GDPR and How It Affects a Data Breach Caused by Account Takeover

Before recent updates to GDPR legislation, some companies looked upon Account Takeover (ATO) merely as an annoyance. Access to the customer account itself often didn’t allow you to obtain the actual credit card details. Retailers, in particular, reasoned that ATO attacks were often focused on customer points, gift cards, vouchers or credit, often for small value items.

Under new GDPR legislation, what may once have been a containable annoyance has become a very real business issue, with serious financial and reputational consequences for any company, regardless of whether any theft of data takes place. This means any company could be a potential target for attackers.

What is a personal data breach under GDPR?

A personal data breach describes any breach of security which leads to the access, destruction, change, illegal sharing or loss of personal data by anyone outside of the person the data belongs to and a pre-agreed party.

Under GDPR legislation, any data breach carries serious legal implications for the company holding the data.

What is account takeover under GDPR?

Account takeover is any instance when a customer account is accessed, seized or used by anyone besides the account holder.

How does GDPR legislation affect personal data breaches and account takeover?

Under new GDPR legislation, hackers have even more motivation to commit and weaponize data breaches and account takeovers. This has led to an increase in situations where hackers are holding customer data for ransom, threatening to release customer data or report the data breach unless the company being targeted meet certain financial demands.

We can see in the case of the Superdrug ATO breach how the effects of the GDPR legislation have had an immediate impact. After receiving the ransomware threat, Superdrug immediately informed their customers as well as the Information Commissioner’s Office (ICO) of the breach. The story made front-page news in the IT press and was covered by several of the nationals.

No credit card details were compromised, but the fraudulent logins included access to customer personal data as well as the customer account points, which may have been compromised. The original payload of the attack seems to have been designed just to exploit the account points, so the attackers could use the stolen points in exchange for goods. The stolen personal data itself probably meant nothing to the attackers.

Superdrug responded very quickly and did all the right things. Their IT systems were not breached, and they advised customers to change their passwords to fix the issue.

How to prevent account takeover with Netacea

At Netacea we’re continually looking at new ways to combat threats from ATO. One of the key ways is to use behavioural analysis to prevent these ATO attempts in the first place, as well as to help quickly identify potential breached accounts should an attack be successful.

A successful ATO attack needs a large volume of accounts to succeed. For example, the hackers claimed to have access to 20,000 Superdrug accounts, although only a few hundred were actually verified as compromised. Our behavioural data can pick up these programmatic attacks, even if they are specifically programmed to go slow and low and workaround existing WAF thresholds.

It turns out that nearly all the websites we’ve ever audited have some form of ATO attempts, and most owners are simply not aware of these attempts. If you don’t have some pro-active way of dealing with these attempts, there is always the possibility that the attackers can move from merely data harvesting credentials, to trying to commercially exploit the data in new and inventive ways.

For further information on our behavioural-based learning, go here.