A few years ago I wrote a blog post for the company I work for, where I mulled over the idea that the GDPR (General Data Protection Regulation) could be used by threat actors as a weapon to cause financial damage to a victim.

Under GDPR, companies can be fined up to 4% of their annual global turnover (or €20 million, whichever is higher) if they are found to have been negligent after suffering a data breach.

That blog post is here if you want to have a quick read of it.

Well, it looks like my idea has now been realised…

LockBit wrangling

Back in January, I wrote about the LockBit ransomware attack that was affecting Royal Mail’s ability to process overseas post.

In an update to this story, it seems that the LockBit gang have been rebuffed by Royal Mail and have not received the £66M ransom they were demanding.

The deadline for the ransom payment passed earlier this week and, as a result of non-payment, the hackers dumped a hoard of data to their website, including a series of chat logs detailing the conversation between the hacking gang and the Royal Mail negotiators.

The GDPR threat

The chat logs uploaded to the LockBit blog site show how the LockBit gang tried to use the threat of a GDPR fine as leverage:

“$80m is 0.5pc of your revenue, $640m is 4pc of your revenue. We are asking 8 times less than your state. In addition to this price you get a decrypt of your data.”

The Royal Mail negotiator’s response was:

“Do you really think the government doesn’t already know about this? Even if they were to fine us, paying you or not does not change this.”

One of the LockBit administrators then tried to pressure Royal Mail into paying by threatening to report the breach to the authorities themselves, saying: “0.5pc of annual global turnover is much less than a 4pc fine from your government.” The negotiator’s point stands, though: under GDPR Article 33 a controller must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it regardless of whether a ransom is paid, so paying does nothing to reduce the regulatory exposure.

The Royal Mail negotiator was clearly steadfast in their responses, as it appears that the LockBit gang spat their dummy out, eventually posting that “Royal Mail need new negotiator” as they dumped the chat data on their dark web blog on Tuesday.