What can we learn from the biggest cyber-attacks of 2017 ahead of GDPR (General Data Protection Regulation)?
When it comes to IT, 2017 will no doubt be remembered for the proliferation of cyber-attacks making the news almost daily. So common were they that 2017 was even dubbed the 'year of the cyber-attack'.
Ransomware and data breaches in particular stole the headlines, and GDPR gives attackers a new lever to pull in both. Heimdal Security researchers have concluded that GDPR (General Data Protection Regulation) will drive hackers to target your data with more ferocity than ever: steal it or encrypt it, then use the threat of an eye-watering GDPR fine to extort a ransom.
With all of the scaremongering around fines of up to 4% of global annual turnover or €20m (whichever is higher), it's easy to see why paying hackers to return or decrypt your data would be tempting. Hackers will demand a ransom pitched well below the headline GDPR fine precisely to make paying up look like the cheaper option.
Here, we look at two of the biggest cyber-attacks that hit mainstream media headlines and analyse how the business could have been impacted were GDPR in place.
Equifax
A worldwide headline-grabber, the Equifax hack saw the data of over 145 million consumers compromised. The majority of victims are US residents, but the data of some Canadian and UK citizens was also affected. In its original report of the breach, Equifax said that the compromised data included names, dates of birth, social security numbers and, for some, credit card and driver's licence numbers.
It has since been revealed that more customer data was exposed than first thought: email addresses, tax ID numbers and further driver's licence and credit card details, including card expiry dates, were also taken. Equifax has been heavily criticised by Senator Elizabeth Warren, who argues the company covered up the extent of the breach.
Equifax waited around six weeks to disclose the breach publicly; in the US there is no federal law setting a deadline for doing so. Under GDPR, Equifax would have breached the notification requirement, under which a controller must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, where feasible, and must justify any delay beyond that. The business learned of the attack on 29 July 2017 but did not disclose it until 7 September, way past the 72-hour deadline. Failing to notify can incur fines of up to €10m or 2% of global annual turnover, whichever is higher.
The hack exploited a flaw in Apache Struts, the web application framework behind Equifax's online dispute portal, where customers contest their credit reports. The flaw (CVE-2017-5638, a remote code execution bug in Struts 2) had a patch available from March 2017, months before the attack, and Equifax knew about it. GDPR requires appropriate technical and organisational security measures (Article 32), and a breach notification must describe the measures taken or proposed to address the breach; leaving a known, patchable remote code execution flaw exposed on an internet-facing application for months will not help Equifax's case.
Uber
Technically this hack occurred in October 2016, but it hit the news in November 2017, when Uber finally disclosed it, more than a year after the fact. The company has come under fire for covering up a breach that exposed the data of 57 million riders and drivers, and for paying the hackers $100,000 to keep it quiet. The stolen information included names, email addresses and phone numbers but, according to Uber, no financial information; for around 600,000 US drivers it also included driver's licence numbers.
The attackers got in through a private GitHub repository used by Uber engineers. In that repository they found the credentials (an access key) for Uber's Amazon Web Services account, and with those credentials they reached the AWS storage holding the Personally Identifiable Information (PII).
Under GDPR, Uber would likely be hit with the severest fines, for two reasons. The breach compromised PII on tens of millions of people, and it happened in a way that regulators could reasonably call lax: Uber had committed its Amazon Web Services credentials to a GitHub repository, while the rider and driver data was held in Amazon Web Services. Senior Security Engineer James Maude said it was "the digital equivalent of writing the password down on a bit of paper." A long-lived access key checked into source control is a single static secret: anyone who can read the repository, or a leaked clone of it, holds that key until it is rotated, and the commit history keeps it even after the file is deleted.
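The Uber leak is exactly the failure a pre-commit secret scan is meant to catch. The following is an added example written for this article, not Uber's or GitHub's tooling: it scans a file, or only the added lines of a staged diff, for AWS-style access keys. The patterns follow the key formats AWS documents (a 20-character ID starting with AKIA or ASIA, a 40-character secret), the entropy threshold of 3.0 bits per character is an assumption chosen to drop obvious placeholders, and the sample inputs are constructed, using the placeholder key pair from AWS's own documentation rather than a live credential.

```python
"""Scan committed text for leaked AWS credentials.

Added example for this article; it is not Uber's or GitHub's tooling.
The key values in the sample input are the placeholder key pair that AWS
uses in its own documentation, and the file and diff contents are constructed.
"""
import math
import re
from collections import Counter

# Long-lived IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are followed by 16 upper-case alphanumeric characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters from the base64 alphabet. That alone
# also matches git SHA-1s and other 40-character tokens, so require an
# assignment to a secret-key-like variable name on the same line.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Assumed threshold: real secrets are high-entropy, placeholders such as
# 'xxxx...' are not. 3.0 bits/char comfortably separates the two.
MIN_SECRET_ENTROPY_BITS = 3.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a run of one symbol)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Keep only the first and last four characters for a report line."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line_no, kind, redacted_value) for each credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY_BITS:
                findings.append((lineno, "aws_secret_access_key", redact(candidate)))
    return findings


def scan_unified_diff(diff_text):
    """Scan only the added lines of a unified diff, as a pre-commit hook would.

    Reported line numbers are positions within the diff text itself, which is
    what the person reviewing the staged change is looking at.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            for _, kind, value in scan_text(line[1:]):
                findings.append((lineno, kind, value))
    return findings


# Constructed sample: a settings file that should never have been committed.
SAMPLE_CONFIG = """\
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
# placeholder left in a template; low entropy, so not reported
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# a git object id is 40 chars but is not assigned to a secret variable
last_deploy = 3f2a9c1d4e5b6a7f8091a2b3c4d5e6f708192a3b
"""

# Constructed sample: the same leak seen as a staged change about to be committed.
SAMPLE_DIFF = """\
diff --git a/config/settings.env b/config/settings.env
--- a/config/settings.env
+++ b/config/settings.env
@@ -1,2 +1,4 @@
 DB_HOST=db.internal
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
 DB_NAME=riders
"""

if __name__ == "__main__":
    for finding in scan_unified_diff(SAMPLE_DIFF):
        print("leaked credential on diff line %d: %s %s" % finding)
```

Run against the constructed diff, the scanner reports the access key ID on diff line 6 and the secret on line 7, while the placeholder and the commit hash in the config sample are left alone. A scanner like this is a safety net, not the fix: the fix is to have no long-lived key in the repository at all, by giving the workload an IAM role and, where a static key is unavoidable, keeping it in a secrets store and rotating it, because anything that has ever been committed must be treated as already leaked.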
Uber will likely face even harsher punishment for the cover-up. Not only did it fail to inform regulators and the individuals affected, it paid the hackers $100,000 to delete the data and keep quiet. GDPR is not yet in force, but concealing a data breach is already illegal in many of the countries in which Uber operates. Under GDPR, Uber would have had to report the breach to the supervisory authority within 72 hours of becoming aware of it (Article 33) and, given the risk to those affected, to tell the individuals themselves without undue delay (Article 34).
What can we learn?
In both of these cases, the companies sat on the breach rather than disclosing it within an adequate time. Although the Equifax breach overwhelmingly affects US consumers, GDPR will apply to any business established in the EU, and to any business anywhere that offers goods or services to, or monitors the behaviour of, individuals in the EU.
The unusual case of Uber's cover-up and payment to its hackers has raised concerns that this could become common practice under GDPR. Heimdal Security researchers have concluded that hackers will likely use the eye-watering headline fines of €20m or 4% of global annual turnover, whichever figure is higher, as leverage to extort businesses out of thousands or even millions of pounds.
It's easy to see why paying a hacker, or group of hackers, to return your data (or delete data they've stolen) and keep the breach a secret would be tempting. Not only is there the risk of a financial penalty from the ICO (the UK's Information Commissioner's Office), there is severe reputational damage attached to a data breach. However, as these two hacks show, the truth eventually comes out, and a paid-off attacker still holds a copy of your data and now knows you will pay.
It's key to remember that the ICO isn't out to make examples of businesses. Failing to disclose a hack can have more severe repercussions than the hack itself, and if your business can show it had appropriate technical and organisational security measures in place, that counts in your favour when any fine is set (GDPR Article 83(2)), although it is no guarantee of avoiding one altogether.