Could GDPR be used to the advantage of cyber-criminals?

1 Jun 2018

Groups or individuals could end up using GDPR to overwhelm company resources. Image: Flash-ka/Shutterstock

Security expert Colin Larkin asks if GDPR can be used as a cybercrime tool.

Many businesses aren’t yet serious about GDPR. But this will change when the Data Protection Commissioner (DPC) starts issuing penalty notices later this year. When that happens, businesses could flip to the other extreme, suspending services at the first hint of an attack rather than risking GDPR penalties.

Under the new rules, organisations must respond to access requests within 30 days and suspend customer processing if customers object. While this will challenge most organisations, it will cripple any business that hasn’t properly structured its data and way of working.

But what if someone deliberately floods your business with GDPR requests? Traditional Denial of Service (DoS) attacks flood your systems. But a GDPR Denial of Service (GDoS) attack could bury your staff for months answering GDPR requests.

An ideal weapon

In 2017, Constantine Karbaliotis, director and leader of managed privacy services at PwC Canada, suggested just what such an attack might look like. And it’s all perfectly legal – making it the ideal protest weapon for hackers and anarchists alike.

But GDoS doesn’t stop there. For example, a state-sponsored hacker seeking to cause as much disruption as possible could try to use a country’s infrastructure against itself.

First, the hacker could create a large target list of vulnerable businesses (hotels, schools, gyms, restaurants, lawyers, etc.). Next, they would hack these systems, steal their data and publish it as widely as possible, forcing the DPC to audit and penalise the organisations. Finally, they’d go back and do it all over again. Like a Food Safety Authority inspector closing an unsafe restaurant, the DPC would have little choice but to suspend processing if a business is repeatedly hacked. If an attack is properly targeted, it’s possible an entire geographic region could be shut down as effectively as with traditional weapons.

Sadly, this isn’t so unrealistic. In an unprecedented move last April, the UK’s National Cyber Security Centre, the FBI and the US Department of Homeland Security issued a joint security warning that Russia was gathering intelligence to “potentially lay a foundation for future offensive operations”.

Ireland is front and centre

So far, 2018 has been relatively quiet on the cyberattack front, but this will change now that GDPR is here. If indications are correct, the most likely targets are EU and US businesses operating within the EU. As Ireland is the crossroads for many EU and US businesses, this places the country front and centre in this new cold war.

But a GDPR Denial of Service attack isn’t limited to state-sponsored hackers. Protesters, hacktivists, trade unionists and civil disobedience movements of any colour have a new, legal and very powerful tool at their disposal. While organisations can ignore an individual who submits 1,000 GDPR access requests, they cannot ignore 1,000 individuals each submitting an access request, or each objecting to the organisation processing their data. It could take an organisation months to clear the backlog, costing a small fortune and completely disrupting day-to-day operations.

Disgruntled employees on social media could orchestrate wildcat GDoS protests as a powerful alternative to striking, all without losing a single day’s pay. Animal rights movements famous for creative protests could launch costly and disruptive campaigns targeting businesses with a single click of a mouse. The same goes for human rights activists.

With massive GDPR fines and penalties driving compliance, businesses must comply. Let’s face it, that’s what really got Mark Zuckerberg in front of the EU Parliament this week.

But even without interference from hackers or disgruntled employees, GDPR itself could be very disruptive for a business that isn’t prepared for it. In a GDPR world, it’s essential that every organisation has smooth, efficient processes and technology in place to react to events.

By Colin Larkin

Colin Larkin is chief security officer at cybersecurity and GDPR software solutions provider ThorsNet.