
Cyber Attacks from the Perspective of GDPR: Ransomware

Nowadays almost every business sector relies on digital technologies. IT infrastructure and practices age and weaken if they are not updated regularly, and because of the amount and the kind of information they hold, companies become targets for cyber attacks.

According to TechRepublic, malware attacks topped the list of the most common cyber attacks in 2018: cybercriminals steal data from victims’ computers, usually using spyware or remote administration malware to do so.

Next on the list is hacking: taking advantage of vulnerabilities in the target’s software and hardware. Hackers currently cause the most damage to governments, banks, and cryptocurrency platforms. In the most recent incident, German Chancellor Angela Merkel’s Twitter account was hacked and her personal information was leaked. The incident can be read as a warning that even officials in high positions of power need to be aware of the risks.

Others on the list are:

  • Credential theft based attacks – corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn for specific users whose credentials would grant access to critical data and information. The effectiveness of credential phishing relies on deceiving employees through human interaction, unlike malware and exploits, which rely on weaknesses in security defences.
  • Web attacks – cybercriminals extort website operators for profit, sometimes by threatening to steal client databases or take the website down.
  • DDoS (distributed denial-of-service) attacks – the weapon of choice for business rivals, disgruntled clients, and hacktivists. These attacks typically hit government institutions, and political events are a major driver. A denial-of-service attack overwhelms a system’s resources so that it cannot respond to service requests. A DDoS attack also targets the system’s resources, but it is launched from a large number of other host machines infected with malicious software controlled by the attacker.

Criminals often perform DDoS attacks for profit, taking websites offline and demanding payment from the victims to stop the attack. That is called ransomware. The healthcare sector is the greatest target of them all: in 2017 it suffered 45% of ransomware incidents globally. The financial and professional services sectors suffered 12% of ransomware attacks each, manufacturing 7%, education and retail 6% each, and hospitality 4%. Other sectors, including government, real estate and utilities, accounted for 8% altogether. According to Europol, ransomware attacks decreased in 2018 compared to 2017 (by almost 30%), but ransomware remains the biggest malware threat, since the code is getting more advanced and more difficult to detect and defeat.

But how does ransomware relate to GDPR?

Ransomware is a type of malicious software that threatens to publish the victim’s data or to block access to it permanently. To let the victim regain access, attackers demand a ransom payment.

The harms of ransomware are the following:

  • Temporary or permanent destruction of sensitive information;
  • Disruption of operations by crashing the network;
  • Command to pay the ransom in order to restore system and files.

Such illegal disposal of the company’s data may pose a risk to the rights and freedoms of the data subjects whose personal information the company holds. Therefore, ransomware attacks fall within the scope of GDPR and are treated as data breaches.

While trying to meet GDPR requirements, many companies overlook the threat of ransomware attacks. During an attack, the company’s servers, desktops and laptops may be affected. The company must evaluate the data breach and the possible damage, and perform diagnostics to establish whether personal data has been compromised. If so, the local data protection authority must be informed within 72 hours. The breach report must describe the type of attack and the amount of personal data affected, including the actions taken and planned in order to eliminate the consequences. In the case of a serious breach, the data subjects whose personal information was compromised must be informed as well. Companies that process sensitive data must inform the local data protection authority about the incident regardless of the severity of the breach caused by the attack. If the attacked company fails to prove GDPR compliance, it will be forced to pay fines (more about breach notifications and GDPR fines).

Does a ransomware attack qualify as a data breach?

Attackers tend to calculate the fine a company would face under the GDPR before issuing their demands, and they set the ransom just under that penalty. They expect victims to prefer paying the ransom and never reporting the incident over informing the local data protection authority, which would start an investigation, could find further GDPR violations, and could fine the company on top of it.

On the other hand, companies may decide that the risk of receiving a fine outweighs the risk of quietly breaking the law and sweeping a GDPR ransomware incident under the rug, especially when it may be possible to argue that a ransomware attack does not actually qualify as a breach and does not need to be reported (if no personal data was obtained, changed or destroyed during the attack).

How to avoid ransomware attacks?

Data protection experts expect ransomware attacks to increase in the coming years. Any company, regardless of size, can be attacked, and attackers are aware that a GDPR fine could be fatal to a smaller business. Therefore, it is crucial to make sure the network is strongly defended to prevent ransomware attacks and any resulting GDPR violations.

The main ransomware prevention methods:

  • Update the software regularly.
  • Use a licensed anti-virus program. With the right tool, attacks can be blocked and stopped from spreading, and the system can be protected from infection.
  • Move data to the cloud. Cloud providers usually have proper security measures in place to protect data and comply with GDPR.
  • Enforce strong passwords. A long and strong password makes it difficult for an attacker to access the account.
  • Scan emails for spam and malicious content.
  • Keep offline data backups up to date.
  • Eliminate unused service accounts.
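The list above says to keep offline backups up to date, but a backup only helps recovery from ransomware if it is complete, unmodified and recent. The following script is an added example, not code from the original article, showing how a defender can check that before trusting a backup: it hashes every file in the backup tree into a manifest at backup time, later compares the tree against that manifest to detect changed, missing or unexpected files (the pattern an encrypting ransomware leaves behind), and checks the backup’s age against a maximum. The directory layout, file names, manifest format and `max_age_days` limit are all assumptions made for the demonstration.

```python
"""Added example: verify an offline backup is complete, unmodified and fresh
before relying on it for ransomware recovery.

Assumptions (not from the article): the backup is a directory tree, and a
manifest of SHA-256 hashes plus a timestamp was written when it was taken.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large backup files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, taken_at):
    """Record a hash for every file under root and when the backup was taken."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    return {"taken_at": taken_at.isoformat(), "files": files}


def verify_backup(root, manifest):
    """Compare the backup tree against its manifest.

    Returns sorted lists of files whose content changed (e.g. encrypted in
    place), files that are missing, and files the manifest never listed.
    """
    expected = manifest["files"]
    actual = build_manifest(root, datetime.now(timezone.utc))["files"]
    return {
        "changed": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def backup_is_fresh(manifest, now, max_age_days=1):
    """True if the backup is no older than max_age_days (assumed policy limit)."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= timedelta(days=max_age_days)


def demo():
    """Build a constructed backup, then corrupt it the way an encrypting
    ransomware would and show the verification catching it."""
    now = datetime(2019, 3, 1, tzinfo=timezone.utc)  # constructed clock
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for personal-data records.
        os.makedirs(os.path.join(root, "hr"))
        with open(os.path.join(root, "hr", "payroll.csv"), "w") as f:
            f.write("employee,salary\nA. Example,1000\n")
        with open(os.path.join(root, "contracts.txt"), "w") as f:
            f.write("contract text\n")

        manifest = build_manifest(root, now - timedelta(hours=6))
        clean = verify_backup(root, manifest)

        # Simulate damage: one file overwritten in place, one foreign file added.
        with open(os.path.join(root, "hr", "payroll.csv"), "wb") as f:
            f.write(b"\x00\x01 unreadable bytes")
        with open(os.path.join(root, "unexpected.bin"), "wb") as f:
            f.write(b"not part of the backup")
        tampered = verify_backup(root, manifest)

        fresh = backup_is_fresh(manifest, now)                      # 6 hours old
        stale = backup_is_fresh(manifest, now + timedelta(days=3))  # 3 days old
    return clean, tampered, fresh, stale


if __name__ == "__main__":
    clean, tampered, fresh, stale = demo()
    print(json.dumps({"clean": clean, "tampered": tampered,
                      "fresh": fresh, "stale": stale}, indent=2))
```

The manifest should be stored separately from the backup media (and ideally signed), since a manifest that sits next to the files it describes can be rewritten along with them; the freshness check is what turns “keep backups up to date” from advice into something that can be alerted on.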

Staff training should follow these steps so that employees understand what these measures do and why they were put in place, as well as what indicates ransomware and how an incident should be reported.

Google’s Jigsaw unit created a quiz that tests the ability to identify phishing emails. Our result was 8/8.  Check if you can identify phishing emails too.