Labour party data loss
I just got an email from the Labour party (of which I am a member) telling me that the third party that handles data on our behalf has been subject to a "cyber incident" and a significant quantity of Party data has been "rendered inaccessible".
It sounds like they've been hit by ransomware.
There are 400,000 members. If each one has 1kb of data, then that's 400 megabytes. I'd use linux, an SQL database, and I'd have a 2gb hard drive (or bigger). It really isn't a big deal for a modern computer.
So, there's two things here. Why is a third party (unnamed in the email) handling our data? It's not that difficult to run a computer, and if there's no-one in our Labour Party who knows how, surely we could hire someone?
Secondly, to be hit by ransomware in this way, means two things.
1) The company handling our data, didn't have adequate security and so got hit by the ransomware.
2) The company handling our data, hasn't considered ransomware in their backup strategy.
I'm not sure who to blame more, the Labour Party for farming out the data to a bunch of people of insufficient competence (the word "cowboys" comes to mind), or the unnamed third party who is supposed to look after the data for their incompetence.
This was discovered on October 29, and since the email was sent on November 3rd, clearly this isn't going to be just a case of restoring a recent backup.
So - how do you make a backup system that works even against ransomware?
An ordinary backup system won't work. If you take a full backup each day to the same media, then when the ransomware encrypts your data, you are copying the encrypted files onto your good data.
So what you have to do, is take a backup each day onto write-once media. A CD Rom will take 700 mb, enough for most databases. A DVD will take 4.7 gb and a Blu-ray will handle 50gb. You don't actually have to back up the whole computer in this way, just your data. You can always reinstall linux and your database software.
Then, when the ransomware announces itself, you can go back to a backup taken before the ransomware started encrypting your data.
But what if the ransomware waits a few months before announcing itself? You'd have to go back to a disk made months ago!
The way to avoid this, is to test the backup. It's really easy to tell the difference between good data and encrypted data, the test would only take a few seconds per file. So, you take the disk to a computer that has never been connected to the network, run the test program, and then you know. Let me know if you want me to explain how you can tell the difference between encrypted data and unencrypted data.
And as soon as you know "this disk has encrypted files on it" and those are files that you didn't encrypt, then you go back to the previous day's backup, and you've only lost, at most, one day of data.
Does this sound like a lot of work? Certainly, it is some work, probably as much as ten minutes per day, plus the cost of another computer - but set against the anguish of losing all your data, it isn't much. One disk per day, and a few minutes of checking.
No-one asked me.
I am available for consulting, for a modest fee.