GDPR's noble intentions could lead to attackers blackmailing enterprises

While the General Data Protection Regulation (GDPR) seeks to protect the data of E.U. residents by placing rules on how organizations handle personal data, it may have the unintended consequence of empowering attackers to blackmail organizations.

A key part of the legislation, which goes into effect on May 25, allows regulators to issue steep fines to companies that don’t comply with GDPR. The fines, which can reach up to €20 million or 4 percent of a company’s total global revenue for the previous year, whichever is higher, are a last resort. Penalties for non-compliance can start off with warnings and reprimands, escalate to a company being either temporarily or permanently banned from processing data and ultimately result in fines.

But that doesn’t mean that companies won’t eventually face financial penalties or that attackers won’t prey on this fear. If the EU really wants businesses to rethink security and privacy, it must enforce GDPR, including the fine component. The specter of hefty fines may motivate attackers to ask breached companies to pay them to keep the incident quiet, allowing organizations to avoid scrutiny and GDPR penalties. There’s already a precedent for companies to pay attackers to keep quiet. Uber, for example, paid attackers $130,000 to delete customer and driver data that was stolen in a breach and not disclose the incident.

The economics of hacking

Hacking is a business that, like all commercial enterprises, is impacted by market conditions, which include government regulations. And GDPR is likely to affect how attackers conduct their campaigns. For example, GDPR makes attackers more likely to go after the easiest targets first. This could motivate adversaries to pursue targets that would otherwise prove uninteresting (such as the companies that fit the category of what GDPR calls “data controllers” or “data processors”) just for the sake of extortion.

Blackmailing victims to prevent stolen data from being publicly released isn’t new territory for cybercriminals. For example, after compromising a target, the FIN10 group contacted victims, showed them the stolen data and demanded hundreds of thousands of dollars to prevent its release.

But the economics behind GDPR blackmailing make this type of extortion different from other forms. The payment demanded by attackers is likely to be lower than the fine an organization would face under GDPR. After all, attackers have an incentive to properly price the payment they’re requesting. They want to make a profit but need to name a price that’s smaller than the fine a company would face under GDPR. 

And, from a business model perspective, this type of extortion lacks the shortcomings of other popular money-making schemes, mainly ransomware and crypto-miners. With ransomware, victims won’t pay the ransom if they have sufficient backups, and slow computers or high electric bills quickly lead to the discovery of crypto-miners. But with GDPR extortion, the demand for a payment is made after the adversaries have the data. Plus, there’s less of a chance that attackers will get caught for carrying out GDPR extortion. Organizations that pay attackers are unlikely to tell law enforcement agencies that they were blackmailed.

Paying attackers doesn’t make a breach disappear

GDPR has noble goals around security and data privacy and making information security a senior management issue. But the law doesn’t consider that financially motivated attackers will always attack enterprises and look for new ways to cash in in the process. Breached organizations may seriously consider paying attackers rather than face substantial fines for violating GDPR.

While companies may bristle at the fallout that could await them for violating GDPR, paying attackers is an even worse option. In addition to the ethical questions this raises, attackers simply can’t be trusted. They could demand more money or sell the data on the black market or publicly disclose it even if an enterprise pays them. Security breaches are challenging to hide. Uber tried to conceal its breach by paying the attackers but this attempt failed. The incident was publicly disclosed in late November 2017, damaging the ride-hailing company's reputation and costing the CSO his job.

A better option would be to comply with GDPR as best as possible. While some companies will inevitably face fines for exposing personal data, doling out financial punishment isn’t the law’s intent. GDPR, at its core, wants organizations to pay greater attention to data privacy and security. When the inevitable breach occurs, companies are best served by being open and transparent about the incident and reporting it to a GDPR supervisory authority. Instead of attempting to conceal a breach, enterprises should treat the incident as an opportunity to learn how to improve their security.

Matan Mimran
About the Author

Matan Mimran is a Cyber Intelligence Researcher at Cybereason.