Kaspersky Lab calls for improvements in the law on turnover penalties for leaks 08:00

The adoption of a law on turnover penalties for data leaks in Russia could give hackers an additional lever of pressure on Russian companies in the industrial sector, and could also become a tool of competition between organizations, Vladimir Dashchenko, an expert in the Kaspersky ICS CERT unit at Kaspersky Lab, told socialbites.ca.

The law on turnover penalties for data leaks was submitted to the State Duma at the end of 2023. Under it, companies are subject to fines of 0.1-3% of their annual revenue for repeated data leaks. The scale of sanctions will depend on the number of personal data subjects affected by the incident (from 1 thousand people to 100 thousand people). The fine cannot exceed 500 million rubles. In January 2024, the law was passed in the first reading.

According to Dashchenko, if the new regulatory norm is finally adopted, some organizations in the industrial sector may suffer. The expert noted that hackers could remain in a hacked company’s network for years without showing any signs of compromise. Turnover-penalty legislation could be a chance for bad actors to make their presence known by blackmailing companies with early concessions and extorting money from them in exchange for not leaking data.

“Experience studying complex and specifically targeted attacks on the industry shows that well-trained attackers, including financially motivated groups, can remain in the infrastructure for a long time. Or the company may have been compromised a long time ago and access to the company was resold to another team of attackers on the black market some time after the moment of compromise,” Dashchenko said.

In addition, according to the expert, after the implementation of turnover penalties, hackers may become mercenaries in the hands of organizations. A company that has information about a competitor’s settlement can “turn it over” to the regulator. The regulator will impose a large fine on the competitor and the unscrupulous company will gain an advantage in the market.

Finally, hackers could hypothetically use the new law to take down entire business groups. To do this, attackers using, for example, previously unknown backdoors in software could simultaneously publish stolen data from several structurally important companies. As a result, many large industrial enterprises in certain regions may suffer immediate financial and reputational losses.

“I think this initiative [to introduce turnover penalties] requires additional discussion of all possible details and scenarios to avoid irreparable consequences for business in the industrial sector in the future,” Dashchenko said.

Earlier, TheMoon botnet infected more than 46 thousand Wi-Fi routers in 88 countries.


Source: Gazeta
