Data Breach: the importance of cybersecurity

Recent cases of data breach

In recent news, SIAE suffered a “ransomware” hacker attack by the cybercrime group Everest, which, according to SIAE, stole about 28 thousand files (a total of 60 gigabytes of data) belonging to associates, including payment data, identity cards, tax codes, and music tracks (mostly unpublished).

Ransomware is a malicious computer program that can “infect” a digital device (PC, tablet, smartphone, smart TV), blocking access to, or stealing all or some of, its contents (photos, videos, files, etc.). The goal of hackers who install this type of program is to demand a ransom in exchange for returning the stolen data or for not leaking it (on this point, see the fact sheet of the Italian Authority for the protection of personal data, available at https://www.garanteprivacy.it/temi/cybersecurity/ransomware).

In the case of SIAE, the attack started with phishing activities, i.e. text and WhatsApp messages sent as bait to some SIAE members, asking them to reply in order to avoid being deleted from the association: some of the members “took the bait” by replying to the messages. In this way, the hackers first gained access to the SIAE computer system and then sent an email to the association threatening to publish the stolen data on the dark web, with a ransom demand of 3 million euros in bitcoin (which SIAE declared it did not want to pay).

An additional recent attack was suffered by Amazon’s well-known streaming platform, Twitch. In this case, hackers first removed and then leaked a torrent file of over 125 gigabytes containing a lot of data and confidential information related to the platform, including the source code of Twitch and the fees of some of its creators. Furthermore, many people will remember the very serious data breach suffered by the Lazio Region in August 2021, which paralysed the IT systems (also used for the booking of Covid-19 vaccines) for many days.

Unfortunately, hacker attacks have significantly increased during the pandemic, due to the massive use of digital devices by companies that have adopted the work-from-home model, with home systems potentially more exposed to the risk of unauthorised intrusions. In fact, according to a recent European Commission study on cybercrime, cyber attacks in Europe in 2020 saw a 75% increase over 2019.

The victims of data breaches are not limited to big tech companies: they also include public administration and companies in the fields of healthcare, research and education, online services, banking & finance, hardware and software technology manufacturing, and critical infrastructure. All types of companies, regardless of their size, are at risk from a cyber attack.

What is a data breach?

Art. 4 of the General Regulation on the protection of personal data n. 2016/679 (better known as “GDPR”) defines data breach as the “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Thus, three types of data breach can be distinguished:

1. confidentiality breach, which is when there is an unauthorised or accidental disclosure of or access to data;

2. integrity breach, which is when there is an unauthorised or accidental alteration of data;

3. breach of availability, i.e., when there is an accidental or unauthorised loss, inaccessibility, or destruction of data.

Obviously, a data breach may also concern data that is not personal in nature but is equally confidential (e.g. sensitive company information, company payment data, etc.).

The causes of data breaches

There are many causes of data breaches, from malicious events such as hacker attacks to accidental events or human errors. Here are some examples:

weak or stolen credentials: a weak password (or a strong but not securely stored password) can increase device vulnerability and facilitate unauthorised intrusion by hackers;

application vulnerabilities: using outdated hardware and/or software increases the risk of attack;

over-authorisation: companies should limit access to IT systems as much as possible by keeping them constantly updated;

physical theft and loss: abandoned devices, confidential paper documents, files and other physical property that are lost or stolen are frequent causes of data breaches;

human error: an unintentional disclosure of data can occur due to errors or negligence by employees (who may not have been properly trained by the company).

The above examples, in turn, are frequently caused by poor business management characterised by a lack of internal procedures, the presence of inadequate external suppliers, the absence of strict back-up procedures, etc.

What are the risks of a data breach?

The consequences of a cyber attack on a business can be extremely damaging. First of all, consider the risk of data loss, which may be temporary or permanent (especially in the case of inadequate backup systems). In addition, the company may suffer significant financial losses (especially in the case of payment data theft), or lose important business opportunities and, certainly, may suffer significant damage to its reputation.

In addition, if the data breach involves personal data, the Privacy Guarantor may impose fines of up to 2% of annual worldwide turnover.

What to do in the event of a data breach?

A company that has suffered a security breach that also involves personal data must, as data controller, notify the breach to the Authority for the protection of personal data without undue delay and, where possible, within 72 hours of becoming aware of it, unless it is unlikely that the breach of personal data involves a risk for the rights and freedoms of individuals. A special telematic procedure is available on the Italian Authority site, which can be reached at https://servizi.gpdp.it/databreach/s/.

Notifications to the Authority made after the 72-hour deadline must be accompanied by the reasons for the delay.

In addition, if the violation entails a high risk for the rights of individuals, the data controller must communicate this to all interested parties, using the most appropriate channels, unless it has already taken measures to reduce the impact.

If the violation (even if not related to personal data) has been caused by illegal or fraudulent behaviour, it is appropriate to report it to the police (for example, the Postal Police).

How to prevent cyber attacks?

To limit the risk of cyber attacks as much as possible, adequate and up-to-date security measures must first be implemented. In fact, article 32 of the GDPR requires companies to adopt adequate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. This certainly involves an investment in IT security as well as periodic checks on the status of company systems.

It is advisable, then, to take care of the “human factor”, drawing up accurate policies on the use of IT tools, to be kept up to date, spreading knowledge within the company as widely as possible and monitoring the effective adoption by all staff of the established procedures.

It is also essential to provide regular training to staff.

Finally, it is also important to check the reliability of your external suppliers, and to ensure that they have appropriate contracts in place: providers with certifications or codes of conduct should be preferred.
