GDPR and How It Affects a Data Breach Caused by Account Takeover

Before the new GDPR legislation, some companies looked upon Account Takeover (ATO) merely as an annoyance. Like retail shrinkage, it was viewed by a minority as just the inevitable cost of doing business.

After all, it wasn’t really a data breach, was it?

Access to the customer account itself often didn’t allow you to obtain the actual credit card details. Retailers, in particular, reasoned that ATO attacks were often focused on customer points, gift cards, vouchers or credit, often for small value items.

Adopting robust multi-factor authentication would stop ATO in its tracks but would also dramatically cut the number of valid logins, causing an instant drop in sales, that would dwarf the size of the ATO problem. So, an annoyance for retailers, but where is the real harm?

The hackers now have a new weapon in their arsenal – exploiting the new GDPR reporting environment for the first time to demand a ransom.

The new GDPR legislation has turned what may have been previously a containable annoyance, to a very real business issue, which can have serious financial and reputational consequences for any company, regardless of the theft of the actual credit card data, and now makes potentially any company a target.

We can see in the case of the Superdrug ATO breach how the effects of the GDPR legislation have had an immediate impact. After receiving the ransomware threat, Superdrug immediately informed their customers as well as the Information Commissioner’s Office (ICO) of the breach. The story made front-page news in the IT press and was covered by several of the nationals.

No credit card details were compromised, but the fraudulent logins included access to customer personal data as well as the customer account points, which may have been compromised. The original payload of the attack seems to have been designed just to exploit the account points, so the attackers could use the stolen points in exchange for goods. The stolen personal data itself probably meant nothing to the attackers.

Superdrug responded very quickly and did all the right things. Their IT systems were not breached, and they advised customers to change their passwords to fix the issue.

To understand what is happening here it’s vital to understand the attacker mindset. Account takeover abuse often has two elements, the IT hackers, and a second often criminal organisation.

First, the target site is attacked to harvest the credentials and a list of valid usernames and passwords is created. Second, these credentials are then sold to a criminal organisation who then seeks to exploit these compromised account logins for commercial gain. In this case the commercial gain has transitioned from toiletries to ransom and changed the game.

At Netacea we’re continually looking at new ways to combat the threat from ATO. One of the key ways is to use behavioural analysis to prevent these ATO attempts in the first place, as well as to help quickly identify potential breached accounts should an attack be successful.

A successful ATO attack needs a large volume of accounts to succeed. For example, the hackers claimed to have access to 20,000 Superdrug accounts, although only a few hundred were actually verified as compromised. Our behavioural data can pick up these programmatic attacks, even if they are specifically programmed to go slow and low and workaround existing WAF thresholds.

It turns out that nearly all the websites we’ve ever audited have some form of ATO attempts, and most owners are simply not aware of these attempts. If you don’t have some pro-active way of dealing with these attempts, there is always the possibility that the attackers can move from merely data harvesting credentials, to trying to commercially exploit the data in new and inventive ways.

For further information on our behavioural based learning, go here.