Wave of data breach notifications could follow coronavirus crisis

Out-Law News | 04 May 2020 | 9:23 am

Cyber criminals may have exploited the coronavirus crisis to access data held by businesses without their knowledge, a cyber risk expert has said.

David McIlwaine of Pinsent Masons, the law firm behind Out-Law, said a reduction in the notification of personal data breaches to data protection authorities (DPAs) in Europe could indicate that some breaches have still to be identified by the organisations affected. This could have a knock-on impact on the volume of data breach notifications made to the DPAs in the months ahead, he said.

"Whilst expert view is that there has been a significant increase in cyber attacks during the pandemic, exploiting the distributed IT estate and cyber protections of businesses, in fact we have seen a slight slow-down in the number of data protection authority notifications over the same period," McIlwaine said. "This would indicate a worrying trend that many of the attacks have not yet been detected by organisations, and there is risk that the attacker remains within IT systems, undetected, and undertaking nefarious activities. If this is the case, we might expect a bow-wave of notifications in the near future."

"It is a timely reminder for businesses to ensure that their systems are logging and monitoring activity to the greatest extent they can – not only will this increase the likelihood of early detection, but it will also allow IT forensics to identify the footprint and activities of the attacker whilst in the systems," he said.

Europol is among the authorities that have warned about an increase in cyber attacks during the Covid-19 public health emergency. It found that the impact of the pandemic on cyber crime has been both tangible and striking compared to other criminal activities and that criminals active in the domain of cyber crime have been able to adapt quickly and capitalise on the anxieties and fears of their victims.

Specifically, Europol has highlighted the prevalence of phishing and ransomware campaigns designed to exploit the current crisis, and it warned that those attacks are expected to continue to increase in scope and scale.

Technology law expert Nadia Schaff of Pinsent Masons said particular cyber risks arise from the shift seen by many businesses during the pandemic to remote working.

"The huge number of people now working remotely can have serious unanticipated implications for IT and cybersecurity," Schaff said. "Businesses rely more on computer systems, mobile devices and the internet to communicate, share information and mitigate the impact of social distancing. The use of mobile devices to access company systems in particular, however, increases vulnerabilities."

"It is essential that businesses are adequately prepared for the changes in their cybersecurity risks. They should take suitable steps to safeguard their company IT systems and data, for example by offering practical training to make the newly remote workforce aware of the increased security risks, and by implementing technology measures – such as secured applications and devices for the remote workforce. Further measures might include embedding IT and cybersecurity into business continuity plans and crisis management," she said.