Cyber Attacks from the Perspective of GDPR: Ransomware

Nowadays almost every business sector integrates digital technologies. IT infrastructure and practice, if not updated regularly, age and become weaker. Because of the amount and the kind of information they hold, companies therefore become targets for cyber attacks.

According to TechRepublic, in 2018 malware attacks led the list of the most popular cyber attacks: cybercriminals steal data from victims' computers, usually using spyware or remote administration malware to do so.

Next on the list is hacking: taking advantage of vulnerabilities in the target's software and hardware. Hackers currently cause the most damage to governments, banks, and cryptocurrency platforms. In the most recent incident, German Chancellor Angela Merkel's Twitter account was hacked and her personal information was leaked. The incident can be read as a warning that even officials in high positions of power need to be aware of the risks.

Others on the list are:

  • Credential theft based attacks. Corporate credential theft is usually a targeted effort. Attackers scour social media sites such as LinkedIn, searching for specific users whose credentials will grant access to critical data and information. The effectiveness of credential phishing relies on human interaction in an attempt to deceive employees, unlike malware and exploits, which rely on weaknesses in security defenses.
  • Web attacks, in which cybercriminals extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS, or denial-of-service attacks, the weapon of choice for business rivals, disgruntled clients, and hacktivists. These attacks typically hit government institutions, and political events are a major driver. A denial-of-service attack overwhelms a system's resources so that it cannot respond to service requests. A DDoS attack also targets the system's resources, but it is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.

Criminals often perform DDoS attacks for profit, taking websites offline and demanding payment from the victims to stop the attack. That is referred to as ransomware, and the healthcare sector is the greatest target of them all. In 2017 the healthcare sector suffered 45% of ransomware incidents globally. The financial and professional sectors suffered 12% of ransomware attacks each, manufacturing 7%, education and retail 6% each, and hospitality 4%. Other sectors, including government, real estate and utilities, accounted for 8% altogether. According to Europol, ransomware attacks decreased in 2018 compared to 2017 (by almost 30%), but ransomware remains the biggest malware threat, since its code is getting more advanced and more difficult to detect and/or defeat.

But how does ransomware relate to GDPR?

Ransomware is a type of malicious software that threatens to publish the victim's data or to perpetually block access to it. In order to restore access, attackers demand a ransom.

The harms of ransomware are the following:

  • Temporary or permanent destruction of sensitive information;
  • Disruption of operations by crashing the network;
  • A demand to pay the ransom in order to restore the system and files.

Such illegal disposition of the company's data may pose a risk to the rights and freedoms of the data subjects whose personal information the company holds. Therefore, ransomware attacks fall under the GDPR and are treated as data breaches.

While trying to meet GDPR requirements, many companies overlook the threat of ransomware attacks. During an attack, the company's servers, desktops and laptops may be affected. The company must evaluate the data breach and the possible damage. Diagnostics should be performed to establish whether personal data has been compromised. If so, the local data protection authority must be informed within 72 hours. The breach report must describe the type of attack, the amount of personal data affected, and the actions taken and planned in order to eliminate the consequences. In the case of a serious breach, the data subjects whose information was compromised must be informed as well. Companies that process sensitive data must inform the local data protection authority about the incident regardless of the severity of the breach caused by the attack. If the attacked company fails to prove GDPR compliance, it will be forced to pay fines.

Does a ransomware attack qualify as a data breach?

Attackers tend to calculate the fine a company would face under the GDPR before issuing their demands, and they set the ransom just under the penalty the victim would face. Attackers expect victims to prefer paying the ransom and never reporting the incident, rather than informing the local data protection authority, which would start an investigation, could possibly find more GDPR violations, and fine the company on top of it.

On the other hand, companies may reason that the risk of receiving a fine is greater than that of quietly breaking the law and sweeping a GDPR ransomware incident under the rug. This is especially so when it may be possible to argue that a ransomware attack does not actually qualify as a breach and does not need to be reported (if no personal data was accessed, changed or destroyed during the attack).

How to avoid ransomware attacks?

Data protection experts expect an increase in ransomware attacks in the coming years. Any company, regardless of size, can be attacked. Attackers are aware that receiving a GDPR fine could be fatal to smaller businesses. Therefore, it is crucial to make sure the network is strongly defended in order to prevent ransomware attacks and any GDPR violations.

The main ransomware prevention methods:

  • Update the software.
  • Purchase a licensed anti-virus program. With the right tool, attacks can be blocked and stopped from spreading, protecting the system from infection.
  • Move data to the cloud. Usually, cloud providers have proper security measures in place to protect data and comply with the GDPR.
  • Enforce strong passwords. A long, strong password makes it harder for an attacker to access the account.
  • Scan emails for spam and malicious content.
  • Keep offline data backups up to date.
  • Eliminate unused service accounts.

Staff training should follow after applying these steps, so that employees understand what these methods do and why they were put in place, as well as what indicates ransomware and how an incident should be reported.

Google's Jigsaw unit created a quiz that tests the ability to identify phishing emails. Our result was 8/8. Check if you can identify phishing emails too.
