by Bharat Mistry
For all the panic it caused, WannaCry finally looks to have been contained by organisations around the globe. But this isn’t the time to forget about it and move on. There are valuable lessons to be learned from this attack: why it was so successful and what can be done to prevent it happening again. The unpalatable truth is that many of the organisations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year’s time.
That’s right: the EU General Data Protection Regulation (GDPR) is coming, and it adds a whole new level of urgency for firms that have realised after WannaCry that they need a major cybersecurity overhaul.
Data breach or ransomware?
On first look, there might not be anything obvious to link a ransomware attack to forthcoming European data protection law. After all, those hit by WannaCry had their data encrypted by attackers rather than stolen. However, a closer look at the GDPR tells a different story.
Article 4(12) states:
“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Customer data was most definitely accessed without authorisation and then lost, or arguably destroyed, once WannaCry encrypted it.
Similarly, Article 5(1)(f) has this:
“Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
What’s more, Article 32 states that, taking account of “the state of the art”, data controllers and processors must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Article 32(2) adds:
“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
WannaCry was preventable
How did organisations get hit by WannaCry? By failing to patch a known vulnerability in Windows SMBv1 (CVE-2017-0144, fixed by Microsoft’s MS17-010 update in March 2017). The exploit gave the worm remote code execution on every unpatched host it could reach over SMB, where it dropped the ransomware payload and encrypted files with 176 extensions, including those used by Microsoft Office, databases, file archives, multimedia files and various programming languages. Among those files, of course, was the all-important customer data that the GDPR is about to regulate.
So what would this mean in the eyes of the regulators? First, that any firm handling customer data which was hit by WannaCry could potentially have been guilty of allowing “unauthorised or unlawful processing” of this regulated data. It also technically suffered a personal data breach, despite no data being stolen, by virtue of that data being lost or de facto destroyed in the ransomware attack.
More damning still, because an official Microsoft patch had been available for roughly two months before the attack, the victim organisations could be said to have failed to take adequate security measures given the evident risks. Virtual patching technologies also exist to protect unpatched or unsupported systems in the meantime.
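The two conditions described above, an unpatched SMBv1 service and a patch that had long been available, are easy to check for on a Windows host. The following script is an added example and is not code from the article or its author; it reports whether SMBv1 is enabled, whether any MS17-010 package is installed, and whether TCP/445 is listening. The KB list is my transcription of the MS17-010 bulletin and is an assumption to verify against the bulletin for your OS and build; on Windows 10 the fix ships inside cumulative updates that supersede these IDs, so “none found” there means “check the installed cumulative update”, not “unpatched”.

```powershell
# Added example (not from the original article): exposure check for the
# conditions WannaCry needed on a Windows host. Run in an elevated
# PowerShell 5.x session on the host being checked.
#
# ASSUMPTION: the KB IDs below are my transcription of the MS17-010 bulletin.
# Verify them against the bulletin for your OS/build before relying on them.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012598',               # XP, Server 2003, Vista, Server 2008, Windows 8 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Exposure {
    $result = [ordered]@{}

    # 1. Is the SMBv1 server protocol switched on? (Windows 8 / 2012 and later)
    try {
        $result.Smb1ServerEnabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $result.Smb1ServerEnabled = 'unknown (Get-SmbServerConfiguration unavailable on this OS)'
    }

    # 2. Is the SMB1 optional feature installed at all? (Windows 8.1 / 10)
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.Smb1FeatureState = $feature.State
    } catch {
        $result.Smb1FeatureState = 'unknown'
    }

    # 3. Is any MS17-010 package present by KB ID?
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $result.Ms17010Kbs = if ($installed) { $installed.HotFixID -join ', ' } else { 'none found' }

    # 4. Is the SMB port listening at all? If not, the exploit has nothing to talk to.
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$r = Test-Ms17010Exposure
$r | Format-List

if ($r.Smb1ServerEnabled -eq $true) {
    Write-Warning 'SMBv1 is enabled. Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($r.Ms17010Kbs -eq 'none found') {
    Write-Warning 'No MS17-010 package found by KB ID. Confirm the installed cumulative update supersedes it, or patch now.'
}
```

Disabling SMBv1 removes the vulnerable code path regardless of patch state, so a host that reports `Smb1ServerEnabled: False` is not exposed to this exploit even before the patch is verified; a host that reports `True` with no MS17-010 package and port 445 listening is exactly the configuration WannaCry spread through.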
Getting security right
Scores of NHS trusts and countless other organisations were caught out by WannaCry. Had it happened just over a year later, they could have been on the hook for non-compliance with GDPR principles. Fines at the top end reach €20m or 4% of global annual turnover, whichever is higher. They would also have been obliged to notify the ICO within 72 hours of becoming aware of a personal data breach, which in itself could cause bigger fallout in terms of negative publicity and associated costs.
This month marks one year until the GDPR takes effect, and the message is simple: the security best practice that protected organisations against WannaCry will also help protect them from GDPR fallout after 25 May 2018.