Data breach under GDPR: one year later

The European Union General Data Protection Regulation (GDPR) came into force on 25th May 2018. Just over a year later, European data protection regulators have reported nearly 90,000 data breach notifications so far, and notably these are only those which have been legally disclosed. Law firm DLA Piper recently suggested that the authorities are likely to take a much heavier-handed approach for late reporting of data breaches this coming year.

Under GDPR, data breach is among the most serious issues a company can face, especially with regard to personal data protection. Unfortunately, data breaches happen continuously and can have a negative financial, operational and reputational effect, often simultaneously. GDPR has added a further regulatory impact – but you can learn about how threat intelligence can reduce your liabilities with our whitepaper.

The cost of a data breach

There are many factors to consider when calculating the final cost of a data breach, some of which are obvious: the size of the breach, clean-up and post-breach costs. Other costs may be less clear, including the eventual penalties levied by the regulator. When deciding whether to impose an administrative fine, Data Protection Authorities (DPA) will consider the following criteria:

  • Gravity of the breach
  • Duration of exposure
  • Number of data subjects
  • Level of damage suffered

A single compromised record can be considered a data breach, and whether appropriate prevention and detection measures are in place (or not) will have an impact on the size of the potential penalty incurred. Even more importantly, the speed at which an organization reacts will also have a bearing on the fine.

How do data breaches happen?

Data breaches can occur for multiple reasons: disaffected staff members, careless employees who leave sensitive data available, and external attackers trying to obtain financial gain. For detail on some of these TTPs check out our recent Threat Landscape Report or Credential Theft Ecosystem report.

An external attacker, usually part of a cybercrime syndicate, steals personal information either to sell it on the black market for other cybercriminals to exploit, or to extort a ransom from stakeholders. The amount demanded is proportional to the volume and sensitivity of the leaked data and linked to the reputational impact on the affected organization. Now that GDPR has been implemented, we have observed cybercriminals demanding ever higher sums.

Cybercriminals leverage many techniques to penetrate corporate infrastructures and steal personal information and other valuable assets. The main attack vectors used by cybercriminals are compromised user credentials and malware infections. In fact, nearly a third of breaches last year used stolen credentials and 28% used malware.

What can you do about it?

It is crucial to use technology that helps you detect potential attacks and infections in as close to real-time as possible. Threat intelligence can help in the prevention, detection and remediation of data breaches under GDPR in three key ways:

  1. Reduce the chances of a personal data breach occurring
  2. Mitigate the effects of a breach
  3. Lower the costs incurred by a breach

Proactive threat monitoring helps to detect, in real time, external risks that have the potential to affect your organization. We advise improving your overall protection by detecting your weak points before they can be exploited. The smaller and better defended your attack surface, the more secure your perimeter and the less appealing you will be to attackers. If it is less demanding or cheaper to attack one organization than another, cybercriminals will choose the softer target.

In November 2018, for example, a German social media company called Knuddels reported a breach. Following an investigation, it was fined 20,000 euros for storing personal customer information insecurely. However, because Knuddels reported the security breach in a timely manner and took immediate action to remediate, the fine was comparatively lower than it would have been had the company delayed or mishandled its response.

Reducing the risk of exposure using all tools available can seriously reduce an organization’s liabilities, as is demonstrated by this case.

A heavier-handed approach

When it comes to data intrusion, it is a simple fact that it is not a question of if you get breached, but rather when. Organizations can mitigate the impact through rapid detection of breaches ‘as seen from the outside,’ so that they can start to investigate the origin and close the gap that was exploited. After an attack, improving incident response times is a sure-fire way to minimize the impact of GDPR on your organization if you suffer a data breach.

Overall, it is clear from the fines levied by authorities over the first year of GDPR that they mean business. It is enforceable and non-compliance is simply not an option. There are major business risks associated and therefore it is in every organization’s interest to meet its requirements.

Mitigating the impact

Our dedicated whitepaper is intended to guide organizations concerned about aspects of GDPR relating to data breach: what are the effects, what are organizational requirements and obligations, and what security measures are available to prevent and mitigate the impact of data breach under GDPR.

Blueliv’s threat intelligence toolbox can help your organization detect potential attacks before they happen, discover stolen data, detect infections that bypass endpoint solutions in real time, improve your incident response performance, and empower your security operations team, saving time and resources.

Tailored intelligence modules are utilized on a pay-as-you-need basis. To understand which threat intelligence modules are the best fit for your organization, contact us today.
