How Can Europe Do Better? GDPR and Data Protection Best Practice

Tim Bandos, CISO at Digital Guardian shares his tips for maintaining GDPR and data protection best practice, and how businesses can learn from the mistakes made by other corporations.

Regulators have issued £245mn (€272.5mn/$332mn) in fines since the European Union’s General Data Protection Regulation (GDPR) first came into force in May 2018. According to a new report by the global law firm DLA Piper, a total of 281,000 data breach notifications stemming from GDPR have been issued since the legislation’s inception, with Germany (77,747), The Netherlands (66,527) and the UK (30,536) topping the table for the number of breaches notified to regulators. In total, the report records a worrying double-digit growth for breach notifications for the second year running – up 19% in 2020.

The UK regulator gets serious about enforcement

Many of the larger GDPR fines of late stem from organisations not having the appropriate security measures in place. Assessing the performance of European regulators concerning enforcement actions, the UK’s Information Commissioner’s Office (ICO) has adopted a steadfast stance regarding its willingness to use its powers with GDPR infringements.

Two of the most highly publicised cases include the ICO’s notice of intent to fine British Airways (BA) £183.39mn for breaches of data protection law. In the light of the global pandemic, the penalty finally imposed by the ICO on BA for failing to protect the personal and financial details of more than 400,000 of its customers was adjusted to £20mn in October 2020. Similarly, the ICO’s intention to fine Marriott Hotels more than £99mn for exposing over 339mn guest records was also reduced to £18.4mn.

What went wrong – learning from others

The DLA Piper report highlights how failing to undertake a number of key measures potentially puts firms at risk of breaching Article 32 and the related Article 5(1)(f) of GDPR. These include:

  • Not monitoring privileged user accounts
  • Not monitoring access to and use of databases storing personal data
  • Not implementing server hardening techniques to prevent access to administrator accounts
  • Not encrypting personal data, especially more sensitive personal data
  • Storing passwords in plain-text unencrypted files (known as hardcoding)
  • Failure to use multi-factor authentication to prevent unauthorised access to internet-facing applications
  • Not logging failed access attempts
  • Not applying strong access controls for applications on a needs basis, with prompt removal of access when no longer required
  • Not undertaking regular penetration testing
  • Not managing payments in a PCI DSS compliant way

When British Airways’ systems were compromised, hackers got hold of login details, payment card information and personally sensitive data like passenger names and addresses. According to the ICO, this attack was preventable, but British Airways did not have sufficient security measures in place to protect its systems. For example, at the time of the breach it had not even implemented the basics like multi-factor authentication.

In the case of Marriott Hotels, the attack originated in Starwood Group’s reservation system, which Marriott acquired in 2016. Yet it took two years before Marriott discovered the intrusion, following a chance assessment of an unusual database query made by an administrator whose account had been taken over by an external attacker.

The ICO found that, in addition to failing to perform adequate due diligence after acquiring Starwood, Marriott should have done more to protect its systems with a stronger data loss prevention (DLP) strategy. Worryingly, a key security failure on the part of Marriott was revealed when it emerged that, while it stored customer credit card numbers in an encrypted form, the encryption keys were stored on the same server. Similarly, most guest passport numbers were never encrypted before being stored.
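One design that avoids the co-located-key failure described above is envelope encryption: each record is encrypted under its own data key, and only a wrapped copy of that key is stored beside the ciphertext, with the key-encryption key (KEK) held by a separate key service and never written to the database host. This is an added illustration, not Marriott’s or the ICO’s code; the key service is assumed and stands in for an HSM or cloud KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is everything the database server stores: the ciphertext plus the data
// key (DEK) wrapped under a key-encryption key (KEK) held by a separate key service.
type Record struct {
	Nonce, Ciphertext, WrapNonce, WrappedDEK []byte
}

// gcm builds AES-256-GCM; a wrong key length is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts pt under key with a fresh random nonce.
func seal(key, pt []byte) (nonce, ct []byte) {
	aead := gcm(key)
	nonce = make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return nonce, aead.Seal(nil, nonce, pt, nil)
}

// EncryptRecord draws a random DEK per record and stores only its wrapped form.
func EncryptRecord(kek, pt []byte) Record {
	dek := make([]byte, 32)
	rand.Read(dek)
	n, ct := seal(dek, pt)
	wn, wdek := seal(kek, dek)
	return Record{n, ct, wn, wdek}
}

// DecryptRecord needs the KEK, fetched from the key service at request time; a
// wrong or missing KEK fails authentication, so a stolen database yields no plaintext.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := gcm(kek).Open(nil, r.WrapNonce, r.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

An attacker who copies the whole database (ciphertext and wrapped DEKs) still holds nothing decryptable without the KEK, which is exactly the separation that was missing when keys sat on the same server.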

Remote working opens up new avenues of attack

The global pandemic has forced many organisations to transition to work-from-home models that have compounded the need to protect sensitive data throughout its lifecycle across an extended enterprise that now features multiple networks, endpoints, and clouds.

Measures like BYOD policies, monitoring data usage and transfers, multi-factor authentication, and email and storage encryption are just the start. Installing endpoint agents that can perform data protection and malware protection will also deliver greater assurance that endpoints are appropriately secured.

Compounding this concern, the actions of remote employees themselves represent a growing risk. According to the industry analyst firm Forrester, insider data breaches are set to increase by 8% in 2021, with a third of all breaches being caused internally. This significant growth in insider incidents is triggered by employee fears around job loss, paired with the relative ease with which data can be moved (via the cloud, network-attached storage, e-mail or USB).

To protect themselves, organisations will need to pursue a robust operations security (OPSEC) strategy that enables them to dive deeply into their operations, identify where information can be most easily breached, and then implement the appropriate countermeasures to protect sensitive data.

What’s next for GDPR after Brexit?

There has been a lot of discussion around what will happen once the Brexit transition period ends. The ICO is clear that the Data Protection Act 2018 (DPA 2018) will continue to apply and that GDPR has been incorporated into UK data protection law as the UK GDPR. So in practice, there will be little change to the core data protection principles, rights and obligations found in the UK GDPR going forward.

For organisations that operate in Europe, EU GDPR will still apply. Similarly, the EU GDPR will apply to any European organisation sending data to UK companies. In recent weeks, the European Commission has confirmed a draft decision to allow data to continue to flow from the EU into the UK, and plans to reassess these arrangements every four years to check that UK rules do not compromise the privacy of EU citizens.

Looking ahead

With hybrid working and more collaborative working models set to become a long-term and permanent feature of workforce strategy, the consequences of poor cybersecurity hygiene mean many more organisations may find themselves at risk without an appropriate data loss prevention (DLP) and managed detection and response (MDR) strategy in place.

With the UK committed to maintaining equivalence with EU GDPR, organisations will need to continue to ensure that all data processing activities remain safe and deploy data protection best practices. They will also need to address the growing risk of insider threat and evaluate their policies around privileged user access to resources like customer databases.

Tim Bandos

Tim Bandos, CISSP, CISA, CEH is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and a wealth of practical knowledge gained from tracking and hunting advanced threats aimed at stealing highly sensitive data. The majority of his career was spent working at a Fortune 100 company, where he built an Incident Response organisation, and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.