The point that this report is making is that, with the prospect of massive fines under GDPR e.g. fines up to €20 million, or 4% of their global turnover, criminals could extort large sums of money from companies with the threat of a cyber attack that could lead to data security breach, which could in turn lead to a fine under GDPR. It has been suggested that criminals could first determine the penalty under GDPR that could result from an attack, and then demand a ransom of slightly less than that fine.
The recent trends in cyber crime are what have led to this latest chilling prediction. For example, the fact that cyber criminals appear to be abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks with maximised financial gain is a trend that has become more apparent. This trend coupled with the fact that, although the number of reported breaches in 2017 was lower than in 2016, the amount of data compromised by cyber attacks increased, have led security commentators to believe that criminals will seek to exploit GDPR as a money-making weapon.
Predictions Started Last Year
Predictions that the threat of GDPR fines could be exploited by criminals first surfaced in the media last November when researcher Mikko Hypponen made the point that GDPR fine figures could give cyber-criminals who are using ransomware, or hackers stealing data, a price point to set the ransom at because now they know how much money they should be asking.
Hypponen argued that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.
According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.
Threat Of Reporting Too
As well as the threat of a ransom to avoid a direct, deliberate attack that would result in a fine, security commentators have also suggested that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data.
Other Trends uncovered in the recent Trend Micro Report include:
- A 32% increase in new ransomware families from 2016 to 2017.
- A doubling of business email compromise (BEC) attempts between the first and second half of 2017.
- Rapidly rising rates of cryptocurrency mining malware (100,000 detections in October).
- A 22% increase from 2016 in BEC attempts to trick company employees into approving money transfers to criminal accounts, mostly targeting the chief financial officer (CFO).
- More attacks on vulnerable internet of things (IoT) devices, with software vulnerabilities also continued to be targeted (1,009 new flaws discovered and disclosed in 2017).
What Does This Mean For Your Business?
As well as being an opportunity to get the (data) house in order and to enhance competitiveness (GDPR compliant companies are more likely to want to deal with other compliant companies), the size of the fines and now the potential activities of extortionists are risks for the coming years for UK businesses. Even though these predictions relate to more daring and sophisticated crimes, companies should still make sure that they are at least covered against more basic attempts e.g. by keeping up to date with software patching, and covering all known vulnerabilities.
Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form. Training of staff e.g. chief financial officers (CFOs) or anyone involved in payment, and establishing a clear process for checking and chain of command could reduce the risk of BEC attempts and socially engineered attacks. Businesses would also be wise to make sure that their Business Continuity and Disaster Recovery Plans are kept up to date in the light of emerging threats.
More security commentators are also now warning businesses against the potentially devastating combination of security oversights, increasingly aggressive threats and, perhaps, carelessness in some aspects of cyber and data security.