Cryptojacking is the newest cyber threat that companies are facing. It involves hackers accessing company servers in order to steal processing power, which is then used to mine cryptocurrencies.
With the recent increase in value of digital assets such as bitcoin, Ether, and Monero, it is not surprising that criminal hackers and rogue states are looking for ways to acquire these currencies, which they can use anonymously for various legal and illegal purposes. One way to accomplish this is to steal them. In the summer of 2017, for example, North Korean hackers breached a server at a South Korean company to steal 70 Monero tokens. Another way to acquire cryptocurrencies is to “mine” them, which happens when “miners” use a software program to perform a set of prescribed, complex mathematical calculations in order to confirm transactions on a distributed ledger called a “blockchain,” thereby creating new tokens. As more tokens are created and their value increases, it becomes increasingly difficult and expensive to generate the computational power and electricity needed to compete with other miners and earn new tokens. Through cryptojacking, hackers steal the processing power and electricity needed to conduct their cryptomining operations effectively.
Recent cryptojacking attacks have employed “WannaMine” malware, which the cybersecurity industry first identified in October 2017. WannaMine makes use of EternalBlue, a Windows exploit developed by the National Security Agency (NSA), which is the same exploit employed in the WannaCry ransomware attack that affected computers in 150 countries across the globe in May 2017. Once an attacker infects a computer system with WannaMine, the malware surreptitiously commandeers CPU power in order to mine cryptocurrencies and then transfers those assets to the attacker.
Cryptojacking is different from other cyber attacks because it does not involve accessing, altering, or destroying any company data or personal information. Therefore, cryptojacking generally does not trigger any of the usual statutory breach notification requirements. But that does not mean cryptojacking is harmless. The mining process deployed by the WannaMine malware can siphon away a substantial amount of computing power and can take priority over legitimate activities performed by the system, both of which, in turn, can negatively affect the responsiveness, capacity, and stability of the system. This operation also consumes processing power that would otherwise remain idle, resulting in higher energy costs and a shorter life for system components. Moreover, in certain instances, the same exploit used by WannaMine can also be used to access and exfiltrate sensitive personal or business information, or to explore other vulnerabilities in a company’s technology infrastructure.
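As an added illustration of the CPU-siphoning effect described above (this is example code written for this page, not code from the original article and not a WannaMine signature), the following Python check flags any process that holds a high CPU share across several consecutive telemetry samples, the pattern a defender would expect a miner to leave. The log format, host names, process names and CPU figures are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: one line per (timestamp, host, process, cpu%).
# These are made-up values for the example, not data from any real incident.
SAMPLE_LOG = """\
2018-03-01T10:00:00 host=db01 proc=sqlservr.exe cpu=35
2018-03-01T10:00:00 host=db01 proc=svcupdate.exe cpu=92
2018-03-01T10:05:00 host=db01 proc=sqlservr.exe cpu=12
2018-03-01T10:05:00 host=db01 proc=svcupdate.exe cpu=95
2018-03-01T10:10:00 host=db01 proc=svcupdate.exe cpu=97
2018-03-01T10:00:00 host=web02 proc=w3wp.exe cpu=88
2018-03-01T10:05:00 host=web02 proc=w3wp.exe cpu=20
2018-03-01T10:10:00 host=web02 proc=w3wp.exe cpu=15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) cpu=(?P<cpu>\d+)$"
)


def parse_samples(text):
    """Yield (host, proc, ts, cpu) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["host"], m["proc"], m["ts"], int(m["cpu"])


def find_sustained_cpu(text, threshold=85, min_consecutive=3):
    """Return sorted (host, proc) pairs whose CPU share stayed at or above
    `threshold` percent for at least `min_consecutive` consecutive samples.
    A single busy sample (a legitimate burst) is not enough to be flagged."""
    series = defaultdict(list)
    for host, proc, ts, cpu in parse_samples(text):
        series[(host, proc)].append((ts, cpu))
    suspects = []
    for key, samples in series.items():
        samples.sort()  # ISO-8601 timestamps sort correctly as strings
        run = 0
        for _, cpu in samples:
            run = run + 1 if cpu >= threshold else 0
            if run >= min_consecutive:
                suspects.append(key)
                break
    return sorted(suspects)
```

In the constructed data, the web server's one-off 88% sample is ignored while the unfamiliar process pegged above 85% for three samples is reported; in practice the flagged process would then be compared against the host's expected software inventory.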
Cryptojacking is the latest example of how breach notification regulations lag behind real-world threats. When ransomware first surfaced as a significant threat around 2012, it was not covered by breach notification regulations because it didn’t involve access to sensitive data, it just rendered such data unavailable to the user. However, new rules followed that added notification obligations where data may not have been accessed, but was encrypted or rendered inaccessible. For example, in July 2016, the Department of Health and Human Services advised HIPAA-regulated entities that unless they can demonstrate that there is a “low probability that [personal health information] has been compromised” by a ransomware attack, “a breach of [personal health information] is presumed to have occurred.” Similarly, the forthcoming EU General Data Protection Regulation is expected to treat a ransomware attack that encrypts the only copy of a set of personal data as a loss of personal data for which breach notifications may arise.
Whether governments will amend their breach notification rules to cover cryptojacking attacks—perhaps by requiring notification to regulators where servers have been compromised by third parties, and likely are being misused for illegal purposes—remains to be seen. However, companies would be wise not to assume that just because cryptojacking does not currently trigger a breach notification obligation, this means it is not a serious threat that needs to be addressed. Cryptojackers gain unauthorized access to a company’s computer system, which may disrupt functionality, delay or prevent legitimate queries, force the system offline altogether, or introduce additional malware that does more than just mine for Monero.
See Article 29 Working Party, Guidelines on Personal Data Breach Notification under Regulation 2016/679, at 5, available at: http://ec.europa.eu/newsroom/document.cfm?doc_id=47741.