Page 50 - the SyI Quarterly 15

Cyber Updates

‘Ransomware’ Cyberattacks and measures to reduce the risk of a personal data breach

By Pantelis Angelides MSyI





In the early months of 2023 we witnessed, in many areas of the world, a rise in cyber-attacks, and particularly attacks with malicious software (ransomware). The attacks targeted different sectors such as critical infrastructure, finance, manufacturing, construction, education and others. Some of these attacks made headline news and caused devastating damage to the victim organisations, while others were less disruptive but still affected personal data. In any case, this extended wave of ransomware attacks has reopened the debate on cybersecurity with a bang, putting back on the table the fundamental question for every organisation: how can it protect itself from such attacks, and what measures should it take proactively?

The concern is heightened by the extortion practised by the hackers, who in most cases demand money in return for not disclosing data taken from the victim organisations, data which they had apparently extracted before locking the organisation’s systems and demanding a ransom. When the data in question are personal data, the game changes considerably, since such a development will prompt the involvement of the Data Protection Authorities. In such a case the Data Protection Authority will request information about the circumstances surrounding the incident and the measures that the organisation had taken to protect personal data: for example, whether the organisation was applying the necessary technical and organisational measures, the volume of data affected and, in particular, what the organisation plans to do next, i.e. take further measures, inform the individuals affected, etc.


Examining the aftermath of a successful ransomware cyberattack, it is safe to conclude that it is one of the most damaging attacks an organisation can suffer. In such cases, hackers target information that is of particular value to the organisation and demand a ransom to release the data. Attackers understand that once they gain access to personal data, even without extracting it from the organisation’s systems (exfiltration), they hold a powerful lever of pressure and an extortion tool. It should be noted in this context that unauthorised access to personal data is, according to Article 4 of the General Data Protection Regulation (GDPR), automatically considered a personal data breach.

If the victim of the cyber-attack does not submit to the initial extortion for ransom, the hackers usually come back with a second extortion, publicly announcing that they are in possession of personal data, part of which they often release as evidence. This double extortion acts as a greater lever of pressure because the breach now becomes known to the relevant authorities, the data subjects - i.e. the persons

