ANSSI when applicable legal and regulatory conditions are met. Information and communication to individuals affected by the attack should also be properly carried out in some cases, leading to operational consequences and reputational risk induced.

Companies will also need to document these incidents as much as possible, including factual information and organizational measures implemented in response to these attacks. This data will also be decisive in the context of any legal action that may be taken following such incidents. The prosecution of perpetrators of cyber-attacks is often neglected, particularly because of the difficulties of identification encountered, which constitute cybercrime as such. However, filing a complaint in response to such attack seems to be advisable, more specifically to limit the company’s liability regarding any action that may be taken against it, but also to gather potential supporting documents towards insurance companies. 

For any question, please send us an email to: [email protected]