Many hackers might see their efforts as an innocent attempt to try and outsmart big corporations, or more often, as a means of making a quick illegal buck from these big companies in an extortion racket. The problem though, is that the subsequent uses of malware or ransomware to bring down company networks can have serious consequences. Not only does it means that these companies can lose millions and potentially need to lay off people whose families depend on them for an income as result , but in the case of systems which people’s lives depend on, it can lead to death.
This is the wake-up call that a group of hackers has had to face, as The Hacker News is reporting that a ransomware attack on the University Hospital of Düsseldorf (UKD). The cyberattack caused a failure of IT systems that then resulted in the death of a woman who had to be sent to another hospital that was 20 miles away. This is the first known death of a person as a direct consequence of a cyberattack and the incident is being rated by the authorities as a homicide.
The hackers reportedly exploited a Citrix ADC CVE-2019-19781 vulnerability to cripple the hospital systems on September 10, which led to the tragic incident. The incident was apparently misdirected as the hackers were targeting the Heinrich Heine University based on an extortion note that they left behind. That does not excuse their behavior, and even though ransomware gangs have previously indicated they would not target hospitals or medical facilities, in a connected world like the one we live in, any small hack or system failure could lead to greater and unintended consequences. This may be the first casualty officially reported due to a cyberattack, but there could easily be many other times where people may have died or got seriously injured as the result of an attack of this nature.
Hopefully, this will only hasten the resolve of the law enforcement agencies to track down the perpetrators and get them into prison. While companies, hospitals, and government organisations should never be complacent about their cyber security, they shouldn’t need to divert attention from their core purpose to do so. Sadly, there are always those criminal elements trying to take advantage of situations and now that someone has died from an attack, maybe now authorities will treat them with more severity in future.
Last Updated: September 25, 2020