Reported ransomware attacks on organisations in the UK reached record levels in 2022 when criminals compromised data on potentially more than 5.3 million people from over 700 organisations, The Record reports.
The figures were taken from a neglected dataset published by the Information Commissioner’s Office (ICO).
The true count of ransomware incidents is reportedly a known unknown for officials trying to determine the best way to tackle the problem. Victims are not obliged to report attacks to law enforcement, and darknet extortion sites only provide a partial count of victims who refused to pay.
Despite frustrations around what the true figure is, few seem to know about the ICO’s security incident trends data, which records the number of ransomware incidents reported to the data protection regulator.
Recorded Future News was unable to find any instances of this data being publicly cited by officials in British government departments.
Jamie MacColl - a research fellow at the Royal United Services Institute (RUSI) - told the publication he was “surprised that this dataset exists publicly and that it’s not more widely used in cyber policy discussions about ransomware attacks in the UK, particularly given it’s been available for two years.”
A better-known attempt to establish a figure for the number of ransomware incidents in the UK is conducted by the government’s Department for Science, Innovation and Technology (DSIT). It has been compiling an annual cyber breaches survey for several years. However, officials outside of DSIT say the survey is not considered particularly useful by policymakers.
They complained the survey is completely self-reported, meaning its data is biased against hacked organisations that prefer not to openly admit to an incident. The statistics it features are also produced from questions asked a year prior. Therefore the ecosystem is likely to have substantially changed by the time it has been published.
Such criticisms are reportedly supported by the differences between the ICO’s data and DSIT’s self-reported survey. Where DSIT stated there had been a fall in ransomware attacks from 17 per cent of all incidents in 2020 to just 4 per cent in 2021, the ICO’s data instead found ransomware incidents accounted for 20 per cent of all incidents in 2020 before rising to 28 per cent the next year. They then continued to increase to 34 per cent in 2022.
Unlike the voluntary DSIT survey, Britain’s data protection laws require companies to report data breaches to the ICO under the threat of being fined up to 4 per cent of the organisation’s global turnover should they fail to make a report. To date, no company has ever received such a fine.
This regulatory regime also has its limitations. Earlier this year, the National Cyber Security Centre (NCSC) and the ICO published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and regulators.
“As with all statistics, you need to see the ICO data through the lens in which it has been collected,” Hans Allnutt - a partner at DAC Beachcroft who leads the law firm’s cyber risk practice - said.
“The specific definition of what needs to be reported to the ICO is a personal data breach, defined as ‘unauthorized disclosure, loss, or access to personal data.’ It’s not absolutely clear whether an encryption-only ransomware attack causes a risk to personal data, because you can encrypt at a server level and not have access to personal data.”
Essentially, not every single ransomware incident would necessarily need to be reported to the regulator. The ICO’s data also does not include incidents that should have been reported but were not. Despite this, Mr Allnutt said, the data “is - in the absence of any other ransomware frequency metric or any other source of reporting - a good resource."
Acknowledging these limitations, Mr MacColl said it was “likely the most comprehensive public dataset about the frequency of ransomware attacks in the UK.”
The ICO has not yet published data showing the scale of the increase in 2023 but it reveals that 706 ransomware incidents were reported in 2022. Despite some speculation that the Russian invasion of Ukraine in February had slowed the ransomware ecosystem, the official figures reportedly reveal a marginal increase on the 694 reported in 2021, a significant rise on the 440 in 2020 and a massive spike from the 100 that were reported in 2019.
In a statement on September 12, Tom Tugendhat - the UK security minister - said, “The UK is a top target for cybercriminals. Their attempts to shut down hospitals, schools and businesses have played havoc with people’s lives and cost the taxpayer millions. Sadly, we’ve seen an increase in attacks.”
Along with the statement, the NCSC and the National Crime Agency (NCA) published a white paper explaining the entire ransomware system. But rather than citing the ICO data on ransomware attacks, the agencies provided a global count of the number of victims listed on the ransomware gangs’ extortion sites as collected by a cybersecurity company.
Source: The Record
(Links and quotes via original reporting)