As the European Union’s General Data Protection Regulation (GDPR) swings into action, there has been little focus on how it will be exploited by cyber criminals.
The new regulation went live on May 25th and rightly generated a mountain of publicity about compliance and the potential penalties for breach with fines up to €20 million or four per cent of global turnover, whichever is greater.
Yet GDPR may also open the door to new forms of cyberattack, given that all EU citizens now have the right to request from any organisation a full account of all the personal data it holds on them. That will potentially generate a huge flow of requests, which is only set to grow as awareness of the citizens’ rights under the legislation increases.
GDPR compliance goes far deeper than is perceived; it means organisations will have the additional responsibility for data handled by third parties such as partners and contractors. It means organisations must increasingly focus on cybersecurity protection at every touchpoint with the supply chain, using only the best practices and technology available.
Data requests could be a major attack vector
It is entirely feasible for cybercriminals or rogue nation states to use these data requests to orchestrate a new type of distributed denial-of-service (DDoS) attack by flooding websites and customer support centres with thousands of simultaneous requests on prescribed forms – in most cases, PDFs.
This type of attack is relatively straightforward, since it does not require any validation of the sender’s identity. If more than a million connected devices – most of them web cameras – could be employed as a botnet to take down a security website, as was the case with the DDoS attack on KrebsOnSecurity in 2016, then similar bot-driven assaults on any organisation can be accomplished under the guise of GDPR data requests.
Emailed requests will be hugely attractive to cybercriminals
Large organisations will seek to reduce their exposure to this risk by requiring data requests to be submitted in emails. This only opens them up to the greatest danger of all – malicious file attachments.
We already know from a 2017 Verizon survey that 70% of successful malware attacks are launched from malicious email attachments. This year’s Verizon Data Breach Investigations Report confirms the growing extent of the danger. It reveals that companies are almost three times more likely to be breached in social attacks than through technological vulnerabilities and that in 96% of these attacks, emails were employed to lure employees into clicking on malicious attachments or links. Phishing emails were also used to initiate breaches in 70% of attacks perpetrated by nation states or their affiliated groups.
Asking about personal data under GDPR is easier for criminals than social engineering
Unlike “normal” phishing attacks that require significant research on a target, criminals using this method will hardly have to conduct any of the social engineering. It’s a worst-case scenario with organisations legally obliged to respond and under time pressure to do so. However, they have no control over the endpoints, people, devices and electronic documents. Add to this the scale of the problem in a DDoS scenario and it amounts to a significant challenge.
In this flood of data, GDPR may well give criminals an excellent pretext to send disguised email attachments that hide malware triggers in either the file’s functional elements or in its structure. A recent article in the Financial Times highlighted how email-borne threats are commonplace in the financial sector, a favourite target of cybercriminals. However, the extent to which hacking attempts have been successful is still little known, since reporting of “minor” incidents prior to GDPR was not necessary. The new regulation has changed this, requiring companies to notify the relevant authority – the ICO in the UK – within 72 hours of a personal data breach.
Although large organisations such as banks and fund supermarkets could face substantial volumes of email-borne requests, SMEs are also vulnerable. Smaller businesses also have responsibility for data handled by third parties, including contractors and partners. Should personal data be stolen from those third parties, SMEs will similarly find themselves in the firing line.
Devil in the detail
Chris Wright, chief executive of GDPRi, believes that a clause hidden away in Article 82 of the EU regulation could be particularly problematic. It reads: “Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
The liability of both ‘controller and processor’ means the organisation handling the data can be sued as well as the company whose data has been stolen, and the fact that companies can be sued for non-material damages potentially opens the floodgates to US-style lawsuits.
According to UK law firm Hugh James, it seems that claimants could bring compensation claims even if the damage suffered is very minor or if they have not suffered a financial loss arising from a GDPR infringement. Such a claim could include, but is not limited to, distress, anxiety and/or reputational damage.
Organisations need innovative security to protect themselves from GDPR-related threats
Faced with these burgeoning threats, organisations need to focus on upgrading their defences with innovative technologies that counter the principal source of danger – email attachments. For example, file-regeneration and sanitisation techniques have proven to be a highly effective defence against even unknown or zero-day malware. This technology rebuilds a file so that it conforms exactly to its manufacturer’s published standard for the format, excluding any rogue code or imperfections, all in fractions of a second. The regenerated file, whether it is a Word document or PDF, is free of malicious code, since file-regeneration solutions recreate the document to a standard of “known good” rather than attempting to recognise what is bad, making it safe to use inside the organisation.
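To make the “known good” rebuild idea concrete, here is an added Python illustration (example code written for this page, not the article’s own nor any vendor’s product) that regenerates a constructed one-page PDF: it keeps only the parsed page-structure objects, strips action keys such as /OpenAction, drops the script object they point at, and writes a fresh cross-reference table and trailer instead of copying the input’s. The sample PDF, the key list and the regular expressions are deliberately minimal assumptions for the demonstration; a production regenerator parses the full format rather than matching patterns.

```python
import re

# Constructed sample: a one-page PDF whose catalog auto-runs a JavaScript action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (constructed-sample-script) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n")

# Keys that attach actions or active content to a dictionary (illustrative, not
# exhaustive), followed by one simple value form; nested dictionaries are not handled.
ACTIVE_KEY_RE = re.compile(
    rb"/(?:OpenAction|AA|JS|JavaScript|Launch|RichMedia)\s*"
    rb"(?:\d+\s+\d+\s+R|\([^)]*\)|<<[^>]*>>|\[[^\]]*\]|/\w+)")
# Objects that *are* active content: script/launch actions and embedded files.
ACTIVE_OBJ_RE = re.compile(rb"/S\s*/(?:JavaScript|Launch)|/Type\s*/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.DOTALL)
ROOT_RE = re.compile(rb"/Root\s+(\d+\s+\d+\s+R)")

def regenerate_pdf(data: bytes):
    """Rebuild a PDF from only the objects we parsed and accept: active-content
    keys are stripped, action/embedded-file objects are dropped, and the xref
    table and trailer are written fresh rather than copied from the input.
    Returns (new_pdf_bytes, sorted list of dropped object numbers)."""
    kept, dropped = {}, []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        if ACTIVE_OBJ_RE.search(body):
            dropped.append(num)
            continue
        kept[num] = ACTIVE_KEY_RE.sub(b"", body)
    root = ROOT_RE.search(data)
    if not root or int(root.group(1).split()[0]) not in kept:
        raise ValueError("no usable /Root object; refusing to regenerate")
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num in sorted(kept):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, kept[num])
    size, xref_pos = max(kept) + 1, len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):  # numbers of dropped objects become free entries
        out += (b"%010d 00000 n \n" % offsets[num]) if num in kept else b"0000000000 65535 f \n"
    out += (b"trailer\n<< /Size %d /Root %s >>\nstartxref\n%d\n%%%%EOF\n"
            % (size, root.group(1), xref_pos))
    return bytes(out), sorted(dropped)

if __name__ == "__main__":
    clean, gone = regenerate_pdf(SAMPLE_PDF)
    print("dropped objects:", gone)
    print(clean.decode("latin-1"))
```

Running it prints the regenerated file with object 4 gone, the catalog’s /OpenAction removed and byte offsets in the new xref that match where each surviving object was written.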
GDPR may have caused a flurry of activity around compliance which may die down now that the regulation is in force. But if organisations are to protect themselves against the most likely source of breaches – malicious code in email attachments – they will need to increase investment in more innovative technologies such as file-regeneration.