by p0llard 2202 days ago
> It depends on how important the company treated its security and how obvious the data leak is.

Indeed. Which allows an attacker who is familiar with previous regulatory action to estimate the fine based on the specific circumstances involved in their attack.

Different sector, different country, different regulatory body, different regulator. Maybe the fines are comparable but I have my doubts that this could ever be a viable strategy.

But in any case that is not the problem of the regulations.

I'm not convinced by this; if a company was approached by an attacker who threatened to

a) Release stolen data;

b) Anonymously supply the regulator with full details of the leak

unless a ransom was paid, I imagine that the threat of an audit and potential regulatory action would be enough to persuade the company to pay the ransom if it believed the cost of the ransom to be lower than the cost of an investigation by the regulator.

The incentive of the GDPR is for the companies to place inherent value in their data safety. So either the companies can pay and not invest in future safety to come out cheaper in the short run with the added risk of future attacks. Or they could cooperate, proactively reach out to regulators with a plan to improve and pay the fine.

Yes, they could.

Or they could pay the ransom, which they deem to be less expensive than dealing with the regulator, and improve their data security to ensure they don't get caught out again.

I fully understand (and support) the reasoning behind GDPR; I just think that in this case there is a path which is easily open to abuse by attackers.