In a threat landscape riddled with data breaches, phishing scams and cyber-threats, GDPR has been viewed, by consumers and businesses alike, as a data ‘fix-all’ legislation. Businesses, having adapted their day-to-day processes and operations (generally at great cost) are now learning how to tread carefully – and correctly – with customers in the post-enforcement landscape.
However, though these new data laws offer enhanced data protection for consumers, some unexpected consequences of the legislation have now also started to rise to the surface, which could spell trouble for authorities and companies.
Holding back the police from justice
One unforeseen consequence relates to the WHOIS protocol, and the role this plays in law enforcement. Police forces internationally have traditionally relied on WHOIS – a query and response protocol – to obtain information on who owns a particular internet resource, such as a website. This information has proved useful to law enforcement agencies and researchers, as a way of verifying the legitimacy of a website.
However, the new GDPR legislation effectively killed off the current service, noting that it would break the law after 25th May. German domain registrar, EPGA, ruled that gathering the information breaks GDPR’s regulations – which would expose the service to legal challenges and potentially ruinous fines if it continued to operate in the same way.
ICANN – which oversees the WHOIS protocol – has subsequently filed a lawsuit, asking permission to keep gathering private information on people who buy web addresses whilst it develops a new version of its contract to fit with the GDPR legislation. The decision will be critical to the future of ICANN's authority over the global internet – as well as law enforcement. If registrars stop providing access to this information, it will place an obstacle in the path of the police.
Another unintended ‘side-effect’ of GDPR is a potential rise in cyber-extortion – should cyber-criminals be able to identify which companies aren’t compliant with the new GDPR regulations.
The fear is that any companies, suspected of non-compliance, could be held to ransom by cyber-criminals – with the threat of making this non-compliance public, or being reported to its local non-departmental public body – like the UK’s Information Commissioner's Office.
The potential fine a business can face for being guilty of non-compliance is up to 20 million euros. Paying even a quarter of this amount for the information to remain private, whilst the organisation work towards compliance, may prove the cheaper option for over-stretched companies. It is also the far better option while the heat is on for regulators to find (and fine) those in breach of the new legislation.
Such a ransom fee could be much lower than the potential fine from the enforcing bodies – offering a financial saving for the company, but posing a sizeable and attractive financial gain for the hackers.
This is reminiscent of when hackers breached Uber and were paid $100,000 by the organisation to keep it quiet. Though this wasn’t specific to GDPR, the scenario is the same: Uber thought it was worth paying off the hackers to avoid public backlash.
Much like a kidnapper putting a victim on the phone to their family and friends, to prove that they’ve been captured, a hacker would need to demonstrate that a company’s protocols and processes aren’t strong enough to withstand attack. They could breach the systems and provide an example of the data that have stolen as evidence that they’ve exploited a vulnerability in the system, and thus demonstrate that the right measures haven’t put in place by that company to stop breaches happening.
If a threat by a hacker, having obtained this information, was to happen, the company in question would be required to report this. If they tried to financially supress the hacker and were then revealed to have done so, they might be penalised twice by the ICO – receiving one fine for being breached and another for trying to cover it up. It’s always going to come down to the differential value, for a company to either risk an ICO fine or pay the hush money that the criminal demands.
In addition, there’s always a risk whenever you pay a scammer – like paying in the event of a ransomware attack, where you might not get your data back – as the news could still be leaked even after paying. What happened at Uber demonstrates the plausibility of this.
The risk would be bigger with a large company, which theoretically has more to lose –which could make it ideal for cybercriminals. However, it may be easier for hackers to target an SMB – as a smaller company might not have the right tools in place to defend themselves. A company that isn’t big but is well known stands to lose the most.
Swings and roundabouts
GDPR enforcement marks an opportunity for positive change for customers, who should take this opportunity to find out exactly what data is being held on them – and what it’s being used for. This will also reduce the likelihood of it falling into the wrong hands.
It also represents positive change for businesses across all sectors, who can and should use the new legislation to improve data hygiene and create targeted customer databases that, although smaller, are likely to result in higher hit rates and improved responses due to the increased level of personalisation. However, there is a risk that the legislation will have unforeseen and unpleasant side effects, helping to both line the pocket of cybercriminals and to stop them getting caught.
In the wake of large-scale threats like WannaCry and ExPetr, businesses are now more aware than ever about the constant threat of cyber-attacks – but these potential side effects of the GDPR legislation, now it’s been enforced, serve as a reminder of how vital a robust IT security posture is. Organisations need to ensure that they’re doing everything in their power to protect themselves against hacks and breaches – especially as a cyber-attack could cause them a lot more than operating costs, recovery fees and loss of customer trust.
David Emm, Principal Security Researcher, Kaspersky Lab
Image source: Shutterstock/Wright Studio