GDPR is here and the consequences are real


2019 may go down as the year in which GDPR really began, as organizations that failed to protect their customers' personal information are now starting to realize the consequences through substantial fines. The trend began recently when British Airways was handed a penalty of around $230M over a 2018 breach in which thousands of customers' personal information was obtained by hackers.

The General Data Protection Regulation (GDPR) is an EU regulation intended to protect the data and privacy of citizens. The fundamental principle behind GDPR is to give individuals control over what data an organization can obtain, store, and use when it pertains to their personal information.

GDPR, however, is not just limited to organizations within the EU, but any organization doing business (or collecting information from customers) there. In today’s online world, where international borders often don’t exist, GDPR has a truly global impact.


Personally identifiable information

For organizations with an online presence, the biggest area of consideration is personally identifiable information, or PII. PII is basically any data that can be associated with an individual. Information such as names, addresses, and dates of birth are obvious pieces of PII; on the Internet, however, everything from an email address to credit card information to website cookies easily falls into this category.

Consider a website which wants to offer a personal experience to returning customers. The website, at some point, may ask for the visitor's name and email address. In turn, the website may then store the name within a cookie so that when the visitor returns, they can be greeted with a personalized message such as, “Hey, Christa! Welcome back.” The personal information stored within the cookie requires adequate protection under GDPR law as the leaking of this data to parties other than those given permission by the consumer would constitute a violation.

Visit any online presence of an EU-based organization and you will now be faced with a banner asking you to consent to the use of things like cookies. With this consent, you are often giving the website permission to collect and store certain pieces of information; under GDPR law, however, you are giving it only to them, and they are required to safeguard it.

Theft of personal information has always been a problem, especially online, as issues such as identity fraud continue to plague people. However, with GDPR, there are now severe consequences for organizations which ultimately facilitate the theft through inadequate protection.

Attacked by Magecart? Receive a GDPR fine!

The fine handed to British Airways made news for a couple of reasons. The first is that it was record-breaking, at around 1.5 percent of their operating revenue. The second is the way they were hacked. If British Airways had simply stored customer information on USB sticks available to every BA employee, that would be one thing, but in this case Magecart hackers exploited BA's web server to install skimming malware that captured data directly from the customer rather than aiming to steal a full database.

Data theft attacks of the past usually revolved around an attacker breaking into a website's servers and copying all of the information from a database. In 2017, hackers were able to steal massive amounts of data from Equifax by breaking into its servers, in what was one of a number of substantial data breaches.

So what made the BA attack different? It was a Magecart attack, which focuses on collecting information as it is entered into the browser. Typically, this type of attack injects malicious JavaScript into a website; the script then looks for personal data, such as credit card numbers, names, addresses, and social security numbers, as it is being entered into a web form. This data is copied in the background and sent to illicit groups. What makes a Magecart attack against a website unique is that instead of its rogue actions happening on the web server, the code is delivered to the customer's browser along with the regular site code and executes there, so the rogue actions take place in the browser.

Magecart JavaScript is injected into a website either directly through a vulnerability in the site code, or by exploiting one of the millions of third-party tags used by almost every website in the world today. While the attack is different, the objective is the same: to steal personal information.

In the BA example, customers' personal data never actually left BA servers or any other BA-owned presence, but the fact that BA's website code was exploited, and thus facilitated the theft from customers' individual browsers, means that in the eyes of GDPR, BA is culpable.


GDPR protection is not just about securing databases, but applications and everything else

As a result of GDPR, many organizations have looked to evaluate their security practices and ensure they have adequate protections around things like databases. While this is certainly crucial, it only goes so far as to ensure that they don't become the next Marriott.

Many sites still don't encrypt cookies, for example, and while cookies are designed to be used only by the browser that created them, they are still the focus of many security attacks.

Websites today are vast and composed of many elements from many different sources. A modern site will include first-party HTML code, but also a number of other pieces of functionality brought in through JavaScript tags, such as chatbots, analytics trackers, and shopping carts, with each element introducing an area of risk.

An eCommerce site that makes use of a third-party credit card checkout service, for example, may inadvertently introduce malicious code into its own application if the third-party service provider is compromised. Ultimately, since all web code, whether first- or third-party, is delivered to and processed by the browser alike, even an exploit outside of the eCommerce website itself could prove responsible for GDPR violations.

Website owners should look at their entire stack when evaluating web security, beginning with protecting their key infrastructure such as servers and databases, but also down to the browser, where their application is rendered, to ensure that plugins or rogue scripts can’t perform illegitimate actions.
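The third-party tag risk and browser-side data exfiltration described above are the two things a basic script inventory plus a Content-Security-Policy can address. The following Node.js code is an added example, not Instart's code: it audits the external script tags in a (constructed) sample page against an allowlist, flags third-party tags without Subresource Integrity, and builds a CSP that limits where page code may send data. All hostnames are constructed placeholders.

```javascript
// Added example, not Instart's code: inventory the external <script> tags on a
// page, flag third-party tags that are unknown or lack Subresource Integrity, and
// build a Content-Security-Policy that limits where scripts load from and where
// page code may send data. Hostnames below are constructed placeholders.
const SAMPLE_HTML = `
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.trusted-analytics.test/tag.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.unknown-widget.test/chat.js"></script>
<script>/* inline code: no src to audit */</script>
</body></html>`;

const FIRST_PARTY = "https://www.example-shop.test";
const TRUSTED_THIRD_PARTY = ["https://cdn.trusted-analytics.test"];

// One record per external script: origin, allowlist status, presence of SRI.
function auditScripts(html, firstParty, trusted) {
  const allowed = new Set([firstParty, ...trusted]);
  const findings = [];
  const scriptTag = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, nothing external to inventory
    // Relative paths resolve against the first-party origin.
    const origin = new URL(src[1], firstParty).origin;
    findings.push({ src: src[1], origin, allowlisted: allowed.has(origin),
                    hasIntegrity: /\bintegrity\s*=/i.test(m[1]) });
  }
  return findings;
}

// Scripts worth a review: unknown origin, or third-party without an SRI hash,
// since a compromised tag provider can otherwise swap the file contents.
function riskyScripts(findings, firstParty) {
  return findings.filter((f) => !f.allowlisted ||
    (f.origin !== firstParty && !f.hasIntegrity));
}

// CSP that restricts script sources and the destinations page code may contact
// (fetch/XHR/beacon via connect-src, form posts via form-action), so captured
// form fields cannot be posted to an arbitrary collection server.
function buildCsp(firstParty, trusted) {
  const origins = [firstParty, ...trusted].join(" ");
  return `default-src 'self'; script-src ${origins}; connect-src ${origins}; form-action ${firstParty}`;
}
```

A real deployment would run the audit against the rendered page (tags can inject further tags at runtime) and pair the CSP with a `report-uri` or `report-to` endpoint so blocked requests are visible to the security team.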

There really are no GDPR protection tools

There are many vendors who will use GDPR to market products, focusing them specifically on the law. As with most things in security, adequate protection is only achieved through a comprehensive and layered approach.

Organizations looking to protect themselves against GDPR violations should look not to a single technology component, but instead to using multiple technologies together, mitigating risk at various points. By combining security tools with common best practices, such as patching and code reviews, organizations are able to establish measures that go a long way towards protecting customer data.

Focus on GDPR now and be ready for CCPA

In 2018, the California Consumer Privacy Act (CCPA) was signed into law, which, in many ways, mirrors the restrictions found in GDPR. Like its European counterpart, CCPA aims to empower consumers with respect to the handling of their personal information.

CCPA goes into effect in January 2020, after which regulations will be published, followed by penalties. Organizations should closely watch GDPR-related cases as they unfold so as to understand what is likely to develop as CCPA matures.

Businesses that focus on GDPR today will be able to reuse much of that effort to ensure they are compliant with CCPA, including efforts around protecting their web applications from data exfiltration and other areas of concern.

Let Instart help you get started on your quest for compliance

GDPR will become a major challenge for organizations over the next few years, especially if the large penalties issued so far stand up against any impending legal appeals. With almost every aspect of technology impacted, businesses will need to make drastic changes to IT policy to accommodate it.

With responsibility for data protection now firmly placed on website owners, mitigating risk on all fronts in order to protect the company and its customers, while not easy, is essential.

Instart provides comprehensive cloud application security with capabilities designed to protect web applications from data-exfiltration attacks which could result in GDPR violations. Instart brings technology which can protect against HTML form skimming attacks, prevent data breaches as a result of SQL injection attacks, prevent Magecart attacks, and more. 

By combining Instart security solutions along with an existing security stack, organizations can build substantial barriers helping to avoid GDPR (and soon CCPA) challenges.
