On the portal of the Garante per la Potezione dei Dati Personali (Italian Data Protection Authority), the measures against the Lazio Region, the company LazioCrea S.p.A. and ASL Roma 3 were published following the data breach suffered by the Lazio Region in 2021. We provide some food for thought.
Small summary
On 1 August 2021, the Lazio Region’s systems stopped working due to ransomware inoculated by the RansomEXX collective. We are in the midst of a COVID-19 emergency and the unavailability of the IT services provided by the Lazio Region has a direct consequence on the vaccination processes and active management of the emergency, as well as on normal working procedures. For more information on what happened, the reconstruction in this article is recommended.
The Guarantor’s Measures
On 21 March 2024, i.e. after approximately 960 days, the Garante ruled on the matter with three very interesting sanctioning measures, which, for the sake of convenience, are collected in the table.
Measure | Subject | Sanction | Link to the measure |
---|---|---|---|
10002324 | LazioCrea S.p.A. | € 271.000 | Link |
10002287 | Lazio Region | € 120.000 | Link |
10002533 | ASL Rome 3 | € 10.000 | Link |
The measures are very interesting for a number of reasons, not only technical but also organisational, and demonstrate a series of omissions that many public and private companies still insist on not rectifying; here are some food for thought.
Network segmentation
Network segmentation, coupled with segregation of functions (the former is technical, the latter organisational) are absent in many companies. These are functions that cannot be improvised, but are essential to achieve a level of security that prevents the proliferation of the threat (be it ransomware or other). In the past, we have spoken extensively on this portal about network segmentation as well as segregation of functions. With regard to the Lazio Region data breach, the Garante spoke out very harshly.
if LAZIOcrea had adequately segregated the networks on which the server systems and workstations of its employees and of the Lazio Region were located, the company itself would not have had to proceed with the shutdown of those server systems, and therefore the healthcare facilities would not have suffered the unavailability of access to numerous information systems and the relative data the segregation of networks is, moreover, one of the most common measures adopted in data centres that host computer systems for the processing of various categories of personal data, including data relating to health, which LAZIOcrea – as a company operating in the ICT sector according to the in house providing model – should certainly have ensured in view of the context and the characteristics of the processing operations for which it has been designated responsible by the Region and the health structures;
Source: GDPD Provision 10002324, Data Breach Lazio Region, Pg.29
It is worth reiterating that this problem is common to many actors: the November 2023 order against ASL Napoli 3 Sud, which was the victim of a data breach in 2021 reports:
The failure to take adequate measures to ensure the security of networks, both in relation to network segmentation and segregation, and with regard to remote access via VPN, did not comply…
Source: GDPD Measure 9941232, Data Breach Naples 3 South, Pg.18
It is therefore a deficiency common to many realities that denotes, at best, an ignorance of elementary safety procedures. At worst, however, genuine negligence in implementation.
Maintenance of obsolete systems
There is a very interesting note on obsolete systems in the Garante’s provision. It is usually wrongly assumed that maintaining an obsolete system constitutes a security breach per se: this is not true. It is, unfortunately, common to find ‘legacy’ systems engaged in delivering services based on dated applications that do not require obsolete hardware and systems. In the case of the Latium Region, there is an important passage in the Garante’s ruling that deserves careful reading.
At the same time, keeping in operation an application managed by a system that has reached ‘end of life’, for which patches or system updates are no longer available, does not in itself constitute a security breach, since such an application can appropriately be isolated within a perimeter designed to ensure its operation. In fact, the vulnerability exploited by the external agent in connection with the ‘privilege escalation’ was not exposed outside the regional network, as stated in the Manager’s pleadings;
Source: GDPD Provision 10002287, Data Breach Lazio Region, Pg.12
The Garante therefore takes the ‘end-of-life’ of a system seriously and logically does not condemn it a priori provided it is properly secured through isolation and thus protection procedures. End-of-life systems are not simply old systems, they are above all systems whose vulnerabilities and attack techniques are known; it follows that they must be considered compromised and treated as such. When there is no possibility of updating them, they must be adequately protected.
Shutting down infected systems
The CISA (Computer Infrastructure Security Agency) released a number of essential steps to counter the consequences of ransomware some time ago. Among these steps is the disconnection of infected devices and, consequently, their shutdown. The ’emergency shutdown’ procedure is also known in Italy in other contexts: perhaps some readers will remember the episode that occurred in 2018 on PECs that led Telecom to shut down the systems. A widely discussed procedure, but provided for in extraordinary conditions. In the case of the data breach at the Lazio Region, the Garante’s position is clear.
the unavailability of access to the data stored on the aforementioned systems was caused
Source: GDPD Provision 10002324, Data Breach Lazio Region, Pg.29
(i) directly from the cyber attack which, by compromising the application layer of the virtualisation system, rendered approximately 180 virtual server systems unavailable and the data processed therein inaccessible
ii) indirectly by LAZIOcrea’s decision to shut down all the server systems since, at the time of the cyber attack, it was not able to determine which were compromised, nor to prevent further propagation of the malware given the lack of segregation of the networks on which they were hosted.
Switching off as a last resort is considered valid only in very rare conditions and does not exempt from sanctions, especially if the consequences of such a procedure could have been avoided. To this end, it is worth recalling what the Garante itself reported immediately afterwards:
Article 25 of the Regulation does not require the implementation of specific technical and organisational measures, but rather that the measures and safeguards identified and adopted by the data controller be specifically related to the implementation of the data protection principles in the context of the processing operations actually carried out; the measures and safeguards must be designed to be robust and the data controller must be able to implement additional ones in order to cope with any increase in risks. Whether the measures are effective or not depends on the context of the processing and other elements that the controller must take into account when determining the means of processing
Source: GDPD Provision 10002324, Data Breach Lazio Region, Pg.29
Shutdown is therefore an acceptable last resort if the other safety measures planned and implemented have failed. It is not considered acceptable if there are proven failures in the security perimeter and if therefore the shutdown action, however avoidable, becomes the only plausible option. Although also unrelated to this point of the measure, it is interesting to note what has already been reported in relation to the segregation “LazioCrea should certainly have ensured in view of the context and the characteristics of the treatments in relation to which it has been designated responsible by the Region and the healthcare facilities”.
Conclusions
The three measures are a source of many reflections that can only be properly grasped by reading them in their entirety. However, it is very important to realise that many public and private entities persist in disregarding these ‘basic’ data protection measures years later.