Ransomware attacks across the globe are mutating. Attackers now extract data from the victim's network and demand hefty ransom fees for its safe destruction, threatening otherwise to leak it to the world via the internet. In some cases they encrypt the data, collect the ransom fee, and then extort more money by threatening to release the data they extracted.
Cybercriminals in this situation will make contact to inform you, for example, that they have stolen 100 gigabytes of personal data. To prove it, they will release a link to a small extract of the stolen data.
This is the most frightening threat an organisation can experience. You have mapped your data in compliance with data protection regulation and you hold a record of processing activities, but the attacker is holding all the aces.
You are pressured by a deadline to pay the ransom, usually 48-72 hours, and the attacker knows that you have only 72 hours to report the breach to the data protection authorities. How do you investigate the extent of the exposure, which data subjects (employees? customers? suppliers?) are at risk, and how many are affected?
The costs accelerate as the attack progresses. Suppose you are lucky enough to have cyber insurance. In that case, your insurers will need to know the full extent of the breach, often calling in expensive third parties to help with the exercise. Employees diverted to the breach response and away from their usual roles add further internal disruption. Depending on the sensitivity and volume of the stolen data, this exercise can take weeks to conclude.
The Great Unknown
How can you negotiate with the attacker effectively if you cannot put a value on the data? Is it 100 gigabytes of machine logs containing no personal data, 100 gigabytes of intellectual property, financial information, or a valuable customer database? Or a mixture of all three? Most organisations will pay the ransom so as not to risk the worst-case scenario.
Change the dynamics of the conversation.
(a) Have an accurate record of processing activities (ROPA).
(b) Have accurate data maps of your processing activities.
(c) Regularly assess your global data privacy status.
Having the information outlined in (a), (b), and (c) puts you in a much stronger position to defend yourself when such a call comes.
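The following is an added example, not code from the original article, showing how a maintained data map turns the attacker's "proof of theft" file listing into a quick exposure estimate: which data subjects are affected, roughly how many, and which data categories are involved. The data map format (dataset, path prefix, data subjects, data categories, record count) and both the map and the sample listing are constructed for illustration; a real organisation would export these from its own ROPA and file inventory.

```python
"""Triage an attacker's 'proof of theft' file listing against a data map.

Added example, not from the original article. The data map schema and all
sample values below are constructed; substitute an export of your own
ROPA / data map and the file paths from the attacker's published extract.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataMapEntry:
    dataset: str
    path_prefix: str          # where the dataset lives on the file share
    data_subjects: str        # "employees", "customers", "suppliers" or "none"
    data_categories: tuple    # e.g. ("name", "email", "bank details")
    records: int              # number of data subjects held in the dataset


# Constructed data map (illustrative, not a real ROPA).
DATA_MAP = [
    DataMapEntry("hr-payroll", "/shares/hr/payroll/", "employees",
                 ("name", "address", "bank details"), 1200),
    DataMapEntry("crm-export", "/shares/sales/crm/", "customers",
                 ("name", "email", "phone"), 48000),
    DataMapEntry("vendor-contracts", "/shares/procurement/vendors/", "suppliers",
                 ("company", "contact name", "email"), 350),
    DataMapEntry("build-logs", "/shares/eng/ci-logs/", "none", (), 0),
    DataMapEntry("product-designs", "/shares/eng/designs/", "none",
                 ("intellectual property",), 0),
]


def match_entry(path, data_map):
    """Return the longest-prefix data map entry covering `path`, or None."""
    best = None
    for entry in data_map:
        if path.startswith(entry.path_prefix):
            if best is None or len(entry.path_prefix) > len(best.path_prefix):
                best = entry
    return best


def assess_exposure(sample_paths, data_map=DATA_MAP):
    """Summarise which data subjects may be affected by the listed files.

    The count is an upper bound: if any file from a dataset appears in the
    sample, the whole dataset is treated as exposed, because the attacker's
    extract is only a fraction of what they claim to hold. Paths that match
    nothing in the map are reported separately so the map can be corrected.
    """
    matched = {}
    unmapped = []
    for path in sample_paths:
        entry = match_entry(path, data_map)
        if entry is None:
            unmapped.append(path)
        else:
            matched[entry.dataset] = entry

    affected = {}
    categories = set()
    for entry in matched.values():
        if entry.data_subjects != "none":
            affected[entry.data_subjects] = (
                affected.get(entry.data_subjects, 0) + entry.records)
        categories.update(entry.data_categories)

    return {
        "datasets": sorted(matched),
        "affected_subjects": affected,
        "data_categories": sorted(categories),
        "personal_data": bool(affected),
        "unmapped_paths": unmapped,
    }


# Constructed sample listing of the kind an attacker might publish as proof.
SAMPLE_LISTING = [
    "/shares/hr/payroll/2023/march.xlsx",
    "/shares/hr/payroll/2023/april.xlsx",
    "/shares/eng/ci-logs/build-8812.log",
    "/shares/sales/crm/export-q4.csv",
    "/tmp/scratch/notes.txt",
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess_exposure(SAMPLE_LISTING), indent=2))
```

Run it against the constructed listing and the summary shows employee and customer data in scope (1200 and 48000 records as an upper bound), no supplier data, and one path the map does not know about. The unmapped path is the useful signal for item (c) above: every file the attacker can name that your map cannot is a gap in the data map to close before the next incident.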