Ransomware – Consumer response plans
How can data processors optimise resources, minimise costs and protect consumers?
Long held fears about the growing threat posed by ransomware have proved well founded. As we predicted, ransomware has continued to increase and become the attack method of choice for cyber criminals today. In the first nine months of 2023, we have seen a sustained increase with ransomware gangs like CL0P becoming dominant in the space. This period saw a large number of simultaneous attacks, including the highly publicised MOVEit vulnerability– which is one of the most systemic exploitations we have seen to date.
What is ransomware?
Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal*.
View from the front line
The Experian Crisis & Data Breach Response team have been supporting companies and organisations of all types to deal with the fallout of these types of incident. We have seen an increase of over 200% from 2022 and we still have three months left in 2023. In this time, particularly with vulnerabilities like MOVEit, we have seen that data processors have really suffered. These organisations hold multiple clients’ data and need to understand how to traverse not only the consumer recovery but also manage their clients at the same time.
In this post I would like to share some of our experiences of working with companies on their consumer and employee recovery plans and how the increase of “data processor incidents” has added extra layers of complexity to the process.
What are data controllers and data processors?
Under UK GDPR, organisations responsible for handling personal data are categorised as either ‘controllers’ or ‘processors’. Controllers are organisations that determine the purpose and means of processing personal data. They have a direct relationship with the customer or end user.
Processors are organisations that process personal data on behalf of controllers. These are usually outsourced service providers, appointed to handle or manage data for a purpose defined by the controller. They could include payroll providers, marketing agencies, printing companies, pension management and HR providers, and other business process outsourcers.
Managing customer communication
We have seen that ransomware attacks on data processors provide additional challenges in managing the recovery. Data processors do not have a direct relationship with the consumer whose data has potentially been compromised. Ultimately, it is their client – the data controller – who has that relationship.
Therefore, the data controller often feels it is their responsibility to send out communications to the media, internal and external stakeholders, as well as the individuals affected. Their focus will be on providing reassurance, protecting their brand and reputation, and mitigating the financial impact of the event.
This situation can cause tension, since the outsource partner (the data processor) would like to use economies of scale across potentially multiple clients to provide a more cost-effective recovery solution. They may want to use recovery services from firms like Experian to provide reassurance and peace of mind to those employees and consumers impacted.
This can cause particular challenges when it comes to the timing of notifications sent out to customers and employees. Not only will the client want to communicate in a certain manner in line with their culture and values, but they will also want to control the timing of those communications. This can cause issues where call centres or monitoring services, are being mobilised for multiple clients rather than one.
Marshalling resources
One of the key areas for data controllers and processors to agree on is when notifications go out, and in what order. It’s important to understand that if all notification communications are sent at the same time, it will cause a huge demand spike from those customers who want further information. By agreeing to stagger communications over a defined timeline, call centre and other inbound communication resources can offer a faster and more efficient service, providing comfort and reassurance to those people impacted during this unsettling time.
Focus on consumers and employees
A co-ordinated response from all parties does provide the best results to the individuals impacted by a data breach. Being informed that your personal data may have been compromised is bad enough, but not being able to speak or communicate with someone to understand more and gain some comfort just compounds the issue. Greater coordination enables resources to be optimised, reduces the overall time to successful resolution, minimises costs through economies of scale – and reduces the financial and reputational damage caused to the affected parties.
How can we help?
Reducing the financial and reputational damage should always be the ultimate goal for any organisations impacted by a ransomware attack. Consumers need to be at the heart of any crisis response plan.
If you want to learn more about dealing with ransomware incidents and managing the people recovery process, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.
Further reading
Ransomware response for education providers and charities
Ransomware attacks have been sweeping the globe. Find out how to manage post-breach situations in the education and charity sectors.
Why consumers need to be central to crisis response plans
The impacts of a cyber-attack, health emergency or data breach can be devastating for the business. But the greatest impacts are often felt by consumers.
Plan your crisis response plan before it happens
The costs of dealing with a crisis are significantly higher for businesses that have not planned their response in advance - that is why it is so important to plan in advance.
Breaking down barriers when forming a crisis response plan
With the working environment changing faster than ever, adapting to a digitally led economy also brings increased data breach risks. Find out more.
Data breach readiness: where are your blind spots?
How to prepare thoroughly for any breach and have the right resources in place to react effectively if the worst happens.
6 key fraud, KYC and AML predictions for 2024
What fraud trends are we anticipating for 2024? Read our six predictions to explore the potential impact of growing fraud and identity threats.
Practical tips to adopt APP fraud reimbursement requirements
We address the challenges around the new APP fraud regulation and discussed practical tips for organisations to navigate through the changes.
6 fraud and identity predictions to help you protect your business and customers in 2023
Read our six key fraud and identity predictions to explore the potential impact of growing fraud threats and new identity trends in 2023.
Capturing the digital identity evolution through a layered approach
As digital adoption has increased, identities have become more complex. Read our whitepaper for insight into the future of digital identity.
Transforming financial crime prevention
In this paper, we share our insights around enabling Financial Crime automation to help strategically monitor commercial portfolios.
* A guide to ransomware, National Cyber Security Centre