The General Data Protection Regulation (GDPR) came into effect on 25 May 2018, forcing organisations to strengthen their IT security in the way personal data is collected, used and stored.

The regulation sets out that the level of fines and penalties is assessed on the following criteria:

  • Nature of infringement
  • Intention
  • Mitigation
  • Preventative measures
  • History
  • Cooperation
  • Data type
  • Notification
  • Certification

Fines for the most serious infringements can reach €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, and apply to infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
  • Any obligations pursuant to Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority (Article 83(6))

As Cyber Watchdogs, it is our duty and responsibility to anticipate vulnerabilities and foresee the risks. This led us to ask: how easy would it be to blackmail an entity that is not complying with the GDPR? A person, entity or competitor with less than pure intent could certainly inflict serious financial and reputational damage on such an entity.

Scenario A: Attackers could target these vulnerable entities and hold the information for ransom, demanding a percentage of the potential GDPR penalty.

Scenario B: Competitors could exploit the opportunity to add financial strain to the annual turnover and day-to-day operations of the compromised company.

We understand that the goal of the GDPR is to force entities to prevent these vulnerabilities, and we agree with the concept. But if Facebook, Sony or eBay, for example, with millions in financial resources, could still be breached, who is to say a small business has the financial resources to prevent a breach? Are the only alternatives for a small business to pay the penalties, pay the ransom or shut their doors? The damage could extend far beyond the company's reputation, resulting in bankruptcy and even contributing to rising unemployment statistics.

Even companies that do comply with the GDPR could fall victim to blackmail fuelled by fear of the alternative, if they do not understand the regulation well enough to recognise an empty threat.

Since the GDPR came into force, we have done some investigation and found multiple instances of clear breaches of the regulation. This is not to say these companies refuse to adhere to it; they simply lack the resources and/or the understanding of the GDPR needed to prevent and protect against attacks. Could they be held to ransom? Yes, they could, and the demands could continue for as long as paying remains cheaper than the alternative.

Thought through clearly, this form of extortion does not need any victim interaction such as clicking a link or opening a malicious file. It could consist purely of investigating a company's public information with a carefully chosen Google search and using the results to engage in what we call #BlackBreach.

It is important for companies to start budgeting for continuous IT security and for regular penetration tests of exposed infrastructure. The cost of a pentest and vulnerability assessment is far less than the repercussions of a data breach. Encourage your staff to understand the GDPR and what it means in the context of your company's policies and procedures.

“If the determination of intent trumps the availability of resources for protection of information…who will win the war?”
