According to the Belgian SPF Economy, in 2022 almost a third (31.8%) of medium-sized Belgian SMEs (50+ employees) experienced an IT security incident or cyber attack resulting in the unavailability of IT services (29.7%), the destruction or corruption of data (3.6%) or the disclosure of confidential data (2.4%). Micro-businesses (fewer than 10 employees) have not been spared: 11% of them also suffered this type of incident 1.
According to a Proximus survey conducted in 2022 2, almost half of all cyber security incidents have a negative financial impact. For 37% of companies, the impact is more than €10,000 and for 11% more than €100,000.
All businesses therefore need to take a number of preventive measures to protect themselves against potential cyber attacks. Some of these measures are even relatively simple to put in place, including 3 : updating your software and operating systems; making regular back-ups of your data; using two-factor authentication methods. However, despite all your precautions, your company may find itself the victim of a cyber attack. In this case, it may be difficult for you to understand what is happening to you and to know what to do.
What about it from a legal point of view?
- Identify the type of attack suffered.
- A closer look at phishing and ransomware
- How do you react to a cyber attack?
- File a complaint with the police
Identify the type of cyber attack suffered
The first step is to legally qualify the offence of which you are a victim. In order to achieve this, a number of legal clarifications need to be made.
In 2001, our legislator added a new law 4 to our legal arsenal to combat cybercrime effectively.
This fairly comprehensive law is intended to be technologically neutral. This notion implies that the terms used are sufficiently broad and neutral to enable it to survive technological change and to be applied to new situations without having to be amended.
On first reading, the vocabulary used in this law may appear complex. For example, the terms phishing, virus and ransomware do not appear in the text. Don’t panic: their absence does not mean impunity. These cyber attacks are simply covered by broader “umbrella” terms.
Four criminal offences, all introduced by the 2001 law mentioned above, are mainly used 5 to legally qualify a cyber attack.
What are they?
Computer forgery
Firstly, there is the offence of computer forgery 6, although it is not strictly speaking an attack. Computer forgery involves altering the truth by falsifying (including introducing, modifying, deleting, etc.) data stored, processed or transmitted by a computer system. These data must have a legal scope and this scope must be altered by the action taken 7.
By way of example, computer forgery includes offences such as counterfeiting credit cards or altering provisions in a digital contract (e.g. the amount due for a service or the deletion of a penalty clause) 8.
Computer fraud
Secondly, there is computer fraud 9 which is the offence of manipulating computer data in order to obtain an illegal economic advantage for oneself or for others.
Unlike swindling (ordinary fraud) 10, which involves deceiving a person, computer fraud involves deceiving a machine 11. Fraud committed during online sales (for example via a fake sales site or a fake advert on a site such as eBay, Immoweb or Autoscout) therefore constitutes swindling and not computer fraud 12.
What is meant by machine deception?
To clarify the situation, the following is a list of case law:
- illegal copying of data recorded on the magnetic strip of a payment card (skimming) 13 ;
- the use of a falsified bank card to make undue electronic withdrawals and payments 14 ;
- misuse of a business credit card for private purposes 15 ;
- the modification by a civil servant, thanks to his access to the computer system, of tax data in order to obtain a refund from the State 16.
Hacking
The third offence is probably the best known: the unauthorised access to a computer system 17 (hacking). Hacking can be defined as “the act of entering or remaining in a computer system without having the necessary authorisation to do so” 18.
Hacking can occur without causing any damage. Nor is there any requirement to break in or bypass a security mechanism: simply accessing the system knowingly and without authorisation is enough to be incriminated 19. The target does not have to be a computer either. A smartphone, a GPS device, a smart card or an electronic diary are all computer systems within the meaning of the law 20.
To cite a few examples, case law considers hacking to be :
- breaking into an e-mail account and changing its password, as well as modifying the person’s CV on job search sites 21 ;
- connecting to someone else’s unprotected wireless network without their authorisation 22 ;
- breaking into an employee’s computer to install a keylogger and record the employee’s keyboard activity 23.
Computer sabotage
Finally, there is computer sabotage 24, the offence that incriminates “anyone who, knowing that he/she is not authorised to do so, directly or indirectly, introduces into the system, modifies or deletes data, or who modifies by any technological means the normal use of data in a computer system” 25. With this provision, the legislator protects the intangible data held on computer hardware.
In concrete terms, sabotage covers deleting files 26 or changing a password on a website 27, but it also covers both the designer of a virus and the person who distributes or markets it 28. Note, however, that special intent is required, i.e. the offender must have wanted the result 29. It is this intentional element that prevents someone who unknowingly forwards a virus by e-mail from being convicted 30.
A closer look at phishing and ransomware
Now that we’ve covered the main legal concepts relating to cyber-crimes, let’s take a look at two cyber-attacks mentioned earlier: phishing and ransomware.
Phishing
Phishing consists of deceiving the Internet user “in order to obtain personal and confidential data (credit card number, identity card number or national register number, password, etc.), most often by sending an e-mail pretending to be a bank, an online service provider or merchant site” 31.
Phishing is the most widespread online attack and the leading initial vector of successful cyber attacks worldwide 32. During the first half of 2023, almost 4.4 million messages were reported to Safeonweb.be via the suspect@safeonweb.be mailbox, resulting in the blocking of more than 320,000 suspicious links 33. The cost is as impressive as the volume: in 2022, 39.8 million euros were stolen using this method 34.
Under criminal law, phishing is more closely related to fraud 35 and breach of trust 36 than to computer fraud.
As explained above, it is an individual who is the target of the deception, not a machine37. And that’s what makes it so complicated. Despite awareness campaigns, no one is immune from a moment of credulity.
Ransomware
Alongside phishing, ransomware deserves particular attention. Although less frequent, its effects can be devastating. It can be defined as “a type of malware designed to hack into computers and force victims to pay a ransom to have their files decrypted” 38. Infection typically occurs via spear phishing (opening an infected e-mail attachment) or by visiting a compromised web page that triggers an automatic, so-called drive-by, download 39.
We still remember the WannaCry ransomware which, in just a few days in 2017, infected more than 220,000 computers in 150 countries, spreading on its own between Windows machines through a vulnerability in the SMB file-sharing protocol. It encrypted the files on infected devices and threatened to delete them if a bitcoin ransom was not paid within 7 days. Although few victims paid, the consequences were far-reaching, particularly in the UK, where the government estimated the losses caused by the infection and the paralysis of a third of NHS trusts at £92 million. Worldwide, the figure rises to 4 billion dollars 40. The US and UK governments have since publicly attributed the attack to North Korean state-linked actors, but nobody has been brought to trial.
Under criminal law, ransomware falls within the scope of several offences 41, such as extortion 42, computer fraud 43, hacking 44 and computer sabotage 45.
How do you react to a cyber attack?
Imagine that, despite all your precautions, you fall victim to a cyber attack. You now need to act, but without rushing. Every cyber attack is different, and the practical responses are complex and varied, so don’t hesitate to seek advice from both lawyers and IT experts.
Nevertheless, there are some relatively simple steps that can and must be taken.
If you are a victim of phishing and have given out your bank details, the first thing to do is block your payment card by calling Card Stop on 078 170 170. If you entered a password, change it on that service and on every other account where you reused it, and enable two-factor authentication where available. You can also forward the message to suspect@safeonweb.be to help the authorities identify and block messages of the same type.
If you are a victim of ransomware, follow Europol’s advice: don’t pay the ransom! Apart from the fact that you have no guarantee of actually recovering your data after payment, you would be encouraging the criminals to continue and giving them more financial resources. Europol also advises disconnecting the infected device from your network as soon as possible to stop the malware from spreading 46. Do not wipe or reinstall the machine straight away: keep the ransom note and a few encrypted files, since they are needed to identify the ransomware family and serve as evidence. Finally, Europol has set up a library of decryption tools at www.nomoreransom.org. You might just find the ‘antidote’ you need.
File a complaint with the police
This is the first essential step to take. You should lodge a complaint with the local police where your company is based as soon as possible. The earlier you go, the greater your chances of a successful prosecution.
When filing a complaint, do not hesitate to declare yourself an injured party. This entitles you to be informed of the progress of your complaint, for example the opening of an investigation or a possible dismissal of the case, which is not automatic otherwise. You may also attach to your file any document you consider useful 47, such as proof of your loss or anything that may help identify the perpetrator.
It is very important not to alter or destroy any evidence the investigators may ask you for. Try to keep as many traces of the attack as possible 48. To help them, you can, for example, take screenshots and keep the infected e-mail, the encrypted files and any messages received from the attacker 49, preferably without opening or editing them further.
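The point of keeping traces is that investigators can later show the artefacts were not changed after collection. A simple way to support that is to record a cryptographic hash of each file at collection time and re-check it when the file is handed over. The script below is an added example, not part of the original article or any official tool; the file names, the collector name and the sample contents in demo() are constructed for the demonstration.

```python
"""Evidence preservation helper: hash and catalogue artefacts before handing them over.

Added example (not from the original article). Assumes the evidence (screenshots,
saved e-mails, encrypted files, ransom notes) is kept as ordinary files. Nothing here
modifies the files themselves; only a manifest is written beside them.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large encrypted files don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record hash, size and modification time of each artefact (read-only)."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            # the file's own timestamp is recorded as found, not touched
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,   # who collected it (hypothetical name in the demo)
        "entries": entries,
    }


def verify_manifest(manifest):
    """Return (path, reason) for every artefact that is missing or whose hash changed."""
    problems = []
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            problems.append((e["path"], "missing"))
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append((e["path"], "modified"))
    return problems


def demo():
    """Constructed scenario: two artefacts are catalogued, then one is accidentally edited."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    mail = os.path.join(workdir, "phishing_mail.eml")          # constructed sample
    locked = os.path.join(workdir, "invoice.xlsx.locked")     # constructed sample
    with open(mail, "w") as f:
        f.write("From: helpdesk@example.invalid\nSubject: Urgent: confirm your card\n")
    with open(locked, "wb") as f:
        f.write(os.urandom(64))

    manifest = build_manifest([mail, locked], collector="it-admin (constructed)")
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    untouched = verify_manifest(manifest)      # [] while nothing has changed
    with open(mail, "a") as f:                 # simulate opening/saving the mail afterwards
        f.write("X-Note: opened in mail client\n")
    tampered = verify_manifest(manifest)       # [(mail, "modified")]
    return untouched, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before)
    print("after edit: ", after)
```

Run it once right after collecting the artefacts and keep manifest.json with them; a second run of verify_manifest on the same manifest just before handing the files over shows whether anything was changed in the meantime. The manifest proves integrity, not origin: copying the files to read-only media and noting who handled them and when is still needed.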
At the police station, a police inspector will take your statement. Although the field of cybercrime may seem complex, don’t be alarmed. If you have any questions or concerns, contact a lawyer, who will be able to answer them and support you for the rest of the procedure. In addition, for a number of years now, police officers have had access to a tool, CyberAid, which helps them respond effectively to this type of incident and provides practical advice 50.
For complex cases, they can even be assisted by two specialist units: the Federal Computer Crime Unit at national level and the regional Computer Crime Units51.
Compensation
If you are seeking financial compensation for financial loss, you need to bring a civil action. If the public prosecution has already been initiated, you can do so from the investigation phase until the close of the court proceedings 52.
If the public prosecution has not yet been initiated, i.e. no investigating judge has yet been appointed, you may refer the matter to the investigating judge yourself 53. By constituting yourself as a civil party in this way, you force the prosecution to take action. But this comes at a cost. You will be asked to pay a deposit, set by the investigating judge, to cover future legal costs (between €500 and €1,000 for a legal entity). It will be returned to you if the suspect is convicted; if not, in addition to losing your deposit, you could be ordered to pay the costs incurred by the State 54.
Are there any organisations to contact? 55
In the event of a personal data breach, the GDPR requires you, in certain circumstances (unless the breach is unlikely to result in a risk to the persons concerned), to notify the data protection authority. This must be done within 72 hours of becoming aware of the incident. The notification form is available at the following address:
https://www.autoriteprotectiondonnees.be/professionnel/actions/fuites-de-donnees-personnelles.
You can also contact the Cyber Emergency Response Team (CERT.be) to report the incident and obtain assistance. CERT.be is a department of the Centre for Cybersecurity Belgium (CCB), “the federal administration under the authority of the Prime Minister which is responsible for monitoring incidents relating to the security of networks and information systems” 56. Its role is to give companies technical and organisational advice on handling cyber incidents. In practical terms, it can guide you through the steps to take at your level, liaise with the police where a criminal offence is involved and help you deal with the incident.
To contact the Cyber Emergency Response Team, visit https://cert.be/fr/signaler-un-incident or call +32 (0)2 501.05.60.
To sum up
- Belgian legislation provides a comprehensive framework for cybercrime incidents
- Phishing attacks are very common but can largely be countered by adopting the right reflexes
- Report phishing messages to: suspect@safeonweb.be
- In the event of ransomware, do not pay the ransom and consult www.nomoreransom.org
- File a complaint at the nearest police station as soon as possible
- Surround yourself with IT experts and lawyers