LGPD: Public bodies seek privacy solutions.

Summary

Public institutions are frequent targets of hacker attacks. The reason they are so sought after is that they handle sensitive and confidential information while serving a large portion of the population. 

In short, cybercriminals seek valuable information that can be used to commit other crimes, such as phishing and extortion, or to generate profit. Illegal buyers of such data often pay a high price, which is very attractive to digital attackers.

To address the problem, public bodies need to focus more on their cybersecurity: it is important that they invest in security technology and raise awareness about cybersecurity.

Attacks on public institutions: recent cases in Brazil

In Brazil, we have had recent cases of cyberattacks involving ransomware. In 2021 alone, the Ministry of Health and the Ministry of Economy were attacked, along with four other institutions. Other cases of attacks included the Superior Court of Justice (STJ) in 2020 and the Supreme Federal Court (STF) in 2021-2022.

In the case of the Ministry of Health, on December 10, 2021, criminals gained access to the website and announced on the homepage that internal system data had been copied and deleted. A ransom was demanded for the government to recover the data. In total, more than 50 terabytes of data were deleted.

It was only on January 12, 2022, that the systems affected by the hacker attack were fully restored. As a result of the intrusion, it was not possible to issue vaccination certificates for a few days. 

More security measures must have been implemented in their systems, as well as in other state agencies, which have also been victims of attacks in recent years. 

However, cases like this will not end so quickly, and news of this type will continue to emerge around the world over time.  

In Brazil, all public bodies are required to be 100% compliant with the General Data Protection Law. This includes adopting strategies to minimize the risk of security incidents, bearing in mind that these bodies can be subject to administrative sanctions.

Privacy solutions for public bodies

The LGPD establishes that public bodies must protect all personal data that they possess and must also adopt security measures aimed at protecting it, just as companies must. Furthermore, with the regulation of dosimetry, it will be easier to determine the degree of damage in incident situations from now on.

There are several consequences of violating the data protection rules established by the LGPD (Brazilian General Data Protection Law) and enforced by the ANPD (National Data Protection Authority), which can affect public bodies. 

In short, privacy solutions are a set of measures, policies, and technologies aimed at ensuring the protection of personal data. Examples of privacy solutions include: data encryption, implementation of cybersecurity measures, adoption of transparent data policies, and others that regulate the proper use of personal data. 

For their implementation, solutions can be offered by companies specializing in cybersecurity and privacy. The failure of public bodies to implement a privacy solution constitutes a serious violation of the law and regulations protecting personal data, as it keeps sensitive and personal information of citizens vulnerable and exposed. 

According to the Guidance Guide for Public Authorities, public bodies “must verify whether the information collected is adequate and necessary to meet the purposes for which it will be used.” This information is found on page 22 and in item 90.

In item 53, which concerns the principle of necessity, public bodies must also verify whether the information usually collected from citizens is in fact necessary for the purposes for which it will be used, and the practice of indiscriminate collection of personal data is not permitted, particularly data for which a specific and legitimate purpose has not been identified.  

Monitoring and testing are fundamental.

In conclusion: because public bodies are targets sought by criminals, they should have various tests carried out by professionals who understand the subject, in order to assess how effective their systems currently are against cyber intrusions.

Similarly, within the public sector, as in any other company, employees must be fully committed to the issue. 
