Orders granted requiring Google owned firms to provide detail of identities

HSE move to secure information on those who downloaded cyberattack material unopposed

The material involved included sensitive patient information stolen in the cyberattack.
The material involved included sensitive patient information stolen in the cyberattack.

The High Court has ordered that the HSE be provided with details of persons who uploaded and downloaded confidential material taken in the recent cyber-attack onto an internet security’s firm’s web-service.

The orders were secured against Chronicle Security Ireland Ltd and its US-based parent, Chronicle LLC, in respect of material downloaded onto its malware analysis service ‘VirusTotal’. Both companies are owned by Google.

Mr Justice Senan Allen said on Tuesday he was satisfied from the evidence put before the court to grant the order.

He noted there was no opposition from the defendants to the orders, known as ‘Norwich Pharmacal’ orders.

READ MORE

They require the defendants to provide information about subscribers who uploaded or downloaded the material onto ‘VirusTotal’ which is a service designed to screen documents to ensure they are virus free.

The information includes subscriber details including email addresses, phone numbers, IP addresses or physical addresses.

Through their lawyers, Chronicle said they were neither opposing nor objecting to the making of the order sought by the HSE.

Wanted to assist

Chronicle said that while it wanted to assist the HSE as much as it can, it could not, for data protection reasons, hand over any subscriber details in the absence of a court order.

Seeking the orders, Jonathan Newman SC, with Michael Binchy BL, for the HSE submitted the orders could be granted.

Such orders should be made sparingly but, in this instance, there was a “clear breach” of the HSE’s confidentiality and rights, he said.

Previously the High Court heard, during May, approximately 27 files stolen from the HSE were downloaded onto ‘VirusTotal’.

The material contained sensitive patient information including correspondence, minutes of meetings and corporate documents, the HSE claims.

That material was downloaded 23 times by ‘VirusTotal’ subscribers before it was removed by Chronicle on May 25th last.

In a sworn statement to the court the HSE’s National Director for Operation Performance and Integration Joe Ryan said it became aware of an article published by the Financial Times last month, which referred to some stolen data, and a link used to access the stolen data online.

The HSE sought the return of the data referred to in the article and an explanation as to the location of the link referred to in the article but the FT indicated it had obtained the stolen data from a confidential source which it refused to reveal, he said.

Following the cyber-attack, the HSE obtained a High Court order on May 20th last that restraining any sharing, processing, selling or publishing of data stolen from its computer systems.

When the FT received a copy of that order, it handed over the information obtained from the source to the HSE’s cyber security advisors, Mr Ryan said.

An analysis of the material received from the FT had disclosed the stolen documents were uploaded on ‘VirusTotal’.

After contacting the defendants, the stolen material was deleted from the ‘VirusTotal’ platform, Mr Ryan said.