How can data processors optimise resources, minimise costs and protect consumers?
Long-held fears about the growing threat posed by ransomware have proved well founded. As we predicted, ransomware has continued to increase and has become the attack method of choice for cyber criminals today. In the first nine months of 2023 we have seen a sustained increase, with ransomware gangs such as CL0P becoming dominant in the space. This period saw a large number of simultaneous attacks, including the highly publicised exploitation of the MOVEit vulnerability, which is one of the most systemic exploitations we have seen to date.
What is ransomware?
Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal. This last point matters for the rest of this post: where data has been exfiltrated, restoring systems from backup resolves the outage but not the breach, and the organisation still has to treat the incident as a loss of personal data with the notification obligations that follow.
View from the front line
The Experian Crisis & Data Breach Response team has been supporting companies and organisations of all types to deal with the fallout of these types of incident. We have seen an increase of over 200% on 2022, with three months of 2023 still to run. In this time, particularly with vulnerabilities such as MOVEit, data processors have been hit especially hard. These organisations hold multiple clients' data and need to understand how to navigate not only the consumer recovery but also the management of their clients at the same time.
In this post I would like to share some of our experiences of working with companies on their consumer and employee recovery plans, and how the rise in "data processor incidents" has added extra layers of complexity to the process.
What are data controllers and data processors?
Under UK GDPR, organisations responsible for handling personal data are categorised as either 'controllers' or 'processors'. Controllers are organisations that determine the purposes and means of processing personal data. They usually have the direct relationship with the customer or end user.
Processors are organisations that process personal data on behalf of controllers. These are usually outsourced service providers, appointed to handle or manage data for a purpose defined by the controller. They could include payroll providers, marketing agencies, printing companies, pension management and HR providers, and other business process outsourcers.
Managing customer communication
We have seen that ransomware attacks on data processors pose additional challenges in managing the recovery. Data processors do not have a direct relationship with the consumers whose data has potentially been compromised. Ultimately, it is their client, the data controller, who has that relationship.
This is not only a matter of relationships: under UK GDPR the controller carries the legal obligation to notify the ICO and, where required, the affected individuals, while the processor's obligation is to notify the controller without undue delay. The data controller therefore usually regards it as its responsibility to send out communications to the media, to internal and external stakeholders, and to the individuals affected. Its focus will be on providing reassurance, protecting its brand and reputation, and mitigating the financial impact of the event.
This situation can cause tension, since the outsourcing partner (the data processor) would like to use economies of scale across potentially multiple clients to provide a more cost-effective recovery solution. It may want to use recovery services from firms such as Experian to provide reassurance and peace of mind to the employees and consumers impacted.
This creates particular challenges around the timing of notifications sent out to customers and employees. Not only will each client (the controller) want to communicate in a manner in line with its own culture and values, but it will also want to control the timing of those communications. That becomes a problem when call centres or monitoring services are being mobilised for multiple clients rather than one, and each client's preferred timing is different.
One of the key areas for data controllers and processors to agree on is when notifications go out, and in what order. If all notification communications are sent at the same time, they will cause a huge demand spike from customers who want further information. By agreeing to stagger communications over a defined timeline, call centre and other inbound communication resources can offer a faster and more efficient service, providing comfort and reassurance to the people impacted during this unsettling time.
Focus on consumers and employees
A co-ordinated response from all parties provides the best results for the individuals impacted by a data breach. Being informed that your personal data may have been compromised is bad enough, but not being able to speak to someone to understand more and gain some comfort only compounds the issue. Greater coordination enables resources to be optimised, reduces the overall time to resolution, minimises costs through economies of scale, and reduces the financial and reputational damage to the affected parties.
How can we help?
Reducing the financial and reputational damage should always be the ultimate goal for any organisation impacted by a ransomware attack. Consumers need to be at the heart of any crisis response plan.
If you want to learn more about dealing with ransomware incidents and managing the people recovery process, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.