Europol, the EU’s policing agency, has warned that EU data protection laws may lead to an increase in cyber-extortion in a report released on Tuesday (18 September).
The fifth Internet Organised Crime Threat Assessment (IOCTA) was presented at the INTERPOL-Europol Cybercrime Conference in Singapore, and warned of the implications of companies breaching General Data Protection Regulation (GDPR) rules and choosing to pay hackers bribes.
Under GDPR rules that came into force in May, violations can result in fines of up to €20 million or 4% of global turnover, whichever is higher.
Europol’s research shines a light on the fact that companies could be inclined to pay lesser extortion fees to hackers.
The report states:
“Hacked companies [may] rather pay a smaller ransom to a hacker for non-disclosure than the steep fine that might be imposed by their competent authority.”
Europol goes on to warn that if such companies are to negotiate with cybercriminals, then they “will only fund further attacks and other criminal activity” and that the organisation at risk has no guarantee that “the attacker will not disclose or otherwise exploit information.”
When pressed for the basis of the claim that companies may prefer to negotiate fees with hackers rather than pay GDPR fines, a Europol spokesperson told EURACTIV that the conclusion was drawn up from responses to a survey Europol had sent out to private partners.
Neither the survey itself nor the ‘private partners’ who participated could be disclosed. A European Commission official also informed EURACTIV that they had not been consulted on the survey in question.
Nevertheless, Europol’s claims will no doubt raise alarms at the Commission, which struck a steadfast tone in response to the report.
“The GDPR includes a clear obligation on companies to notify data breaches,” a Commission official told EURACTIV.
“The enforcement of data protection rules is the responsibility of the data protection authorities. They have to assess a certain number of criteria when imposing a fine. One of these criteria is the good cooperation of the company with authorities, including informing them about data breaches.”
Europol’s critique of GDPR goes further than highlighting the shortfalls of compliance. The report also notes the technical ramifications that GDPR has had on cybersecurity policing across the continent.
The criticism centres around the operation of the WHOIS database, an online repository of information associated with registered domain names. Europol says that EU data protection law has “debilitating repercussions for cybercrime investigations,” in the context of WHOIS.
Subsequent to GDPR entering into force, the Board of the Internet Corporation for Assigned Names and Numbers (ICANN) established temporary requirements that call upon registries and registrars to redact all personal data from publicly available WHOIS records.
Europol says that this necessity is “significantly hampering the ability of investigators across the world to identify and investigate online crime,” as they no longer have the unimpeded access to data records that would previously have assisted in investigations.
The study arrives at a time when questions are being raised as to the effective execution of punitive measures for non-compliance.
At the Confederation of British Industry Cyber Security conference in London on September 12, Deputy Commissioner for Operations at the UK’s information rights authority, James Dipple-Johnstone, conceded that the UK “has not issued any fines for breaches of the new regime,” even though monthly data breach reports have risen rapidly since GDPR was enforced, amounting to as many as 500 calls a week.
Dipple-Johnstone added that much malicious activity online is often dealt with through “advice, guidance and reassurance” rather than fines from UK authorities.
Questions will no doubt surface as to the issues of non-compliance with GDPR, as Europol’s study is digested by policymakers in Brussels.
The EU’s law enforcement agency also drew attention to the wider vulnerabilities that citizens and businesses face across the EU.
Ransomware and Distributed Denial-of-Service (DDoS) attacks have become staples of online criminality, mobile malware is expected to rise as users shift from online to mobile banking, and social engineering threats are judged likely to become more prevalent.
Catherine De Bolle, Executive Director of Europol, wrote in the assessment that legislative developments on the continent “impact on our ability as law enforcement officers to effectively investigate cybercrime.”
“This emphasises the need for law enforcement to engage with policymakers, legislators, and industry, in order to have a voice in how our society develops,” she said.