New Money Making Scheme: After Ransomware Comes GDPR Extortion

The world has changed for the better when it comes to security and privacy of data, thanks to the European Union’s GDPR (General Data Protection Regulation). Companies, especially those operating in the EU-member states have started revising their terms of service and impose internal changes to comply with the requirements. In return for corporations taking care of their customer data better, it is expected for ransomware to become less effective. User education will cover any possibility of corporate employees from falling for trojan horses that can infect their machine for a ransom or even for mining cryptocurrency for the virus authors.

However, the cybercriminals continue their research and development to develop new ways for unsuspecting users to fall for their traps, their new interest is to use GDPR as an extortion racket. GDPR took full effect last May 25, 2018, with a heavy penalty of €20 million or 4% of their global revenue, whichever is higher.

Unfortunately, not all companies are ready for GDPR with just 20% compliance. With the survey result, 80% is ripe for being targeted. The new possibility of cybercriminals will test penetrate a target corporate network installation, then blackmail the company to pay an extortion, non-compliance means the hack will proceed.

“They’d have to find a way into a company’s system and reveal how they did it – thereby essentially proving that the organization is vulnerable to attack and that the information they hold can be stolen and used by threat actors. They could provide an example of the stolen data as evidence that they’ve exploited a vulnerability in the system, and thus demonstrate that the right measures haven’t put in place by that company to stop breaches happening. Big fines might be few and far between, and hackers might therefore not know what value an organization would place on a ‘hush job’. However, the $100,000 that Uber paid speaks volumes: they thought the breach was worth that amount. It’s always going to come down to the differential value, for a company to either risk a fine or pay the hush money that the criminal demands. If the ICO hands out lots of tiny fines, rather than demanding crippling payments, hackers may decide it’s not worth their time to hold companies to ransom.” said David Emm, Kaspersky Lab’s Security Researcher.

This extortion technique is confirmed by a Kaspersky Lab’s competitor, Trend Micro though not popular with big companies at the moment. Bharat Mistry, Principal Security Strategist for TrendMicro emphasized: “I don’t think they’ll target large enterprises but certainly the small to medium, and maybe not UK ones or European ones but certainly outside of EU borders.”

COO of Exonar, Julie Evans has expressed her opinion of GDPR fines as an object of extortion is a reality on the ground: “The perpetrator could threaten to expose the GDPR failure to thousands or even millions of consumers, even handling the Data Subject Access Requests (SARs) alone could be crippling for a company, especially if they are still doing that manually, let alone the cost of compensation that could come from such a class action – it would not be capped at 4%.”

It is strongly recommended that companies invest with a reliable and efficient backup system, in order to restore their systems in the event of any IT threats. Just like the ransomware issue, it will also be a good investment for any company to hire ethical hackers that will perform a thorough penetration testing against their corporate networks.