PROSPECT — Ransom.
The word filled the screens of the 25 unresponsive computer monitors at the optometry offices of Dr. Thomas DeLuca, Dr. Anthony Marciano & Associates.
“My heart froze,” DeLuca said. “I didn’t sleep for three nights.”
DeLuca isn’t the only cyber victim around — hackers have been increasingly shifting their attention from large corporations to small businesses, which are less likely to have robust cyber defenses. A 2018 survey by the Connecticut Business & Industry Association found that 24 percent of Connecticut companies experienced a data breach between 2016 and 2018. Of those companies, nearly 90 percent reported having 100 or fewer employees and 74 percent employed 50 or fewer people.
Part of the reason small businesses are usually easier targets is that they don’t expect to be targeted. A 2016 report by the UConn Janet & Mark L. Goldenson Center for Actuarial Research found that 85 percent of small businesses believe that cyber criminals attack large corporations more often than small businesses. Yet, between 2012 and 2014, the percentage of phishing attacks targeting small businesses instead of large corporations rose from 18 percent to 61 percent.
DeLuca’s offices had fallen victim on the morning of Nov. 29 to a ransomware attack, a kind of cyber-attack that locks an owner out of their computer system until a ransom has been paid. In this case, the hacker behind the attack also made off with personal information from the 26,000 patient files DeLuca had on record, potentially including patients’ names, Social Security Numbers and some health information.
“At this time, we are not aware of any attempted or actual misuse of anyone’s information as a result of the incident,” DeLuca’s office said in a statement on Jan. 15. “However, we have sent notification letters to potentially impacted individuals out of an abundance of caution to notify them of this incident and to provide resources to assist them. We sincerely apologize for any inconvenience or concern this incident may cause.”
Arthur House, Connecticut’s chief cybersecurity risk officer, said it’s difficult to ascertain the actual number of attacks that occur because there is no legal requirement to report them.
“I think it’s very healthy to announce what happened,” he said.
House explained that personal information is a commodity on the dark web because it can be used to accomplish a number of scams, like filing a false insurance claim or opening a line of credit.
“Personal information is sellable on the dark web,” he said. “I’ve seen the price range from $30 to $200.”
DeLuca said he received a call Wednesday from the Internal Revenue Service, which is concerned the stolen information may be used to file false tax returns.
DeLuca said he did have cybersecurity insurance at the time of the attack, which helped him notify his customers by letter shortly after the incident. He said he did not pay the ransom.
“They wanted $4,000 but if I paid, my IT person said they’ll freeze (the computers) again,” he said. “I had good security, I have a good company, I don’t know how it got through.”
He said he had his patients’ information backed up onto a separate system, which enabled him to purge the compromised system. The process took him three days and left him shaken.