Ransomware, virtual data hijacking: whose fault is it?

I doubt that anyone reading this article has never had a device infected by at least one malicious file, what we commonly call a virus. Computer or smartphone, it makes no difference: it is practically impossible that this has never happened to you. It was even more common in the early days of commercial internet access in Brazil, in 1995, when many programs circulated by e-mail and, once executed, did things like flash the lights on the machine or pop open the CD-ROM tray.

Harmless, compared to today. At that time nobody cared about getting access to our data, because very few transactions could be done through internet banking and there were no marketplaces selling everything, as there are today.

Over the years, as technology and the internet advanced, and especially as financial and other services with market value moved online, malware became increasingly dangerous and sophisticated: it started collecting information such as passwords and the personal and sensitive data of both companies and users.

With the entry into force of the General Personal Data Protection Law (LGPD) in Brazil (note: I will refer only to Brazil), companies that in any way use, store or process data of their customers or of third parties are obliged to protect that information and, if something happens, may be held responsible for the leak. There are many types of attack, with different intents, so let’s focus on just one: ransomware.

But what is a ransomware attack?

Quite simply, it is an attack in which the criminal uses a type of “virus” which, once executed or opened on a computer or inside a network, spreads to all the equipment connected to that network. As a result, users are locked out of their files and systems, because the stored data has been encrypted; this is what is known as “virtual data hijacking”.


Simply put, data encryption is a mathematical way of encoding data so that it cannot be read without the key that unlocks it; recovering the readable form is an activity called decryption. The data is still there, but scrambled.
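To make “the data is there, but scrambled” concrete, here is a small added example (written for this edit, not code from the article or from any real ransomware): it encrypts a constructed sample record under a key, shows that the ciphertext no longer resembles the original, that only the right key recovers it, and that a wrong key or an altered ciphertext is detected rather than silently producing garbage. The cipher is a deliberately simple toy built from HMAC-SHA256 (a keystream in counter mode plus an encrypt-then-MAC tag), chosen so the example runs with the Python standard library alone; it is an assumption of this example, not a recommendation, and production systems use a vetted construction such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample record for the demo; not data from the article.
SAMPLE_PLAINTEXT = b"Customer ledger: Maria owes R$ 120,00; Joao paid in full."

NONCE_LEN = 16  # bytes of per-message nonce prepended to the ciphertext
TAG_LEN = 32    # HMAC-SHA256 tag appended to the ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random keystream from (key, nonce) via HMAC-SHA256 in counter
    mode. Toy construction for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. XOR with the keystream scrambles the
    bytes; the tag lets the receiver detect a wrong key or tampering."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Recover the plaintext, or return None when the key is wrong or the blob
    was altered. Without the key the bytes stay scrambled."""
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo() -> dict:
    """Round-trip the constructed sample and report what each party sees."""
    key = os.urandom(32)        # the key the legitimate owner (or the extortionist) holds
    wrong_key = os.urandom(32)  # what anyone without the key effectively has
    blob = encrypt(key, SAMPLE_PLAINTEXT)
    # Flip one bit inside the ciphertext to simulate corruption or tampering.
    idx = NONCE_LEN + 4
    tampered = blob[:idx] + bytes([blob[idx] ^ 1]) + blob[idx + 1:]
    return {
        "ciphertext_differs": blob[NONCE_LEN:-TAG_LEN] != SAMPLE_PLAINTEXT,
        "right_key_recovers": decrypt(key, blob) == SAMPLE_PLAINTEXT,
        "wrong_key_rejected": decrypt(wrong_key, blob) is None,
        "tampering_rejected": decrypt(key, tampered) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for the victim is the third line of the demo: with the wrong key (or no key at all) the scrambled bytes are useless, which is exactly what the criminal holds for ransom. The authentication tag is there because a cipher without one would happily “decrypt” under any key and hand back noise, so the check is what turns “wrong key” into a detectable failure instead of silent corruption.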

The attack can also come through a security breach in a company’s systems: the attacker gets into the network, quietly collects information and, once he has gathered all the data he wanted, launches the attack and demands a kind of “ransom” in exchange for the key that releases the data. This information gathering can take months, since everything has to be collected in a way that does not arouse suspicion.

If the ransom is not paid, the data may be erased, exposed on some network or sold to fraudsters. The truth, however, is that criminals have no interest in deleting the files, only in charging to unlock them: if they delete, they earn nothing. Only as a last resort, when no payment comes, is the data lost or published as a form of revenge, which can cause huge losses for whoever suffers this type of attack.

But can’t the payment be traced? Very difficult. These payments are made in crypto-assets such as Ethereum, Bitcoin, Cardano and hundreds of other “virtual currencies” that are practically impossible to track, because they are deposited in a virtual wallet (represented by a string of numbers and not linked to any financial institution) and can then be converted into cash and withdrawn without a trace.

Well, it is obvious that this is a crime, and it is provided for in article 154-A of the Penal Code, inserted by Law No. 12,737/2012, the famous “Carolina Dieckmann Law”. Before that, it was not a crime: whoever committed this act faced no penalty at all because, as I have said in other articles, if there is no law defining something as a crime, it is not a crime. However, the focus here is not on who commits the attack but on the consequences, which can be serious, for the companies and people who are its victims.

We know that no system is 100% failsafe. None. There is no point in coming here to say such a thing exists, because it is a lie. There are more secure and less secure systems, and it is through their flaws that criminals exploit vulnerabilities to break in. But the biggest cause of attacks is, and always will be, the “little piece” sitting in front of the computer. Who? You!

Yes, you: the one who opens files without knowing where they came from, who falls for phishing scams, or who insists on opening that e-mail with a huge, unbelievable offer. The human being is, and always will be, the one who opens the door to intrusions. Of course there are system failures too, but in far smaller numbers compared to our own wrong choices.


The big problem today is that companies are not investing in training their own employees and service providers. These people thus become easy targets for this type of “digital hijacking”, with consequences so serious that it might even be better if the data were simply erased, because if it leaks, the fines are high under the General Data Protection Law, Law No. 13.709/18.

Article 42 says that the controller (the one who decides what is done with the data) and the operator (the one who does what the controller decides) are jointly responsible for the damage their activities cause to users. So, if the data is exposed, the users who provided it can sue the companies jointly or individually and claim damages.

However, the damage must be proven: the mere fact that data was exposed does not mean the “owner” of the data necessarily suffered a loss. The leaked data must be important enough that, if used by other people, it causes material or moral damage.

That said, there are cases in which the damage is presumed, that is, it does not need to be proven. An easy example: your bank details are exposed on the internet and someone uses them to open accounts, apply for a credit card and run up the bill. I don’t need to prove that this harmed me, because it obviously causes me problems: my name ends up blacklisted and the bank can charge me for those purchases, so I am the one who has to prove I did not make the transactions. Another possibility is having it exposed that I suffer from some incurable disease, or something of the kind.

So as a company you can be sued if you are not careful, and we are not only talking about big companies. Any company, of any size: from the one with computerized data storage systems to the one that uses a notebook to keep track of what its customers owe.

Another problem is administrative: the penalties the National Data Protection Authority (ANPD) can apply in the event of a leak, which are provided for in article 52 of the law and vary according to the seriousness and size of the leak.

Companies are required to report these leaks, and article 48 is explicit about it. If they do not, the penalties can be significantly increased, since on top of the leak itself, the company did nothing to try to contain the event and did not inform its customers.

Do not do what happened in 2018, when a bank was breached and, even with some data exposed (to prove the intrusion had really occurred), it denied the episode and tried to intimidate TecMundo into taking the story down. Be responsible, admit the error and take steps to minimize or end the users’ losses.

So is it better to pay?

This is a big problem: to pay or not to pay? If you pay, who guarantees the data will not be exposed, or that the attacker will not hit you again? Remember that the attacker already knows your vulnerability and can use it once more to get into the system and hijack the data again, so part of the solution is to reinstall everything from scratch.

And if you do not pay, you may have to bear losses that can be even greater than the “ransom” demanded. Recently, JBS paid a ransom of more than US$ 11 million (roughly R$ 55 million) so that its operations could resume, while Embraer decided not to give in. But there is no way of knowing who was right or wrong, nor what data was exposed.

Yes, my friend. The responsibility always lies with the company. For now, training your staff may be the best you can do, along with preparing for incidents: showing what the consequences are if one happens and what can be done to reduce the odds.

In any case, your company must be prepared for the LGPD. So, how about it? Is your company on board?

*****

Rofis Elias Filho, columnist for TechWorld, is a geek and a lawyer, passionate about technology since childhood. He was the first on his street to have internet at home, in 1994, and specialized in Computer Law in Brazil and Portugal. Today he teaches the subject at several institutions, having been executive coordinator of the Post-Graduate Program at ESA/SP. He is a partner at Elias Filho Advogados and a lawyer for several technology companies in Brazil and abroad.
