Natasha Bougourd warns of a new level of danger as the GDPR gives the baddies a new tool to play with
GDPR is the topic on everyone’s lips in the business world, as the incoming regulation sees the biggest shift in data protection laws since the 1995 Data Protection Directive. We’ve seen a lot of scaremongering around GDPR, with talks of fines in the millions for data breaches. We know that it’s unlikely the Information Commissioner’s Office (ICO) will enforce the maximum penalties on businesses that experience data breaches because of its history of lighter enforcements.
Whilst this will put many minds at ease, businesses must be acutely aware of the cyberthreat landscape. 2017 was dubbed the ‘year of the cyber-attack’ thanks to high-profile hacks and data breaches from around the world. May’s worldwide WannaCry attack brought Ransomware, a specific and insidious type of malware that encrypts a user’s files and demands a ransom payment for their decryption, into mainstream headlines for the first time. The hit on the NHS initially looked like a targeted attack on the UK’s health system, but it was later proven to be more of a spray-and-pray exercise with businesses of all sizes hit across the globe.
The creators of WannaCry appeared to make a paltry £108,000 out of the worldwide attack, which took down over 200,000 systems; it’s estimated that the hackers received only 200 payments. A ‘killswitch’ was found within days of the attack, halting the spread of the Ransomware virus. Whilst it’s encouraging to see businesses refusing to give in to the hackers’ demands and pay up, the real cost lies in the downtime caused by cyber-attacks like this.
Take the NHS for example; within minutes of the virus infecting systems, the service was, in parts, incapacitated; doctors and nurses couldn’t access patient records, with GPs resorting to pen and paper, whilst non-emergency operations were cancelled and the public was advised to only use A&E services in cases of emergency. A figure of £180,000 was attributed to the emergency measures the NHS put in place in the immediate aftermath of the attack, but this doesn’t take into account the cost of downtime or the costs incurred by individual trusts, so the overall costs could run into the hundreds of thousands or even millions. A post-mortem report into the effects of the attack showed that over a third of trusts were affected, as well as almost 600 GP practices. A total of 19,000 appointments were cancelled, over 100 of which were cancer-related. By these figures, it’s not too far off the mark to say that this cyber-attack, had it taken down the entire NHS, could have cost lives.
The Petya/NotPetya Ransomware attack that again struck worldwide in June 2017 hit businesses hard financially. International shipping company Maersk was infected with the Petya virus, which affected its business operations substantially for two weeks, even shutting down its largest terminal in Los Angeles. The malware stole authentication credentials to infect the network, using this hack to block access to vital systems that operated the company’s shipping terminals globally. Not only were files locked down, but the applications themselves were inaccessible. Maersk took the safety measure of shutting down its Maersk Line APM Terminals, meaning it couldn’t move cargo for days. In the two weeks of disruption, customers were unable to make new bookings or receive quotes before the business returned to its usual operations.
Whilst Maersk has stressed that the business hasn’t lost customers as a result of this cyber-attack – which is unlikely due to the reputational damage associated with data breaches – it has estimated revenue losses of £234 million from its two weeks of downtime. Research into high-profile data breaches, including TalkTalk, Barclays and Carphone Warehouse, unanimously showed that businesses suffer an immediate drop in customer sentiment. TalkTalk lost over 100,000 customers following its data breach, indicating the loss of trust for thousands of customers.
Similarly, American pharmaceutical company Merck reported losses of over $310 million (£214 million) in its Q3 revenue alone, with projections that a similar loss would be reported in Q4 because of the Petya attack. It estimated that $135 million had been lost in sales, whilst the other $175 million was attributed to the cost of recovering from the attack. Petya caused a production shutdown at Merck that halted the manufacture of prescription medication and vaccines, with the impact so severe that employees weren’t allowed to work. The fact that this has impacted on Merck’s revenue for a significant period of time following the attack should be a stark warning to businesses.
So how is this relevant to GDPR?
Heimdal Security researchers have concluded that hackers are likely to use GDPR as leverage to extort money out of businesses. Security Evangelist Andra Zaharia argues that social engineering (a form of ‘psychological manipulation’) is an integral cog in the Ransomware machine, with hackers posing as colleagues or threatening to release compromising information if their demands are not met. Zaharia believes cyber criminals will take this to the next level by using your data as a ‘bargaining chip’, knowing the consequences your business faces will be reputational damage, legal consequences and potential financial punishment from the ICO.
The Uber hack is an example of how hackers can successfully manipulate a business into paying in order to keep a breach quiet. Whilst the hackers didn’t use Ransomware to breach the Personally Identifiable Information (PII) of 57 million customers, they successfully forced Uber into paying over £75,000 to delete the stolen data and to keep the hack under wraps. Whilst we understand the highest fines under GDPR will be used only in the most extreme cases, it’s likely the ICO would have penalised Uber not only for the hack, but for the cover-up too, as both are significant breaches under GDPR; the cover-up is likely to be the more severely punished of the two.
The hackers responsible for Uber’s data breach have shown how effective this socially-engineered manipulation is; Zaharia of Heimdal Security argues this will only become a more effective technique as the supposedly large fines (real or perceived) and reputational damage attached to GDPR are used as blackmail.
As Ransomware is already the most profitable form of malware, it makes sense that it will become the weapon of choice under GDPR. What’s more, it requires little in the way of high-level administrative rights in order to infiltrate a system, meaning it can still slip past some modern security solutions. Ransomware, or other forms of malware, won’t be used in isolation, however. Social engineering tactics like impersonating employers, blackmail and extortion will go hand-in-hand with destructive viruses. Phishing, which directs users to fake login pages in order to steal login credentials, is also on the rise as cyber criminals become more sophisticated in impersonating individuals and reputable brands like Apple or Amazon.
The three examples here demonstrate how businesses suffer financially because of cyber-attacks; Merck and Maersk experienced huge financial losses due to downtime, which resulted in a loss of sales, while Uber paid up to hackers in order to keep its enormous data breach quiet, and could face further consequences as UK, Australian, US and Filipino authorities launch investigations into the breach and cover-up.
Whilst it’s true that under GDPR, the ICO will have the power to fine businesses 2% or 4% of global turnover, depending on the severity of the breach, it’s unlikely we’ll see those fines implemented on a large scale. The GDPR is designed to protect the personal data of individuals, not to make examples out of businesses. We know it’s important to not buy into the scaremongering around fines in the millions, but this shouldn’t come at the expense of compliance.
The GDPR requires businesses to put in place ‘appropriate measures’ to protect their PII data from hacks and breaches. Should a business follow this instruction and still experience a data breach, proving to the ICO that these security measures were implemented will ensure the punishment isn’t severe. By putting measures in place to address GDPR, like encryption (a security method explicitly mentioned in the regulation), robust anti-virus solutions and implementing a culture of privacy by design, you also get the added benefit of protecting your business from cyber criminals prepared to use GDPR to their advantage.