GDPR Ransom Attacks

IT Pro Portal contemplates whether 2019 will be the "Year of the GDPR bounty hunters". They suggest that hackers might seek out insecurely held personal data and blackmail the Controller into paying a ransom, preying off the Controller's fear that it will face enormous fines from the Information Commissioner's Office if the breach is discovered.

Sadly this isn't a new phenomenon. It happened to Uber in 2016 and the company paid the hackers $100,000 to destroy the personal data they stole. $100,000 is potentially less than a fine, but crucially, it doesn't stop the Controller ALSO having to pay a fine further down the road for having inadequate security, so it's hard to see the economic benefit. In Uber's case, the ICO fined Uber £385,000 for that breach.

The Uber hack occurred two years prior to the GDPR coming into force, so although the ICO concluded its investigation in November 2018 (after GDPR was live), it was limited to the old law in setting the tariff. Nonetheless, £385,000 is not an insignificant sum.  In addition, Uber is reported to have paid a very much larger figure- $148 million, to US state authorities in a settlement of various penalties issued.

Significantly, the ICO said:

"Paying attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response the cyber attack". 

So, not only is paying a ransom unlikely to be a good deal, but it may in fact increase the level of the eventual fine, if the ICO feels the Controller has acted inappropriately in doing so.

In Uber's case, the company was not under a legal duty to report the breach to the ICO at the time of the hack, so the company perhaps thought they were within their rights to keep quiet and pay the hackers to do likewise.  But under the GDPR it is now the law that a Controller must notify the supervisory authority within 72 hours of finding out about a breach of personal data, unless the breach is "unlikely to result in a risk to the rights and freedoms" of the individuals concerned. Further, if the breach is "likely to result in a high risk to the rights and freedoms", the Controller also has to inform the individuals concerned without undue delay. It's interesting to consider whether paying hackers not to release stolen personal data would lower those risks of harm, so as to affect the notification thresholds. How much faith can a Controller place in a deal done with a criminal?

Given that paying a ransom seems unlikely to reduce the fine, Controllers will need to think very carefully about their response and obtain professional advice, if they are unlucky enough to be targeted.