Synthetic Data: The New Frontier in Cyber Extortion

Organizations are increasingly facing cyber attacks resulting in data breaches, and part of their post-incident responsibilities includes adhering to mandatory reporting requirements. 

Notably, the infamous BlackCat ransomware group has been exploiting these requirements for their benefit. They apply pressure on victims by threatening to inform the Securities and Exchange Commission (SEC) about the company’s supposed failure to report significant data breaches. The validity of the breach claim becomes inconsequential in the face of such extortion tactics, as the mere suggestion of regulatory non-compliance can be damaging enough.

Cybercriminals are using new tools like deepfakes and voice-fakes to their advantage, exploiting even small gaps in knowledge and awareness among their targets. Advances in artificial intelligence are making it increasingly difficult to distinguish authentic information from manipulated information. Deepfakes and voice-fakes are becoming so convincing that they can easily mislead the public, complicating the fight against the spread of misinformation and disinformation.

Ransomware groups are evolving their methodologies, moving away from encrypting data to simply threatening to leak stolen data on the dark web. This shift emphasizes the significance of the data breach itself over the disruption of operations. Some groups are even contemplating fabricating data breaches altogether. While claiming false breaches is not new, profiting from such deception is a relatively untapped strategy.

A case involving Europcar illustrates this emerging threat. A data set was published by an individual claiming to have hacked the car rental company, but Europcar was quick to refute the claim, stating that the data did not match their records. Despite the inaccuracy, such synthetic data sets can still cause harm by appearing credible, forcing organizations to invest resources in unnecessary investigations and dealing with potential reputational damage.

This situation underscores the need for organizations to prioritize their ability to manage what has become more of a public relations challenge than a technical one. Public disinformation and compliance with reporting obligations require a joint effort between public relations (PR) departments and cybersecurity teams. Organizations must therefore cultivate security awareness not only internally but also among their customers and other stakeholders. In response to these emerging threats, it’s essential that PR experts and security professionals combine their expertise to present a unified front.