Our CEO Christy Wyatt recently joined Scott McGrew on NBC Press:Here, the Silicon Valley version of “Meet the Press.” Alongside Reuters’ Joe Menn and USA TODAY’s Laura Mandaro, the four had a lively discussion on privacy, security and the General Data Protection Regulation (GDPR). Some of the topics covered included “the fine print,” “consumer awareness,” “accountability,” “data as currency,” and “snake oil compliance.” Have a watch: NBC Press:Here
Have a Coke and (not) a smile. Bleeping Computer reported last week that a former employee of a Coca-Cola subsidiary was found to be in possession of an “external hard drive containing information that appeared to have been misappropriated” from the company. According to Catalin Cimpanu, the incident impacted 8,000 Coca-Cola employees, and the types of data stolen were varied. No information has been provided on how the malicious insider may or may not have used the data. You can read the full story at: Coca-Cola Suffers Breach at the Hands of Former Employee.
Ransom is the new ransom
In cybersecurity, when we think about “ransom” our minds typically conjure images of the chaos that ensues inside companies when they realize they’ve been struck with encrypting malware like WannaCry. That scenario is accurate, but there are also several other forms of ransom taking place in our new digital and GDPR world.
At eWeek, Sean Michael Kerner published an article about how Canada’s Imperial Bank was the victim of cybercriminals attempting to extort a ransom in exchange for NOT making stolen data public. In this case, encryption isn’t an attack element; the attackers’ goal is either to expose the data or to get paid not to. You can read the entire piece at: Two Canadian Banks Report Breaches Exposing Customer Data.
With the arrival of GDPR, the security and compliance industry can expect to see this type of ransom crime and privileged insider risk increase. Why?
GDPR mandates hefty penalties for companies that are breached. In most cases, penalties will far outweigh the actual cost of a breach, which cybercriminals know. Rather than auction stolen data to fellow criminals for pennies or try to exact a ransom to decrypt it, criminals will likely offer to ransom it back to the organizations they stole it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the dark web, but significantly lower than an actual GDPR breach fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense, as the payment will be much lower than the financial penalties.
Privileged insiders are central to this scenario. Because insiders hold the keys to the kingdom, cybercriminals will be motivated to either bribe or fool them into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts far beyond anything seen in the past.
It gets worse
Fooling and bribing insiders will get easier. GDPR privacy regulations will actually shield cybercriminals’ operations. With studies showing that employees are willing to sell passwords, the offer of a share in a substantial extortion payment in exchange for credentials may end up being too much to resist.