Security researchers have discovered hackers are already leveraging Europe's new General Data Protection Regulation (GDPR) to blackmail hackers into paying hefty ransoms to safeguard data. In May, the stringent data privacy law went into effect prompting businesses across the globe to take a closer look at their privacy policies and quickly ensure they are in compliance.
The pressure on firms using or processing EU personal data is further elevated in light of the heft fines for firms who fail to comply - up to €20 million or 4% of annual turnover, whichever is higher.
Hackers are looking to tap into this pressure and fear of data leaks and extort businesses in a new form of cyberattack dubbed "ransomhack".
According to Bulgarian security company Tad Group, this new form of attack differs from regular ransomware attacks since it does not encrypt or hold customer data hostage in return for a steep ransom. Instead, the hackers aim to publicly leak the customers' private records via a public server online unless the ransom is paid.
So far, medium and large-sized Bulgarian companies have been targeted with hackers demanding they pay up the ransom in cryptocurrency. The ransom demands range from $1000 to $20,000 - a seemingly smaller price to pay as opposed to the fines levied under GDPR.
Researchers said the companies targeted have taken steps to ensure GDPR compliance and create policies for data storage and security, but have failed to conduct information security tests or penetration to actually verify if their systems are susceptible to cyberattacks.
Although the landmark GDPR does represent a significant step forward for user data privacy, security and transparency, it also presents new opportunities for cybercriminals to exploit both customers and businesses.
With the added threat of legal action and potential fines under GDPR, companies may be tempted to quietly pay hackers rather than have data breaches and security failings publicly disclosed by them or other parties. Researchers have anticipated cybercriminals could exploit this vulnerability as a new opportunity for digital extortion.
In Trend Micro's 2018 Security Predictions report, researchers predicted hackers will likely pair ransomware and GDPR to exploit businesses.
“Cybercriminals could target private data covered by regulation and ask companies to pay an extortion fee rather than risk punitive fines of up to 4% of their annual turnover. Companies will have ransom prices associated with them that cybercriminals can determine by taking publicly available financial details and working out the respective maximum GDPR fines the companies could face. This will drive an increase in breach attempts and ransom demands,” the report read. “We expect GDPR to be used as a social engineering tactic in the same way that copyright violations and police warnings were used in past FAKEAV and ransomware campaigns.”
Patch management, bolstered security systems and practices, regular backups and effective security solutions are crucial as the first line of defense against such threats.
“The current success of ransomware campaigns - especially their extortion element - will prompt cybercriminals looking to make generous profits out of targeting populations that will yield the most return possible," Trend Micro researchers added.