Hackers are threatening to leak companies' stolen user data online, exposing them to GDPR penalties, and are demanding ransom money in return.
On 25 May 2018, the new European General Data Protection Regulation (GDPR), which aims to improve information security on a global scale, came into force. At the same time, it gave rise to a new method of blackmailing the market.
Business owners report being subjected to ransomware-related cyber attacks in which personal data belonging to users or customers is exposed and a ransom is demanded in return for its retrieval.
Experts from the Bulgaria-based TAD GROUP point out how this ransom methodology differs: this time the cybercriminals aim to disclose private information to the public rather than encrypt it so that it is unobtainable until payment is made.
The hackers threaten to publish the entire contents of a database of personal data records on a public server, which under the regulation means the company will be severely fined.
This is the warning that Ivan Todorov, the founder of TAD GROUP, is issuing. According to him, the victims are medium and large Bulgarian companies, which are asked to pay the ransom in an untraceable cryptocurrency.
The ransoms range from $1,000 to $20,000, while the fines envisioned by the new EU regulation amount to 4% of the company's global annual turnover for the previous year or up to 20 million euros. In short, Ivan Todorov calls this type of hacker attack “ransomhack”.
According to TAD GROUP, credible sources indicate that the attacked companies had adopted GDPR protection measures by creating policies for storing and securing personal data in their offices, but had not conducted information security tests to verify whether they were actually susceptible to attacks from cybercriminals.
In other words, they did what is necessary to achieve compliance with the requirements of the Commission for Personal Data Protection. However, most companies did not consider securing their Internet-facing infrastructure.
Companies offering cybersecurity solutions (such as TAD GROUP) hold that the only way to ensure a higher grade of security against cyber attacks is to carry out information security tests, otherwise known as penetration tests.
The tests simulate targeted cyber attacks, but without criminal intent: they are carried out deliberately, with the explicit permission of the client and in accordance with the client's specific needs. The goal is to use the methods and techniques of malicious third parties in order to detect and patch security vulnerabilities. The work is done under a signed contract and confidentiality agreement.
After the service is performed, the results are documented in a penetration test report that is stored in the client's profile, where it can be viewed and downloaded. It can also be deleted from TAD GROUP's system at the client's request.
“Cybersecurity as a whole is ever changing – if a system is not prone to successful attacks today, this does not necessarily mean that it will not be vulnerable in a month's time. New vulnerabilities and exploits that lead to information leaks are emerging every day. This is why the more often these tests are performed, the more secure companies can feel”, explains Ivan Todorov, who recommends that penetration tests be undertaken at least twice a year.
As security breaches are often a consequence of human error, companies would also benefit from so-called social engineering tests. These are a set of tests carried out against employees working from within the company's headquarters and offices, usually by phone or e-mail and without the employees' knowledge. A wide variety of techniques are applied to induce employees to disclose sensitive or confidential business information to parties who should not otherwise have access to it.
Companies that have become victims of a cybercrime are obliged to inform the regulatory authority within 72 hours of confirming the data breach. For Bulgaria, the regulatory authority is the Commission for Personal Data Protection, which assesses what sanctions to impose after a data breach occurs. If a company does not inform the regulator in time, sanctions will certainly be imposed and will be all the more severe.
Note: These are the findings of TAD GROUP; to contact the company for more information on the issue, visit its official website.