An interesting point about ransomware was made to me after my most recent quarterly breach webinar. Essentially, the statement noted that ransomware is not the same as a data breach. While this is technically true for the most part, there is enough relevant overlap in the implications of these “not quite breaches” to justify discussing them during my quarterly reviews.
First and foremost, let’s talk about what a data breach is. At the highest level, a breach occurs when personal information is accessed by individuals who do not have permission to access that information. This could be a malicious group gaining access to the information by hacking or other means, or it could be an employee accidentally sending the information in an email. In other words, if people who should not have the information gain access to it, you have a breach.
Of course, the specific definition will vary depending on the jurisdiction in which you operate or where data subjects are located. The loose definition cited above covers why I discuss ransomware: attackers cannot encrypt files they do not have access to. It stands to reason that when ransomware is involved, unauthorized access is occurring.
Additionally, many recent incidents involving ransomware aren’t just a simple case of a group demanding bitcoins to decrypt some information. In one case, Electronic Arts, the maker of several video games, had ransomware placed on their systems, but the perpetrators behind this action took the source code for the popular FIFA series and tried to sell that online instead. Clearly, if they can get this kind of information, they can get at employee files or customer accounts.
Overall, while not every instance of ransomware includes a breach, most can and will. So while ransomware is not itself a breach, it is important for privacy programs to discuss it and understand what to do, in the same way they need to know how to respond to any unauthorized access of personal information.