Novi Sad cyber attack highlights need to take data security seriously

As the countries of emerging Europe begin to introduce more digital public services for their citizens, cyber security experts are warning that data must be held securely or the consequences could be dire.

Data can be very enticing to hackers and cyber crime syndicates who see it as an easy way to cash in by exploiting bugs, network vulnerabilities, and – most frequently – human error.

In a recent report on cyber security, PwC warned that 2019 saw a continuation of ransomware proliferation. This type of malware gets its name from the fact it encrypts data on targeted computers and then holds it for ransom.

Since the encryption used is very strong, the possibility of the victims decrypting the files themselves is next to zero.

This is why the attackers will offer to decrypt the data. For a fee, of course, usually paid out in the cryptocurrency Bitcoin.

“The diversification into ransomware operations was one of the main cyber crime themes of 2019. The last 12 months, continuing from a trend established in 2018, have seen a succession of high profile ransomware attacks affecting a broad range of victims and sectors”, the PwC report claims.

PwC has also observed a worrying trend of convergence between espionage campaigns and financially-motivated cyber crime.

The city of Novi Sad in Serbia learnt all this the hard way last week when it became the target of a virus known as PwndLocker. This particular malware has been active since at least 2019 and has tended to be used to attack municipal governments and enterprises.

Novi Sad chose not to pay the ransom, reported to be around 400,000 euros. Instead, they weathered the storm by assembling a crisis team and attempting to restore some of the data themselves. According to statements city officials gave to local media, things are set to return to normal soon.

The capital of Serbia’s Vojvodina province was not the only target of this malware, as there has been at least one confirmed case in the United States of hackers using this particular variant of ransomware.

Attacks using different methods have also recently taken place around the region. Late last year, Georgia reported a massive cyber attack which has since been shown to have been carried out by Russia. Many state institutions and private media outlets were targeted.

While not the first cyber attack in Serbian history, the Novi Sad incident is certainly the largest and it has raised fears about the security of citizens’ personal data.

“The current case in Novi Sad points to a vulnerability of information systems, that it’s not enough to simply invest in technical measures and process digitalisation, but in organising and educating the employees and that it is necessary to continually reassess the existing protection measures,” Zlatko Petrović, a representative from the Office of the Commissioner for Personal Data Protection, tells Emerging Europe.

He adds that while Serbia’s new data protection law incorporates the EU’s GDPR guidelines, most actors in the public and private sectors have yet to fulfill the actual obligations the law imposes.

Mladen Raonić, a security consultant at Belgrade-based Absolut Support, agrees that education is key.

“It’s obvious that most public sector employees do not perceive the risks of potential cyber attacks nor have enough knowledge to recognise the threats at the moment of their initiation. It’s exactly the lack of adequate education that generates higher risks of successful cyber attacks,” he says.

But it’s not just Serbia that needs to take cyber security seriously.

“Cyber security awareness is quite low in Hungary. Among small and medium-size enterprises, it is very low. In big domestic companies and multinational companies, the awareness level goes up, but is not at the right level,” Balazs Fazekas, legal and regulatory director at Invitel Group, said in a 2018 report on CEE cyber security.

Still, the situation around emerging Europe is, if slowly, getting better, at least in EU member states who have adopted GDPR and the NIS Directive.

In mid-2019 Bulgaria imposed two major GDPR fines.

The first was on the National Revenue Agency (NRA) after a data breach by anonymous hackers affected about six million people and led to unauthorised online disclosures. The NRA was fined because it was found that its technical and organisational protection measures were insufficient.

The second fine was issued to DSK Bank after third parties accessed over 23,000 credit records including personal data like names, addresses, and identification numbers.

In Romania, UniCredit Bank was fined for the disclosure of personal data which resulted from a lack of proper technological and organisational measures.

Similar fines have been levied on entities in Hungary and Poland, all related to violations of GDPR provisions.

The World Economic Forum ranks cyber attacks among the top five global risks. In 2017, the WannaCry and NotPetya attacks wreaked havoc across the world and cost nearly four billion US dollars in economic damage.

While the European Union’s GDPR and NIS laws are clearly a step in the right direction, there is still a long road ahead in much of emerging Europe towards ensuring proper data and cyber security.