Pantelis Angelidis, Managing Director, QuadPrime Ltd, member of the MAP S.Platis Group
The cyber attack with malicious software (ransomware) on a certain educational institution in Cyprus loudly reopened the discussion on cyber security, once again raising the fundamental question facing every organization: how can it protect itself from such attacks, and what preventive measures should it take?
The concern was exacerbated by the extortion attempt of the hackers, who demanded money in exchange for not releasing the educational institution's data. This was data they had apparently extracted before locking down the organization's systems for ransom. The data in question concerned both ordinary and sensitive personal data relating to students, graduates, academic and administrative staff, researchers and/or partners of the educational institution. This development led to the involvement of the Office of the Personal Data Commissioner, which asked to be informed about the circumstances of the incident and about the measures the educational institution had taken to protect personal data: for example, whether the organization had implemented the necessary technical and organizational measures, the amount of data affected and, above all, what the organization intends to do next. These are questions concerning the application of the General Data Protection Regulation, known as GDPR, which sets specific standards and responsibilities for the processing of personal data.
Indeed, ransomware cyberattacks are the most damaging to an organization. In such cases the hackers target information of particular value to the organization and demand a ransom for the release of the data. Attackers know very well that once they gain access to personal data, even without extracting it from the organization's systems (exfiltration), they hold a powerful lever of pressure and blackmail in their hands. It is noted in this regard that, according to Article 4 of the GDPR, unauthorized access to personal data is in itself considered a personal data breach.
If the victim of the cyber attack does not give in to the initial ransom demand, the hackers usually return with a second demand, publicly announcing that they are in possession of personal data, a sample of which they often release as proof. This double extortion acts as an even greater lever of pressure, because the breach now becomes known to the competent authorities, to the data subjects (i.e. the persons concerned) and to the wider public. Such disclosure inevitably has a negative impact on the reputation of any organization, can incur financial penalties for insufficient safeguards in the storage of personal data, brings a flood of complaints from unsuspecting victims and may even result in lawsuits from data subjects.
The educational institution in question found itself in exactly this predicament of double extortion after the hacker group publicly set deadlines for payment of the ransom. Since then, the Office of the Data Protection Commissioner has indicated that it has received complaints and concerns from affected data subjects who have been informed.
But the nightmare does not end there. There is also the triple extortion scenario. In this scenario, when the victim still does not give in, the hackers turn to the data subjects themselves, since they hold their personal data, and threaten them with disclosure. If this data is sensitive, the success rate of the extortion increases.
In addition to the mandatory cyber security measures for protecting against and preventing ransomware-type attacks, it is recommended that the organization work to increase its resilience. On the one hand, this limits the damage of a successful cyber attack; on the other, it significantly reduces the time it takes the organization to return to normal operation.
There are many things that an organization of this size can and should do. Below are five basic and simple tips for reducing the risk of personal data breaches and improving resilience:
- The volume of personal data is a decisive factor, both in determining potential penalties and in the organization's effort to identify and inform the data subjects affected. It is therefore recommended to minimize the personal data stored.
- Encryption is a very important defensive mechanism for the organization, and one that is also recommended in the articles of the Data Protection Regulation. The organization should therefore keep the personal data it processes encrypted, both in backup files and in databases.
- There is often a reluctance to destroy personal data that is no longer needed. Data management is of particular importance, as mentioned above, and for this reason periodic housekeeping is recommended, with the destruction of personal data that has expired, is dormant, or was acquired and kept for no specific purpose.
- A simple and well-tested data breach response plan must be in place in advance, containing coordination actions and scenarios for notifying the authorities and communicating with data subjects and other stakeholders, so as to ensure transparency about the incident. It is also of particular importance that the organization can respond to and report the incident within 72 hours of becoming aware of it, which can be a real challenge when holidays and weekends intervene.
- Finally, many organizations mistakenly fear the cost of an in-depth investigation, unaware that it allows them to quantify the risk to data subjects and thereby avoid unnecessary actions and financial penalties that can sometimes exceed the cost of the investigation. A detailed investigation at the legal, technical and operational levels is considered of particular importance; it is mandated by the GDPR itself and is expected by the competent authorities as part of the principle of organizational accountability following a breach.
There is clearly no easy way out for an organization that has been attacked by ransomware and whose personal data has been compromised. The losses in time, resources and reputation can sometimes be enormous. The process that begins the moment the incident is discovered is arduous and severely tests the mettle of any organization, whatever its size.
Drawing lessons from organizations affected by ransomware attacks around the world, aiming for and transitioning to a more resilient state is a one-way street. A resilient organization is one that, above all, has the capabilities to cope with and the necessary capacity to absorb the consequences of any kind of security incident. Anticipation, preparation, vigilance and coordinated response are elements that increase organizational capacity and remain critical parameters for navigating today's rising tide of digital threats.