GDPR Extortion Campaigns are on the Horizon

In recent years, DDoS and ransomware attacks have been the norm in cybercrime activity. Following the implementation of the EU’s General Data Protection Regulation (GDPR), cybercriminals could turn to a new means of extortion scareware.

Since its enactment on May 25 this year, the EU’s GDPR has prompted a number of companies to claim that the regulation could lead to a rise in cyber-extortion, with criminals targeting companies that aren’t (yet) GDPR-compliant and demanding money in return for not reporting them to regulators.

Take, for instance, a June survey in which 600 IT and legal professionals polled in the EU, UK and the US revealed that a mere 20% of companies surveyed believed they were GDPR-compliant. Just over half of those companies are in the process of implementing compliance norms, while a quarter of those polled are yet to start. That percentage falls even further among smaller companies and businesses in Latin America, the Middle East and APAC regions, underlining the huge ‘market’ of companies for cybercriminals to target.

“With the arrival of the GDPR, data that was once considered to be ‘boring’ or ‘worthless’, residential addresses etc., can now be used as a source of revenue via GDPR extortion,” Tom B, Red Team Leader at Thinkmarble, told IDG Connect.

Major cybersecurity firm Trend Micro also envisions a future wherein GDPR-based extortion schemes could become the norm. Criminals may even attack with a combination of extortion and crypto-ransomware, a “double-whammy” as described by Trend Micro’s Principal Security Strategist Bharat Mistry. In such a scenario, the failure to pay a ransom could lead to a loss of data and the possibility of hearing from a data regulator who has been informed by the criminal that the latter has breached the organization. Paying an extortion fee, the cybercriminal could insist, would mean all of the above is negated.

“I don’t think they’ll target large enterprises but certainly the small to medium, and maybe not UK ones or European ones but certainly outside of EU borders,” Bharat Mistry added.
