In the era of cybercrime, threats can appear most unexpectedly. As one of Sweden’s most routine humanitarian aid organizations, the Swedish Red Cross found itself needing a helping hand when a cyber attack on the International Committee of the Red Cross also put sensitive Swedish data at risk. When it comes to managing GDPR, both timing and treading carefully are crucial – Truesec fully supported the Swedish Red Cross with its legal responsibilities following the breach.
Hackers in hoodies?
Forget those images. In the era of cybercrime, a new threat landscape has evolved. Different, darker. In parallel with the growing number of threat actors, the cybercrime industry has also matured and transformed accordingly.
Today’s cybercriminals are professionally organized. As business is booming, the threat actors’ playgrounds have expanded into previously untouched and ethically unthinkable grounds. In the era of cybercrime, nothing is what it used to be. As Truesec’s friends at the Swedish Red Cross would have to experience – anyone can become a target.
Targeted Cyber Attack Risks Exposing Personal Data of the World’s Most Vulnerable
Following the public announcement of the partnership between Truesec and the Swedish Red Cross, employees and external stakeholders might have wondered what was going on when mention of the Red Cross being victims of a breach started circulating in the media. Had Truesec failed in its mission to protect the Swedish Red Cross? But it wasn’t what it looked like. Rather the opposite, as you’ll soon see.
In January 2022, the International Committee of the Red Cross (ICRC) published a press release. The message: ICRC's servers containing personal data belonging to more than 515,000 people worldwide had been hacked. The breach included data such as names, locations, and contact information. Even worse, those affected included missing people and their families, detainees, and others receiving services from the Red Cross due to armed conflicts, natural disasters, or migration.
Martin Tägtström, CIO at the Swedish Red Cross, quickly informed Truesec.
There were several crucial questions. Might there be a risk for the Swedish Red Cross’ operations and IT systems as well? What about the systems monitored and secured by Truesec? Were there any signs of anything unusual? Martin asked Truesec to investigate further.
Incident Response Activated – Compliant Throughout the Crisis
Truesec immediately activated its Threat Intelligence Team. The goal was to find further information about the background of the attack: both the attack itself and the threat actor behind it. Fortunately, within a few days, it was clear that nothing was wrong with the IT systems secured, monitored, and managed by the Swedish Red Cross or Truesec. The breach was limited to the ICRC’s systems managed by another security partner.
"By then, it was all about trying to find out exactly what had happened. Although it was kind of a relief when we found out none of our own systems, or systems hosted by Truesec, were affected – it was still a short relief," says Martin.
He explains: "The affected system was developed and hosted by the ICRC to all Red Cross National Societies. These servers held the personal data that people provided to the Red Cross. More specifically, to help them find and reconnect with their families and learn what happened to relatives who are missing due to armed conflicts, natural disasters, or migration. Thus, the initial relief quickly turned into: Ok, what should we do now?"
While there was no immediate threat to the Swedish Red Cross, Truesec heightened its incident response readiness for the Swedish Red Cross. Truesec’s Data Leak Detection Program was also activated to find further clues, data, or other traces from the breach.
Meanwhile, Martin and his colleagues had another challenge to deal with – GDPR. Following the introduction of GDPR in 2018, the requirements in case of a personal data breach risking affected individuals' freedoms or rights are very clear. Within 72 hours, incidents must be reported.
"When it comes to GDPR, there’s no room for mistakes or second-guessing. Fail to report, and you risk an integrity incident. Report the wrong things or too much, and you’ll risk other legal consequences. You need to act quickly and compliantly," says Levi Bergstedt, Chief Legal Officer at Truesec.
About a week into the incident, Levi was called in. By then, Martin and his team had made a preliminary report to IMY, the Swedish Authority for Privacy Protection. They now wanted Levi’s expert assessment of the application to check whether it had been handled in accordance with applicable laws.
Balancing Cyber Law and the Human Perspective
"It was a very sensitive situation," Levi recalls. "GDPR demands informing the concerned parties of a breach. However, in this case, we were not just dealing with any data breach; we were indeed dealing with immensely sensitive personal information, such as in the case of political refugees, for example. Even a name or someone’s latest known location can be extremely sensitive. Thus, it was very much a balancing act between empathy and morality, law and order."
Following the reporting to IMY, Levi advised the Swedish Red Cross on how to further analyze the situation from a legal perspective.
Together, they also went through all the contracts between the Swedish Red Cross and the International Red Cross to determine the contractual responsibilities. Following the incident, no technical impact or traces of intruders have been seen in any of the Swedish Red Cross’ IT systems.
"I think this incident is a good example of how we need to abandon the illusion that it’s possible to completely protect ourselves from cyber attacks," says Martin.
He describes what a more rational approach ought to look like:
"Rather, you need to know what to do when an attack strikes. No one can, of course, be prepared for everything; you still need to deal with a crisis once it occurs — but by then, you need to know you have the right resources and competence by your side. In this case, we were thankful we already had our partnership with Truesec in place. Truesec showed a huge willingness to help us with anything we needed."