42 million finance records lost in ransomware tsunami

UK companies have been hit by a tidal wave of ransomware attacks over the past 12 months, with more than 42 million financial data records compromised by hackers last year – a 1,777% rise on the previous 12 months.

That is the stark conclusion of an investigation by international law firm RPC, which reveals a huge spike in data breaches, up from 2.2 million in 2019/20, with attackers copying significant quantities of data at the same time as encrypting the target’s data.

Having taken financial and other information from the target’s system, criminal gangs will threaten to sell this data, or leak it on the dark web, should the target refuse to pay the ransom.

The gangs have found that blackmail threats over encryption alone are becoming less effective as businesses get better at backing up their systems, but hackers have honed their tactics and added this additional form of blackmail.

The figure of 42.2 million may include people who have had their financial data compromised more than once in completely different and unrelated data breaches, the investigation shows.

RPC partner Richard Breavington said these attacks have become “very lucrative”. He added: “The surprisingly high number of people whose financial data was impacted in the last year shows how cyber attacks have become endemic.

“Hackers are continually refining their methods, employing ever more complex techniques to extort money in whatever way they can. Some businesses, fearing the potential reputational costs, not to mention other consequences, decide that they will take the last-ditch approach of paying the ransom demands.”

RPC says the financial cost to businesses posed by ransomware attacks can be dramatic. This includes not just the cost of the interruption to the business, but the various legal and regulatory ramifications of large amounts of personal data being taken.

Several large data breaches occurred in the past year, including one involving an unnamed airline, which saw 9 million customers impacted. In the attack, believed to be one of the largest in the UK, hackers stole data including names, email addresses, travel details and credit card details.

RPC says the figures show how important it is for businesses to take precautions when processing and storing personal data relating to customers and employees. In addition to investing in robust IT security software, businesses should be careful as to where they hold sensitive data and how these files and folders are organised.

Breavington concluded: “Before carrying out an attack, hackers are increasingly carrying out reconnaissance to scope out protections that are in place, as well as data held by the company. Businesses should not be making their jobs easier by signposting this information.”

Just last month, the Cyber Security Breaches Survey 2022 report from the Department for Digital, Culture, Media & Sport called on companies to boost their cyber standards following official data which also revealed a surge in online attacks, with nearly a third of firms being hit every week.

Although the number of organisations which experienced an attack or breach remained the same as 2021 levels, the frequency of cyber attacks is rising, suggesting most have still not done anything to tackle the issue. Almost a third of charities (30%) and two in five businesses (39%) reported cyber security breaches or attacks in the last 12 months.
