Sunday 18 November 2018

Fears of cyber extortion by hi-tech criminals as new data rules to come into force

General Data Protection Regulation (GDPR) will come into force on the May 25
General Data Protection Regulation (GDPR) will come into force on the May 25
Gareth Morgan

Gareth Morgan

CYBER experts fear that hi-tech criminals will turn the authorities against everyday businesses - by hacking into their systems and then reporting the data breach unless a ransom is paid.

New laws called the General Data Protection Regulation (GDPR) will come into force on the May 25, replacing the existing data protection framework.

Experts say it will be a game changer as cyber extortion, or the kidnapping of personal data, is fast becoming one of the most lucrative tactics for hackers.

Personal information can be extracted from a company by hackers, and the businesses  given the opportunity to pay a ransom.

If not paid, then the breach is reported anonymously to the Data Protection Office, bringing the threat of large fines and regulatory nightmares.

Irish businesses need to protect themselves from an impending wave of cyber extortion as a result of this, according to cyber security expert James Canty, of Magnet Networks.

“After several years of cyber crime attacks, from May onwards we will now have GDPR legislation punishable by law if your business doesn’t have adequate controls in place to protect any PII information it may be holding,” said Mr Canty.

“This presents an opportunity for the ‘ordinary decent cybercriminal’ to obtain PII from a business and demand a ransom for not letting the authorities know that they easily obtained your information.”

Businesses targeted in this fashion receive an email with the sort of information the hackers have been able to extract.

“The demand would state that the appropriate protections are not in place in the company and that information was easily extracted.

“The business will then be faced with three options – paying an extortion fee, taking the risk that the criminals will report the stolen data anonymously to the Data Protection Officer, or self-declaring the data breach within 48 hours. Either of the latter two options will involve inspections, fines and a large amount of regulatory work.”

“Companies need to have a next generation application-aware firewall along with advanced endpoint protection and local real-time analysis on each machine,” he added.

Adrian Weckler Q&A

What is GDPR?

The General Data Protection Regulation (GDPR) is a new set of rules to radically tighten up privacy laws across the EU. It will affect every company and organisation. Ut means that you have a lot more rights over how personal information is handled, stored and processed.

What is ‘personal information’?

Lots of it is the kind of stuff you would naturally expect, such as your name, your medical information or your bank details. But it also includes your computer’s ‘IP address’ and location data from your phone. This is why it’s such a big deal for some of the big tech companies, like Facebook, which bases its advertising model on this kind of info.

So is it mainly tech companies  affected?

Not at all. Any company (or organisation) that holds any personal information about you has to sit up and pay attention.

So what do these companies have to do?

When a service needs your consent to use your personal information, it has to get it clearly now. So it can’t, for instance, revert to obscured ‘opt-out’ boxes. And if some organisation suffers a serious data breach that is likely to affect you, it will now have to tell you about it. Ordinary people are now also supposed to have easier access to their personal data from companies as well as the right to transfer that data  or have it deleted altogether.

When is this actually taking effect?

Enforcement of the new rules come into effect from Friday, May 25.

What does it mean if you run a business?

An awful lot. For starters, non-adherence won’t be treated with the typical slaps on the wrist that have existed in Ireland and Europe up to now. The penalties include fines up to €20m or 4pc of global annual turnover.  Data Protection Commissioner, Helen Dixon, has repeatedly said that her office won’t shy away from bringing down the hammer. There won’t be any ‘bedding in’ period.

Lots of bigger businesses will need to appoint new staff such as a data protection officer. Smaller companies will probably need to check their systems are compliant and that they have some procedure for dealing with the new rights that customers and ordinary people have.

What about social media - will it change?

Anyone with a Facebook account will have noticed messages or pop-ups recently. Mainly, it has just made its settings a little more prominent and easier to adjust.

It’s the same for Instagram and Whatsapp (both of which are owned by Facebook). They’re asking you to “review” your privacy settings and to accept them or quit the services.

Online Editors

Business Newsletter

Read the leading stories from the world of Business.

Also in Business