Companies in Germany are increasingly falling victim to so-called hackers and their attacks. But not all hackers are the same, and the factors to be considered in data protection differ from attack to attack.
Personal data and hackers
Hackers are people who penetrate computer systems (usually illegally). In such a hacker attack, the attackers do not attach great importance to data protection. On the other hand, the targeted tapping of personal data is rarely their main goal. Rather, data privacy violations are usually "collateral damage" in hacker attacks. Nevertheless, a data privacy violation has occurred.
To make it more difficult for a potential attacker to gain access, the company should implement the IT-Grundschutz methodology in accordance with the BSI standards for increasing information security. The goal must be to process data under the highest standards in order to make a successful hacker attack less likely.
As a customer of a company, you have no influence on these factors or on how your own data is processed; you mostly entrust your data to companies blindly. That is why data protection law requires EU companies to process data securely under Article 32 GDPR (security of processing).
Even though the colloquial term hacker is immediately equated with illegal access to other people's computer systems, this is not always true.
Basically, a distinction can be made between the "white hat hacker", "gray hat hacker" and "black hat hacker". The color gradation from white to gray to black symbolizes the extent to which the hacker is still within the law. While a white hat hacker is normally hired by a company to find security vulnerabilities, a black hat hacker acts with malicious and selfish intent. The "white hat hacker" works with the company and, in consultation with the company, conducts penetration tests that serve to increase and harden IT security. The "black hat hacker" looks for vulnerabilities in the same way, but wants to exploit them for his own financial motives or simply harm the company by doing so.
Between these extremes, there is the "gray hat hacker". This hacker operates in a legal gray area. He penetrates other people's computer systems without permission in order to find security holes. As a rule, however, he does not exploit them for his own benefit, but publishes them. The damage to a company is nevertheless very high: it suffers not only economic damage but also lasting harm to its image. In some cases, "gray hat hackers" also inform the affected company that they have found a security vulnerability and subsequently receive financial compensation for their efforts (bug bounty program).
In addition to these gradations, there are also groups such as hacktivists, who act out of political or social motives. They want to convey a message with their actions. They also act illegally, but are often not convicted because the damage to the affected companies is too small.
Consequences in the event of an attack
As soon as a data protection breach occurs (e.g. an illegal hacker attack), the incident must be reported in a data protection notification (72-hour deadline). This is usually the case with "black hat" or "gray hat" hackers. In order to keep the data protection risks as low as possible, professional advice is essential.
You should also seek professional advice and support from us in advance regarding specific protective measures.