How GDPR Incentivised Threat Actors
GDPR was designed to protect people. To give individuals control over their personal data, to hold organisations accountable for how they handle it, and to impose meaningful consequences when things go wrong.
It did all of those things. It also, as a side effect, handed ransomware operators one of the most effective pieces of leverage they’ve ever had.
This isn’t a criticism of the regulation itself. Accountability for data breaches is reasonable and overdue. But the way GDPR’s enforcement mechanics interact with criminal extortion is worth understanding clearly, because it shaped how ransomware attacks are structured today, and it explains why paying the ransom has become a calculation rather than a refusal for a disturbing number of organisations.
What GDPR Actually Requires
The key provisions, for context.
Under GDPR, organisations that experience a personal data breach must notify their relevant supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, those individuals must also be notified directly, without undue delay.
The fines for serious violations are significant: up to €20 million or 4% of global annual turnover, whichever is higher. For large organisations, 4% of global turnover is a very large number. British Airways was fined £20 million following a 2018 breach. Marriott received an £18.4 million fine. The ICO has demonstrated willingness to issue substantial penalties.
The intent is deterrence. Organisations that fail to protect data should face consequences proportionate to the harm caused. Reasonable enough.
The problem is what happens when criminals start treating those consequences as a tool.
The Birth of Double Extortion
Cast your mind back to ransomware before roughly 2019. The model was straightforward: encrypt the victim’s files, demand payment for the decryption key. The leverage was operational disruption: you can’t run your business without access to your data.
The limitation of that model, from the attacker’s perspective, was that organisations with good backups had a way out. Restore from backup, rebuild, refuse to pay. As backup practices improved and more businesses understood that ransomware was a genuine risk, the pure encryption model started losing some of its teeth.
So attackers evolved.
The Maze ransomware group, around late 2019, pioneered what became known as double extortion. Before encrypting a victim’s files, they first exfiltrated a copy of them. They then threatened to publish that data on a dedicated leak site (public, searchable, accessible to anyone) unless the ransom was paid.
This changed the game entirely, and GDPR was a significant part of why.
Encryption alone creates an operational problem: you can’t access your data. Exfiltration creates a legal and regulatory problem: personal data belonging to your customers, employees, or patients is in the hands of criminals, and you have a mandatory disclosure obligation. Fail to disclose, and you compound the breach with a regulatory violation. Disclose, and you trigger ICO scrutiny, potential fines, customer notification requirements, and reputational damage that can last years.
The ransom demand now came with an implicit offer: pay us, we delete the data, you potentially avoid having to report a breach at all. The leverage stopped being purely operational. It became regulatory.
The Calculation Organisations Started Making
Here is the uncomfortable reality that GDPR’s fine structure created.
An organisation suffers a ransomware attack. Data has been exfiltrated: customer records, employee data, financial information. The attackers are demanding, say, £500,000. The organisation’s security and legal teams start doing the maths.
Mandatory breach notification triggers ICO investigation. Depending on the scope of the breach and the organisation’s security posture, a fine of several million pounds is plausible. Add legal costs, customer notification costs, remediation costs, and the reputational impact of the story appearing in trade press. The total exposure starts looking very large.
Against that, the ransom. £500,000 for a promise, and it is only a promise, that the data will be deleted and not published.
Some organisations paid. Not all of them, and not because GDPR created the ransomware threat, but because GDPR’s fine structure made the cost-benefit analysis more complicated than a straightforward refusal.
This is not how regulators intended the regulation to work. It is nonetheless how criminal groups understood it would work, and they adjusted their operations accordingly.
Leak Sites as Pressure Infrastructure
The mechanics of double extortion are worth understanding in detail because they reveal how deliberately this is engineered.
Ransomware groups run dedicated leak sites, websites hosted on Tor, that list their current victims. When an organisation is attacked and doesn’t pay within the deadline, their name appears on the site with a countdown timer. When the timer expires, the data is published in tranches: sometimes partially at first, as additional pressure, then fully.
These sites are not hidden. Journalists, researchers, and threat intelligence teams monitor them routinely. A victim’s appearance on a leak site is often how their breach becomes public, before they’ve had a chance to manage the disclosure themselves. The ICO has confirmed that it is aware of, and monitors, these sites.
This creates a second layer of pressure. It’s not just the threat of ICO notification; it’s the threat of losing control of the narrative entirely. An organisation that is managing a quiet, orderly breach disclosure on its own terms is in a very different position to one that finds its data published on a criminal forum with a news story following the next morning.
The 72-hour notification clock under GDPR starts when an organisation becomes “aware” of a breach. A significant amount of legal energy has been spent trying to define exactly when awareness begins. But if your data appears on a public leak site before you’ve notified the ICO, the regulator’s view of your compliance timeline becomes considerably less sympathetic.
Triple Extortion
If double extortion weaponised GDPR against the breached organisation, triple extortion extended the pressure outward.
In triple extortion attacks, criminals don’t just threaten to publish the data; they contact the victims whose data was stolen directly. Customers. Patients. Employees. They notify them that their personal data is in criminal hands and that their organisation hasn’t paid the ransom to protect them.
This does several things simultaneously. It creates direct pressure from individuals on the breached organisation: people calling, emailing, demanding to know what happened to their data. It generates media attention. It demonstrates to the victim organisation that the criminals are not bluffing about what they have. And it triggers individual rights under GDPR: people whose data has been breached have rights of access and complaint that the ICO takes seriously.
Some groups have also contacted regulators directly, reporting the breach on behalf of the victim and explicitly noting that a ransom demand was not paid. The intention is obvious: to accelerate the regulatory response and increase the cost of non-payment.
What Regulators Have Said About Paying
The official position from regulators is, understandably, not to pay. The ICO has stated that paying a ransom does not guarantee data deletion, does not fulfil an organisation’s compliance obligations, and funds further criminal activity. Organisations that pay still need to notify the ICO if a reportable breach has occurred.
That last point is important and often misunderstood. Paying the ransom and receiving a criminal’s assurance that the data has been deleted does not eliminate the mandatory disclosure obligation. The breach happened. The data was in criminal hands. The disclosure requirement is triggered by the breach, not by its resolution.
Some organisations have paid under the belief that doing so would allow them to avoid disclosure. This is not legally sound, and the ICO’s enforcement record suggests they are not sympathetic to that reasoning.
The ransomware operators, of course, know all of this. The leverage they’re selling (avoid disclosure, avoid the fine, make this go away) is not really something they can deliver. But the fear that it might work is enough to make the calculation feel more complicated than it should.
How This Changed Attacker Behaviour
The downstream effect on how ransomware operations are structured is significant.
Data exfiltration before encryption is now standard practice, not an optional add-on. Before any ransomware payload runs, attackers spend time identifying and exfiltrating the most sensitive data they can find: personal records, financial data, anything that creates regulatory and legal exposure. The encryption is almost secondary. It’s the exfiltration that gives them the real leverage.
This means the profile of what counts as a high-value target has also shifted. An organisation doesn’t need to be large to be attractive. It needs to hold data whose exposure would be damaging, which covers healthcare providers, legal firms, HR platforms, financial services businesses, and anyone else who handles significant personal data. A small GP surgery with 10,000 patient records can face regulatory and reputational exposure that makes even a modest ransom demand look like a difficult calculation.
Dwell time has also increased. Attackers who are looking to exfiltrate data before encrypting it need time inside the network to find, stage, and exfiltrate that data without triggering alerts. The patience of modern ransomware operations is in part driven by how valuable the data they’re stealing has become under a regulatory regime that punishes exposure.
What Organisations Should Take From This
Understanding this dynamic doesn’t change the basic answer, which is: don’t pay, report the breach, focus on containment and recovery. But it does change how organisations should think about their exposure before an attack happens.
Data minimisation matters. GDPR requires it, but many organisations treat it as a compliance checkbox rather than a genuine risk reduction exercise. If you don’t hold data you don’t need, it can’t be exfiltrated and used against you. Organisations that have aggressively applied data minimisation principles have a structurally smaller attack surface for this kind of extortion.
Know what data you hold and where. If you can’t tell your legal team within hours of a breach what categories of personal data were accessible in the compromised environment, you can’t make good decisions about notification obligations. A data inventory that exists only in theory is not a data inventory.
Exfiltration detection deserves attention. Many organisations invest heavily in preventing initial compromise and detecting lateral movement, but have limited visibility into large-scale data leaving the network. Monitoring for unusual outbound data transfers (large volumes, unusual destinations, transfers occurring outside business hours) is how you detect the exfiltration phase of a double extortion attack before it completes.
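As an added illustration of that monitoring (example code written for this edit, not code from the original article), the Python below runs the three heuristics just named over a constructed set of outbound flow records: a per-host daily volume check against a baseline, a check for destinations outside a known allowlist, and a check for large transfers outside business hours. The flow format, the hostnames and IP addresses, the baselines and every threshold are assumptions made for the example; a real deployment would derive the baselines from its own egress history.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample egress flow records (not real data). Assumed format, one
# record per line: timestamp  source_host  destination_ip  destination_port  bytes_out
SAMPLE_FLOWS = """\
2024-03-11T09:15:02 fileserver01 203.0.113.10 443 1843200
2024-03-11T10:02:44 hr-laptop07 198.51.100.8 443 220000
2024-03-11T11:30:10 fileserver01 203.0.113.10 443 2100000
2024-03-11T13:05:00 marketing-pc02 203.0.113.55 443 48000
2024-03-12T02:12:51 fileserver01 192.0.2.77 22 7340032000
2024-03-12T02:48:13 fileserver01 192.0.2.77 22 6200000000
2024-03-12T03:05:30 hr-laptop07 192.0.2.77 22 950000000
2024-03-12T14:20:05 hr-laptop07 198.51.100.8 443 310000
"""

# Assumed tuning values; a real deployment derives these from observed history.
BASELINE_DAILY_BYTES = {"fileserver01": 5_000_000, "hr-laptop07": 1_000_000}
VOLUME_MULTIPLIER = 10                      # flag a day above 10x the host's baseline
KNOWN_DESTINATIONS = {"203.0.113.10", "198.51.100.8"}  # e.g. SaaS and backup providers
OFF_HOURS_MIN_BYTES = 100_000_000           # ignore small off-hours traffic (updates, telemetry)
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # local time, Monday to Friday


def parse_flows(text):
    """Parse the whitespace-separated flow format above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_off_hours(ts):
    """True at weekends or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyse(flows):
    """Return (signal, host, detail) findings for the three egress heuristics."""
    findings = []
    daily_bytes = defaultdict(int)  # (host, date) -> total bytes out
    for f in flows:
        if f["dst"] not in KNOWN_DESTINATIONS:
            findings.append(("unusual_destination", f["src"],
                             f"{f['bytes']} bytes to {f['dst']}:{f['port']} at {f['ts']}"))
        if is_off_hours(f["ts"]) and f["bytes"] >= OFF_HOURS_MIN_BYTES:
            findings.append(("off_hours_transfer", f["src"],
                             f"{f['bytes']} bytes at {f['ts']}"))
        daily_bytes[(f["src"], f["ts"].date())] += f["bytes"]
    # The volume check is per host per day, so it runs after aggregation.
    for (host, day), total in sorted(daily_bytes.items()):
        baseline = BASELINE_DAILY_BYTES.get(host)
        if baseline is not None and total > baseline * VOLUME_MULTIPLIER:
            findings.append(("volume_spike", host,
                             f"{total} bytes on {day}, baseline {baseline}"))
    return findings


def hosts_with_multiple_signals(findings, min_signals=2):
    """Hosts where at least min_signals distinct heuristics fired: triage these first."""
    signals = defaultdict(set)
    for signal, host, _ in findings:
        signals[host].add(signal)
    return sorted(h for h, s in signals.items() if len(s) >= min_signals)


if __name__ == "__main__":
    results = analyse(parse_flows(SAMPLE_FLOWS))
    for signal, host, detail in results:
        print(f"{signal:20} {host:16} {detail}")
    print("triage first:", hosts_with_multiple_signals(results))
```

On the constructed data, each heuristic fires on its own for several hosts, but only the two hosts that trip all three (multi-gigabyte transfers to an unknown address in the early hours) are ranked for immediate triage; the workstation that merely talked to an unlisted address during the day is recorded but not escalated. Correlating the signals rather than alerting on any one of them is what keeps this kind of monitoring usable at scale.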
Breach response planning should include regulatory obligations. The 72-hour clock starts when you become aware of a breach. Having pre-agreed decision trees for what constitutes reportable awareness, what the notification should contain, and who is responsible for making the notification means you’re not working it out under pressure.
Takeaways
GDPR created meaningful accountability for data breaches. It also created a regulatory cost structure that sophisticated criminal groups understood and deliberately incorporated into their extortion models.
- Double extortion (encrypt, then threaten to publish) transformed ransomware from an operational problem into a regulatory and legal one
- GDPR’s fine structure made paying the ransom feel like a cost-benefit calculation for some organisations, which is exactly what attackers intended
- Paying the ransom does not eliminate mandatory disclosure obligations, despite what attackers imply
- Data exfiltration before encryption is now standard ransomware practice; the breach often happens long before the ransom note appears
- Data minimisation, exfiltration detection, and pre-planned breach response are the practical controls that reduce exposure
The regulation didn’t create the threat. But it handed criminals a new lever, and they’ve pulled it hard. Understanding that is the first step to not being caught off guard by it.
