
Digital Guardian's Blog

Circle in Hell Awaits Habitat for Humanity Hackers



The Colorado branch of Habitat for Humanity says a long-running and “malicious” data breach started with ransomware in June, and is making it hard to even conduct business.

Dante Alighieri had a funny way of thinking about the hierarchy of sins and evil deeds when he wrote his famous poem “Inferno” (or “Hell”) in the 14th century.

For example: most of us living in the modern world would likely rank horrific, violent criminals – the serial murderers and mass shooters – as the ‘worst of the worst.’ But Dante didn’t see it that way. In fact, in laying out his nine circles of hell, Alighieri put those guilty of acts of violence in just the seventh circle. And even within the circle containing those who committed violent acts, those who commit violence against others are treated less severely than those who are violent towards themselves (suicides) or God and Nature.

Far worse than any violent act, for Dante, was fraud. Those who commit fraud, he argued, don’t simply surrender to their lowest instincts or appetites, but “pervert human intellect” and, in so doing, erode the very foundation of our social relationships, our society and civilization itself.

Fraudsters, from simple panderers and seducers to thieves and hypocrites, are placed in the eighth circle of hell – a level lower than those who commit violence and closer to Satan. They’re warehoused in a series of huge, concentric stone “Malebolge” (or “evil ditches”) and are among the worst of the worst in Dante’s view of the afterlife. Only those guilty of treachery are placed lower in Hell – frozen in a huge, icy lake in the ninth circle, the lowest reaches of The Inferno.

As is always the case with Dante: the thieves’ punishment fits their crime. Their pit is filled with huge reptiles who pursue the spirits of the thieves, wrap themselves around them, and bite them, often causing the spirit to burst into flames or morph into a serpent himself. “Just as they stole other people's substance in life, their very identity becomes subject to theft,” the critic Dorothy Sayers notes.

Of course, because it was written more than 700 years ago, The Inferno fails to regale us with the suffering of the modern-day descendants of those 14th century slime balls, like identity thieves, DDoS-for-hire crews or the group of as-yet-unidentified hackers who have been tormenting the Colorado branch of the charity Habitat for Humanity.

In a statement released this week, Habitat for Humanity Colorado (HFHC) said that it has spent months dealing with a “significant and malicious data breach” that “has severely handicapped our ability to efficiently conduct business.”

Habitat for Humanity, of course, is the non-profit charity group started in 1976 that builds affordable housing for low-income families in the U.S. and elsewhere. According to a FAQ, the incident in question began with a ransomware infection in “late June” that targeted a server in HFHC’s main office in Lakewood, Colorado. That server, HFHC said, was “connected to the Internet” and thus a target of attack by cyber-criminal groups operating from outside the U.S.

The incident continued for months, “hijacking” the attention of the group. Because it works directly with would-be homeowners, HFHC stored a wealth of data, including customers’ names, Social Security Numbers, driver’s license numbers and so on. Information on HFHC employees was also stored on the server. In all, only around 250 individuals were affected – small potatoes, especially with news of the massive breach at Yahoo Inc. that affected some 500 million accounts.

“While there is no evidence that any of your personal information was taken; we only know that hackers may have viewed it,” HFHC said. The group is working with the FBI and has offered credit and identity theft monitoring for affected customers.

Moral questions aside, the incident does raise interesting questions about the intersection of ransomware and data theft. As this blog has noted before, the presumption has long been that ransomware infections and data breaches were separate phenomena. Cyber-criminal groups carrying out ransomware scams had no interest in the data they were encrypting, just the payout they would receive from their victim.

But that was always a stretch – and wishful thinking on the part of victims. Most cybercriminal groups worth their salt are vertically integrated, and certainly aren’t above taking a survey of the data they’ve gained access to in the interest of selling it to third parties, even as they’re selling it back to a first party.

That notion was recognized by the Department of Health and Human Services, which wrote earlier this month that ransomware infections that affect electronic patient health information (ePHI) are reportable under HIPAA.

“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” HHS said in its guidance. Looked at simply: “individuals have taken possession or control of the information,” HHS wrote. That constitutes a 'disclosure' not permitted under the HIPAA Privacy Rule.

Whether the HFHC hackers will ever be brought to justice is unknown. Habitat for Humanity notes that it didn’t bother to file a police report, given that the attacks originated overseas, though it is working with the FBI. Few ransomware criminals have been brought to justice. Of course, as The Inferno suggests, those who escape punishment in this life may not be so lucky in the next.

Thumbnail image: Inferno Canto XVIII, Sandro Botticelli
Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.