This might also interest you...

Ransomware: Are you the victim or the perpetrator?

3 Jul 2017

After the recent ransomware attacks, many businesses will have turned their attention to ensuring that any such attack would not affect them in the future.  However, many will be unaware that they may be facing a fine due to their lack of security systems.


What is ransomware?


Ransomware attacks usually begin by entering an organisation’s network disguised as an email attachment.  Usually the emails emphasise urgency and, as such, many victims open the attachment out of instinct. 


The attachment (ransomware) infects a host computer and encrypting files that can be located on the hard drive, as well as spreading through the local network affecting the computer systems of whole company. The attackers will then issue a demand to the company for a sum of money (or bitcoin – an online currency) to be paid before they will release a decryption key.  There is no guarantee that the attacker will release the key, meaning there is a possibility that the data will never be restored.


The last major ransomware attack hit 200,000 victims across 150 countries and was only stopped when a young man triggered a “kill switch”.  Whilst many believe that the hackers are the ones at fault, the ICO have switched that on its head by stating that the companies themselves may have things to answer for.


The Information Commissioner’s Office (ICO) had previously released a statement which set out that companies should be aware of their duty to protect personal data and that they should therefore seek to prevent such ransomware attacks.


Impact on data protection


The Data Protection Act requires that data controllers take measures to protect personal data against loss or destruction.  Where the right technical measures have not been implemented by the victims of the ransomware attacks, the personal data is at risk.


Once a ransomware attack has taken place, technically the stored personal data has been lost and the company has breached the Data Protection Act.  The company will be unable to access the data and will be unable to restore the data without the decryption key.


Where companies have a back-up system, a permanent loss of data can be avoided as the company will be able to access the data once it had been restored from back up. However, those who do not have such measures in place will be left with a permanent loss of data.


The ICO have stated that, even where a company has been subject to a ransomware attack, they would consider their compliance with the Data Protection Act and that where a company has not been compliant, they will consider whether or not to levy a fine against the supposed “innocent” victim.


The ICO has just issued a £60,000 fine to Berkshire-based Boomerang Video Ltd for failing to take basic steps to stop its website being attacked.


What should you be doing?


Practically, companies should ensure that they have the appropriate measures in place to protect the data from ransomware attacks. Such prevention can include ensuring that you have:


  • cyber security such as malware

  • security patches on all computers and mobile devices

  • only installed necessary software onto networked computers

  • back-ups (both an offline and an offsite back up)

  • tested these back ups

  • trained your staff on recognising cyber attacks


With a cyber-attack, the first step is to attempt to recover the back-up data and the second is to scan the system to ensure that it is secure again.


Where there has been serious data loss, it is likely that the data controller would have to inform the ICO of the breach.  This means that not only are companies attacked by cyber hackers, but they have to report themselves to their regulating body to indicate that they have not been compliant, as the hack has resulted in loss of data.  As a result they may be fined and “named and shamed” by the ICO for not being fully compliant.




  2. Take appropriate measures to protect your systems from attack.

  3. Train your employees to be aware of cyber-attacks and to recognise bogus emails.

Share on Facebook
Share on Twitter
Please reload

Please reload

  • FB
  • Twitter
  • LinkedIn
  • Youtube

Short Richardson & Forth, 4 Mosley Street, Newcastle upon Tyne, NE1 1DE

Tel: +44 (0)191 232 0283  ·  Email:


Short Richardson and Forth Solicitors Limited is a private limited company registered in England and Wales under company number 10572065, authorised and regulated by the Solicitors Regulation Authority No 637150.

Short Richardson and Forth Solicitors Limited is a private limited company constituted and run in accordance with the provisions of the Companies Act 2006. The term “partner” has been used to denote individual senior solicitors employed by Short Richardson and Forth Solicitors Limited.