Data breach caused by ransomware

Has there been an attack with ransomware in your organisation? This could mean that you have a data breach.

On this page you can read what you have to do if your organisation has become the victim of a ransomware attack. Here you can also read what you can do to mitigate the risk of a data breach caused by ransomware.

Infection with ransomware

Ransomware is a form of malware (malicious software) that takes a computer or files hostage. Usually, payment is demanded after that. An infection with ransomware can be contracted in various ways:

  • through phishing with infected files in an email attachment;
  • by abusing vulnerabilities in software (this risk is greater if software has not been updated);
  • through advertisements on the Internet that exploit a vulnerability (malvertising);
  • by hacking a computer network, after which the hacker installs ransomware on the network.

Ransomware may also infect files on connected hard disks, network storage, USB sticks and virtual (cloud) disks, or take them hostage.

Data breach caused by ransomware

Has ransomware encrypted files that contain personal data? Then this is a data breach. There must have been access to the files in order to encrypt them: first the files must be opened; only then can the ransomware encrypt the data and store the encrypted contents.

So when you see that the files have been encrypted, it is certain that an internet criminal has had access to the files and opened them. And that also means that this criminal has been able to view, copy, steal or manipulate the data in those files.

Establishing the scale of the breach

Has your organisation become the victim of a ransomware attack? Then you will have to establish the scale of the breach. This requires (technical) research. A commonly used method for this is a digital forensic investigation.

Without an investigation you are unable to establish the scale of the infection. You cannot assume that the breach has been restricted to the visibly infected file or system. The infection may affect the entire system and all linked files. As a result, it could be that:

  • Access has been obtained to a lot more personal data.
  • More has happened with the data than appears at first sight. The data may, for example, have been copied or manipulated.
  • The ransomware (or other malware) is already in the backups. As a result, just restoring a backup is not enough for putting a stop to the data breach.

By conducting an investigation (or having this conducted), you can determine which personal data have been accessed without authorisation. And whether the data have been copied, for example. When conducting an investigation, consider the following:

  • Because of the destructive nature of ransomware attacks, recovering the logfiles and finding out what actually happened is often difficult. Are you in doubt about the possible consequences of the unlawful access? Then proceed from the worst-case scenario.
  • You have to submit the factual findings of the investigation into the breach to the Dutch DPA, if the Dutch DPA asks for this. The Dutch DPA may also ask you to submit reports and other documents that were drawn up based on the investigation into the ransomware attack.

Do you not conduct an investigation? Then you have to assume that all data in the system, including in files and systems linked to that system, have been exposed to the breach. And that these data have been copied. You will have to inform all possible victims (data subjects whose data have been affected by the breach) in that case.

Is no information available with which you can establish what else has been done with the personal data? Then you cannot assume that the risk for the victims is limited. In other words: do you not have proof that personal data have been copied, for example? Then this is not the same as proof that the personal data have not been copied.

Logging

When establishing the scale of the breach, logging, and monitoring of that logging, can also help. This is possible when the system has been set up in such a way that all ways in which data can be accessed are logged.

When checking the logfiles, keep in mind that:

  • A thorough investigation of the firewall logfiles, and the conclusions drawn from it, are essential for establishing the risk for the possible victims: data may have been copied without leaving a trace in the system logs.
  • This is the case in particular when the attack is more sophisticated and the malware has the functionality to edit logfiles and remove traces. In that case, the attacker may have penetrated the system a good while before the encryption.
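As an added illustration of the kind of log review the points above describe (example code written for this page, not anything published by the Dutch DPA), the Python below runs three checks over constructed audit and firewall lines: a burst of renames by one account (the signature of mass encryption, which also gives the set of files to treat as accessed), gaps in the log sequence numbers (records removed), and a large outbound transfer from an internal host to an external address (copying that leaves no trace in the system logs). The log format, field names, thresholds, account names and addresses are all assumptions.

```python
"""Three checks over constructed file-audit and firewall log lines:
1) burst of RENAME/WRITE operations by one account (mass encryption),
2) missing sequence numbers (log records removed),
3) large outbound flow from an internal to an external host (exfiltration).
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the key=value format and field names are assumptions.
# Note the jump from seq=106 to seq=109: two records are missing.
FILE_AUDIT = """\
seq=101 ts=2024-03-01T02:00:00 user=svc_backup op=READ path=/srv/hr/payroll.xlsx
seq=102 ts=2024-03-01T02:00:01 user=svc_backup op=READ path=/srv/hr/contracts.docx
seq=103 ts=2024-03-01T03:10:00 user=jdoe op=RENAME path=/srv/hr/payroll.xlsx.locked
seq=104 ts=2024-03-01T03:10:01 user=jdoe op=RENAME path=/srv/hr/contracts.docx.locked
seq=105 ts=2024-03-01T03:10:01 user=jdoe op=RENAME path=/srv/hr/ids/scan01.pdf.locked
seq=106 ts=2024-03-01T03:10:02 user=jdoe op=RENAME path=/srv/hr/ids/scan02.pdf.locked
seq=109 ts=2024-03-01T03:10:03 user=jdoe op=RENAME path=/srv/hr/ids/scan03.pdf.locked
"""

# Constructed firewall flow records; 203.0.113.0/24 is a documentation range.
FIREWALL = """\
ts=2024-03-01T01:30:00 src=10.0.5.12 dst=203.0.113.50 dport=443 bytes_out=912345678
ts=2024-03-01T02:00:00 src=10.0.5.12 dst=10.0.0.5 dport=445 bytes_out=12000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_lines(text):
    """Turn each 'key=value key=value' line into a dict."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_sequence_gaps(audit_text):
    """Return the sequence numbers that are missing between the first and last record.
    A gap means records were removed (or never written); either way the log is not complete."""
    seqs = sorted(int(r["seq"]) for r in parse_lines(audit_text))
    missing = []
    for prev, cur in zip(seqs, seqs[1:]):
        missing.extend(range(prev + 1, cur))
    return missing


def find_encryption_bursts(audit_text, window=timedelta(seconds=60), threshold=4):
    """Flag accounts that RENAME or WRITE at least `threshold` files inside `window`.
    For each flagged account, return the peak in-window count, the file extensions it
    produced, and every path it touched (the minimum set of files to treat as accessed)."""
    by_user = defaultdict(list)
    for r in parse_lines(audit_text):
        if r["op"] in ("RENAME", "WRITE"):
            by_user[r["user"]].append((datetime.fromisoformat(r["ts"]), r["path"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        best, j = 0, 0
        # Sliding window: for each start index i, advance j while events stay in window.
        for i, (t_i, _) in enumerate(events):
            while j < len(events) and events[j][0] - t_i <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = {
                "count": best,
                "extensions": {os.path.splitext(p)[1] for _, p in events},
                "paths": {p for _, p in events},
            }
    return flagged


def find_large_egress(fw_text, internal_prefix="10.", threshold_bytes=100_000_000):
    """Flows from an internal host to an external address that moved more than the threshold.
    This is where copied data shows up when the system logs themselves show nothing."""
    hits = []
    for r in parse_lines(fw_text):
        external = not r["dst"].startswith(internal_prefix)
        if r["src"].startswith(internal_prefix) and external:
            sent = int(r["bytes_out"])
            if sent > threshold_bytes:
                hits.append((r["src"], r["dst"], sent))
    return hits


if __name__ == "__main__":
    print("missing log records:", find_sequence_gaps(FILE_AUDIT))
    for user, info in find_encryption_bursts(FILE_AUDIT).items():
        print(f"{user}: {info['count']} files in window, extensions {info['extensions']}")
        print("  affected paths:", sorted(info["paths"]))
    print("large outbound flows:", find_large_egress(FIREWALL))
```

The sequence-gap and egress checks are the two that matter most for the risk assessment above: a gap means the system log cannot be relied on to rule anything out, and a large outbound flow before the encryption is the kind of evidence that copying did happen even when the file audit shows only reads.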

Reporting to the police

Have you become the victim of ransomware? If so, it is important to report this crime to the police. In consultation with the Public Prosecution Service, the police may decide to start an investigation. In this way, you help map out criminal activities. This enables the police to detect criminal offences and prevent other people from becoming victims.

Reporting a data breach caused by ransomware

The consequences for the victims of ransomware attacks can be significant. This is because, in addition to encryption, there may be unauthorised access to, copying or further dissemination of the personal data affected.

Special personal data

Have special personal data been affected? Then you have to assume that the risk for the victims is high. And that you have to report the data breach to the Dutch DPA and to the victims.

Sensitive personal data

Have sensitive personal data been affected, such as copies of identity documents or credit card details? Then you also have to take a high risk for the victims into consideration, because these data may be abused for fraud or identity fraud. You have to report the data breach to the Dutch DPA and to the victims.

'Ordinary' personal data

Have personal data been affected that at first glance seem innocent, such as email addresses and telephone numbers? There may nevertheless be a high risk for the victims. For example when a large set of email addresses and supplementary personal data have been affected by the ransomware attack, and when you cannot, based on (technical) investigation, rule out that these data have been copied.

Criminals may abuse these data for sending spam, carrying out targeted phishing attacks and/or disseminating malware or ransomware. In addition, they may add these personal data to existing data sets that, for example, are sold on the Internet or the dark web.

That is why, in such a case, you always have to report the data breach to the Dutch DPA and to the victims.

Exception to the obligation to inform victims

Did you make the (possibly) leaked personal data incomprehensible or inaccessible for unauthorised persons by means of encryption? Then you do not have to inform the victims. This is a strict norm that you have to apply on a case-by-case basis, based on the state of the art. Moreover, this exception only applies if you meet all 3 of the following conditions:

  1. The data are still fully intact.
  2. You still have full control over the data. This means that you have a recent backup.
  3. The key used for the encryption or hashing has not been put at risk by the breach. And it also cannot be recovered by unauthorised persons with the technological means available.

Note: in these situations you do have to inform the victims about the data breach:

  • You doubt whether the technical measures taken by you are good enough.
  • Due to the ransomware, the data are no longer accessible to you and to the victims. And you do not have a backup. In this case, there is loss of personal data. Even if you had encrypted the data.

This is how you inform the victims

If you have been affected by a ransomware attack, you may have to inform a large number of victims about it. Do you have contact details, such as email addresses? Then the Dutch DPA expects you to use them for sending information about the data breach. A public announcement on your website or on social media is not enough in that case.

Always state clearly in your announcement to the victims what has happened. Always indicate in any case:

  • What type(s) of personal data (may) have been affected by the data breach.
  • Whether you can or cannot rule out that these personal data have been copied and/or accessed by the attacker.
  • What the possible consequences of the data breach are. Are the victims, for example, at the risk of becoming the target of (identity) fraud, spam and/or phishing attacks?
  • Which measures you take or have taken to mitigate the consequences of the data breach.
  • The contact details of the person in your organisation to whom victims can turn if they want more information about the incident.

Read more: This is how you inform victims about a data breach.

Mitigating the risk of a data breach caused by ransomware

You can mitigate the risk of a data breach caused by ransomware, or in any case limit the scale of any breach caused by ransomware. You do this by:

  • Installing software updates in time.
  • Not using outdated encryption algorithms or (network) protocols.
  • Segmenting (separating) computer networks and systems. This will limit any breach to the network directly affected.
  • Applying multifactor authentication to admin accounts and internal systems and processes. This prevents unauthorised persons from having direct access to systems and prevents or restricts their free movement between different servers within the network.
  • Storing data offline, including backups.
  • Properly logging and monitoring access to data. As a result, the duration of a breach may be limited and you will be able to take swift action.