Ransomware attacks are still on everyone’s lips and represent an acute threat. Increasingly, attack groups are also stealing sensitive data records from the affected organization before they begin to encrypt the systems. A prominent example from last year is the cyberattack on the DAX-listed company Continental. In some cases, attack groups are now specifically targeting “only” data records. The attackers then use the stolen data to increase the pressure on the affected organization to pay the demanded ransom. They threaten to offer the data for sale, to contact the affected individuals directly, or to publish the data on the dark web. In some cases, the attack groups even threaten to inform the responsible data protection supervisory authorities and to point out vulnerabilities in the IT systems of the affected organization. From a data protection perspective, a leak of personal data and its publication is considered the absolute worst-case scenario.
If IT systems are compromised in a cyberattack, it is always necessary to check whether any data has been leaked in this context. In the case of ransomware attacks, it can also be expected (nowadays) that the attackers are also targeting data records. Since the forensic analysis of the incident is usually extremely complex, the support of specialized IT forensics experts is often required. The experts will attempt to use the available information exploit. Proving actual data leakage is often not easy and always depends on the specific design of the IT infrastructure and the available information.
Data analysis and data protection consequences
If a data leak is discovered on the dark web, numerous tasks arise for the data protection officer, the legal department, and the IT and public relations departments, which must be coordinated simultaneously. In order to meet the data protection requirements in this case, rapid and targeted action is required. First, it is necessary to clarify which data categories and which categories of people are affected by the leak, and what the approximate amount of data is. If the leaked data also contains personally identifiable information, a risk to the rights and freedoms of the data subjects can generally be assumed. If the relevant information cannot be gathered within the 72-hour period, the option of phased notification pursuant to Art. 33 (4) GDPR should be used.
Public notice
If it is not possible to identify the data subjects or if notifying them would involve disproportionate effort, the controller may make a public announcement instead of individual notification. However, the exception provided for in Art. 34 (3) (c) GDPR must be understood restrictively. It only applies if there is disproportionate effort, e.g. due to a very large number of data subjects or contact details that are difficult to determine, and the reasons should be adequately documented (accountability). In cases of doubt, it may be appropriate to ask the competent supervisory authority to issue a binding decision within the meaning of Art. 34 (4) 2nd Alt. GDPR.