10,000 people's data stolen in genetic testing company Asper Biogene leak | News | ERR

Personal and health data belonging to approximately 10,000 people has been illegally downloaded from the Tartu-based genetic testing company Asper Biogene's database, the State Prosecutor's Office said on Thursday. Those affected are in the process of being notified.

A criminal investigation has been launched by the Southern Prefectural Criminal Bureau, which is in the process of collecting evidence. The Data Protection Inspectorate (Andmekaitse Inspektsioon) has also initiated a supervisory procedure against the data processor.

Asper Biogene, which specializes in the diagnostics of hereditary diseases, alerted the Police, the State Information System Agency (Riigi Infosüsteemi Amet) and the Data Protection Inspectorate on November 11.

The company said it had learned someone had illegally accessed its database and downloaded various files. An investigation was launched by the authorities to clarify the details.

Approximately 100,000 files were copied and downloaded. The database contains 10,000 people's information, and those affected will be notified personally by their health care providers.

It is not yet known exactly what was downloaded, but it is known some of the files contained genetic testing results ordered by healthcare providers and individuals from the company.

Forty healthcare companies have been affected, including fertility testing, the Data Protection Inspectorate said.

Asper Biogene is cooperating with the police to clarify the circumstances.

Kretel Tamm, senior prosecutor at the Southern District Prosecutor's Office, said the available evidence suggests the attack was deliberate and well thought out.

"Although every click leaves a trail in the virtual world, cybercrimes are usually very professional; they are well planned and traces are mixed. Usually the aim is to make a criminal profit from the crime. In this case, too, a financial claim was made against the company after the attack and the company turned to the police," Tamm told a press conference on Thursday.

Rain Vosman, head of the Southern Prefectural Crime Bureau, said the criminals acted skillfully.

"The perpetrators have also made a ransom demand, and it is worth reiterating that no money should ever be paid in such circumstances. This encourages them to continue, but does not guarantee that the data will be returned or that the perpetrator will delete it. Any company or service provider that comes into contact with personal or health data must ensure that the data in their hands is well kept; this means up-to-date and secure information systems," he said.

Vosman said the Police have started gathering evidence to identify and prosecute those responsible.

"We are working on several theories in close cooperation with authorities in Estonia and internationally. In this case, Asper Biogene has done its best to inform the Police and other authorities about the cyberattack. The company has already patched the security hole in its server," the official said.

"The ransom demand was a financial claim, threatening to release the information in the hands of the perpetrator and damage the company's reputation. These kinds of demands must not be obeyed," Vosman stressed.

He said that there are several versions of events, but due to the ongoing investigation the police will not disclose the details.

The Data Protection Inspectorate registered Asper Biogene's alert on November 15.

The agency's Director General Pille Lehis said, considering the number of people affected, this is the biggest data leak recorded so far.

"In addition, 40 healthcare companies have been affected, including fertility testing," Lehis told the reporters at the press conference, adding the case is not related to the Estonian Genome Project.

East Tallinn Central Hospital, the Northern Estonia Medical Center and Elite Clinic are the most affected.

"The consequences of data leakage could have been mitigated if the data had been encrypted or pseudonymized within the company," said Lehis.

"Unfortunately, what has happened shows that threats in cyberspace are still not taken seriously. Successful external attacks on organizations and the consequences they bring should not be taken as inevitable. It is the responsibility of every data processor to, among other things, ensure data integrity and confidentiality. Behind the data are real people and real lives that can be severely affected in such situations. Data protection is essential and we all have a responsibility to ensure that our data is protected," she said.

Lehis added that during the investigation, healthcare service providers who are responsible for data processing, and their processes, will also be studied.

She said people affected by the data leak should be very cautious about emails referring to their genetic data.

"We know of a case in Finland where information was leaked from a mental health hospital and these specific individuals were blackmailed," said Lehis.

Criminal proceedings were initiated under the section of the Penal Code on illegal access to a computer system.

Tamm said those responsible could be fined or sentenced to up to three years in prison.

"The size of the fine depends on the size of the company, the extent of the damage and its cooperation," Lehis said. "It's too early to name a figure."

People affected will be able to apply for damages if there is material or moral damage.

Medical institutions have already started notifying patients. For example, PERH said victims can ask which data was stolen.
Editor: Mari Peegel, Helen Wright

ERR News is the English-language service of Estonian Public Broadcasting, run by a fully independent editorial team.