The Number Of Unreported Data Thefts Is High

Article filed under News


They stole sensitive data. To prevent publication, the taxi company has paid ransom. An isolated case?

This is probably a less common case. But the number of unreported cases is so high that we cannot say exactly how many cases there are. Not even in this order of magnitude.

Is it similar to kidnapping? You pay secretly and don’t talk about it.

That is quite comparable. In this case, however, Uber’s motivation was different. They didn’t want to talk about it to avoid damaging their image. It didn’t work, though. Because it became known after all.

In an ideal case of kidnapping, you get the person back, and that’s it. It’s harder with stolen data. There is no certainty that they were really destroyed and no copies exist.

The attackers would have to make it clear that they have no further commercial interest in this data and do not sell it on to third parties. But there is no guarantee. Therefore, the remaining risk cannot be reduced to zero by a ransom payment. Attackers with a criminal background must be expected to act accordingly.

What kind of attackers are they? Are these horrified employees, individual perpetrators, or is organised crime behind them? Can we even negotiate with them?
I think it’s quite negotiable with them. But here I would assume it’s organized crime. Because it also takes the courage to get out of cover, demand a ransom and set up a secure payment channel. This speaks for me for a criminal acting individual or rather an organization. One can almost certainly rule out that it was a dissatisfied employee. He probably wouldn’t have asked for a ransom, but would have chosen another form of repayment.

Is It Difficult To Get A Ransom?

Thanks to cryptocurrencies, this has now become easier. The attacker determines the battlefield and in which cryptocurrency he is paid. He will of course choose those where he assumes that little or no monitoring is possible.


“It would be right to call the police. The major cantons have cybercrime units.”

Experts Regularly Advise Against Paying Ransom. You Too?

I agree in principle. You shouldn’t cross-fund organized crime by paying ransom. However, there are justified exceptions. For example, if a hospital can no longer determine the blood group of an emergency patient in the short term, it may make more sense to pay a ransom in individual cases because there is a risk to life and limb. But these are special emergencies. We must also take into account the fact that attackers specifically cause such emergencies in order to increase the willingness to pay.

How Should A Company React When It Is Being Blackmailed?

The right reaction, in my view, is to involve the police. Cybercrime units already exist or are being set up in the large cantons. They’re perfectly capable of having a dialogue with the blackmailers. For example, on how to pay the ransom. This may provide them with additional information that may lead to the arrest of the perpetrators.

How High Is The Clearance Rate?

I don’t have exact numbers. However, I see in my advisory practice that whenever the police succeed in entering into a dialogue with the blackmailers, the awareness rate rises sharply. In virtual conversations, experienced detectives may be able to persuade the blackmailers to divulge more information. In addition, by reporting such cases more frequently, the police discover new methods and patterns. For example, which industries are in particular focus at the moment. But of course, it gets harder with offenders abroad. Then cooperation with other investigating authorities is necessary. This costs more and takes longer. Sometimes a case cannot be solved.

The image damage caused by a data theft that has become public is immense. It’s tempting to withhold information.

This is currently still possible. With the new European data protection directive this will no longer be an option. This calls for disclosure to be made within a short period of time. Then it’s against the law to keep a data theft a secret like Uber. In the USA, there is an obligation to inform people affected by data theft. That is why the public prosecutor’s office has already taken action in the Uber case.

“The number will increase. criminals see that they can make a profit with little risk.”

When companies are hacked, the extent usually comes to light in bits and pieces. First one million customers are affected, then two, and then suddenly everyone. Is it really that difficult to see the extent of data theft, or is it PR tactics?

It is actually very difficult to determine how long an attacker has had access to the internal systems. Uber’s database was apparently inadequately backed up. If you don’t know how long the attacker had to search the database for data and copy it, it is incredibly difficult to determine the extent of the theft. You may be able to set the upper limit because you know how much customer data was in this database, but you cannot tell which data was actually obtained.

Uber also reported that the data had not been misused.

That is, of course, a very weak guarantee. Maybe you haven’t seen it, or maybe the data will be used later. It’s really difficult for companies when they can’t accurately determine the timing and duration of the attack.

Data theft is felt more and more frequently. Is it time to just put up with it, or will the phenomenon disappear again?

I think the quota will rise. On the one hand, because criminals see that they can make a profit there with relatively little personal risk. On the other hand, we will have more cases because the awareness rate is still not good enough to keep up. We will also hear more frequently from affected companies about the new privacy policy. It is similar to recalls in the car industry. There was a time when cars were hardly recalled for fear of damage to their image. Then consumer protection has legally obliged the manufacturers to do so. Now the manufacturers accept the damage to their image and prefer to call back a defective model in order not to conflict with the law.

no comments


Comments are closed.