The Information Commissioner’s Office (ICO) is the UK authority that upholds information rights and promotes openness from public entities and data privacy for individuals. UK businesses should inform the ICO when they experience a data breach.
The ICO helps to guide organisations and individuals regarding ransomware and data protection compliance and provides steps businesses can take to comply with the UK Data Protection Act.
- What Is Ransomware?
- The Data Protection Act
- How Ransomware Affects Data Protection
- Ransomware and Data Protection: 8 of Your Responsibilities
This article contains a high-level overview of the ICO’s guiding principles, a general explanation of ransomware, and how the Data Protection Act guards against it.
What Is Ransomware?
Ransomware is malware that compromises a user’s device, whether a mobile device, laptop, or desktop, and encrypts the data on it so that the user can no longer access it. It can then spread to other computers on the network, repeating the damage on each device and eventually reaching servers and backup storage systems.
The individual user or company is usually directed to a web page to make a ransom payment. In return, the attacker promises to provide the key needed to decrypt the data.
Often, the demanded payment is in an untraceable cryptocurrency like Bitcoin. Companies often elect to pay the ransom, even though there is no guarantee they will recover the encrypted files. Most often, these encrypted files are never recovered.
The Data Protection Act
The UK Data Protection Act of 2018 regulates how businesses, governments, or other organisations use personal information. It is the UK’s implementation of the General Data Protection Regulation (GDPR).
Under the Data Protection Act, businesses that use personal data must follow strict rules, called the data protection principles. Those principles include ensuring that information is:
- Used lawfully, fairly, and transparently
- Used for specified purposes
- Used in a way that is limited to only what is necessary
- Accurate and up to date
- Kept for only as long as necessary
- Handled with appropriate security and protected against unauthorised processing, access, loss, or damage
How Ransomware Affects Data Protection
Ransomware attacks are among the most common cyber incidents that affect personal data. Such an attack leads to the temporary loss of access, theft, or even permanent data loss. The National Cyber Security Centre (NCSC) has named ransomware the most significant cyber threat in the UK.
Cybercriminal gangs continuously find new ways to pressure organisations to pay the ransom. In addition to encrypting the data, they may threaten to publish it on the dark web, thus exposing the private data of hundreds to thousands of clients.
While sectors such as health, education, legal services, and business are all targets, any company that processes personal data is at risk. Part of the reason is the lowered barrier to system entry, especially now that ransomware-as-a-service packages are available on the dark web.
Ransomware and Data Protection: 8 of Your Responsibilities
Next are eight scenarios presented by the ICO that describe the most common compliance issues. Reviewing these scenarios provides businesses with examples for understanding the importance of proper data protection compliance and reporting.
1. Businesses of Every Size Must Take Responsibility
Businesses of all sizes, no matter how large or small, must be responsible for data protection. Those responsibilities include the following:
– Data Security Policies and Classification
Even small businesses must establish, communicate, and enforce a defined set of security policies that provide direction to employees and designate the appropriate levels of security.
Furthermore, these policies should identify and classify the types of personal data the organisation processes. For example, large volumes of data, children’s data, and other special categories require higher classification.
– Technical Control Selection
All organisations should document appropriate controls to protect personal data. They should review and apply the National Cyber Security Centre (NCSC) Mitigating Malware and Ransomware guidance to define the practical controls implemented to prevent ransomware.
– Access Controls and Vulnerability Management
Businesses should establish strong access controls for the systems processing personal data; multi-factor authentication is one example of a robust access control.
The same principle applies to patch management, especially for critical patches and internet-facing services. See the NCSC Vulnerability Management guidance for additional detail.
– Staff Awareness and Education
All staff should receive training on ransomware and other cyberattacks, including phishing and malware. IT teams should receive more specific security training.
– Detection, Incident Response, and Disaster Recovery
With proper controls and processes in place, organisations can detect and respond to an attack before it has a chance to damage personal data. Smaller organisations can implement these controls using the NCSC Logging Made Easy solution.
If a ransomware attack makes it through, an incident response plan guides the organisation through the event to minimise damage. Thus, the response plan should be tested regularly, following the example provided in the NCSC Exercise in a Box.
Testing enables organisations to assess and evaluate within a controlled environment using vulnerability scanning, audits, penetration testing, and accreditation against security standards like NCSC Cyber Essentials and other notable standards.
Disaster recovery plans support businesses in restoring personal data as quickly as possible. Offline backups and other measures that restore personal data are described in the NCSC guidance “Offline backups in an online world.”
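The detection point above is that an attack should be spotted before it damages much personal data. The following is an added example, not code from the ICO, the NCSC or Logging Made Easy, of the kind of rule a small security team can run over endpoint file-activity logs: it flags a process that writes or renames many distinct files within a short window, the signature of bulk encryption, and reports any unfamiliar extensions the renamed files gained. The log format, the process names and every file path are constructed for the example; a real deployment would adapt the parser to its own endpoint telemetry.

```python
"""Flag bulk file-encryption behaviour in constructed endpoint file-activity logs.

Assumed (hypothetical) log line format, one event per line:
    <ISO timestamp> <user> <process> <action> <path>
    <ISO timestamp> <user> <process> rename <old path> -> <new path>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how long a burst may last
THRESHOLD = 20                   # distinct files touched in the window before alerting
# Extensions the organisation expects to see on its file shares (constructed list).
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".bak"}

# --- constructed sample log (not real telemetry) -------------------------------
_lines = [
    "2024-03-01T09:00:01 alice winword.exe write C:\\Users\\alice\\report.docx",
    "2024-03-01T09:00:05 alice excel.exe write C:\\Users\\alice\\budget.xlsx",
    "2024-03-01T09:10:00 bob svchost.exe read C:\\Windows\\System32\\kernel32.dll",
]
# A legitimate backup job: 30 files, but spread over 7.5 minutes (one every 15 s).
for i in range(30):
    _lines.append(f"2024-03-01T10:{i // 4:02d}:{(i % 4) * 15:02d} svc backup.exe write D:\\Backups\\file{i}.bak")
# Ransomware-like burst: 25 documents renamed to a new extension within 25 seconds.
for i in range(25):
    _lines.append(f"2024-03-01T09:15:{i:02d} alice updater.exe rename "
                  f"C:\\Shares\\HR\\doc{i}.docx -> C:\\Shares\\HR\\doc{i}.docx.locked")
SAMPLE_LOG = "\n".join(_lines)


def parse_event(line):
    """Split one log line into a dict; rename events carry both old and new path."""
    ts, user, proc, action, rest = line.split(" ", 4)
    old_path, new_path = (rest.split(" -> ") if action == "rename" else (rest, None))
    return {"time": datetime.fromisoformat(ts), "user": user, "process": proc,
            "action": action, "path": old_path, "new_path": new_path}


def extension(path):
    """Return the final extension of a Windows path, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_bulk_encryption(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (user, process) that touched >= threshold distinct files
    inside any window-sized interval. Reads are ignored: encryption writes or renames."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] in ("write", "rename"):
            by_actor[(ev["user"], ev["process"])].append(ev)

    alerts = []
    for (user, proc), events in by_actor.items():
        events.sort(key=lambda e: e["time"])
        in_window = Counter()   # path -> occurrences inside the sliding window
        start = 0
        for end, ev in enumerate(events):
            in_window[ev["path"]] += 1
            # Slide the window start forward until it spans at most `window`.
            while ev["time"] - events[start]["time"] > window:
                old = events[start]["path"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                unusual = {extension(e["new_path"]) for e in events[start:end + 1]
                           if e["new_path"] and extension(e["new_path"]) not in EXPECTED_EXTENSIONS}
                alerts.append({"user": user, "process": proc,
                               "first_seen": events[start]["time"].isoformat(),
                               "files": len(in_window),
                               "unusual_extensions": sorted(unusual)})
                break   # one alert per actor is enough to trigger a response
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_encryption(SAMPLE_LOG):
        print(alert)
```

The backup job in the sample touches more files in total than the ransomware-like process but never twenty within a minute, so only the burst is reported; tuning the window and threshold to the organisation’s own file-server activity is what keeps the rule from firing on legitimate batch jobs.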
2. Determining a Personal Data Breach
Your first step is to determine whether there was a data breach and whether you need to notify the ICO.
The UK GDPR defines a personal data breach as a security breach that leads to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In a ransomware attack, you may lose timely access to personal data when the attacker encrypts the files. Temporary loss of access is also a data breach, for example while security teams restore data from a secure backup.
Once you have determined a security breach occurred, you must decide whether to notify the ICO.
3. Data Breach Notification
Businesses must notify the ICO of a personal data breach no later than 72 hours after becoming aware of it unless the breach is deemed a low risk to the rights and freedoms of individuals. To determine this, the organisation must conduct a formal risk assessment.
You do not have to report if the assessment shows that a risk is unlikely. However, keep a record of the incident and the subsequent investigation. Without adequate logs, you will not have the evidence you need to make an informed decision.
The ICO may ask you to present your logs to verify your determination that no data was compromised. For more logging information, refer to the NCSC blog post, “What Exactly Should we be Logging?”
The ICO offers guidance and a self-assessment tool to assist organisations in reporting a breach. In addition to the self-assessment tool, the ICO operates a personal data breach helpline, and staff can advise you regarding the next steps.
4. Contact UK Law Enforcement
In the event your organisation experiences a ransomware attack that has breached personal data, you are advised to inform UK law enforcement via Action Fraud.
You also need to notify the individuals impacted; however, law enforcement may advise you to delay notification while collecting evidence. The challenge is how to comply with the criminal investigation and your GDPR obligations.
First, you are correct in notifying UK law enforcement, and the ICO works closely with them to provide a multi-agency response to ransomware attacks. Recitals 86 and 88 of the UK GDPR provide guidance related to delaying data subject notification:
- Recital 86 stipulates that data subjects should be made aware as soon as reasonably practicable, and the business should cooperate with the law enforcement agency leading the investigation.
- Recital 88 further states that any procedures should consider that early disclosure may hamper the investigation into the personal data breach.
If UK law enforcement asks you to delay public notification, continue to work closely with the ICO. This allows them to work with you and law enforcement to assess the individuals’ risk under the respective legislation.
5. Understanding Common Attack Methods
The ICO sees patterns in common malware attacks that your IT security team can use to fortify your organisation’s security systems. The ICO documents the Tactics, Techniques, and Procedures (TTPs) that describe how attackers can compromise data.
The ICO has identified four of the most common TTPs from their ransomware casework and has made them available to organisations as support for implementing appropriate security measures. They are as follows:
– Phishing & Social Engineering
Attackers use phishing to trick victims into providing sensitive information, and it is also a standard method of delivering ransomware by email. Your business’s security strategy should include staff training on phishing and social engineering. In addition, you should consider tailoring the measures in the NCSC Phishing Attack guidance to your organisation.
– Remote Endpoints
The most common network entry point is through remote endpoint devices such as laptops, mobile phones and tablets with inadequate or outdated security. Attackers will use these devices as the entry point, and from there, they can capture user login credentials via keylogging to gain further access deeper into the network.
Your security teams should perform a risk assessment and document your remote access solution to ensure you have a strong access control policy to respond to risks.
– Privileged Account Compromise
Once an attacker gains access to the network, they often target a privileged account, like a domain administrator account. Once they elevate their privileges to the domain administrative level account, they can deploy their malware with its ransomware payload through the entire network, including cloud storage/backup solutions.
Thus, security for privileged accounts must be a priority for your organisation. Your IT teams can better support these accounts by regularly reviewing permissions, following the principle of least privilege, and performing a risk assessment of privileged group memberships and approvals.
– Known Software or Application Vulnerabilities
Attackers often exploit known vulnerabilities for which patches are already available. They can also strike in the brief period before a patch is released, as with zero-day exploits.
Your IT teams should consider the following when managing known vulnerabilities:
- Identify organisation assets, including the software and applications.
- Define your approach to the patch management lifecycle, including how your teams identify, assess, acquire, test, deploy, and validate patches.
- Maintain vendor software and applications.
- Perform vulnerability scanning to identify internal and external hardware and software vulnerabilities.
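The first two steps above, identifying assets and assessing which of them are missing patches, can be expressed as a simple gap analysis. The following is an added example and not code from the ICO or NCSC: it takes a constructed software inventory and a constructed baseline of minimum fixed versions (the product names and version numbers are hypothetical), compares versions numerically rather than as strings, and ranks the findings so that internet-facing assets, which the guidance singles out, come first. Assets with no baseline entry are reported separately because an inventory gap is itself a finding.

```python
"""Patch gap analysis over a constructed asset inventory (added example)."""
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    software: str
    version: str
    internet_facing: bool

# Constructed baseline: minimum version that contains the fix (hypothetical products).
BASELINE = {
    "WebGateway": "4.2.1",
    "MailRelay": "2.8.0",
    "OfficeSuite": "16.0.3",
}

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    Asset("web01", "WebGateway", "4.10.0", internet_facing=True),   # newer than 4.2.1
    Asset("web02", "WebGateway", "4.1.9", internet_facing=True),    # missing patch
    Asset("mail01", "MailRelay", "2.7.5", internet_facing=True),    # missing patch
    Asset("ws-17", "OfficeSuite", "16.0.1", internet_facing=False), # missing patch
    Asset("ws-18", "OfficeSuite", "16.0.3", internet_facing=False), # up to date
    Asset("legacy01", "ReportTool", "1.0", internet_facing=False),  # not in baseline
]


def parse_version(text):
    """'4.10.0' -> (4, 10, 0). Tuples compare numerically, so 4.10 > 4.2,
    whereas the strings would compare the other way round."""
    return tuple(int(part) for part in text.split("."))


def find_missing_patches(assets, baseline):
    """Return (findings, unknown) where findings are assets below the baseline,
    highest priority first, and unknown are assets with no baseline entry."""
    findings, unknown = [], []
    for asset in assets:
        required = baseline.get(asset.software)
        if required is None:
            unknown.append(asset)
            continue
        if parse_version(asset.version) < parse_version(required):
            findings.append({
                "host": asset.host,
                "software": asset.software,
                "installed": asset.version,
                "required": required,
                "priority": "high" if asset.internet_facing else "medium",
            })
    # Internet-facing (high) first, then alphabetical by host for a stable report.
    findings.sort(key=lambda f: (f["priority"] != "high", f["host"]))
    return findings, unknown


def report(assets=INVENTORY, baseline=BASELINE):
    """Human-readable summary of the gap analysis."""
    findings, unknown = find_missing_patches(assets, baseline)
    lines = [f"{f['priority'].upper():6} {f['host']:10} {f['software']} "
             f"{f['installed']} -> needs {f['required']}" for f in findings]
    lines += [f"REVIEW {a.host:10} {a.software} {a.version} (no baseline entry)" for a in unknown]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The `web01` entry shows why versions must be parsed: as strings, "4.10.0" sorts before "4.2.1" and a naive comparison would wrongly report the newest gateway as unpatched, while the genuinely outdated `web02` and `mail01` are the ones a vulnerability scan should confirm first.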
6. Disaster Recovery
A ransomware attack can be devastating, so planning for one is essential to ensure proper measures are in place. This includes a disaster recovery plan.
For small to medium organisations, the NCSC Small Business Guide: Response and Recovery has practical advice to assist in developing a ransomware defence plan. Refer to the NCSC Incident Management guidance if yours is a larger organisation.
Regardless of the size of your organisation, backing up your data is one of the most effective controls in mitigating risks. In addition, you should also perform a threat analysis against your backup solution.
At Securus Communications, we highly recommend a cloud-based backup solution that uses a combination of immutable backups and air-gap technology to ensure your archived data is safe.
7. Ransomware Payment
The ICO and UK law enforcement do not condone paying ransom demands. Before paying any ransom, businesses should remember they are dealing with criminals. Paying the ransom doesn’t guarantee that you will receive the decryption key.
In addition, the attacker will often take the money for the decryption key and then demand a second payment, or they will publish the data. If you pay the ransom to avoid the data being published, the data remains compromised, and you must act accordingly. You must be prepared to mitigate the risks even though you paid the ransom.
Furthermore, the UK GDPR requires “appropriate measures” to restore the data in the event of a ransomware attack. The ICO does not recognise a ransom payment as an “appropriate measure.” Appropriate measures are risk assessments, threat assessments, and offline and segregated backups.
8. Security Testing Obligations
The UK GDPR requires that businesses regularly test, assess, and evaluate their technical controls. The ICO suggests some methods that can support you in developing appropriate testing measures. These include the following:
- Breach notification: Test your incident response plan regularly to be ready for an actual incident.
- Account management: Audit your user accounts to ensure they are still necessary and have the correct privileges. Implement controls that identify weak passwords.
- Patch management: Implement a vulnerability scan protocol to identify weak network spots like missing patches.
- Attack tactics, techniques, and procedures: Perform a risk assessment and document your security controls. Doing so ensures they are fortified enough to resist known TTPs.
- Audit: Perform regular audits against a proven security standard such as Cyber Essentials, which is ideal for smaller organisations, or ISO 27001 for larger organisations.
- Disaster recovery: Perform regular tests of your disaster recovery plan to ensure it remains effective.
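The account management item above, and the privileged account review in scenario 5, both reduce to questions that can be asked of a directory export: which accounts have not been used for months, which privileged group members are not on the approved list, and which accounts still carry a known-weak password. The following is an added example, not code from the ICO or NCSC, that runs those checks over a constructed export. The export format, the group and account names, and the use of unsalted SHA-256 for the stored password hashes are all hypothetical simplifications for illustration; a real directory uses different hash formats, but the pattern of comparing stored hashes against hashes of a deny list, rather than handling plaintext passwords, is the same.

```python
"""Account audit over a constructed directory export (added example)."""
import hashlib
from datetime import date, timedelta

STALE_DAYS = 90
# Approved membership of the privileged group (constructed; would come from a change record).
APPROVED_PRIVILEGED = {"Domain Admins": {"da-alice"}}
# Deny list of known-weak passwords, stored only as hashes so plaintext never sits in the tool.
_WEAK_PASSWORDS = ["Password1", "Welcome123", "Summer2024!"]
WEAK_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in _WEAK_PASSWORDS}


def _h(password):
    """Hypothetical directory hash (unsalted SHA-256) used only to build sample data."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed export: name, enabled flag, last logon, group memberships, password hash.
EXPORT = [
    {"name": "alice",   "enabled": True,  "last_logon": date(2024, 5, 28),
     "groups": ["Users"], "pw_hash": _h("correct-horse-battery-staple-9")},
    {"name": "da-alice", "enabled": True, "last_logon": date(2024, 5, 27),
     "groups": ["Domain Admins"], "pw_hash": _h("Tq7!vR2#pLm9$wXe")},
    {"name": "da-bob",  "enabled": True,  "last_logon": date(2024, 5, 29),
     "groups": ["Domain Admins"], "pw_hash": _h("Summer2024!")},   # unapproved + weak
    {"name": "contractor7", "enabled": True, "last_logon": date(2023, 11, 2),
     "groups": ["Users"], "pw_hash": _h("Welcome123")},            # stale + weak
    {"name": "svc-old", "enabled": False, "last_logon": date(2023, 1, 15),
     "groups": ["Domain Admins"], "pw_hash": _h("Zx9#Lq2!Vb4$Mn7")},  # disabled but privileged
]


def audit_accounts(accounts, today, stale_days=STALE_DAYS,
                   approved=APPROVED_PRIVILEGED, weak_hashes=WEAK_HASHES):
    """Return a sorted list of (account, issue) findings."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        name = acct["name"]
        if acct["enabled"] and acct["last_logon"] < cutoff:
            findings.append((name, f"stale: no logon since {acct['last_logon']}"))
        for group in acct["groups"]:
            if group in approved:
                if name not in approved[group]:
                    findings.append((name, f"unapproved member of {group}"))
                if not acct["enabled"]:
                    findings.append((name, f"disabled account still in {group}"))
        if acct["pw_hash"] in weak_hashes:
            findings.append((name, "password matches known-weak deny list"))
    return sorted(findings)


def summarise(findings):
    """Count findings per issue type for a management summary."""
    counts = {}
    for _, issue in findings:
        key = issue.split(":")[0].split(" ")[0]   # 'stale', 'unapproved', 'disabled', 'password'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for account, issue in audit_accounts(EXPORT, today=date(2024, 6, 1)):
        print(f"{account:12} {issue}")
```

Run against a real export this would be a recurring control: the approved-membership set is the evidence that privileged access was reviewed, and the stale and deny-list findings are the input to the clean-up the guidance describes.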
More often than not, victims of a ransomware attack find that their data backups have also been encrypted and thus unusable. If there were only one thing we could recommend to all businesses, that would be to invest in a secure cloud-based air-gap immutable backup storage solution.
This article presented a condensed overview of the data breach guidance provided by the ICO to aid organisations of all sizes. We strongly recommend that you visit the ICO website for a more detailed guide on data breach prevention and processes if you find yourself compromised.