The US Department of Justice has arrested Vikas Singla, Chief Operating Officer (COO) and founder of Securolytics, a network security company. He is charged with a cyberattack against the Gwinnett Medical Center, Lawrenceville, Georgia. The indictment lists 18 offences that took place in 2018. However, it has taken until now for a federal grand jury to indict Singla.
Acting Assistant Attorney General Nicholas L McQuaid of the Justice Department’s Criminal Division said: “Criminal disruptions of hospital computer networks can have tragic consequences. The department is committed to holding accountable those who endanger the lives of patients by damaging computers that are essential in the operation of our healthcare system.”
What does the indictment tell us?
The attack initially took place on Sept 17, 2018. According to the indictment, the impact lasted for a period of one year and the Gwinnett Medical Centre lost over $5,000. There is also a claim that Singla stole data from a Hologic R2 Digitizer. The attack also impacted the hospital’s Ascom phone systems and 16 printers.
According to the indictment, the cyberattack:
- Disrupted the phone service
- Obtained information from a digitizing device
- Disrupted network printer services
The indictment says that Singla: “committed the attack for purposes of commercial advantage and private financial gain.”
It is not clear if Singla sold the stolen data or used it to extort the hospital.
Enterprise Times: What does this mean?
Cyberattacks from criminals and insider attacks from staff are nothing new. Organisations deal with both daily. What they don’t expect are the companies they trust to keep them safe to betray that trust. That is exactly what has happened here and seemingly for little gain.
The monetary value put on this case in the indictment is just a few thousand dollars, not the hundreds of thousand that most cyberattacks cost. It raises a number of questions. Among them, why such a small amount? Also, what was Singla’s goal? Until the trial, however, that won’t become clear, and the court documents currently give no date for that.
What is important is that this doesn’t impact the trust that organisations have with their cybersecurity providers.