Rise in cyberattacks prompts investment in information security and data protection

A recent study by Unit 42/Palo Alto Networks revealed record ransomware attacks in 2021. Criminal data leaks increased 85%, and there was also a 75% rise in the average amount of money being demanded for data release – altogether, over BRL 2.5 million. As we mentioned previously, this malicious software encrypts data and makes its release and secrecy conditional on payment in money or cryptocurrencies. The study also pointed out that cybercriminals are perfecting their techniques, and have begun to combine hijacking and encryption of data with subsequent attacks such as DDoS (Distributed Denial of Service), as well as releasing data on dark web leak sites.

In 2022 there have been no significant changes in the gross number of detected attacks, according to Brazilian newspaper Folha de S.Paulo. Attacks have become more sophisticated this year – now including “multi-extortion” techniques – and reach their targets more efficiently, revealing a change from indiscriminate attacks (through massive dissemination of ransomware) to careful selection of targeted companies. This has led to an increase in the sums these criminals are obtaining, although the total number of attacks has not risen. The combination of these techniques and their increased sophistication can make simple offline backups ineffective: backups do not eliminate the harmful potential of attacks, since website takedowns and data leaks can cause significant financial, reputational and intangible asset losses; service interruption; and sanctions by authorities.

Thus, studies reiterate that prevention is the only way to reduce risks. Customized incident response plans are crucial, and must be constantly implemented, reviewed and tested to correctly identify bottlenecks and threats to operations. It is increasingly evident that an effective and resilient digital compliance structure is fundamental to align stakeholders’ expectations and to control damages. It should also be noted that Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais/LGPD) provides for the use of harm reduction mechanisms to reduce fines from personal data leaks, which makes good practices and governance worthwhile for several different reasons.

For more information about the legal handling of incidents involving personal data, and about governance strategies for data privacy and protection, please contact our specialized team.

Sources:

https://www.cnnbrasil.com.br/business/pagamentos-por-resgates-de-dados-aumentam-78-em-2021-diz-pesquisa/;

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf;

https://www1.folha.uol.com.br/tec/2022/04/grupos-de-cibercrime-se-profissionalizam-e-lucro-dispara.shtml.