Europe’s GDPR leveraged in new form of cyberattack dubbed a ‘ransomhack’

The introduction of the European Union’s General Data Protection Regulation law pertaining to online privacy has seen the creation of a new form of targeted cyberattack dubbed a “ransomhack.”

First described by Bulgarian security company Tad Group, a ransomhack differs from traditional ransomware in that it doesn’t hold customer data hostage but instead is aimed at releasing stolen data publicly unless a ransom is paid.

The switch in modus operandi by hackers stems from the penalties a business can face under GDPR if it is found not to have adequately secured the stolen data in the first place. What constitutes adequate protection is subjective, but any company facing an adverse GDPR finding would incur significant financial costs whether it agreed to pay a fine or fought it in court, which often makes the prospect of paying a ransom to hush up the data breach more appealing.

According to Hackread, the victims so far have been medium-sized and large Bulgarian companies that are requested to pay a ransom in an untraceable cryptocurrency. The ransoms are said to vary from $1,000 to $20,000, whereas an adverse GDPR finding can see a fine as high as 4 percent of the company's global annual turnover in the previous year, up to a maximum of 20 million Euros ($23.3 million).

Interestingly, paying the ransom also carries a number of risks. As well as the hacker perhaps coming back with more ransom demands, the GDPR states that companies that have become the victim of a cybercrime must report the incident within 72 hours of confirming the breach. Failing to do so also attracts a substantial fine, meaning that if a company is caught after having paid a ransom and not having reported the breach, its costs continue to rise.

Image: Tad Group

Article originally appeared in SiliconAngle
