The new EU General Data Protection Regulation (GDPR) lays down some strict penalties for non-compliance. The fines of up to 20 million euros or 4% of a company's annual revenue for breaching the legislation are a real incentive for companies to make sure they're compliant. But this has also given hackers a new idea: a ransomhack.
Ransomware is a form of malicious software that encrypts user data, preventing users from accessing it unless they pay a ransom. But Bulgarian cybersecurity firm Tad Group has revealed a new type of blackmail, whereby data isn't held hostage if the company doesn't pay up. Instead, the data is leaked, an attack inspired by the penalties under the new EU legislation.
Cybercriminals are riding the GDPR wave, and it's no coincidence. The new law entered into force on May 25, 2018, but many businesses still haven't complied. Experts believe that companies would rather pay the ransom and keep things quiet if they are ever hacked. That means they wouldn't have to pay the fines laid down by the European legislation.
The GDPR requires any data breach to be reported within 72 hours of discovery. According to the Tad Group, the ransoms demanded from a ransomhack typically range from 1000 to 20,000 USD. So, in that sense, it's easy to see why a company would rather pay the hackers' ransom than the statutory fine.
The legislation states that a personal data breach has occurred whenever there is a loss of availability, integrity, or confidentiality regarding the data, whether accidental or intentional. In such cases, incidents must be reported as soon as possible to the national supervisory authority, so it can be determined whether there is a risk to the rights and freedoms of an individual person.
The obligation to report a personal data breach to the supervisory authority is laid down in Article 33 of the GDPR. Moreover, if a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person, then Article 34 requires those persons to be informed about the breach as well.
However, supervisory authorities don't automatically impose a fine for being hit by a ransomhack. Instead, regulators are in charge of determining whether, before the attack, the company had taken the appropriate technical and organizational measures to guarantee a suitable level of security in view of the risk.