[BreachExchange] Novi Sad cyber attack highlights need to take data security seriously

Tue Mar 17 10:09:00 EDT 2020

https://emerging-europe.com/business/novi-sad-cyber-attack-highlights-need-to-take-data-security-seriously/

As the countries of emerging Europe begin to introduce more digital
public services for their citizens, cyber security experts are warning
that data must be held securely or the consequences could be dire.

Data can be very enticing to hackers and cyber crime syndicates who
see it as an easy way to cash in by exploiting bugs, network
vulnerabilities, and – most frequently – human error.

In a recent report on cyber security, PwC warned that 2019 saw a
continuation of ransomware proliferation. This type of malware gets
its name from the fact it encrypts data on targeted computers and then
holds it for ransom.

Since the encryption used is very strong, the possibility of the
victims decrypting the files themselves is next to zero.

This is why the attackers will offer to decrypt the data. For a fee,
of course, usually paid out in the cryptocurrency Bitcoin.

“The diversification into ransomware operations was one of the main
cyber crime themes of 2019. The last 12 months, continuing from a
trend established in 2018, have seen a succession of high profile
ransomware attacks affecting a broad range of victims and sectors”,
the PwC report claims.

PwC has also observed a worrying trend of convergence between
espionage campaigns and financially-motivated cyber crime.

The city of Novi Sad in Serbia learnt all this the hard way last week
when it became the target of a virus known as PwndLocker. This
particular malware has been active since at least 2019 and has tended
to be used to attack municipal governments and enterprises.

Novi Sad chose not to pay the ransom, reported to be around 400,000
euros. Instead, they weathered the storm by assembling a crisis team
and attempting to restore some of the data themselves. According to
statements city officials gave to local media, things are set to
return to normal soon.

The capital of Serbia’s Vojvodina province was not the only target of
this malware, as there has been at least one confirmed case in the
United States of hackers using this particular variant of ransomware.

Attacks using different methods have also recently taken place around
the region. Late last year, Georgia reported a massive cyber attack
which was since shown to have been carried out by Russia. Many state
institutions and private media outlets were targeted.

While not the first cyber attack in Serbian history, the Novi Sad
incident is certainly the largest and it has raised fears about the
security of citizens’ personal data.

“The current case in Novi Sad points to a vulnerability of information
systems, that it’s not enough to simply invest in technical measures
and process digitalisation, but in organising and educating the
employees and that it is necessary to continually reassess the
existing protection measures,” Zlatko Petrović, a representative from
the Office of the Commissioner for Personal Data Protection, tells
Emerging Europe.

He adds that while the Serbia’s new data protection law incorporates
the EU’s GDPR guidelines, most actors in the public and private
sectors have yet to fulfill the actual obligations the law imposes.

Mladen Raonić, a security consultant at Belgrade-based Absolut Support
agrees that education is key.

“It’s obvious that most public sector employees do not perceive the
risks of potential cyber attacks nor have enough knowledge to
recognise the threats at the moment of their initiation. It’s exactly
the lack of adequate education that generates higher risks of
successful cyber attacks,” he says.

But it’s not just Serbia that needs to take cyber security seriously.

“Cyber security awareness is quite low in Hungary. Among mall and
medium-size enterprises, it is very low. In big domestic companies and
multinational companies, the awareness level goes up, but is not at
the right level,” Balazs Fazekas, legal and regulatory director at
Invitel Group said in a 2018 report on CEE cyber security.

Still, the situation around emerging Europe is, if slowly, getting
better, at least in EU member states who have adopted GDPR and the NIS
Directive.

In mid-2019 Bulgaria imposed two major GDPR fines.

The first was on the National Revenue Agency (NRA) after a data breach
by anonymous hackers affected about six million people and led to
unauthorised online disclosures. The NRA was fined because it was
found that its technical and organisational protection measures were
insufficient.

The second fine was issues to DSK Bank after third parties accessed
over 23.000 credit records including personal data like names,
addresses, and identification numbers.

In Romania, UniCredit Bank was fined for the disclosure of personal
data which resulted from a lack of proper technological and
organisational measures.

Similar fines have been levied on entities in Hungary and Poland, all
related to violations of GDPR provisions.

The World Economic Forum ranks cyber attacks among the top five global
risks. In 2017, the WannaCry and Notpetya attacks wreaked havoc across
the world and cost nearly four billion US dollars in economic damage.

While the European Union’s GDPR and NIS laws are clearly a step in the
right direction, there is still a long road ahead in much of emerging
Europe towards ensuring proper data and cyber security.