To tell or not to tell? That’s the dilemma faced by anyone who’s been hit by hackers or online fraudsters. We look at the reasons why so many businesses opt to stay quiet. And with GDPR around the corner, we also discover why keeping schtum about the loss of “personal data” is now no longer an option…
How much cybercrime is brushed under the carpet?
The latest Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) reveals that just under 300,000 cybercrimes were reported to the Bureau last year. Losses from these incidents are estimated at $1.3 billion.
This is tip of the iceberg stuff. The FBI reckons that just one in seven internet crimes are brought to the attention of law enforcers. Likewise, the US Department of Justice estimates that just 15% of Internet crime is reported. UK figures paint a similar picture: Crime Survey of England and Wales figures suggest there were 3.6 million fraud cases last year, although only 622,000 were made known to the police.
A combination of embarrassment and scepticism about the chances of tracking down the culprit helps to explain why individuals tend not to report cybercrime. For businesses, there are also big commercial considerations at play…
Ransomware: pay up and shut up?
Unsurprisingly, the official advice for firms hit by ransomware attacks and other forms of cyber extortion is to report the incident rather than pay up.
But back in the real world, handing over the cash will often seem like the quickest and easiest way to make the problem disappear. After all, with just 20% of demands thought to exceed the £1,000 mark, rarely are we dealing with “break the bank” amounts.
When Trend Micro looked at this last year, they found that good intentions tend to go out the window when businesses are actually hit. Three quarters of businesses who had never been caught up in a ransomware attack somewhat idealistically declared they would never pay up. Yet two thirds of firms who had been hit had in fact chosen to pay.
If there’s one big problem with this, it’s that quietly paying the ransom is no guarantee of getting your data back. Turns out, for an estimated 20% of cases where businesses paid the criminals, the encryption key they were hoping for didn’t materialise.
Don’t tell the boss…
You’ve clicked on something you shouldn’t have. You’ve been duped into handing over the wrong data to the wrong people. Or maybe you’re the one responsible for AV and firewall configuration or patch management, and you’ve kind of let things slide…
More often than not, when it comes to explaining how a data breach happened, there’s an element of human error in the mix. So if you know that data has been compromised due to some shortcoming on your part, do you own up and face the music, quietly clear it up yourself, or ignore it and hope it goes away?
The self-preservation route is a hard one to resist – even (or perhaps even more so) within highly regulated sectors where the data is super-sensitive. For instance, a Crown Records Management Survey of big pharma IT insiders suggests that nearly a quarter are failing to report data breaches higher up the management chain. What happens on the shop floor very often stays there.
It wasn’t that important anyway…
In 2014, Irish-based bookies Paddy Power commenced legal action to recover data from an unnamed individual in Canada. It turned out that back in 2010, data relating to almost 650,000 customers had been stolen…
Paddy Power hadn’t reported the breach when it happened – and nor had it notified its customers. The rationale was that although names, addresses, email addresses and phone numbers had been stolen, account passwords and financial data hadn’t been compromised. In the absence of “evidence that any customers accounts have been adversely impacted by this breach”, the company stayed quiet.
Although the Irish data regulator “admonished” the bookmaker for its decision not to report it, admonishment was all it could do. Under the Data Protection Directive, the company hadn’t broken any laws.
So what’s changed?
Under the old Data Protection Act and in the words of the UK regulator, “although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO”. In other words, the reporting of breaches was largely optional.
Due to come into force in May 2018 right across the EU and EEA, the General Data Protection Regulation (GDPR) marks a big change. For the first time, all organisations who have customers in the EU are faced with a mandatory duty to report security breaches resulting in the loss or compromise of personal data.
And now that the maximum fines regulators can levy are set to rise to EUR 20 million or 4% of annual global turnover, keeping quiet about breaches (at least, when personal data is affected) is no longer going to be an option.
You can find out more about GDPR here.
Nathan, could I translate your article to Portuguese?
Yes if you link to the original.
Two words to correct:
scepticism to skepticism
hit had – hit hard
Excellent article, thanks for all this organized information.
Thanks. British spelling.
Yep, not in the US, not while corporate interests are held more important than individuals’ rights to know their information was exfiltrated right off a “secure” server.
“all organisations who have customers in the EU are faced with a mandatory duty to report security breaches resulting in the loss or compromise of personal data.”
It’s a good article, thank you Nathan!
I think GDPR looks like it will become the speed camera for data collectors using the internet highways, useful if applied with teeth… otherwise just something other people get caught up in… this is the human element of risk management.
You could well be right! Time will tell what teeth it has.
Wish we had such laws in India which would make reporting of data breaches mandatory. Also it would be good to make the custodians of data accountable for security breaches.
Even I agree with your views, as I was working for a client that had a hit, but it got covered up; it’s true that the organization tries to cover up to avoid damage to its reputation.
Wow – shocked at just how much doesn’t get reported. There must be so many much smaller incidents and attacks that aren’t reported because of the size, and embarrassment as you’ve stated.
Great article – thanks Nathan!
…and thank you Nathan 🙂
As a cyber victim I’ve been suffering with my teeth
Great article. I wonder if this regulation applies only to corporations or also to smaller companies who also process and store personal data.
As a victim I have suffered a lot, as well as my family; very hard for people to understand. Utilized for porn through a disability agency is very hard for people to understand.
Nathan, another reason might be late reporting of data breaches or an inadequate level of detail may be provided to GDPR.