Ossian Smyth remembers the day well.
“It was the 14th of May,” he said in a phone interview Wednesday, Nov. 3, from his Dublin office. “Very early in the morning, I got a call from cybersecurity teams to say there’d been an attack on the HSE (Health Services Executive). That’s 100,000 employees with a population of five million.”
Smyth is a teachta dála, or TD, with Ireland’s Green Party. It’s essentially the same as being a member of Parliament in Canada.
He’s also the minister of state in charge Ireland's cybersecurity.
“What I was told was there had been a human-operated ransomware attack and it was widespread, and that the HSE had shut down all of its computers under advice from us, the government,” he said. “So all of their online services were no longer available and the systems in their hospitals were shut down, and they had to revert to pen and paper.”
That was six months ago, but Smyth says the effects of the ransomware attack are still being felt.
Each system had to be brought up again one at a time.
“The most critical ones are the ones you want to work on first,” he said.
“I’d say we’re 99 per cent at this stage.”
Unlike a similar attack in Newfoundland and Labrador last weekend — the provincial government has indicated it was a cyberattack, but has not said it was ransomware — authorities in Ireland were quite open publicly about what had happened.
That was mainly because Taoiseach (prime minister) Micheál Martin wanted everyone to know they weren’t going to play along.
“Our prime minister announced the first day that we were definitely not going to pay any ransom, and we were not going to negotiate either,” said Smyth.
“So we didn’t contact the criminals and we did not pay a ransom.”
Smyth said there was good reason to go public.
“We didn’t want to encourage more of these attacks. We have a lot of other critical infrastructure, our water and our gas and everything else. We didn’t want to attract more attacks.”
There was, however, an email contact made with the attackers by someone thinking they were being smart by pretending to be an HSE spokesman. The person used an email address that appeared on all the computer screens when the lockup happened.
“The attackers shared with them a small amount of patient data to prove what they had … and then the person took that information, the conversation that they had online, and gave it to the (Irish) Financial Times to publish an article.”
The article appeared on May 19, citing an unnamed source. That’s when it was revealed the ransom demand for unlocking the system was 19.9 million euros (almost $30 million CAD).
“One file reviewed by the FT includes admission records and laboratory results for a man who was admitted to hospital for palliative care,” the Times reported. “The broad details in that file matched a subsequent death notice seen by the FT.”
The paper reported that the hackers had proven they had patients’ home addresses and telephone numbers, as well as staff employment contracts, payroll data and financial statements.
“What it did was it meant that people were generally very worried about their data being published,” Smyth said.
When they realized they weren’t going to get anything, the attackers eventually revealed the key code to get the computers back up and running.
“Unfortunately, it took months to clear it up and the chief executive of the HSE estimated that he was going to need 100 million euros — in other words, five times the ransom demand — to do the rectification work afterward for the damage that was done,” said Smyth.
“So, it’s not a silver bullet to get your key back.”
Smyth said the same group of hackers had attacked hospitals in the United States, and may not have understood that public health care works differently.
“I’m not sure that they understood what the difference was between public and private health care, and that there is such an idea of an organization that’s not for profit, an organization that you cannot bankrupt, which is usually their threat.”
In a curious parallel to Newfoundland, Smyth said one thing that was not affected was vaccinations, possibly because the system was newer and not directly connected to the older infrastructure.
In the end, he said there was one valuable lesson to be learned: the importance of local authorities reaching beyond their borders.
The national police force, Garda Síochána, and local cybersecurity experts shared information with their counterparts in the United Kingdom, the United States and the European Union.
“We knew the team that attacked us was based in seven different countries, and we knew that they were attacking lots of other countries at the same time. So, we were looking to share information with other people who had been victims of this gang, and that was very productive and really necessary,” Smyth said.
"You can’t do this on your own. You need to co-operate. International co-operation is the answer, really.”
He added that his office is more than open to assisting Newfoundland and Labrador.
"I spoke to my team. They’re very happy to offer help if you need it.”
Peter Jackson, Local Journalism Initiative Reporter, The Telegram