
Cyber Attacks from the Perspective of GDPR: Ransomware

Nowadays almost every business sector integrates digital technologies. IT infrastructure and practice, if not updated regularly, ages and becomes weaker. Because of the amount and the kind of information they hold, companies therefore become targets for cyber attacks.

According to TechRepublic, in 2018 malware attacks led the list of the most common cyber attacks: cybercriminals steal data from victims’ computers, usually using spyware or remote administration malware to do so.

Next on the list is hacking: taking advantage of vulnerabilities in the target’s software and hardware. Hackers currently cause the most damage to governments, banks, and cryptocurrency platforms. In the most recent incident, German Chancellor Angela Merkel’s Twitter account was hacked and her personal information was leaked. The incident can be read as a warning that even officials in high positions of power need to be aware of the risks.

Others on the list are:

  • Credential theft based attacks – corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn, searching for specific users whose credentials will grant access to critical data and information. The effectiveness of credential phishing relies on human interaction to deceive employees, unlike malware and exploits, which rely on weaknesses in security defenses.
  • Web attacks – cybercriminals extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS or denial-of-service attacks – the weapon of choice for business rivals, disgruntled clients, and hacktivists. These attacks typically hit government institutions, and political events are a major driver. A denial-of-service attack overwhelms a system’s resources so that it cannot respond to service requests. A DDoS attack also targets the system’s resources, but it is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.

Criminals often perform DDoS attacks for profit, taking websites offline and demanding payment from the victims to stop the attack. That is called ransomware. And the healthcare sector is the greatest target of them all: in 2017 the healthcare sector suffered 45% of ransomware incidents globally. The financial and professional services sectors suffered 12% of ransomware attacks each, manufacturing 7%, education and retail 6% each, and hospitality 4%. Other sectors, including government, real estate and utilities, accounted for 8% altogether. According to Europol, ransomware attacks decreased in 2018 compared to 2017 (a drop of almost 30%), but ransomware remains the biggest malware threat, since ransomware code is becoming more advanced and more difficult to detect and/or defeat.

But how does ransomware relate to GDPR?

Ransomware is a type of malicious software that threatens to publish the victim’s data or to block access to it permanently. To restore access, the attackers demand that a ransom be paid.

The harms of ransomware are the following:

  • Temporary or permanent destruction of sensitive information;
  • Disruption of operations by crashing the network;
  • A demand to pay the ransom in order to restore the system and files.

Such unlawful handling of the company’s data may pose a risk to the rights and freedoms of the data subjects whose personal information the company holds. Therefore, ransomware attacks fall within the scope of GDPR and are treated as data breaches.

While trying to meet GDPR requirements, many companies overlook the threat of ransomware attacks. During an attack, the company’s servers, desktops and laptops may be affected. The company must evaluate the data breach and the possible damage. Diagnostics should be performed to determine whether personal data has been compromised. If so, the local data protection authority must be informed within 72 hours. The breach report must contain the type of attack and the amount of personal data affected, including the actions taken and planned in order to eliminate the consequences. In the case of a serious breach, the data subjects whose information was compromised must be informed as well. Companies that process sensitive data must inform the local data protection authority about the incident regardless of the severity of the breach caused by the attack. If the attacked company fails to prove GDPR compliance, it will be forced to pay fines (more about breach notifications and GDPR fines).

Does a ransomware attack qualify as a data breach?

Attackers tend to calculate the fine a company would face under the GDPR before issuing their demands, and they set the ransom just under the penalty the victim would face. Attackers expect victims to prefer paying the ransom and never reporting the incident, rather than informing the local data protection authority, which would start an investigation that could uncover further GDPR violations and fine the company on top of it.

On the other hand, companies may decide that the risk of receiving a fine outweighs the risk of quietly breaking the law and sweeping a GDPR-relevant ransomware incident under the rug. This is especially tempting when it may be possible to argue that the ransomware attack does not actually qualify as a breach and does not need to be reported (if no personal data was accessed, altered or destroyed during the attack).

How to avoid ransomware attacks?

Data protection experts expect ransomware attacks to increase in the coming years. Any company, regardless of its size, can be attacked. Attackers are aware that receiving a GDPR fine could be fatal to a smaller business. Therefore, it is crucial to make sure the network is strongly defended to prevent ransomware attacks and any resulting GDPR violations.

The main ransomware prevention methods:

  • Keep software up to date.
  • Purchase a licensed anti-virus program. With the right tool, attacks can be blocked and stopped from spreading, and the system can be protected from infection.
  • Move data to the cloud. Cloud providers usually have proper security measures in place to protect data and comply with GDPR.
  • Enforce strong passwords. A long and strong password makes it harder for an attacker to access the account.
  • Scan emails for spam and malicious content.
  • Keep offline data backups up to date.
  • Eliminate unused service accounts.

Staff training should follow once these steps have been applied, so that employees understand what these measures do and why they were put in place, as well as what indicates a ransomware infection and how the incident should be reported.

Google’s Jigsaw unit created a quiz that tests the ability to identify phishing emails. Our result was 8/8. Check if you can identify phishing emails too.
