After the recent ransomware attacks, many businesses will have turned their attention to ensuring that any such attack would not affect them in the future. However, many will be unaware that they may be facing a fine due to their lack of security systems.
What is ransomware?
Ransomware attacks usually begin by entering an organisation’s network disguised as an email attachment. Usually the emails emphasise urgency and, as such, many victims open the attachment out of instinct.
The attachment (the ransomware) infects the host computer and encrypts the files on its hard drive, and it may also spread across the local network to the computer systems of the whole company. The attackers then issue a demand to the company for a sum of money (or bitcoin – an online currency) to be paid before they will release a decryption key. There is no guarantee that the attacker will release the key, meaning there is a possibility that the data will never be restored.
The last major ransomware attack hit 200,000 victims across 150 countries and was only stopped when a young man triggered a “kill switch”. Whilst many believe that the hackers are the ones at fault, the ICO has turned that on its head by stating that the companies themselves may have things to answer for.
The Information Commissioner’s Office (ICO) had previously released a statement which set out that companies should be aware of their duty to protect personal data and that they should therefore seek to prevent such ransomware attacks.
Impact on data protection
The Data Protection Act requires that data controllers take measures to protect personal data against loss or destruction. Where the right technical measures have not been implemented by the victims of the ransomware attacks, the personal data is at risk.
Once a ransomware attack has taken place, technically the stored personal data has been lost and the company has breached the Data Protection Act. The company will be unable to access the data and will be unable to restore the data without the decryption key.
Where companies have a back-up system, a permanent loss of data can be avoided, as the company will be able to access the data once it has been restored from back-up. However, those who do not have such measures in place will be left with a permanent loss of data.
The ICO has stated that, even where a company has been subject to a ransomware attack, it would consider the company’s compliance with the Data Protection Act and that, where a company has not been compliant, it will consider whether or not to levy a fine against the supposedly “innocent” victim.
The ICO has just issued a £60,000 fine to Berkshire-based Boomerang Video Ltd for failing to take basic steps to stop its website being attacked.
What should you be doing?
Practically, companies should ensure that they have the appropriate measures in place to protect data from ransomware attacks. Such prevention can include ensuring that you have:
cyber security software such as anti-malware protection
security patches applied to all computers and mobile devices
only installed necessary software onto networked computers
back-ups (both an offline and an offsite back-up)
tested these back-ups
trained your staff to recognise cyber attacks
After a cyber-attack, the first step is to attempt to recover the data from back-up and the second is to scan the system to ensure that it is secure again.
Where there has been serious data loss, it is likely that the data controller would have to inform the ICO of the breach. This means that not only are companies attacked by cyber hackers, but they have to report themselves to their regulating body to indicate that they have not been compliant, as the hack has resulted in loss of data. As a result they may be fined and “named and shamed” by the ICO for not being fully compliant.
Take appropriate measures to protect your systems from attack.
Train your employees to be aware of cyber-attacks and to recognise bogus emails.