As of this past May, the new regulation governing the protection of personal information came into effect. However, considering the changes brought on by the GDPR, European regulatory authorities estimate that only 1/3 of businesses currently fully comply. Although sanctions can be significant (up to 4% of overall sales), compliance remains complex and the investment required can be substantial. Because of this, and because of the regulation’s many problem areas, cybercriminals and crooks have seized the opportunity.
A Simplified Approach for Cybercriminals
Out with Ransomware, in with Ransomhack… Ransomware was designed to block access to a user’s data by encrypting it, and only unblocking it in exchange for a ransom. With Ransomhack, cybercriminals have made things easier. Ransomhack does not bother to encrypt the user’s data; it creates a breach in the victim’s system. The cybercriminal then demands a ransom in exchange for not causing a crisis and not making the breach, and all the personal data associated with it, public. Simple but effective: the ransoms are also kept small to encourage the company to pay directly instead of notifying the regulatory authorities. According to a study by the Tad Group, a Bulgarian cybersecurity specialist, ransoms range from $1,000 to $20,000. Although it seems prudent, reporting a security breach linked to a Ransomhack may lead to sanctions by the regulatory authorities. In fact, they state that companies that have not taken technical and organisational measures appropriate for their business (and the kind of information they hold) will be sanctioned.
These sanctions, plus the media scrutiny such a disclosure would provoke, push companies to pay the ransoms.
The Scammers’ Prerogative
And as if being the target of cybercriminals wasn’t enough, the GDPR has given birth to a new scam aimed at professionals. The various GDPR-related scams all share the same objective: they offer to provide proof of GDPR compliance in exchange for money.
The CNIL (the French regulatory body) has already identified two kinds of scams:
- The “paid for” compliance declaration form
- Premium-rate phone numbers used to provide a simple compliance declaration
In order to reduce the number of scams, certain regulatory bodies have begun to communicate that it is very important NOT to pay for any declaration whatsoever, and that compliance cannot be obtained with a simple document. They also take the opportunity to provide an overview of the GDPR’s basic principles.
“GDPR compliance requires more than just exchanging or sending documentation. It requires true support by a person qualified in personal data protection to identify the actions to implement and to monitor them over time. Before you commit, it is highly recommended that you research information online about the company making contact with you.” (Quote from the CNIL)