Piret Essenson: Cybercriminals take advantage of people's weaknesses

Because ensuring the normal functioning of everyday life requires exchanging information, our environment needs to be securely regulated. Only then can we trust businesses and organizations to which we surrender our data, Piret Essenson writes.
It is a little over three weeks now since the Apotheka and PetCity data leaks facilitated by Allium UPI. No one even remembers it anymore. The average person was not strongly affected by the leak. People were sent an email notification, while most reacted by shrugging their shoulders and asking, "So what if someone got access to my address and information on a few things I bought?" Still, what happened to the data?
Cybercrime as an industry
The IMF pointed out in 2018 that cybercrime has matured into an industrial sector. Since the 1990s, when cybercrime first reared its ugly head, carrying out cyberattacks has become simpler, thanks to continuously developing tools and a better level of organization.
The complexity, and therefore the price, of orchestrating attacks has fallen further with the advent of AI. Cyberattacks can now be carried out by unskilled workers instead of highly paid IT specialists. That is why around 80 percent of attacks now come from major organizations specializing in the field.
An industry worth around €7.9 billion has formed. It is forecast to grow to almost €26 billion by 2027 (WEF). For comparison, Estonia's GDP came to €37.7 billion in 2023.
Criminals took Estonians for at least €8.3 million last year. This covers reported cases. We do not know how many people are too ashamed or do not know how to report cyber incidents.
The more popular types of online fraud in these parts are diverted parcel deliveries, the "police" asking people to do something or warning them against something, business letter fraud, Facebook Marketplace schemes, vehicle purchase and sale schemes and, of course, offering people brilliant investment opportunities via online platforms.
Even though types of fraud can differ, the way people are manipulated is very similar in all cases. Criminals mainly take advantage of human weaknesses, such as greed, pride, fear, curiosity, inattentiveness and loneliness. Modern business culture and the breakneck pace of life also cause people to make mistakes.
To avoid falling victim to fraudsters, one should maintain a high level of IT hygiene: keep IT systems up to date and protected, update passwords regularly and use multi-step verification. It also helps not to allow non-essential cookies when browsing the web and not to click on suspicious links before checking them. This not only reduces the likelihood of falling victim to phishing schemes, but also improves overall IT security at a time when politically motivated attacks are also taking off.
It is worth paying attention to the addresses from which messages are sent, whether their content makes sense and whether the links look legitimate. A wrong email address, even if it closely resembles the genuine one, often betrays an attempted attack.
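One way to apply the sender-address check above in code, as an added example that is not part of the original article: it parses a From: header, decodes punycode labels, folds a few Cyrillic look-alike letters and the rn/vv digraphs, and flags domains that contain, or sit within two edits of, a trusted domain. The trusted domains and the confusable table are constructed placeholders, not real organisations or a complete table.

```python
"""Added example: flag sender domains that merely resemble a trusted one.
Domains below are constructed placeholders, not real organisations."""
from email.utils import parseaddr

TRUSTED_DOMAINS = ("example-pharmacy.ee", "petshop.example")  # constructed allowlist

# Small illustrative subset of Cyrillic letters that render like Latin ones;
# a real deployment would use the full Unicode confusables table (UTS #39).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "у": "y", "і": "i"})

def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode labels and fold look-alike letters/digraphs."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is and will compare as unknown
        labels.append(label.translate(CONFUSABLES))
    # "rn" reads as "m" and "vv" as "w" in many fonts.
    return ".".join(labels).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    raw = addr.rpartition("@")[2].lower()
    if any(raw == g or raw.endswith("." + g) for g in trusted):
        return "trusted"  # exact domain or a genuine subdomain of it
    folded = normalize_domain(raw)
    for good in map(normalize_domain, trusted):
        # trusted name buried inside a longer domain, or within a few edits of it
        if good in folded or levenshtein(folded, good) <= max_edits:
            return "lookalike"
    return "unknown"
```

A mail filter would run this over the parsed From: header and, for a "lookalike" verdict, quarantine or visibly label the message rather than rely on the reader noticing the swapped letters.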
That said, it needs to be acknowledged that even well-trained professionals make mistakes given the pace of modern life. We do not have to look far for an example. Prime Minister Kaja Kallas (Reform) was targeted by a deepfake video call in which Russian agents, who had used authentic email addresses for phishing and technology to mimic another person's appearance and voice, tried to get her to compromise herself on security topics.
While our prime minister escaped unscathed, in another case several deepfaked participants, including a fake CFO, managed to convince a Hong Kong finance worker to transfer $25 million to criminals.
Public figures often cannot help posting information, images and videos of themselves, which makes impersonating them that much easier. YouTube recently removed over a million deepfake videos of celebrities.
Estonian public figures have also been hit. If you happen to come across a Carmen Joller sporting a Finnish accent and an unnatural-looking face recommending Tonerin, you should stop and think whether that really is the Estonian family doctor. However, people who are not in the public eye have the luxury of safeguarding their privacy.
The aforementioned Carmen Joller differed from the real Karmen Joller in her use of language. Our small language kept us safe until recently, but AI is picking up Estonian at an alarming pace. Still, if a person's use of language is painstakingly polite, their sentence structure reminiscent of English and their declensions and grammatical persons all over the place, it pays to be cautious.
This raises the question of what one should publicly post about oneself. Your data can be harvested from consumer games, personality tests, online games and social media, especially if you have a public account. Together it makes for a detailed profile of a person's convictions, personal data, appearance and communication history.
So what, you ask. Well, imagine a situation when someone sounding exactly like you calls your grandmother to tell her that you need a large sum of money or something terrible will happen to you. Or if a similar call is placed by your child. Facebook video calls make such attempts look especially credible.
What happens to wayward data?
But what happens to data once it's swiped from Apotheka and PetCity? The classic dark web business model suggests data that leaked from Allium UPI can be bought in the form of a well-structured database for a few hundred euros.
New databases are merged with existing data to build an increasingly detailed profile of the individual, and information on over-the-counter drugs and food supplements adds a lot to it. The existing profile is based on earlier data leaks that bots have scoured the web for and also includes data voluntarily shared with dubious websites and online shops.
Interestingly, the data of people who have already fallen victim to scams can also be bought. It turns out that quite a lot of people who have been had fail to learn their lesson the first time, and conning them a second time is easier than landing a new victim.
Lists of profiled persons make for more expensive items. These can be analyzed, turned into products and sold as a full fraud package that includes data, weaknesses, habits and the person's credit solvency. A scheme and different scenarios for orchestrating the fraud have also been included. Such ready-made campaigns are used by major organizations and small fish alike. The further removed one is from physically taking the money from the victim, the lower the risk of punishment.
Law lacks concrete implementing provisions
Because ensuring the normal functioning of everyday life requires data, our environment needs to be securely regulated. Only then can we trust businesses and organizations to which we surrender our data. That is why the government has provided in a regulation that our public sector needs to meet the Estonian Information Security Standard (E-ITS), with compliance monitored by the Information System Agency (RIA).
It's been years since the EU issued its General Data Protection Regulation (GDPR), according to which people should not be asked for unnecessary information and their data needs to be safeguarded. Monitoring the application of GDPR falls to the Data Protection Inspectorate (AKI).
When Estonia adopted the GDPR in 2018, many companies were fearful of what would happen as data policy had been very weak until then. People were afraid of colossal European fines and the rules seemed as strict as they were confusing.
Five years down the line, nothing much has happened. There have been security breaches. There have also been injunctions and scandals. But what about those involved? At most they have gotten a slap on the wrist. That is because while we have the law, it lacks concrete implementing provisions.
When the GDPR landed, two EU member states, namely Estonia and Denmark, even lacked the concept of an administrative fine for the purposes of data protection. Fines must be rooted either in criminal procedure in the case of companies or in administrative supervision in the case of public institutions.
In 2020, the Ministry of Justice attempted to establish an administrative fine as such and drafted a bill. Neither a study by the University of Tartu Law Faculty nor the chancellor of justice were particularly convinced of its necessity. In 2022, the bill even went to a reading in the Riigikogu, but failed. Estonia still lacks court decisions regarding GDPR violations, hence judicial clarity is absent.
Last November, following the data breach incident at East Tallinn Central Hospital, AKI gained a lever for implementing the GDPR. The Penal Code was amended to include a reference to special laws that allow for higher fines for misdemeanors compared to the general order. This reference enables the processing of violations arising from the Personal Data Protection Act in the prescribed misdemeanor procedure, allowing for fines reaching into the millions.
The assumptions of liability for legal entities were also expanded. Previously, intent had to be proven within the management; now, cases of negligence can also result in punishment. Responsible processors have a number of obligations under the GDPR, violations of which can lead to sanctions against the legal entity responsible.
Before, the presumption of liability only applied to actions committed in the interests of the legal entity by a designated group of individuals. With the change, a legal entity is also liable if the breach of data protection obligations is committed by any person due to inadequate work organization. These changes do not affect public sector institutions, which are still subject to administrative supervision under the Government of the Republic Act.
We must acknowledge that the situation is somewhat contradictory. The public sector likely has the largest database of information about citizens and others connected to Estonia, yet its accountability for mistakes is less stringent than in the private sector.
Thus, it is no surprise when the Estonian Information System Authority receives notifications about various cybersecurity incidents occurring in public sector institutions and AKI has to issue directives to the Ministry of the Interior. There simply are no effective and straightforward means to motivate the public sector to avoid violations of data protection laws.
As a society, our business culture has shifted from being cautious about GDPR to being negligent about data protection. As AKI stated following the Allium UPI breach, it took only minutes from system penetration to data download. It remains to be seen how the investigation of this latest breach will proceed, what will be discovered and whether anyone will be held accountable.
The damage is done. The profiles of many people, including myself, have certainly been enriched or exposed on the dark web. I urge everyone to protect their own data and advocate for reasonable data collection because no one else will do it for us. If you feel your data is being collected excessively or stored poorly, AKI can also help, although their budget, given the magnitude of the problem, is minuscule.
Editor: Marcus Turovski