Ransomware is a malicious software designed to block access to a computer system until a sum of money is paid. However, some forms of ransomware allow deeper penetration into the internal resources of the targeted entity, and may allow the attackers to:
- steal sensitive data, or
- view sensitive information before encrypting it selectively.
These circumstances imply unlawful access to personal data, in other words, a data breach. Depending on the circumstances, the data breach should be reported to the competent DPA and/or to the data subjects involved. Notwithstanding the fact that the entity that suffered the ransom attack is the victim, sometimes the DPA can decide to further punish the entity with a fine. This is what the Italian DPA did regarding a local health board.
The Lack of Privacy by Design measures that led to the Data Breach
The ransomware attack consisted of a virus that blocked access to the board’s database and a ransom request to restore the database functions. In particular, the attack put in jeopardy the personal data of almost a million data subjects (842.118). After it suffered a ransomware attack, the local health board diligently reported the data breach to the DPA which immediately launched a full-scale investigation. The investigation led to the detection of the following critical issues:
- lack of privacy by design measures (i.e. failure to implement adequate measures to ensure the security of the internal networks, both in relation to their segmentation and segregation)
- the absence of a detailed Data Breach Policy
- poor technical and organizational security measures in place (I.e. the local health board’s VPN authentication procedure involved only a single-factor authentication by username and password)
In particular, the lack of segmentation of the internal networks allowed the virus to spread into the whole network from the first point of entrance.
After the Ransomware and the Implementation of New Security Measures… the Fine!
After the breach, the local health board, among others:
- acted to mitigate the damages suffered by the data subjects
- implemented new technical and organizational security measures (i.e.: a new VPN authentication procedure accessible through username and password)
Notwithstanding all these new measures, due to the previous extensive lack of security measures that led to the data breach the Italian DPA issued a fine of 30.000 euro.
In conclusion, implementing the correct technical and organizational security measures and a detailed Data Breach Policy is important both to prevent data breaches and DPA fines! If you want to learn more about these and other measures to protect personal data, please feel free to contact us via firstname.lastname@example.org for further information.