General security

Pay GDPR? No thanks, we’d rather pay cybercriminals

Susan Morrow
December 1, 2021 by
Susan Morrow

Once upon a time, ransomware was a simple cybercrime. You knew where you stood; the data was encrypted, and you either paid the ransom or not. Yes, life was simple back then. 

I am being facetious, of course, but as with many cyberattack tactics, ransomware has become more complex and multi-faceted. Encrypting corporate files is no longer enough for ransomware thieves. No, ransomware criminals now steal data first to put even more pressure on an organization to pay the ransom.

This double-whammy is placing corporations in a squeeze: pay the ransom and protect any personal data caught up in the attack, or pay a data protection non-compliance fine, which in the case of GDPR can be up to 4% of global revenue or 20 million euros (whichever is higher).

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

A double-edged sword of ransomware pain

Ransomware has always been a pain. Ransomware attacks such as WannaCry caused serious disruption to business continuity and services, causing massive operational problems and costing enormous amounts of money. Three years after the WannaCry attack, the UK's National Health Service (NHS) has evaluated the attack's impact as having cost around £92 million ($116 million) and causing 19,000 appointments to be canceled.

But now, ransomware is a double-edged and painful sword. The recent Colonial Pipeline ransomware attack began with the attackers stealing 100 gigabytes of data the day before the ransomware infection shut down the Colonial infrastructure, causing chaos for millions of customers. Colonial has since admitted to sending out breach notification letters to 5,810 individuals, mostly current or former employees: the stolen data contained personal information including name, address, date of birth, social security number, and health insurance information. In other words, the type of personal data that is protected in law by regulations such as GDPR and CCPA.

Colonial paid around $4.4 million in ransom, with some of the money recovered. However, the company may still have been in breach of various data protection laws. This catch-22 situation that companies find themselves in begs the question, is the double-whammy of ransomware placing the company at threat of secondary extortion, this time from the regulators?

Between a rock and a fine

The problem of ransomware-initiated personal data exposure and regulatory fines is likely to be a trend in the coming years. The act of ransomware double extortion is gaining popularity amongst the cybercriminal community. In 2020, 40% of ransomware families were designed to steal data before encrypting it. Once that data is exfiltrated, it is in the hands of cybercriminals. Therefore, methods of ransomware protection that suggest back-up of data to ensure business continuity, only go so far in mitigating the impact of a modern ransomware infection.

The problem is that ransomware actors are not the most trustworthy of humans. Even if a company pays the ransom, they cannot guarantee that the personal data will stay safe. It's like putting a child in a room with their favorite sweets and saying, "do not eat." Most kids will eat the sweets in a game theory-esque pay-off vs. constraints scenario.

Cybercriminals are cunning: the fact that regulations such as GDPR are enforced and carry heavy fines is not lost on them. Along with the fear of data exposure and the embarrassment and loss of custom, cybercriminals also use the fear of non-compliance fines to extract a ransom.

This was the case in the Uber cyber-attack of 2019. The company paid cybercriminals $100,000 to keep quiet about the breach to stave off the regulators. This strategy backfired on Uber with a series of knock-on effects, including the then chief security officer Joe Sullivan, being charged with concealing the attack.

This tripartite of players are interwoven in a complex game of pay-off vs. constraints; the question is, can the good guys in this scenario, aka the regulators and the victim organization, work together to thwart the activities of the ransomware cybercriminals?

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Cooperation can win out in a game of ransomware

The likelihood is that this tactic of double-extortion is here to stay because it is effective — it results in a greater pay-off. It is, in evolutionary terms, a stable strategy. But paying the ransom will not guarantee that a company will be protected against regulatory fines. Cybercriminals renege on promises. The Sophos State of Ransomware 2021 report found that 92% of companies who paid the ransom did not get all their data back.

Any additional pressure on a company to pay the ransom, such as being worried about large regulatory fines, will play into the cybercriminals' plan but may well not prevent personal data exposure.

The data protection regulator's mantra upholds an individual's privacy by preventing data exposure. If a company goes outside those constraints, they are fined. Cybercriminals are using this to put even further pressure on a victim organization to pay up. Regulators need to be part of a cooperation strategy to reduce ransomware threats.

One way to do this is for regulators to cooperate with organizations when a ransomware attack happens. Instead of a company hiding an attack, if they tell the regulators in good time, this should be a consideration when any non-compliance decisions are made. Further, some countries are now making payment of a ransom illegal. In 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) published an advisory stating that ransomware payments may place an organization in breach of OFAC regulations. 

Ultimately, a victim organization must work to prevent a ransomware attack from happening. A proactive security posture that prevents cyberattacks is the baseline for ransomware prevention.

Infosec works with the U.S. government to provide resources and tools to an organization to help fight the ransomware threat.



Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.