The Group Claiming To Have Hacked Sony Is Using GDPR As A Weapon For Demanding Ransoms

from the unintended-consequences dept

We’ve spilled a great deal of ink discussing the GDPR and its failures and unintended consequences. The European data privacy law was ostensibly built to protect the data of private citizens, and was also expected to result in heavy fines for primarily American internet companies; it has mostly failed to do either. While the larger American internet players have the money and resources to navigate the GDPR just fine, smaller companies and innovative startups cannot. The end result has been to harm competition, harm innovation, and create a scenario rife with harmful unintended consequences. A bang-up job all around, in other words.

And now we have yet another unintended consequence: hacking groups are beginning to use the GDPR as a weapon to threaten private companies in order to extract ransom money. You may have heard that a hacking group calling itself Ransomed.vc is claiming to have compromised all of Sony’s systems. We don’t yet have proof that the hack is that widespread, but hacking groups generally don’t lie about that sort of thing, since being caught in a lie ruins their “business” plan, and Ransomed.vc has also claimed that if a buyer isn’t found for Sony’s data, it will simply release that data on September 28th. So, as to what they actually have, we’ll just have to wait and see.

The hack was reported by Cyber Security Connect, which said that a group calling itself Ransomed.vc claimed to have breached Sony’s systems and accessed an unknown quantity of data. “We have successfully compromissed [sic] all of Sony systems,” Ransomed.vc wrote on its leak sites. “We won’t ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE … WE ARE SELLING IT.”

The site said the hackers posted some “proof-of-hack data” but described it as “not particularly compelling,” and also said that the file tree for the alleged hack looks small, given the group’s claim that it had compromised “all of Sony’s systems.” A price for the hacked data isn’t posted, but Ransomed.vc did list a “post date” of September 28, which is presumably when it will release the data publicly if no buyers are found.

But what really caught my attention was the description of how this particular group goes about issuing threats to its victims in order to collect ransoms. Part of the group’s reputation is that it compromises its victims, then hunts through the stolen data for GDPR violations, and sets its ransom demand below what the regulatory fine for those violations would be.

While the hackers say they’re not going to ransom the data, Ransomed.vc apparently does have a history of doing so, with a unique twist: Cybersecurity site Flashpoint said in August that Ransomed takes “a novel approach to extortion” by using the threat of the European Union’s General Data Protection Regulation (GDPR) rules to convince companies to pony up. By threatening to release data that exposes companies to potentially massive GDPR fines, the group may hope to convince them that paying a little now is better than paying a whole lot later.

“The group has disclosed ransom demands for its victims, which span from €50,000 EUR to €200,000 EUR,” Flashpoint explained. “For comparison, GDPR fines can climb into the millions and beyond—the highest ever was over €1 billion EUR. It is likely that Ransomed’s strategy is to set ransom amounts lower than the price of a fine for a data security violation, which may allow them to exploit this discrepancy in order to increase the chance of payment.”

And so because of the mess that the GDPR is, combined with its remarkable level of fines, the end result is that in some respects the EU has empowered rogue hacking groups to act as its unofficial enforcement wing for the GDPR. And that both sucks and certainly isn’t what the EU had in mind when it came up with this legislative plate of spaghetti.

Frankly, this has some parallels to other unintended boondoggles we’ve seen. What is making the hacking industry such a rich endeavor? Well, in part it’s the cyber-insurance industry and its habit of paying off the bad actors because it’s cheaper than helping its customers recover from ransomware and other attacks. All of which encourages more hacking groups to compromise more people and companies. The GDPR now appears to operate the same way for bad actors.

Well meaning or otherwise, when legislation purporting to protect private data and interests instead proves to be a weapon in the hands of the very people most interested in compromising those data and interests, it’s time to scrap the thing and send it back to the shop to be rebuilt, or discarded.

As to what this Sony hack actually is, for that we’ll have to wait and see.

Companies: sony


Comments on “The Group Claiming To Have Hacked Sony Is Using GDPR As A Weapon For Demanding Ransoms”

25 Comments
Anonymous Coward says:

So.. Is this actually bad?

Let’s step back here and think about what’s going on.

A company chose to violate the law. Because they know this they are then willing to pay criminals to avoid law enforcement.

The result is still companies being punished for their behavior. Possibly twice if the government decides to check things over after a hack.

I agree that small companies getting hurt by this is wrong though.

Anonymous Coward says:

Re: Re:

If companies don’t want to get hit with fines, maybe they should stop trying to suck up everyone’s data and then failing to secure it. The ones failing are the companies big and small who think they need all that damned data in the first place, and then whine about how expensive compliance is. “We want to devour all your data but don’t want to spend the time and money to properly secure it!” seems to be the battle cry of the money-grubbing companies. Don’t collect the data. Then you don’t have to pay for compliance. Nor do you have to pay for data breaches when you cut corners or do shady shit with the data like companies do.

I’ve pointed it out before: If you have corporate stooges trying to dismantle your law, like the author of this anti-GDPR rant was trying to do only to get eviscerated by the commentariat, then maybe it’s a good law.

Anonymous Coward says:

Re: Re:

Your support for the GDPR seems to hinge only on whether that law binds a person/company you dislike.

This is not what was said, and you know that. The distinction was made based on company size, highlighting the added difficulties for small businesses. This is a point that’s been touched on by likely every single one of the authors here at one point or another, as it relates to various regulations that have popped up over the years.

You’re better than this bad-faith strawman bullshit.

Anonymous Coward says:

Re:

I’m sorry Europe cares more about consumer rights than over here in America, Mike. I wish we had something like the GDPR…

Ah, but we do! See, we have §230, which says, “blame the speaker, not the platform”. Blame the criminals, not the victim.

Myself, I consider that even better than the GDPR.

NoShareEmailGuy says:

I’m sorry, this entire story is just weak as hell. Even the Flashpoint folks who described this are clear that they have no evidence that this has ever happened. At most, this is a novel variation of an old threat. Sure, it sounds scary: “the EU will fine you for data privacy violations for more than what it costs us to go away”, but that’s just a variation on old-fashioned threats they’ve used for years (like that the IRS will repossess your house). There’s literally no evidence presented here that a hack like this has ever resulted in a GDPR fine or that the fears of a fine are even vaguely warranted by the actual design or implementation of the law.


That One Guy (profile) says:

Unless I am really misreading this either the extortionists are bluffing hard and companies are falling for it or the law is so badly written that being the victim of a crime is itself a crime under the GDPR, and one that carries truly massive fines.

Either way it sure seems like the law was really poorly written if this extortion racket is actually working.

Phoenix84 (profile) says:

Re:

I’m not in the EU, so my understanding is limited.
As I understand it though, you are supposed to keep EU data isolated to EU servers, with an exception for in-use data, which must be destroyed once it’s no longer needed for current activities.

If Sony was hacked outside the EU, and all their EU data was accessible outside the EU, I think that’s the violation.

The only problem I have is the leaking of innocent customers’ data (which usually happens in these cases).
Sony though, is anti-consumer and deserves everything they get IMO.

That One Guy (profile) says:

Re: Re: Don't let your spite lead you to siding with extortionists

Which would be incredibly stupid no matter how much you hate the company impacted.

‘Hey you got hacked and refused to pay the attempted extortion, here’s a massive fine to add insult to injury because the hackers decided to spite you and release the data they got. No we don’t particularly care that this makes extortion attempts like that more likely and more effective.’

Anonymous Coward says:

Re:

Being the victim of a crime isn’t punishable under the GDPR. Having negligently weak security such that other people’s personal data gets breached is. Wikipedia has a list of instances where GDPR fines were issued, and you can see the reason for each one: generally, negligence.

https://en.wikipedia.org/wiki/GDPR_fines_and_notices

Also the idea that the company which was hacked (Sony in this case) is the victim is… kind of warped. The victims are the people whose personal data got breached. Like if someone went drunk-driving, hit a pedestrian and then crashed into a tree, the driver is not the victim in that situation.

N0083rp00f says:

Re:

Well that’s just the thing.
Are they bluffing?

I liken it to one group of crooks finding evidence on another group of crooks and asking for payment for the evidence.

Knowing SONY they most likely found the intrusion after the ransom demand, traced what was looked at, and erased all the evidence.

It would explain their smug reply.

Then again they did brick hundreds of PCs with their root kit loaded audio CDs and denied everything.

Anonymous Coward says:

hacking groups generally both don’t lie about that sort of thing or it ruins their “business” plan, and Ransomed.vc has also claimed that if a buyer isn’t found for Sony’s data, it will simply release that data on September 28th

I don’t find this particularly compelling. The attackers have a clear incentive to overstate the size of the breach: the more data is at stake, the more they can get for ransom or sale to a third party. The data is their product, so of course they would inflate its value. And they can always pretend to have found a buyer if the 28th comes and they don’t want to reveal that it’s not what they advertised.

GDPR allows companies to be fined for breaches, regardless of whether the attackers go on to sell the data to a third party. So the “pay us or face a GDPR fine” threat is empty; they will be liable for a GDPR fine whether or not they pay.
