Skip to main content

Cyberattacks based on the victim´s compliance


Information security compliance has become now a new exploit that cybercriminals are taking advantage from, prompting a need for clear regulatory guidance and proactive security measures.

1.    Corporate compliance as a new cyberattack strategy

The evolution of cybercrime is not only based on the development of technologies used by cybercriminals. Recent events show that cybercriminals are also incorporating, as an innovative element in their criminal strategies, certain analysis of the legal obligations of companies.

For example, the gang known as ransomed have begun to use, as a complementary threat to the traditional extortion derived from the ransomware attacks they usually carry out, that of the sanctions contemplated by the regulations applicable to those cases in which the breach of the obligations of diligence required from companies during the management of security incidents is proven. We are referring to the current General Data Protection Regulation, whose penalties for breaching security obligations can reach millions of dollars.

2.    Cases of compliance-based cyberattacks

This is what happened with the extortion of the company Meridianlink, which, after the last cyberattack caused by Ransomed, was reported to the US SEC for not having properly notified the incident, thus failing to comply with the applicable regulations. Such thing could imply, for the affected company, a penalty of an amount significantly higher than the amounts demanded by the cyberattackers for not reporting the incident.

In this case, the mechanics followed by the criminals consist of causing a security incident, as it has always been done, but the difference lies in the strategy used. Which means that the payment they request from their victims is calculated based on the eventual sanction that would be applied to the affected company for not having implemented the appropriate security measures and not having notified the incident, being obliged to do so. Indeed, in these cases, the cybercriminals themselves who caused the security breach report the affected company to the supervisory authority, providing evidence of the reality of the incident in question (who else if not the person responsible of the crime to prove that the incident has occurred and is real) and of the failure of the affected company to comply with the applicable regulations if the incident has not been reported to the authorities in a timely manner to the authorities.

In this way, the chance of the company considering the payment of the requested amounts increases significantly, instead of risking being sanctioned to pay the fines imposed by the regulator, especially in view of the complaint and evidence that the cybercriminals responsible for the incident may have provided. To this scenario can be added the possible reputational crisis that, for the company, such action would cause.

3.    Balancing compliance and resilience: clarifying company responses to Cybersegurity Incidents

That is why it seems advisable to develop a doctrine that clarifies to companies what the position of the control authorities will be when analysing possible complaints received from the organised gangs of criminals causing the cybersecurity incident, which they report and easily prove with evidence.It is true that companies must comply with the security and transparency obligations required of them by the applicable regulations. However, other mitigating factors must also be considered, such as the fact that the company refuses to submit to extortion, almost certainly facing a sanctioning procedure, but showing some diligence in its reactive management of the incident.


Article provided by INPLP members: Francisco Perez Bes and Esmeralda Saracibar (ECIX Group, Spain)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.