Within the EU, GDPR seems to have an interesting impact on how companies/organisations respond to cyber attacks like this: if they don't pay the ransom, the data is leaked, and they are now liable under GDPR and will likely have to pay a (very large) fine to the regulator for the data leak. Attackers are surely savvy to this, and should set the ransom to be slightly lower than what they estimate the fine would be, which 'motivates' the organisation to pay the ransom.
In theory however, even if the organisation recovers the data by paying the ransom, they should still report this as a data breach, and would probably be fined by the regulator even though the data was recovered, since the breach still occurred in the first place.
I'd be very interested to know the impact the new California state laws on privacy have had on UC's decision to (seemingly) pay the ransom; I'm not based in the US, nor am I familiar with the jurisdiction, but I imagine that this will have been taken into account and might explain why UC acted differently to MSU here.
Because a lot of people just get this whole thing wrong.
This whole discussion got poisoned by fear mongering and not understanding of the actual rules. Yes you can be liable to a huge amount but you will be only be hit by that if you are either working with malicious intend or objectively don't give a shit about data security and privacy of your users.
There is no such thing as "estimated fine amount" to base you ransom on. It depends on how important the company treated its security and how obvious the data leak is.
> It depends on how important the company treated its security and how obvious the data leak is.
Indeed. Which allows an attacker who is familiar with previous regulatory action to estimate the fine based on the specific circumstances involved in their attack.
Different sector, different country, different regulatory body, different regulator. Maybe the fines are comparable but I have my doubts that this could ever be a viable strategy.
But in any case that is not the problem of the regulations.
I'm not convinced by this; if a company was approached by an attacker who threatened to
a) Release stolen data;
b) Anonymously supply the regulator with full details of the leak
unless a ransom was paid, I imagine that the threat of an audit and potential regulatory action would be enough to persuade the company to pay the ransom if it believed the cost of the ransom to be lower than the cost of an investigation by the regulator.
The incentive of the GDPR is for the companies to place inherent value in their data safety.
So either the companies can pay and not invest in future safety to come out cheaper in the short run with the added risk of future attacks. Or they could cooperate, proactively reach out to regulators with a plan to improve and pay the fine.
Or they could pay the ransom, which they deem to be less expensive than dealing with the regulator, and improve their data security to ensure they don't get caught out again.
I fully understand (and support) the reasoning behind GDPR; I just think that in this case there is a path which is easily open to abuse by attackers.
> Within the EU, GDPR seems to have an interesting impact on how companies/organisations respond to cyber attacks like this: if they don't pay the ransom, the data is leaked, and they are now liable under GDPR and will likely have to pay a (very large) fine to the regulator for the data leak.
Can you cite any examples where The threat of GDPR has contributed to the payment of fines
No I can't, and I don't see how anyone would know of such an example unless they were directly involved; if such occurrences were known publicly, the regulator would also know, which defeats the entire point.
I don't have any idea regarding the scale of the impact laws like GDPR have had on cybercrime; I'm just pointing out that there's clearly an interaction (and I'm not the first person to say this by any means), and that I would be interested to know whether the California privacy laws had any impact on UC's decision.
I'm a big supporter of GDPR by the way; this isn't an "anti-GDPR fantasy", just my observation on a potential interaction between GDPR and cyber crime.
They're definitely required to report the data breach even if they pay the ransom - in fact, since negotiating the ransom in large cases usually has taken quite a few days, they're required to report the data breach before paying the ransom or even deciding whether they'll pay the ransom or not, as they're required to report the breach to the controlling authority not later than 72 hours after having become aware of it.
Paying a ransom with the intent of attempting to hide the breach is very risky, since that's strictly illegal and hard to accomplish as it's hard to ensure that everyone involved, up to the lowest level of IT helpdesk technicians who might have noticed it, will forever keep secret the fact that the breach occured.
The GDPR has been here for two years already; the hypothetical scenario you describe has discussed but has not shown itself in practice.
The hypothetical scenario of "if they don't pay the ransom, the data is leaked, and they are now liable under GDPR and will likely have to pay a (very large) fine to the regulator for the data leak." has not materialized. The grandparent post is based on the thieves making an empty threat.
If criminals compromise your systems and steal data that you are legitimately storing in a reasonable manner, then the breach by itself is not a justification for any major fines under GDPR - but not reporting a data breach definitely is punishable.
Here's a recent example of a data breach in a telecom company- https://www.timelex.eu/en/blog/belgian-data-protection-autho... - "the data breach was correctly reported and that the company had taken appropriate organisational and technical measures. A data breach therefore does not necessarily give rise to a fine."
The only scenario where this threat might be real is if the breach would expose some previous wrongdoings, e.g. if the company was collecting the data in an illegal manner and had kept that fact hidden until the breach, if then, sure, that could be a valid basis for blackmail because the breach would suddenly expose the fact that you deserved some regulatory action long ago. Of course, any disgruntled employee also could try the same blackmail. However, if you're a legitimate company doing everything as required per law (including proper notification of data breaches), then the consequences of publishing that data would involve reputation costs and perhaps some civil claims for damages, but not any GDPR fines.
There's a potential for fines if breach happened because of your gross negligence, there's some precedent for that - for example, the Mariott data breach case. But again, the fines and their amount aren't automatic (the law just sets a ceiling), administrative proceedings take into account the circumstances and intent, all the largest fines assigned so far are significantly below the maximum. However, we should expect that the scenario of intentionally paying a ransom to hide the breach and "avoid the fines" would actually result in more severe penalties (because it checks pretty much all the boxes for aggravating circumstances) while properly handling a breach would result in reduced fines even if serious negligence was involved.
“ In late 2019, hackers using ransomware began not just blocking access to information but threatening to share it on the dark web -- harming the reputation of the organization or institution involved.”
Ransom probably isn’t the right term, it’s more like extortion. Failing to pay is hardly the moral high ground. It’s just the least expensive option. Businesses aren’t held accountable for their breeches by the US justice system and so facing the courts and captive customers/staff is the cheap and easy way out.
This is true but the reality is that 99% of the time the hackers will abide by their word. There really isn't much for them to release the data after taking the ransom. It makes it much harder for future people to pay up.
I found no source that claims anything even close to 99%. For example, CyberEdges CDR [1] says the chance is ~66%, and has increased in recent years from 50%. Sure the narrative that "ransomware relies on customer satisfaction" is funny, but it is also wrong. Do not assume that criminals are honest people. Out of three, one does not care about the long term sustainability of their business model.
At least at my company, ransomware payments are covered by insurance so it's always worth it to pay and have a pretty good chance at getting our data back.
Are you saying that short term thinking has no utility? I am willing to bet that there are a multitude of circumstances in most peoples lives that require short term thinking, or their lively hood or lives will be destroyed.
In a threatening situation, you solve the short term problem in order to have an opportunity to think long term, which will help to prevent these problems subsequently.
If we were talking chess, you wouldn't ignore the immediate moves of your opponent, because their idea of how the game should be played doesn't fit with your long term desire of how you want the game to turn out.
Perhaps I am a little too glib. You are correct, often without the short term there is no long term -- especially for small businesses. But as a whole, if institutions pay ransom then there is an incentive for folks to carry out this kind of extortion.
The problem with the equation is it doesn’t include the individual who had their data stolen. If the school didn’t properly construct itself to code and I got hurt inside of it, I can sue. But if my data was stolen and my credit is destroyed I don’t have an option (I haven’t heard of anyone claiming this, but it could be true and idk).
We need laws out in place to treat human data as someone’s property. If your data is mishandled with negligence and you experience provable hardship, there should be repercussions just like any other situation.
I'm not sure if you're just using building codes as an analogy or if you're recommending them as a model, so take this for what it's worth.
I agree there should be some laws in place, but I think building codes would be a terrible model for software. If a building doesn't incorporate code changes until the owner modifies some system, the building doesn't become less safe. Fire doesn't look for ways to get around building codes. Largely, there aren't new threats, just new, better ways of dealing with those threats. The incentive is for building owners to not modify their buildings so they can put off and avoid those code change costs as long as possible. If the building was up to code when it was built/modified, and you get hurt, you might be out of luck.
Software is nearly the opposite and it's faster. I think that makes it a more difficult problem to solve. The last thing you want is to make the entire world work like tech in the medical field...
Morality is a set of rules about what's right and wrong.
I'd say that we won't win or lose depending on whether we pay or don't pay. Root of the problem is legislature and regulation that allows infrastructure to be badly maintained without tangible repercussions.
If you make a school not-thunder-proof and it burns down during a thunder storm, how's that different from a ransomware attack that abuses an unmaintained X? Because blaming thunder is foolish, but blaming a hacker is understandable? That could be a source of some of the confusion.
Not surprising. University of Texas has something like 55,000 subdomains. I don't think 50 full time sysadmins/cybersecurity people could keep that secure.
Also interesting of note, why does UTexas's name servers point to University of Illinois's name servers?
Could be nothing. After all UI was where Firefox was developed originally by Marc Andreesen and others around 1994. This is also where the Apache web server was created.
37 comments
[ 3.1 ms ] story [ 84.3 ms ] threadIn theory however, even if the organisation recovers the data by paying the ransom, they should still report this as a data breach, and would probably be fined by the regulator even though the data was recovered, since the breach still occurred in the first place.
I'd be very interested to know the impact the new California state laws on privacy have had on UC's decision to (seemingly) pay the ransom; I'm not based in the US, nor am I familiar with the jurisdiction, but I imagine that this will have been taken into account and might explain why UC acted differently to MSU here.
One might as well ask
> Why does anyone stay in business in CA?
since (I believe) Californian state law has similar reporting requirements (and fines/civil liability) for breaches.
There is no such thing as "estimated fine amount" to base you ransom on. It depends on how important the company treated its security and how obvious the data leak is.
Indeed. Which allows an attacker who is familiar with previous regulatory action to estimate the fine based on the specific circumstances involved in their attack.
But in any case that is not the problem of the regulations.
a) Release stolen data;
b) Anonymously supply the regulator with full details of the leak
unless a ransom was paid, I imagine that the threat of an audit and potential regulatory action would be enough to persuade the company to pay the ransom if it believed the cost of the ransom to be lower than the cost of an investigation by the regulator.
Or they could pay the ransom, which they deem to be less expensive than dealing with the regulator, and improve their data security to ensure they don't get caught out again.
I fully understand (and support) the reasoning behind GDPR; I just think that in this case there is a path which is easily open to abuse by attackers.
Would you make the same claim about e.g. OSHA violations?
Nor the US where, for example, Target paid millions in a settlement for getting hacked.
I'm curious: Do you know of any cases of the scenario you described actually happening?
Can you cite any examples where The threat of GDPR has contributed to the payment of fines
I don't have any idea regarding the scale of the impact laws like GDPR have had on cybercrime; I'm just pointing out that there's clearly an interaction (and I'm not the first person to say this by any means), and that I would be interested to know whether the California privacy laws had any impact on UC's decision.
I'm a big supporter of GDPR by the way; this isn't an "anti-GDPR fantasy", just my observation on a potential interaction between GDPR and cyber crime.
Paying a ransom with the intent of attempting to hide the breach is very risky, since that's strictly illegal and hard to accomplish as it's hard to ensure that everyone involved, up to the lowest level of IT helpdesk technicians who might have noticed it, will forever keep secret the fact that the breach occured.
The GDPR has been here for two years already; the hypothetical scenario you describe has discussed but has not shown itself in practice.
Would we actually know if it had happened though? Or are you assuming that it would simply be infeasible to keep under wraps?
If criminals compromise your systems and steal data that you are legitimately storing in a reasonable manner, then the breach by itself is not a justification for any major fines under GDPR - but not reporting a data breach definitely is punishable.
Here's a recent example of a data breach in a telecom company- https://www.timelex.eu/en/blog/belgian-data-protection-autho... - "the data breach was correctly reported and that the company had taken appropriate organisational and technical measures. A data breach therefore does not necessarily give rise to a fine."
The only scenario where this threat might be real is if the breach would expose some previous wrongdoings, e.g. if the company was collecting the data in an illegal manner and had kept that fact hidden until the breach, if then, sure, that could be a valid basis for blackmail because the breach would suddenly expose the fact that you deserved some regulatory action long ago. Of course, any disgruntled employee also could try the same blackmail. However, if you're a legitimate company doing everything as required per law (including proper notification of data breaches), then the consequences of publishing that data would involve reputation costs and perhaps some civil claims for damages, but not any GDPR fines.
There's a potential for fines if breach happened because of your gross negligence, there's some precedent for that - for example, the Mariott data breach case. But again, the fines and their amount aren't automatic (the law just sets a ceiling), administrative proceedings take into account the circumstances and intent, all the largest fines assigned so far are significantly below the maximum. However, we should expect that the scenario of intentionally paying a ransom to hide the breach and "avoid the fines" would actually result in more severe penalties (because it checks pretty much all the boxes for aggravating circumstances) while properly handling a breach would result in reduced fines even if serious negligence was involved.
The ransomware threat is usually to destroy the data. That is obviously a problem but it's not a privacy problem.
https://cyber-edge.com/wp-content/uploads/2020/03/CyberEdge-...
In a threatening situation, you solve the short term problem in order to have an opportunity to think long term, which will help to prevent these problems subsequently.
If we were talking chess, you wouldn't ignore the immediate moves of your opponent, because their idea of how the game should be played doesn't fit with your long term desire of how you want the game to turn out.
We need laws out in place to treat human data as someone’s property. If your data is mishandled with negligence and you experience provable hardship, there should be repercussions just like any other situation.
I agree there should be some laws in place, but I think building codes would be a terrible model for software. If a building doesn't incorporate code changes until the owner modifies some system, the building doesn't become less safe. Fire doesn't look for ways to get around building codes. Largely, there aren't new threats, just new, better ways of dealing with those threats. The incentive is for building owners to not modify their buildings so they can put off and avoid those code change costs as long as possible. If the building was up to code when it was built/modified, and you get hurt, you might be out of luck.
Software is nearly the opposite and it's faster. I think that makes it a more difficult problem to solve. The last thing you want is to make the entire world work like tech in the medical field...
I'd say that we won't win or lose depending on whether we pay or don't pay. Root of the problem is legislature and regulation that allows infrastructure to be badly maintained without tangible repercussions.
If you make a school not-thunder-proof and it burns down during a thunder storm, how's that different from a ransomware attack that abuses an unmaintained X? Because blaming thunder is foolish, but blaming a hacker is understandable? That could be a source of some of the confusion.
Also interesting of note, why does UTexas's name servers point to University of Illinois's name servers?
Could be nothing. After all UI was where Firefox was developed originally by Marc Andreesen and others around 1994. This is also where the Apache web server was created.