Ransomware: Holding Your Data Hostage
Key Contact: Lowri Morgan-Macdonald
When you hear the word “ransom”, you may automatically think of innocent bystanders being held hostage at gunpoint, or the child of a prominent politician being kidnapped, each with the promise of their release only in return for the payment of a ransom (you might even think of a film starring Mel Gibson, which at least one member of our team quite likes)! But with advances in technology and the associated increase in cyber-crime, we are seeing more and more incidents of a different type of ransom, namely ransomware attacks.
Some of the most recent and high-profile examples of such attacks include Ireland’s state health services provider being forced to shut all its IT systems and having to cancel some medical appointments, after being subject to a ransomware attack. There was also a recent ransomware attack on Colonial Pipeline in the US, which led to its service having to be taken down for five days, causing shortages in the supply of diesel, petrol, and jet fuel across the US.
Ransomware was also a hot topic at the Information Commissioner’s Office’s (ICO’s) recent Data Protection Practitioners’ Conference (DPPC). The ICO’s dedicated Cyber Incident Investigation and Response Team reported a consistent increase in ransomware attacks over the past 12 months, from a monthly average of 13 incidents up to a more alarming 42 incidents in 2020-21 – helped, no doubt, by more people working from home and using less secure hardware. They also confirmed that ransomware attacks account for one of the leading causes of personal data breaches reported to and/or investigated by the ICO.
In this article, we are going to take a closer look at ransomware attacks, the impact that they can have on your business, and what steps you can take to protect against such attacks.
What is ransomware?
Ransomware is a type of malicious software that can stop you from accessing your computer, or the data stored on it, by locking the computer or encrypting such data. The attacker will then demand the payment of a ransom, often in the form of a cryptocurrency such as Bitcoin, in order to unlock your computer or decrypt the data. The attacker may also threaten to delete your data or publish it online if you refuse to pay the ransom.
What are the potential consequences of an attack?
A ransomware attack can of course have very significant financial consequences for your business, whether you decide to pay the ransom or not. At the DPPC, the ICO referenced Palo Alto Networks’ Unit 42 Ransomware Threat Report, which stated that the average ransom paid by organisations subjected to such attacks in 2020 was £225,000. Major news networks and newspapers in the US also reported that Colonial Pipeline paid the attackers a ransom of nearly £3.6 million! But, even if you do not pay the ransom, there are likely to be significant costs and losses associated with dealing with and remedying the effects of such an attack.
Such an attack can also lead to a personal data breach under the UK GDPR. This is because a personal data breach is essentially defined as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; and ransomware attacks are often likely to come within this definition.
At the DPPC, the ICO gave examples of some ransomware attacks that may not obviously be categorised as personal data breaches. These include where ransomware has encrypted personal data using automated tools so that an actual person has not viewed or accessed any of the personal data – they stated that such an attack would still constitute a personal data breach, as the availability of, and access to, such data is still compromised. So it is important that specialist advice is sought in the event of any such attack, and that policies and procedures are in place beforehand so that these issues can be identified and there is a plan for how to deal with them.
If a ransomware attack leads to a personal data breach, you must notify the ICO of the breach within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals. An example given by the ICO of an attack that may not need to be reported is where you have a backup of your data which can be restored in a few hours, there is no detriment to the individual whilst the backup is being restored, it is subsequently restored, and you are confident that no personal data has been exfiltrated. But you will need to assess on a case-by-case basis whether any breach is likely to result in a risk to the individuals affected, and ensure that you document any such assessment, whether you decide to report or not. You must also notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms. These determinations are not straightforward and are time-critical; in the midst of a cyber-attack you need advisors who can react quickly to give you the support you need.
If a personal data breach is reported to the ICO, the ICO will investigate the breach and will, in particular, investigate your compliance with articles 5(1)(f) and 32 of the UK GDPR. These are essentially the security principles of the UK GDPR, which require you to process personal data securely by means of appropriate technical and organisational measures.
As well as the potential financial and regulatory impacts, a ransomware attack can also be incredibly damaging for your reputation as customers, suppliers, partners, and various other parties may lose confidence in your ability to protect and manage their data.
How can you protect against an attack?
So, what can you do to protect yourself against an attack? Although you cannot completely eliminate the risk of an attack happening, there are some steps that you can take to reduce any such risk and to help deal with the consequences in the event that the worst does happen. These include:
- Security – ensure that you have appropriate security in place. There are plenty of resources available to assist with this, particularly on the National Cyber Security Centre’s website (https://www.ncsc.gov.uk/).
- Backups – maintain regular and up-to-date backups of your files and ensure that these are segregated from your main, live system to reduce the risk of an attacker also gaining access to such backups.
- Remote access – where you allow remote access to your network, use a secure VPN, use multi-factor authentication and ensure that your devices, operating systems and platforms are up-to-date.
- Data breach policies and procedures – have up-to-date policies and procedures in place to help you and your staff identify, investigate, report and respond to a security incident in accordance with data protection legislation.
- Disaster recovery and incident response plans – ensure that you have plans and procedures in place to deal with any such incident.
- Staff training – provide regular training to your staff in relation to cybersecurity and data protection so that they know what to do if there is an attack.
- Advisors – engage specialist advisors to help you plan for any such attack and who can be on hand if one should arise.
If you would like to discuss any of the above, or would like any advice or assistance in pulling together any policies, procedures, plans or training programmes, please contact [email protected].