GDPR opens new opportunity for hackers to expand their craft of system exploitation in the Wild West of Cyberspace
It used to be if a hacker attacked a business and exposed customer details, the greatest loss was a temporary dip in reputational value.
Of course, some companies went out of business, but a number of major internet brands have endured the embarrassment of having customer details stolen due to inadequate information security. Whether it be proprietary technologies or outsourced services, if a company could survive the embarrassment of a data breach, in time and given the right strategy and spin they could turn it around, the hack would fade from the public memory, and they could thrive once again.
Next May, Friday 25 May to be exact, the General Data Protection Regulation (GDPR) comes into full effect. Friday 25 May 2018 is not to be ignored. 25 May 2018 should be repeated ad nauseam to your clients as the introduction date of a new business risk applicable to every organisation that controls or processes the personal data of individuals in the EU, whether or not the organisation itself is based in Europe.
By the end of April 2018, clients should have a sense of reassurance in their GDPR preparation. Otherwise, they should have fear and take immediate action before it is too late.
The Age of Privacy Rights will not be kind to those who ignore it. No longer can companies and organisations in Europe throw their proverbial hands in the air and say they messed up. Their mess up, their negligence, their lack of safeguards to protect the private details of individuals held in their databases and systems will come at a financial cost. Data breaches aside, not abiding by the GDPR can also destroy a business.
Hopefully, you have heard it before: under Article 83, companies and organisations can be fined up to €10,000,000 or 2% of annual worldwide turnover, whichever is higher, and for the more serious categories of violation up to €20,000,000 or 4% of annual worldwide turnover, whichever is higher. GDPR is not something to ignore or delay: 25 May 2018.
A hacker's perspective
From a hacker's perspective, nothing changes. The hacker has never cared about the consequences to a target of a successful data breach. They will continue to attack systems. They will not stop exploiting databases and harvesting private details just because of a new law.
In fact, the threat of fines creates new opportunities for hackers to expand their craft of system exploitation.
In the Wild West of Cyberspace, it is entirely feasible for someone to tip off a hacker about the intimate details of a company or organisation's systems. A disgruntled employee, contractor, or competitor might post information about a tempting target on the Darknet, hoping it will be of interest to a hacker and result in embarrassment and harm to the organisation in the form of a debilitating GDPR fine.
A more targeted approach would be a competitor hiring the services of a hacker to attack their rivals. Hacking as a Service (HaaS) has been around for a long time. Although the term is relatively new, the idea of hiring a hacker to attack a rival and cause them harm is an old game.
The new game, or attack, is the idea of extortionware.
Extortionware is similar to the attack known as doxing (sometimes called doxware or leakware, to distinguish it from ransomware, which encrypts data rather than threatening to publish it). A doxing attack is when a hacker compromises a system and threatens to release private information found on the target system unless the victim makes a payment.
Enter the GDPR twist: imagine a scenario in which a hacker gains access to a data controller's or processor's system. They record their hack as proof of the victim's vulnerability. They also siphon off all customer records from the victim's database.
Instead of going public, they contact the victim and allow them to view the attack and provide some stolen records.
They then make an offer. It is a conservative number to encourage the victim to pay-to-go-away.
- $250,000 in bitcoin within 24 hours
- $500,000 in bitcoin within 48 hours
- $1,000,000 in bitcoin after 72 hours
- After 96 hours, we send the dossier to the ICO (the UK Information Commissioner's Office, the supervisory authority)
Considering an ICO fine in the millions of Euros, $250,000 would undoubtedly be tempting. Note, though, that paying does not make the obligation go away: Article 33 requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, so a controller that pays to keep the breach quiet is compounding one violation with another.
I have no doubt cybercriminals are already planning for 25 May 2018. The attack vector of extortionware is surely in the testing phase or already deployed.
In itself, this should be cause for concern to data controllers and processors. Under GDPR, the ICO will not view a data controller or processor simply as the victim of a cyber attack. It will ask whether the organisation had appropriate technical and organisational security measures in place (Article 32), and a breach that shows it did not will be treated as the organisation's own failure, whose action or lack of action allowed the hack to be possible.
The risk to business is no longer merely the embarrassment of having one’s system hacked. The consequences of mishandling the private details on individuals carry financial implications that will cause some companies and boards significant discomfort and force others into bankruptcy.