The ransom demanded for stolen or encrypted data is likely to rise after the General Data Protection Regulation (GDPR) compliance deadline in May 2018, according to a cyber security researcher.
The sums demanded by cyber attackers in the past have been fairly arbitrary, Hypponen believes, because there has been no way to determine exactly what data is worth to a targeted organisation.
But Hypponen said this will change when the GDPR compliance deadline arrives on 25 May 2018, because after that, companies can be fined up to 4% of their global annual turnover or €20m, whichever is greater, if data is leaked and they are found not to have looked after personal data properly.
“So while GDPR is good for the consumer, it also gives a price point for criminals because now they know how much money they should be asking,” he said.
Because the attackers know exactly what the data is worth, Hypponen said, they also know that companies are likely to be willing to pay anything less than that to avoid the full amount of the fine, and to avoid damage to the organisation’s reputation by keeping the breach secret.
As a result, he said, demands could go up to 2% or 3% of the targeted organisation’s global annual turnover, which, depending on the organisation, could be tens or even hundreds of millions of dollars instead of the current levels of thousands and low millions of dollars.