GDPR-based extortion is a dangerous myth

Eerke Boiten, Professor of Cyber Security at De Montfort University, argues that extortion via GDPR fines is not a realistic addition to the criminal repertoire

With the GDPR only three months away, there is a nervous sentiment running through the media. There are plenty of reasons to be worried, especially for those organisations that were still not fully compliant with the 1998 Data Protection Act. But the risk of extortion really should not be one of those reasons.

Has ransomware run its course? Probably not, as we expect to find out in the EPSRC multidisciplinary research project EMPHASIS. The volatility of bitcoin, the lack of financial gain and worm-like spreading of WannaCry and NotPetya, and the latter's likely destructive motivation, all indicate shifting patterns of behaviour. Security software is also emerging that prevents attacks or catches them early. But we also know that there is still plenty of potential for sophisticated targeted ransomware attacks around.

We do look at ransomware as the first potential method for high profit complex organised cybercrime. And following on from there, all of us need to think creatively of similar and similarly successful methods. Extortion based on threats or actual cyber attacks is a reality already - due to the reputational and business cost that an attack can cause. However, extortion via GDPR fines is not a realistic addition to the criminal repertoire.

Several recent headlines in this area can be traced back to the security vendor Trend Micro. It just released its 2017 round up report. Although there is only a single innocuous mention of GDPR in the 37 page report, the accompanying press release contains a throw-away line:

"...it's likely that some will try to extort money from enterprises by first determining the GDPR penalty that could result from an attack, and then demanding a ransom of slightly less than that fine, which CEOs might opt to pay."

Let us look first at "determining the GDPR penalty that could result". Too many GDPR discussions move all too quickly to the maximum fines - €20M (or 4 per cent of annual turnover) for one class of breaches, and half of that for another class. The GDPR itself does not say more than that. Maybe the blackmailer could determine the likely fine from past trend data?

Looking just at the UK, the ICO has had the power to fine up to half a million pounds since 2010. Thus far it has not fined anyone more than £400,000, ever. The ICO issued 54 fines in 2017, for a total of just over £4M. Around £3M of that was for unsolicited marketing in one form or another.

The most liberal interpretation of "security" applies to only nine of these monetary notices, for a total of just over £700,000. The highest fine was £200,000 for a hospital dealing insecurely with information about IVF treatment. The lowest was an almost symbolic £1,000 for a barrister making unencrypted sensitive customer information visible online.

Clearly, the ICO has not issued many nor high fines for data breaches of any form in its recent history. It is also very clear about its intended fining regime under GDPR:

"it's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick."

Add to that that the ICO takes into account how deliberate or negligent an organisation has been when setting the level of the fine (if any), and it must be clear that there is no guarantee at all that any particular data breach will lead to a fine - and hence no sense in asking for a ransom amount that lies sufficiently below that level. Finally, paying the ransom demand wouldn't get the victims off the hook: breach notification becomes mandatory under the GDPR, so they would still be liable for a fine of up to €10M for failing to report the breach!

Criminals might only try this blackmail if sufficiently many victims fear serious fines; this is why media hyperbole over fines and suggestions of GDPR extortion are actually irresponsible.

The situation is not fundamentally different in the rest of the EU. The higher fines have been for the larger players like Facebook, who can under GDPR indeed finally expect data protection fines that make a minor dent in their operation.

Another suggested GDPR extortion is by threatening what is essentially a denial of service attack on the subject access rights (SAR), by having many people ask for their data in a short period. Although theoretically possible, the associated blackmail remains a risky crime, and though there are plenty of instances of non-compliance on SAR now, the ICO did not actually issue a single fine for it in 2017.

Financial damage for organisations through the GDPR can come through compensation costs as well, but even that opens no interesting avenues for shady behaviour like we saw for PPI. Article 80.1 does allow collective claims for compensation, but it severely restricts the organisations involved; in particular, they must be non-profit.

"We have always preferred the carrot to the stick", the Information Commissioner says. Whatever you may think of that in general, it does have the pleasant consequence that nobody else can indirectly use GDPR fines as a stick either.

Eerke Boiten is Professor of Cyber Security, Cyber Technology Institute, School of Computer Science & Informatics, De Montfort University