Enforcing GDPR – A New Era of Accountability and Fines
In September 2018, British Airways announced that a data breach had occurred on its website and app. It was initially estimated that data relating to around 380,000 card payments had been compromised; more recent estimates put the number of affected users at around 500,000. The attack was a skimming attack, in which traffic was diverted to a fraudulent website that tricked users into exposing their data as they made purchases through the British Airways website or app. The stolen data was not limited to credit card transactions: it also included details such as names, street and email addresses, phone numbers and more.
Why is British Airways facing fines of up to $229 million for this?
In July 2019, the British Information Commissioner’s Office (ICO) announced that it would fine British Airways around £183 million, or around $229 million.
The reason British Airways faces such a high fine is that it was found to have infringed the European Union’s (EU) General Data Protection Regulation (GDPR). This is by far the highest fine any company has been subjected to under the GDPR.
GDPR – Defining and Enforcing Data Privacy
GDPR is considered the most important, and the biggest, change in privacy regulation in the last two decades. The regulation was enacted in May 2018 with the aim of protecting EU citizens and their private data in the event of a data breach.
One of the key points of GDPR is that it heavily fines companies that suffer data breaches due to noncompliance. This turns data breaches, which have unfortunately become common occurrences, into something more than an embarrassing lapse in security for the companies involved: it forces companies to rethink and retool their security measures. Organizations that are not in compliance may face penalties of up to 20 million euros or 4 percent of their worldwide annual turnover, whichever is higher. Read more about GDPR in our blog.
Data Breaches are Common
Breaches are very common in today’s data-centric world. According to the Privacy Rights Clearinghouse, over 11.5 billion data records have been stolen in more than 9,000 data breaches across the globe since 2005. However, these are only the data breaches that have been made public.
According to Digital Guardian, such a large amount of data being stolen can be attributed to “the fact that the world’s volume of data has been growing exponentially year after year, giving cyber criminals a greater opportunity to expose massive volumes of data in a single breach.”
These statistics become more worrisome when we look at the multitude of ways in which data breaches can be carried out. One of the most common and easiest mechanisms for stealing data is the use of spoofed websites, as was the case in the British Airways breach. Attackers also commonly use phishing and spear phishing attacks, leveraging social engineering tactics to trick users into handing over their data.
Recently there has been a huge spike in ransomware and other malware attacks, which can be considered a type of data breach, since user data is held for ransom by the attackers. The recent wave of ransomware attacks in Maryland and Florida serves as a reminder that hackers are always on the lookout for data to steal and vulnerabilities to exploit.
What about encryption?
Data breaches are a reality that cannot be ignored, and compliance with standards like GDPR, which ensure that user data remains protected from hackers, is essential to stopping them.
As the number of internet users has grown, so has the trend toward encrypting data so that user and data privacy can be preserved. This trend has led to over 94 percent of the internet being encrypted.
However, while this rise in the use of encryption can be hailed as a triumph for data privacy, it also introduces a security “blind spot” that traditional network defenses cannot look into. Hackers and other malicious actors have increasingly started to exploit this blind spot, using it to deliver malware and other malicious content as well as to smuggle data out of the network. It is also important to know that data breaches can be “initiated from within” by a malicious or disgruntled insider. To learn more about how encryption can be used for malicious activities and data theft, read our blog.
Avoiding Both Data Breaches and Heavy GDPR Fines
To protect yourself from data breaches, and from the heavy fines that can follow them, you need to invest in specialized security solutions.
As cyberattacks vary in the way they are carried out, you need a diverse, multi-solution security stack that can protect against all types and phases of an attack. These solutions may include next-generation firewalls (NGFW), intrusion detection (IDS) and prevention (IPS) systems, sandboxing and malware protection, as well as advanced threat protection (ATP) solutions to stop hackers from infiltrating your network. Data Loss Prevention (DLP) solutions have also become a necessity in order to stop attackers and insiders from smuggling data out of the network. It is equally important to have data and network forensics devices to ensure visibility into network activity.
However, none of these devices will work unless they have access to network traffic in decrypted form, i.e., in clear text. Decrypting traffic on each of these devices itself is one option, but, as we discuss here in detail, it may not be the most effective way of inspecting traffic and can lead to other problems such as expensive upgrades, performance degradation and bottlenecks, poor user experience and network outages.
Organizations need to invest in a dedicated SSL decryption solution that not only provides the best performance but also ensures that every security device in the stack has access to decrypted traffic for inspection. Failing to inspect encrypted traffic can let encrypted attacks go undetected, resulting in data loss and opening your organization up to GDPR fines. And as we have seen in the case of British Airways, these fines will only get bigger with the passage of time.
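The following is an added example, not code from the original post or from any vendor product, illustrating both points above: the encrypted-traffic “blind spot” a passive sensor faces, and the decrypt-once, inspect-many role of a dedicated decryption point. It builds a constructed TLS 1.2 ClientHello and parses it for the Server Name Indication (the one thing a sensor can still read), then wraps a constructed checkout request in an Application Data record. The record cipher is a toy XOR keystream standing in for real TLS AEAD ciphers, the session key is a placeholder, and the three inspector functions (DLP card, DLP CVV, IDS user-agent) are hypothetical devices, all assumptions of this example.

```python
import hashlib
import struct

# Constructed sample of a checkout request in clear text (not real traffic).
SAMPLE_PLAINTEXT = (b"POST /checkout HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: shop-client/1.0\r\n\r\n"
                    b"name=J+Doe&cardnumber=4111111111111111&cvv=123")
CARD_PATTERN = b"cardnumber="   # what a DLP device would look for in clear text

# Hypothetical inspection devices, each a function over decrypted bytes.
INSPECTORS = {
    "dlp_card": lambda clear: CARD_PATTERN in clear,
    "dlp_cvv": lambda clear: b"cvv=" in clear,
    "ids_bad_ua": lambda clear: b"User-Agent: evil-bot" in clear,
}


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample).
    With server_name=None the extensions block (and so the SNI) is omitted."""
    body = b"\x03\x03" + bytes(32)            # client_version + 32-byte random (zeros)
    body += b"\x00"                           # empty session_id
    suites = b"\xc0\x2f\xc0\x30"              # two cipher suites (illustrative)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(name_list)) + name_list   # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def record_payload(record):
    """Return the fragment carried by one TLS record (5-byte header stripped)."""
    return record[5:5 + struct.unpack("!H", record[3:5])[0]]


def parse_sni(record):
    """Extract the SNI host name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record_payload(record)
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + body[pos]                                # skip compression_methods
    if pos >= len(body):
        return None                                     # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:                               # server_name extension
            q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q + 3 <= list_end:
                name_type = data[q]
                n_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + n_len]
                q += 3 + n_len
                if name_type == 0:
                    return name.decode("ascii")
    return None


def toy_keystream_xor(data, key):
    """Stand-in for the TLS record cipher: XOR with a SHA-256-derived keystream.
    Illustrative only; real TLS uses an AEAD cipher negotiated in the handshake."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_application_data(plaintext, key):
    """Wrap toy-encrypted bytes in a TLS Application Data record (type 0x17)."""
    ciphertext = toy_keystream_xor(plaintext, key)
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def passive_sensor_view(record):
    """What a device without the session key learns from one record:
    the SNI from a ClientHello, or only the size of an opaque data fragment."""
    if record[0] == 0x16:
        return {"type": "handshake", "sni": parse_sni(record)}
    if record[0] == 0x17:
        return {"type": "application_data", "opaque_bytes": len(record_payload(record))}
    raise ValueError("unexpected content type %#x" % record[0])


def decrypt_once_inspect_many(record, key, inspectors):
    """Dedicated decryption point: decrypt the fragment once and hand the
    clear text to every inspector; returns {inspector_name: matched}."""
    clear = toy_keystream_xor(record_payload(record), key)
    return {name: bool(fn(clear)) for name, fn in inspectors.items()}


if __name__ == "__main__":
    key = b"placeholder-session-key"        # placeholder, not a real TLS secret
    hello = build_client_hello("www.example.com")
    data = build_application_data(SAMPLE_PLAINTEXT, key)
    print(passive_sensor_view(hello))                        # SNI is visible
    print(passive_sensor_view(data))                         # payload is opaque
    print(CARD_PATTERN in record_payload(data))              # False: the blind spot
    print(decrypt_once_inspect_many(data, key, INSPECTORS))  # DLP matches, IDS does not
```

The contrast is the point: without the key, a sensor can log the destination name from the handshake but a pattern search over the Application Data fragment finds nothing, so the card number leaves the network unseen; with decryption done once at a dedicated point, every inspector in the stack gets the same clear text without each device paying the decryption cost.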