Last month marked the six-month anniversary of GDPR, which promised to increase transparency and accountability for all international organisations that handle any EU citizens’ data, writes Bharat Mistry, Principal Security Architect at Trend Micro.
The possibility of large fines has forced organisations to think about the way they handle compliance and adapt where necessary.
However, there is a school of thought that threat actors are leveraging the regulation to their advantage. The concerns surrounding GDPR readiness distracted us from some of its negative ramifications for cybersecurity and law enforcement.
So, as we look towards 2019, we should reflect on some of the less discussed challenges it has presented.
The WHOIS database of domain registrants’ personal information presents the first challenge. WHOIS is a vital tool for law enforcers, security researchers and IP holders looking to identify those behind fraud or large-scale cyber-attack campaigns, and to trace abuses of GDPR linked to them.
It allows them to find those behind malicious and counterfeit domains which abuse brands’ IP and act as a platform for malware-laden websites or phishing. Even if a registrant uses a pseudonym for WHOIS, which is highly likely if the individual knows what they’re doing is illegal, the same fake name is often used to register multiple domains and can be very useful to law enforcers.
The US government believes that this data should still be accessible to police and IP holders, and the internet oversight body ICANN is also aware of the value of WHOIS in these cases.
However, according to a new study from the Anti Phishing Working Group, an ICANN Temporary Specification on WHOIS data was established in May in order to conform with GDPR, and this is disrupting these investigations.
It claimed that WHOIS information which was previously publicly available is now heavily redacted, and that “requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.” This is compounded by an apparent reluctance among many registries and registrars to gather much registrant information at all, in case they fall foul of GDPR.
Phishing in the Deep End
Phishing remains a major threat to enterprise and consumer security. It’s a key component in identity theft, ransomware and other malware downloads, and was associated with 93% of all corporate data breaches in 2017.
If GDPR has inadvertently emboldened the black hats, then regulators must identify a compromise that enables vetted access to WHOIS for special interest groups. The least they could do is replace restricted personal data with unique hashes, so that legislators, regulators and investigators are still able to discern patterns of ownership across domains.
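As an added example, not code from the article or from Trend Micro, this sketch shows how the hashed-pseudonym scheme proposed above could preserve the pseudonym-reuse pattern described in the WHOIS section: each personal field is replaced with a keyed hash (HMAC under a key held by the registry, rather than a plain hash that could be reversed by guessing candidate names), and investigators can still cluster domains registered under the same identity. The records and the key are constructed for illustration.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample WHOIS records (fictional domains and registrants).
# The same registrant appears with inconsistent case and spacing, as
# real records often do, and registers three lookalike domains.
RECORDS = [
    {"domain": "bank-login-check.test", "registrant": "Jane Doe", "email": "jdoe@mail.test"},
    {"domain": "secure-bank-verify.test", "registrant": "Jane Doe", "email": "jdoe@mail.test"},
    {"domain": "my-small-shop.test", "registrant": "Acme Ltd", "email": "admin@acme.test"},
    {"domain": "bank-account-update.test", "registrant": "jane  doe", "email": "JDoe@Mail.test"},
]

# Constructed registry secret; in practice it never leaves the registry.
REGISTRY_KEY = b"constructed-registry-key-do-not-reuse"


def pseudonymise(value: str, key: bytes) -> str:
    """Return a keyed, normalised pseudonym for one registrant field.

    Normalising case and whitespace first means trivial variations of
    the same name map to one identifier. HMAC (not a bare SHA-256) is
    used so that a published pseudonym cannot be reversed by hashing a
    dictionary of likely names or e-mail addresses.
    """
    norm = " ".join(value.strip().lower().split())
    return hmac.new(key, norm.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact(records, key=REGISTRY_KEY):
    """Replace personal fields with pseudonyms; keep the domain in clear."""
    return [
        {
            "domain": r["domain"],
            "registrant_id": pseudonymise(r["registrant"], key),
            "email_id": pseudonymise(r["email"], key),
        }
        for r in records
    ]


def group_by_owner(redacted):
    """Cluster domains that share an e-mail pseudonym (ownership pattern)."""
    groups = defaultdict(list)
    for r in redacted:
        groups[r["email_id"]].append(r["domain"])
    # Only multi-domain clusters are interesting to an investigator.
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Running `group_by_owner(redact(RECORDS))` yields a single cluster of the three bank-themed domains under one pseudonym, while the unrelated shop domain stays unlinked.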
Over the past few months, GDPR has proven increasingly useful to phishers. Cyber-criminals have always looked for ways to exploit the latest news trends to encourage recipients to click on phishing or other malicious links. GDPR provided a perfect opportunity, as phishers were able to send scam emails purporting to come from ‘companies’ requesting that customers update their credentials.
Scammers may continue to use GDPR as a disguise to lure unsuspecting users into sharing sensitive financial or personal information. Phishing attacks urge individuals to update their preferences or risk having their accounts frozen or deleted. These scams inundated inboxes when GDPR came into force, while legitimate organisations were sending their own marketing emails. For this reason, it’s likely that any new development in the legislation that raises GDPR awareness again could initiate a fresh wave of scams.
Six Months of Silence?
The ICANN Temp Spec will last 12 months, and the body is currently working on a replacement. However, industry groups remain pessimistic about finding a solution that can reconcile the interests of the regulators; registries and registrars; and brand and law enforcement representatives.
Since the introduction of GDPR we’ve heard little from customers about data compliance. Apart from isolated stories of companies preferring to pay cyber-criminals rather than face these fines, the post-GDPR landscape is a huge contrast to the almost constant chatter leading up to 25 May. We hope the silence is due to regulatory control rather than because they’ve ticked the box and moved on to the next project.
Compliance is an ongoing journey to which companies will have to continuously adapt. Additional regulations are set to be implemented going into 2019, including the EU’s ePrivacy Regulation (ePR), which will safeguard the confidentiality of any data involved in electronic communications – as well as the devices it came from. It has the same territorial scope as GDPR and carries an identical penalty regime for non-compliance.
Going into the new year, with data breaches continuing to hit headlines on an almost weekly basis, we predict that regulators will soon make an example out of a large non-compliant company, levying the first major GDPR fine at the full penalty of 4 percent of global annual turnover. Regardless, GDPR should be a constant reminder for organisations to remain vigilant and agile enough to adapt their compliance processes as required.