Publications

The pandemic of Cyber Attacks

The pandemic of Cyber Attacks

12/2/2020

 

The great adherence to remote work caused by the COVID-19 pandemic has considerably changed human relations and the style of work. In this context, the high usage of digital platforms from personal devices, including in professional activities, has become the rule. As a result, there is an increase in cyber attacks exploiting vulnerabilities in the use of these devices, such as computers, smartphones and tablets.

It is observed that, in addition to corporate platforms, companies should also be concerned with the use of social networks by their employees and service providers to carry out their professional duties and daily tasks.

Attacks can occur in different ways. One of these happens when the hacker takes advantage of a flaw or vulnerability of the application or platform itself to send a false contact to the user or even a message containing malicious programs that install themselves on the personal device. Another type of very frequent attack is the so-called “social engineering”, that is, through persuasion, someone obtains the improper access to sensitive data or information. From an account already hacked or through SMS messages, the hacker has access to all contacts of the person hacked.

Another form of attack that has been growing in this period is called “phishing”. The tactic consists of dispersing emails or designs that require the user to click on a link or confirm a registration. With this, hackers are able to steal data that gives access to credit card numbers, personal tokens, bank accounts with their respective passwords and other personal and sensitive data.  In addition, there is a considerable increase in system and data hijackings (called “ransomware”).

These failures and attacks can result in security incidents established in the LGPD such as unauthorized access to personal data – as in phishing attacks -, the destruction and loss of personal data – as in ransomware attacks – and alteration and illegal communication of personal data that can result from both attacks.

Although the administrative sanctions provided for in the LGPD – which include fines of up to R $ 50,000,000.00 – are not applicable until August 1st, 2021, these incidents may result in fines by consumer protection authorities and in legal proceedings of great repercussion. These are fines whose object is the damage suffered by data subjects.

Recently, the country experienced a halt in the activities of the Superior Court of Justice (“STJ”) due to a ransomware attack during the judgment sessions of the six class collegiate bodies, which affected not only the systems, but also the data backups of the Court. As a result, the STJ’s computer systems were unavailable for a week and the procedural deadlines could only be resumed after this period. Also, as reported until the closing of this note, the Federal Regional Court of the First Region (TRF-1) was attacked by hackers, who would have accessed files in more than 40 internal databases. As a consequence, the Court’s website was unavailable for the adoption of preventive measures, in addition to restrictions on agency services.

In the corporate environment, this concern is also present. So much so that, in order to prevent and mitigate the incidence of these attacks, companies have invested in awareness campaigns and training for employees. They address the main threats and ways to avoid them, as well as how to act in case of being the victim of an attack.

Above all, the aforementioned efforts need to be supported by internal policies that consider the structure and culture of the company to ensure greater effectiveness of security measures around data and programs for prevention and responses in cases of incidents and cyber attacks.

 

Coauthors: Esther Jerussalmy Cunha, Fabricio Bertini Polido e Ricardo Luis Fernandes da Silva

Related Posts
Tags