The victims of this latest ransomware attack are among the most vulnerable in society — those who have lost their jobs or whose jobs have been furloughed.
Spain’s employment service (SEPE) was hit by a ransomware attack last Tuesday that paralysed all of its online processes. The attack forced the suspension of virtually all activities at the organisation’s 700+ offices, including telephone assistance. Employees were ordered to turn off their computers and revert to using pen and paper. For the last five working days they have been unable to process any request for personal information or manage new registrations of dismissed workers, job seekers or requests for benefits. Things are only just beginning to return to some semblance of normality today.
The Ryuk ransomware virus used in the attack is famed for targeting large, public-entity Microsoft Windows cybersystems. It encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. According to El País, the Ryuk strain used to target SEPE is more virulent than former strains. It can even infect computers that are switched off.
Prior victims of Ryuk attacks include US newspapers such as the LA Times and hospitals and schools in the US, Germany and the UK. In this case the victims are among the most vulnerable in society — those who have lost their jobs or whose jobs have been temporarily suspended. In Spain, home to the highest unemployment rate in the Euro Area, they are legion. In total, 2.73 million people depend on SEPE for funds, including my wife who is currently furloughed.
Stretched to Breaking Point
SEPE is responsible for processing unemployment and furlough claims and payments. Long before last week’s attack, it had already been stretched to breaking point by the sheer number of applications for furlough payments in the early months of the virus crisis. At the height of last year’s lockdown some 4.5 million people were on furlough or receiving self-employed assistance. That number steadily declined as many returned to their jobs, reaching just under a million in February.
But the dole queue has grown steadily, reaching a four-year high of 4.08 million in February. That’s the equivalent of 16.1% of the working population. It’s more than a million less than the historic peak registered in 2013, when the unemployment rate hit 26%. But almost a million people are currently furloughed and don’t count as “unemployed.” Many of their jobs will end up being destroyed.
The outlook is particularly bleak for Spain’s youth, who already bore the brunt of the last crisis. Many of the best and brightest have since left the country for greener pastures. Yet despite suffering one of the worst brain drains in Europe, the official jobless rate for those under 25 still remains above 40% — the highest level in Europe. The 30-39 age group also lost ground during the post-crisis years. Many of the young Spaniards that do have work aren’t earning enough money or don’t have enough job security to rent an apartment. This may partly explain why Spain has become a squatter’s paradise.
Another Jobs Crisis Beckons
Unemployment in Spain is almost certain to continue rising this year as many furloughed workers join the dole queue. According to the Bank of Spain, the unemployment rate could even cross the 20% threshold again. If so, it would be the fourth time it has happened since 1984.
Spain’s jobs market has been a sorry mess for a long time for a number of reasons, including:
- Its huge informal sector. Spain, like Greece and Italy, is home to a vast submerged economy. Hundreds of thousands of workers have no contracts and pay no taxes or social security. As such, the number of unemployed — while still painfully high — is almost certainly smaller than official figures suggest.
- The acute seasonality of its biggest jobs generator, tourism. After the decline of the construction sector during the housing crisis (2008-12), the tourism industry took its place as the biggest employment generator. It is now in the midst of its own crisis. But even before the pandemic, workers in the sector earned a miserly median wage of just €14,000 — 48% less than their counterparts in the construction industry before the housing crisis. And most of the work is more precarious due to the seasonal nature of tourism.
- The bipolar nature of Spain’s labor contracts. Employment contracts for permanent jobs in Spain are exceptionally rigid and generous when it comes to redundancies. For contracts signed before 2012, workers receive up to 45 days’ severance pay for each year worked. This makes it prohibitively costly for companies to lay off workers. To gain some degree of hiring flexibility and reduce fixed costs, companies often use temporary contracts. Many abuse them. The inevitable result is a two-track labor market that encourages employers to create precarious, short-term jobs and discourages them from hiring young people as permanent employees. At the end of last year, a quarter of all jobs in Spain had temporary contracts. In the public sector, the ratio reached 29%.
As Spain’s jobs crisis has deteriorated in the pandemic’s wake, SEPE has been pushed to the limit. At the start of the lockdown, the organization had to shift many of its processes online, but it has struggled to cope with the sheer volume of applications. Unions complained that the organization was understaffed. By late summer many new unemployment claimants were having to wait months before receiving their first check. This trend is likely to get even worse after the Ryuk ransomware attack.
An Easy Target
SEPE’s director, Gerardo Gutiérrez, has called for “calm” and assured the public that servers, personal data and the programs used to manage benefits have not been affected, and that payments would continue as normal. The same cannot be said for new applications, which will now take even longer to process. On Tuesday, a whole week after the attack, the system is only just beginning to come back online. We’ll probably never know how much the government paid the hackers to end the siege.
One thing that is clear is that SEPE was an easy target due to its archaic IT infrastructure and systems. Even before last year’s lockdown, unions were demanding more investment to update equipment, which is on average 30 years old. Many SEPE officials have been working from home, sometimes on their own PCs, which makes the system an even easier target for hackers.
Some Spanish government institutions are better equipped when it comes to IT security, including the Tax Office and the Ministry of Defense. Others, such as the public health and education systems, are, like SEPE, using equipment, programs and systems that belong to a bygone age.
But it’s not just under-funded, poorly organized government bodies that are falling victim to cyber attacks. Many of the world’s biggest, most sophisticated companies have become targets. In 2018, a group of hackers pulled off a $20 million virtual bank heist by targeting Mexico’s inter-bank payments system (SPEI). Last April, the Financial Stability Board (FSB) warned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”
As more and more of our activities have shifted online, it is becoming increasingly clear that no one — not even tech giants like Google and Microsoft — can offer complete protection of the data they store. As we grow more and more dependent on the Internet for just about everything, our data has never been more fragile.
This is great news for hackers, whose ranks are burgeoning as more and more criminals get with the times and move online. But it’s bad news for the general public, especially given the haste with which governments and companies are trying to roll out digital vaccine passports that could end up including our most sensitive data of all: our biometric data.