Cybercriminals stealing more data; Privacy watchdog concerned
Cybercriminals are increasingly stealing data when they break into an organization’s computer systems. The criminals then threaten to release the information unless the victim pays a ransom. The number of cases involving this type of ransomware (digital extortion) nearly doubled last year compared to the year before. The Dutch Data Protection Authority (AP), the government’s privacy watchdog, has expressed concern about this.
Ransomware practices have existed for a few years. Initially, cybercriminals would only lock the compromised computer systems. They would only release their hold on the systems after receiving a fee.
Potential victims often responded to this by making backup copies, so that they could get their systems online again quickly. This has led criminals to focus more on internal data, which often contains confidential information. If the criminals are able to obtain this data and sell it, that gives them a new way to extort organizations. On some occasions, the criminals don’t even lock the system anymore.
The authority is calling on companies, governments, and other organizations to be more restrained when it comes to gathering data. “What you don’t have cannot be stolen.”
Data leaks can also occur by accident, for example, because a letter was sent to the wrong address. The AP received 37,839 reports of data leaks. That is an increase of almost 50 percent compared to the previous year. However, the watchdog claims that this statistic is misleading.
Last year, for instance, there was a cyberattack on AddComm, a company that helps businesses send letters and invoices to their customers. More than 5,400 organizations with over 1.5 million customers were affected and reported the breach to the AP. “We’re not seeing any particularly shocking fluctuations in the numbers,” said Nienke Kolthof, data breach coordinator at the regulator.
The AP has spoken to a share of the organizations involved in the ransomware incidents over the last year to get a better view of what went wrong. Two in five of the victimized groups thought that their security was in order. “We are surprised by this. It’s good to put plans on paper and think them through, but you also have to follow through on them. Just making a plan and doing nothing creates a false sense of security.”
The regulator is also concerned about the rise in popularity of Artificial Intelligence (AI). “The attacks are getting more sophisticated, making it easier to trick people. If I get a phishing email now, it’s written in perfect Dutch, well-designed, and the email address looks trustworthy,” said inspector Anne Bergen.
Reporting by ANP
