Ransomware and Personal Data: The Secondary Threat (Part 2)

Posted 05/26/2017 by Patrick McGrath

Posted in

This blog continues the discussion of the connection between ransomware breaches and data privacy.

Concerns about ransomware extend beyond backup and recovering access to the lost files.A ransom request could be evidence of a theft of personal data that provides significant exposure to privacy regulations such as upcoming provisions within the EU’s GDPR. GDPR would require the organization to notify a supervisory authority and potential victims within 72 hours of knowledge of a breach. Organizations, therefore, need a way to search and discover what information has been breached in an effort to determine the extent of risk.

We have seen a tremendous escalation of data thefts using various hacking techniques, including phishing and ransomware. Last year, the SonicWall GRID Threat Network found that “ransomware use grew by 167 times year over year and was the payload of choice for malicious email campaigns and exploit kits.”

The ransom request itself is usually the first indication that an intrusion has occurred. This is particularly true for endpoints that are generally managed by users with decreased knowledge about data policies and decreased vigilance with system updates. Similar to any other data loss event, it could also be determined that personal data was also stolen based on necessary forensic analysis. If cyber thieves have the ability to steal data or make data unavailable, there’s an excellent chance they can and will use the information for other purposes as well. Particularly if un-encrypted.

In this event, the attack could require privacy breach notifications to supervisory authorities and potential victims, similar to those outlined in U.S. State laws and from upcoming European Union GDPR regulations. The exposure to bad PR, breaching trust with your customers and potential fines, all present considerable risk to your organization.

Beyond common sense infrastructure and data management practices, here are five privacy lessons from these events:

  1. Even if you have no direct evidence that personal data had been accessed or misused, the possibility that it could have still leaves you open to notification requirements.

  2. With the rapid adoption of cloud and SaaS application partners, data is becoming further distributed and it demands proper data protection coverage. Even if breached data was not stored on-premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures. They are your customers, prospects, donors and employees.

  3. Minimize your threat surface. Keep only the personal data necessary to service direct business and legal needs. Use archiving policies to identify instances of personal data, delete, encrypt and/or move to more secure locations that are fully tracked. Education is helpful, but automation is key.

  4. If you have 72 hours (refer GDPR) to notify a supervisory authority and victims once you become aware of a breach, access to information from servers, laptops, applications and SaaS partners becomes utterly critical. The ability to search across these silos could be the difference between compliance, embarrassment and major fines.

  5. Whether you are directly impacted by it or not, the EU’s lead with GDPR presents a prescribed programmatic approach with privacy practices that provide an excellent framework for the responsible handling of personal data.

 For more information about how Commvault can support your data management needs, check out the following articles: