Ransomware attacks are, quite frankly, the greatest cyber threat of this age. That’s because their effects extend from critical infrastructure down to the individual level. Everyone and everything in cyberspace can be affected by ransomware. At the individual level, the adverse effects may include loss of control over personal data, limitation of individual rights, discrimination, identity theft, and damage to individual reputation, among others. Data protection laws such as GDPR are intended to protect individuals from these effects. Such laws require that a breach of the confidentiality, integrity, or availability of such data be reported.
In this blog series, we will go through some of the common breach scenarios that may warrant notifications to data protection authorities and affected individuals. In today’s case, we review a scenario where there is a breach at an organization that has proper backups and no exfiltration (unauthorized movement of data) whatsoever.
CASE: Ransomware With Proper Backup and Without Exfiltration
ACME Corporation was exposed to a ransomware attack. The data exposed to the attack was fully encrypted at rest by the data controller. All the personal data that the attacker was trying to access was in effect inaccessible. ACME also had log tracing technology that traced all data leaving the company. Looking at the logs, they determined with accuracy that the attackers only encrypted the already encrypted data without exfiltrating it. The encrypted personal data affected by the breach relates to clients and employees of the company, only a few individuals altogether. A backup was available, and the data was eventually restored. This event didn’t result in any consequences for the operations of the company. There was no delay in operations relating to the employees or clients.
From this case, the one thing that helped resolve the situation was having a backup. ACME may have gone to the lengths of encrypting its data and having some logging and monitoring in place, but it would potentially have been extorted if it had no backup. Without a backup, few measures can be undertaken to prevent the loss of personal data. The data would have to be collected again if it was stolen, whether encrypted or unencrypted.
Risks and Mitigations
The key risks, in this case, would be:
- Re-encrypted personal information - This would render personal information inaccessible without a backup.
If such a risk materializes into an incident without compromising the availability of personal information, it may not need to be reported to a Supervisory Authority (SA) or customers, as it is unlikely to result in a risk to the rights and freedoms of natural persons. Even so, the event should be recorded in the company’s internal register, and further protection measures for handling the encrypted data should be considered.
Backups and access controls play a huge role in protecting personal information, whether encrypted or unencrypted. Once an actor can access encrypted data, he/she could encrypt it further or steal it, which would potentially render personal information inaccessible. This is where the importance of backups comes into play in meeting privacy compliance.