A researcher has suggested that the GDPR fine structure could give cyber-criminals a price point at which to set their ransoms, because it tells them how much money they should be asking for.
The EU’s General Data Protection Regulation (GDPR) comes into force on 25th May 2017. As part of the enforcement mechanism, a fine structure has been published to encourage compliance with the Regulation. The fine structure for GDPR is tiered according to the seriousness of the violation, but it has been published and widely publicised that lesser violations will attract fines of 2% of global turnover, and more serious violations will attract fines of up to €20 million, or 4% of global turnover (whichever is greater).
Price Point Provided
Researcher Mikko Hypponen has therefore made the point that these figures could give cyber-criminals using ransomware, or hackers stealing data, a price point at which to set the ransom, because they now know how much money they should be asking for.
Hypponen argues that because the criminals know what data is worth / what covering up a data breach may be worth to some companies (probably large, well-known ones), these companies may actually be willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.
According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.
Not So Far-Fetched
Taking one recent incident as an example, Hypponen’s predictions may not appear too far-fetched. The HBO network was hacked, and the hackers are reported to have demanded $5.5m for the release of the stolen data. Even though this sounds like a very large sum, it is still less than 2% or 3% of the company’s 2014 annual revenue.
It is certainly possible that some companies would pay a ransom to keep a breach quiet, as Uber was recently reported to have paid hackers $100,000 to delete the data from a hack that took place 2 years ago, and to keep quiet about it.
Hypponen has, therefore, predicted that, after the introduction of GDPR on May 25th 2018, companies (particularly those with a large turnover) will be targeted by hackers for personal information, and will be given ransom demands that are close to GDPR fine levels.
Taking Advantage of GDPR
Another prediction of how cyber-criminals may use GDPR to their advantage is that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data. These things, as well as the passing of personal data to hackers via the ransomware, are technically serious breaches of GDPR by the victim company.
As well as hackers stealing data directly, ransomware is fast becoming the most popular way for cyber-criminals to make money, and is likely to be a greater threat after GDPR. The fact that it is automated and doesn’t require any special user rights to operate it makes it a popular choice, and an ideal way for criminals to sell data to the highest bidder (which is often the victim company).
There are even reports that large companies / corporations and banks have been buying up stores of Bitcoin as a short-term way to deal with data breach / ransom-based cyber attacks.
What Does This Mean For Your Business?
Where GDPR is concerned (especially with the pressure of the approaching deadline) many companies are seeing it as an opportunity to address possible data security / privacy loopholes that could leave them at the mercy of cyber attackers anyway, and to expand their ability to manage the use of data.
GDPR could even be viewed as a way of developing a global standard for data protection, which could be an opportunity for businesses to offer products and services worldwide that comply with this standard.
Quite apart from GDPR, businesses and organisations of all kinds should be trying to continuously improve their cyber resilience anyway.
Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form.
One way in which companies could test their response to a live ransomware Trojan in their network is to plant dummy files in the network that legitimate users should never touch, so that any change to them acts as an alarm.
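The two defensive steps above, testing that backups can be restored in a usable form and planting dummy "canary" files that raise an alarm when touched, both come down to the same check: record a baseline of what the files should look like, then compare against it later. The following is an added example (not from the article or from Hypponen) of that check in Python. It plants canary files under hypothetical names (constructed for the example), records a SHA-256 manifest, verifies a simulated backup copy against the manifest, and then reports which canaries have gone missing, been modified, or gained unexpected neighbours (ransomware typically drops a note alongside the files it encrypts). The tampering step is a constructed overwrite and delete, standing in for whatever a real incident would do.

```python
"""Canary-file and backup-restore verification via a hash manifest (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical decoy names, constructed for the example. Choose names that look
# valuable to an intruder but that no legitimate process ever opens.
CANARY_NAMES = [
    "finance/do_not_open.xlsx",
    "hr/payroll_archive.docx",
    "shared/old_contracts.pdf",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path, names) -> dict:
    """Create the decoy files and return the baseline manifest {relative path: sha256}."""
    manifest = {}
    for rel in names:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(f"canary {rel}\n".encode())  # constructed dummy content
        manifest[rel] = sha256_of(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Compare a tree against the manifest; return sorted alert strings (empty list = clean).

    Used both to check a restored backup for usability and to poll canaries for tampering.
    """
    alerts = []
    watched_dirs = set()
    for rel, digest in manifest.items():
        p = root / rel
        watched_dirs.add(p.parent)
        if not p.is_file():
            alerts.append(f"MISSING {rel}")      # deleted or renamed (e.g. given a new extension)
        elif sha256_of(p) != digest:
            alerts.append(f"MODIFIED {rel}")     # content changed, e.g. encrypted in place
    expected = {root / rel for rel in manifest}
    for d in watched_dirs:
        if d.is_dir():
            for child in d.iterdir():
                if child not in expected:
                    # A new file beside a canary is itself suspicious (ransom notes, renamed copies).
                    alerts.append(f"UNEXPECTED {child.relative_to(root).as_posix()}")
    return sorted(alerts)


def run_demo() -> dict:
    """End-to-end run on temporary directories: clean baseline, restore check, then simulated tampering."""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as store:
        root = Path(live)
        manifest = plant_canaries(root, CANARY_NAMES)
        clean = verify_manifest(root, manifest)

        # Backup-restore test: copy the tree elsewhere and verify the copy against the same manifest.
        restored_root = Path(store) / "restored"
        shutil.copytree(root, restored_root)
        restore = verify_manifest(restored_root, manifest)

        # Simulated tampering (constructed): one canary overwritten, one removed.
        (root / CANARY_NAMES[0]).write_bytes(b"not the original content")
        (root / CANARY_NAMES[1]).unlink()
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "restore": restore, "tampered": tampered}


if __name__ == "__main__":
    for stage, alerts in run_demo().items():
        print(f"{stage}: {alerts or 'OK'}")
```

In production the manifest would be kept somewhere the monitored hosts cannot write to, and `verify_manifest` would run on a schedule (or from a file-system watcher) with alerts routed to the incident response team; a non-empty result from the restore check means the backup is not usable and should be treated as a failed backup, not a passed test.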
Companies and organisations should also make sure that they have workable Business Continuity and Disaster Recovery Plans in place, and be aware that paying hackers does not guarantee the return of stolen data, and could increase reputational damage if the public see this as a way of trying to hide a breach.