Is a ransomware attack a data breach?

Understanding if ransomware is a data breach is vital to determining what response your IT and Legal department needs to take.
Michael Buckbee
1 min read
Last updated October 14, 2022

Ransomware is a loss of control

Most IT people equate exfiltration of data from their network as the point at which control is lost and a data breach has occurred. They think of it like “where are the bits” and if your user database is being passed around the internet via bittorrent and sold off for a .0001 BTC an account you clearly have lost control.

What’s not so obvious is that ransomware (or any form of malware infection) represents a loss of control of the data within your network and that constitutes a data breach.

The proper way to consider it is if a malicious person wandered into your office, walked past the receptionist and security guard, got on the elevator down to the basement, unlocked the door to the server room, logged into your main file server with some stolen admin credentials, encrypted 10,000 random files that your users rely upon for their work and then walked out.

If someone were to perpetrate the above physical attack on your facility it would clearly represent a loss of data control. However, too many sysadmins wrongly consider a ransomware attack as purely internal and not a data breach.

A good conceptual way to think about it as a breach of your control systems, not a breach of the network itself.

Most of the per state data breach response guidelines clearly are modeled after HIPAA regulations which explicitly classify ransomware as a data breach:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Source: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

A ransomware attack is a data breach and organizations should treat it as such.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-difference-between-ssl-and-tls
The Difference Between SSL and TLS
SSL and TLS are used interchangably in conversations as they are incredibly closely related. Knowing the subtle difference is key. 
dns-over-https-as-a-covert-command-and-control-channel
DNS over HTTPS as a covert Command and Control channel
Learn how DNS over HTTPS (DoH) is being actively used as a Command and Control (C2) channel by threat actors.
difference-between-organizational-units-and-active-directory-groups
Difference Between Organizational Units and Active Directory Groups
Active Directory loves hierarchy. Domains, Organizational Units, groups, users, etc. Sometimes it can be confusing—how do I best structure my AD? 
someone-deleted-my-file.-how-can-i-find-out-who?
Someone Deleted My File. How Can I Find Out Who?
If you’ve ever been tasked with recovering a lost file or folder and had to explain exactly what happened (Who moved or deleted it? When did it happen? Why?), you...