Is a ransomware attack a ‘data breach’?

Addressing the threat of ransomware in a GDPR world

The General Data Protection Regulation (GDPR) was the biggest shakeup of EU data protection laws for more than two decades. A key component for businesses as part of GDPR is the need to bolster cyber security efforts. Unfortunately, organisations were not the only ones making provisions for GDPR; criminals were also interested in its arrival.

2017 was the year ransomware hit the headlines. The WannaCry attack on the NHS was arguably the biggest example, but running a close second was NotPetya, which affected advertising giant WPP, global law firm DLA Piper and the shipping company, Maersk. Thousands of smaller businesses were also hit.

The GDPR came into effect shortly after, on the 25th May 2018. In addition to mandating the protection of personal data, it also outlines what the cost of failure to comply means for businesses. The magnitude of the fine (four per cent of global annual revenue, or €20 million) caused frenzied activity in the run-up to the 25th of May. Organisations simply couldn’t afford not to comply.

Cyber criminals also knew about the increased penalty and how to use GDPR to their advantage.

Increasing ransoms put businesses between a rock and a hard place

Ransom demands can now be much higher if the alternative is to pay a fine from the regulator. Essentially, senior management must choose between paying the ransom to sweep the incident under the carpet, or face a huge bill and unwanted publicity.

We’ve already seen an incident of this nature play out – the Uber hack, when the data of over 57 million customers was stolen. Cyber criminals successfully blackmailed Uber into paying over $100k hush money to keep the breach quiet.

Of course, a requirement of the GDPR is the data controller must report certain breaches to its supervisory authority. So, choosing to pay a ransom to cyber criminals to avoid reporting it to the regulator would already be falling foul of the regulation. If caught, the organisation would face penalties for the breach, and the failure to report. 

Does a ransomware attack count as a data breach under GDPR?

The short answer is “yes”.

You might think an attack is only a breach if the attacker has exfiltrated data, but that is not the case.

The ICO states a breach can include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

The breaches we tend to think about fall under the first example, “access by an unauthorised third party”. Ransomware attacks may not be covered here because personal data might not be exposed to anyone at all. In many cases, ransomware will encrypt the data and the criminal will hold the encryption key, but they may never have access to the data itself. In fact, the entire process will be automated: the encryption key will be generated and held on a command and control server. For a mass attack, the criminal won’t be actively involved at this stage and will just watch the bitcoins (or other cryptocurrency) roll in.

What about “loss of availability”? A ransomware attack will cause a disruption but, assuming an organisation has a good backup strategy in place and backups can be restored in a ‘timely manner’, you will meet the requirement for availability and access.

The key requirement here is “alteration”. Ransomware will cause an “alteration of personal data without permission” (at least the crypto-ransomware variants will) – and so counts as a breach.

Should ransomware infections leading to data breaches be reported to the regulator? 

Not necessarily.

In the UK, the ICO states “If it’s likely that there will be a risk then you must notify the ICO”. The onus is on the Data Protection Officer (DPO) to assess that risk and make a decision. If you choose not to report it, the decision must be justifiable and you must document it.

This is difficult. Even if the breach has been caused by what looks like a well-known type of ransomware, it could be a variant with different implications.

The ICO has made efforts to distance itself from the headlines about the maximum-level fines and to clarify how it intends to enforce the regulation. Our recommendation is to err on the side of caution. It won’t always be possible within the 72 hours of the breach to be certain that personal data is not at risk. The default position should be to report the incident, and only choose not to notify the ICO in the most clear-cut cases.