
GDPR could ramp up cyber extortion demands, warns researcher

The ransom demanded for stolen or encrypted data is likely to rise after the General Data Protection Regulation compliance deadline in May 2018, according to a cyber security researcher

The EU’s General Data Protection Regulation (GDPR) could effectively drive cyber criminals’ ransom demands higher, says Mikko Hypponen, chief research officer at F-Secure.

The sums demanded by cyber attackers in the past have been fairly arbitrary, he believes, because there has been no way to determine exactly what data is worth to a targeted organisation.

But Hypponen said this will change when the GDPR compliance deadline arrives on 25 May 2018, because after that date companies can be fined up to 4% of their global annual turnover or €20m, whichever is greater, if data is leaked and they are found not to have protected personal data properly.

“So while GDPR is good for the consumer, it also gives a price point for criminals because now they know how much money they should be asking,” he said.

Because the attackers know exactly what the data is worth, Hypponen said they also know that companies are likely to be willing to pay anything less than that to avoid the full amount of the fine and to avoid damage to the organisation’s reputation by keeping the breach secret.

As a result, he said, demands could go up to 2% or 3% of the targeted organisation’s global annual turnover, which, depending on the organisation, could be tens or even hundreds of millions of dollars instead of the current levels of thousands and low millions of dollars.

US authorities revealed this week that the individual charged with hacking TV network HBO threatened to release stolen data and TV content unless HBO paid $5.5m, which is considerably less than 2% or 3% of its 2014 annual revenue of $5.4bn, figures that equate to $108m and $162m, respectively.

Hypponen predicted that after May 2018, there will be targeted hacks where personal information is stolen from companies and they will start to get demands that are closer to the potential GDPR fines.

With just over six months to go before the compliance deadline, organisations are being urged to get their houses in order, not just because of the potential fines, but also for sound business reasons.

At EEMA’s recent ISSE 2017 conference in Brussels, Belgium’s secretary of state for privacy, Philippe De Backer, said the GDPR is really a business opportunity and should be viewed as such.

“For many, the focus is on compliance challenges and on the huge fines for non-compliance, but in reality the GDPR is an expansion of the ability to manage the use of data,” he said.

“The GDPR is also about enabling companies to know what data they have, securing that data, and managing that data effectively to enable them to identify new business opportunities.”

According to De Backer, the GDPR is effectively creating a global standard for data protection, and is therefore an opportunity for European businesses to offer products and services worldwide that comply with this standard.

This, in turn, enables trust between organisations and their customers, which he said is essential to doing business online and will be important to most businesses well into the future.
