Cyber Extortion: Data Leaks as a Business Model?

By: Bart Giesbers

Is a new trend emerging in the world of hackers: data leaks as a business model? With the worst of the GDPR (General Data Protection Regulation) storm settling down and the era of "can't do it, it's against GDPR" hopefully behind us, hackers are discovering a new source of income: fear of fines.

Cyber extortion is one of the threats highlighted in the Europol Internet Organised Crime Threat Assessment 2018 (IOCTA). The IOCTA is a law enforcement-oriented evaluation of emerging threats and major developments in cybercrime over the past year. In this report, I found something noteworthy about cyber extortion through data breaches.

The GDPR has caused a lot of board members to fear hefty fines. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is still busy imposing penalties for violations detected under the old data protection law (Wbp). This may be a sign of potential GDPR fines on the horizon.

It's not just GDPR-related fine concerns that are driving organizations to report data breaches. Other reporting requirements, such as the European NIS Directive and the Dutch Network and Information Systems Security (Wbni) Act, are also increasing the pressure to report incidents to regulatory authorities.

The GDPR mandates the reporting of personal data breaches within 72 hours. A breach can result in substantial fines, with a maximum of €20 million or 4% of a company's total global annual revenue. These are the maximum amounts set by the GDPR that are instilling fear in board members. Hackers are adept at capitalizing on this fear.

According to IOCTA 2018, the fear of fines can lead to scenarios in which hackers attempt to extort companies due to security incidents. Extortion itself is not new, and there are plenty of examples involving ransomware and cryptoware. What is new is that hackers are using the threat of GDPR fines as leverage to compel organizations to pay ransoms. Hacked companies may prefer to pay a smaller ransom to prevent the incident from being disclosed, rather than risk a substantial fine imposed by a regulator.

Personally, I'm not a fan of fear-mongering. Properly safeguarding personal data should have a more positive motivator than just the initial fear of an administrative fine. Moreover, a substantial fine to the maximum amount specified by the GDPR is only imposed in cases of severe and deliberate wrongdoing, as demonstrated in the penalty guidelines of the European Data Protection Board (EDPB).

Paying a hacker in exchange for a promise not to disclose the incident or weakness invites further attacks and extortion and helps finance criminal activities. Most importantly, there is never a guarantee that the attacker won't disclose or exploit the information anyway, even after a ransom is paid. And here's a free tip: even if you pay the hacker, it's still a data breach that must be reported. Do not follow Uber's example. Negligence, deliberately concealing an incident, or ignoring the Data Protection Officer's advice can all increase the fine amount. Don't fall for hackers' latest marketing ploy; it only makes the incident worse.