Criminals are taking advantage of misunderstandings surrounding the European Union’s General Data Protection Regulation (GDPR) to exploit gullible employees and organizations, according to Stephen Willis at Lastline. Although GDPR is a European law, it applies to any organization, wherever it is based, that stores or processes the personal data of people in the EU. As a result, organizations around the world have been rushing to improve their security to become GDPR-compliant and avoid the regulation’s hefty fines. Willis outlines two ways attackers have been capitalizing on this situation.
The first technique is a type of extortion that Willis calls “reverse ransomware.” This is when an attacker breaks into an organization and exfiltrates GDPR-protected data. They then notify the organization that they have stolen the data and threaten to release it publicly unless the organization pays a ransom. Releasing the data would expose the breach, and with it the organization’s failure to protect the data, which could result in a fine far larger than the ransom demanded.
Willis points out that an attacker is extremely unlikely to destroy the data when they can keep asking for more money until the organization refuses to pay. It is also worth noting that the organization in this situation already has a reportable breach on its hands: GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, and paying the attacker does not remove that obligation. Any penalties down the road will be much more severe if data protection authorities later find out the organization has been paying to cover up the breach.
The second, more traditional type of scam involves phony offers to help organizations become GDPR compliant. Scammers send emails with malicious links or attachments, or they ask targets to pay for bogus services in advance. Willis says one of the best measures to defend against any of these threats is employee training.
“Through ignorance or inattention, employees can be the biggest threat to cybersecurity,” he says. “It’s not enough to simply sit them down when you hire them and warn of dire consequences if they let malware in the building. Owners need a thorough, ongoing education program related to online security that emphasizes its importance as being only slightly below breathing.”
Willis adds that GDPR is meant to be a set of minimum security standards, and that “viewing compliance as the starting point and continuing to refine network security will serve a company well in the long run.” New-school security awareness training is an essential tool to build a culture of security within your organization.
BetaNews has the story: https://betanews.com/2019/03/29/is-gdpr-the-new-hacker-scare-tactic/