Since the implementation of the EU’s General Data Protection Regulation (GDPR) in May, media reports of data breaches have skyrocketed. British Airways, Facebook, Ticketmaster, and Cathay Pacific are all organisations that have made headlines over the last months showing the breadth of sectors affected worldwide by data compromises.
Compliance-driven pieces have been a relatively common occurrence in the media since the application of GDPR. We however aim to look in this blog post at GDPR from a threat actors’ perspective. With GDPR bringing in major changes on the management and transfer of data, threat actors are likely to find innovative ways to exploit and benefit from these changes.
Although it would seem that breaches have increased since May, it is more likely that breaches have always been prevalent, and that compliance-driven reporting is the reason for this perception. Companies holding a significant amount of personally identifiable information (PII) will remain attractive targets for cybercriminals engaging in fraud, for cyber activists seeking to advertise an operation, or for nation-state groups conducting espionage campaigns and/or information operations.
Other countries have also increasingly adopted similar data protection regulations, China with the 2017 Cybersecurity law (CSL) and Russia with its New Data Protection Law amending the Personal Data Protection Act in 2015, have implemented tighter government controls over data transfers, using a broad definition of personal data. Taking effect in February 2020, The Brazilian General Data Protection Law (LGDP) has established a regulatory framework for the usage and processing of personal data modelled on GDPR.
Despite the many sectoral data protection laws governing the wider US, New York and California are two states that have recently implemented regulatory frameworks also influenced by GDPR. The 25 NYCRR 500 applies to the financial sector, forcing companies to adhere to “minimum security standards”, while the California Consumer Privacy Act (CCPA) gives consumers basic rights over the handling of their personal data. Like New York, Singapore has also proposed mandatory cybersecurity frameworks for financial services organisations, highlighting the increase of sector-specific data regulations as well as overall ones.
With increased media scrutiny, mandatory reporting of data breaches has posed reputational threats for companies, with breaches often resulting in consumers losing trust in the organisation’s ability to provide a “reasonable level of security” for personal data. Following the British Airways data breach, the airline’s impression score, quantified by YouGov’s BrandIndex data tool, lost 10 points. An analysis conducted by Comparitech also showed that stocks usually suffer an immediate decline following a data breach, with large-scale breaches usually having a greater impact on share price than low-level ones.
Instead of focusing on the compliance aspect of GDPR, this blog post looks at how GDPR affects organisations’ threat landscape. The changes brought on by GDPR and other data regulations are likely to have moved beyond the realms of compliance, including influencing threat actor motivations and intent. Firstly, the 72-hour window following discovery of a breach during which organisations must inform affected customers is likely to provide an opportunity for threat actors to target the organisation in question, before it has been able to put proper mitigation procedures in place.
As well as providing attackers with a window of opportunity, mandatory reporting can also influence other threat actors in the tactics, techniques, and procedures (TTPs) they decide to deploy. Following the British Airways breach, which was associated with the cybercriminal group Magecart, extensive reporting explained the techniques and tools employed by the group who performed malicious code injection. Detailed reporting of incidents is likely to provide inspiration for threat actors who could use similar methods against organisations before they can modify their security controls accordingly.
On 28 September 2018, Facebook reported that hackers had compromised details of over 50 million users exploiting a vulnerability in Facebook’s View As and video posting features. Deep web monitoring discovered that the vulnerability had been discussed on a Russian cybercriminal underground forum two weeks prior to the hack.
With cybercriminals discussing and sharing tools on the internet’s underground, organisations should monitor the deep and dark web to remain aware of relevant threats and understand how their personal data could be targeted. We also assess that tool sharing will allow for more threat actors, especially low-level ones, to benefit from sophisticated tools capable of large-scale data breaches.
Figure 1: Forum member discussing a Facebook vulnerability on the Russian deep webPush notification service Feedify was, like British Airways, a victim of the cybercriminal group Magecart. Feedify provides a third-party service to many other organisations’ websites and therefore represented an attractive target as the basis for a supply chain attack. Third parties are likely to remain key targets for a range of threat actors, providing an easier avenue to their primary target. Following GDPR, organisations will thus have to conduct enhanced due diligence of third-parties to mitigate the risks associated with outsourcing data.
Finally, GDPR is also likely to be used as part of extortive campaigns. Threat actors could use GDPR to their advantage by engaging in extortive data breach campaigns with the mindset that companies would be more likely to pay a ransom than face the significant regulatory and reputational repercussions. Low-level cybercriminals could also conduct fake extortive campaigns making a company believe they have been breached.
Ultimately, GDPR will not only change how organisations process and handle data but will also have a large impact on the rationale of some threat actors. Mandatory reporting provides opportunities to threat actors to quickly adopt similar TTPs and pressures associated with non-compliance will likely benefit extortion campaigns.