With the GDPR only three months away, there is a nervous sentiment running through the media. There are plenty of reasons to be worried, especially for those organisations that were still not fully compliant with the 1998 Data Protection Act. But the risk of extortion really should not be one of those reasons.

Has ransomware run its course? Probably not, as we expect to find out in the EPSRC multidisciplinary research project EMPHASIS. The volatility of bitcoin, the lack of financial gain and worm-like spreading of WannaCry and NotPetya, and the latter's likely destructive motivation, all indicate shifting patterns of behaviour. Security software is also emerging that prevents attacks or catches them early. But we also know that there is still plenty of potential for sophisticated targeted ransomware attacks around.

We see ransomware as the first potential method for high-profit, complex organised cybercrime. Following on from there, all of us need to think creatively about similar, and similarly successful, methods. Extortion based on threats or actual cyber attacks is already a reality, because of the reputational and business cost that an attack can cause. However, extortion via GDPR fines is not a realistic addition to the criminal repertoire.

Several recent headlines in this area can be traced back to the security vendor Trend Micro, which has just released its 2017 round-up report. Although there is only a single innocuous mention of GDPR in the 37-page report, the accompanying press release contains a throw-away line:

"...it's likely that some will try to extort money from enterprises by first determining the GDPR penalty that could result from an attack, and then demanding a ransom of slightly less than that fine, which CEOs might opt to pay."

Let us look first at "determining the GDPR penalty that could result". Too many GDPR discussions move all too quickly to the maximum fines: €20M (or 4 per cent of annual turnover) for one class of breaches, and half of that for another class. The GDPR itself says no more than that. Could the blackmailer perhaps determine the likely fine from past trend data?

Looking just at the UK, the ICO has had the power to fine up to half a million pounds since 2010. To date it has never fined anyone more than £400,000. The ICO issued 54 fines in 2017, for a total of just over £4M. Around £3M of that was for unsolicited marketing in one form or another.

The most liberal interpretation of "security" applies to only nine of these monetary notices, for a total of just over £700,000. The highest fine was £200,000 for a hospital dealing insecurely with information about IVF treatment. The lowest was an almost symbolic £1,000 for a barrister making unencrypted sensitive customer information visible online.
