Shane Chambers No Comments

Ransomware attacks may breach new EU GDPR data protection regulations.

With the introduction of the new EU general data protection regulation (GDPR) this time next year (25 May 2018 to be exact) – businesses all over the globe could find themselves in breach of the regulation and facing hefty fines should they fail to prevent a ransomware attack, phishing attack or similar. The message is finally getting out there – something needs to be done about ransomware and fast.

GDPR Data Breach From Ransomware

How Ransomware could cause a breach of GDPR?

As noted in this RTE article by @AengusCox – data protection and governance expert @DaraghOBrien, Managing Director of Castlebridge Associates, confirms GDPR is all about accountability. Not only do organisations have to comply with the regulation, they also have to demonstrate compliance through evidential proof (documentation, etc) of the controls, processes, technology, etc. that they have in place to protect the sensitive and personal data they hold on EU citizens (to include their staff, customers, vendors and third parties).

Daragh confirms that ransomware could indeed be seen as a breach of GDPR by the data protection commissioner, as ransomware typically can affect both the availability and access of personal data and can also affect the recovery of the personal data. Indeed, some viruses are known to upload personal data to hackers – a clear data breach and major breach of the GDPR.

As the GDPR comes more and more into focus through the year and into next year – security experts predict that hackers/scammers will begin to steal data with advanced ransomware and then blackmail the victims by threatening to report them to data protection commissioner.

What can be done?

In the RTE video interview, Daragh notes that security awareness training for staff is crucial now. Businesses urgently need to train their staff how to recognise and avoid clicking on links in phishing emails.

Many may not realise yet, but Article 39 1(b) of the GDPR regulation places a mandatory onus on organisations to undertake security awareness training for staff that deal with sensitive personal data. Read more