• Resources
  • Blogs
  • GDPR and How It Affects a Data Breach Caused by Account Takeover

GDPR and How It Affects a Data Breach Caused by Account Takeover

Alex McConnell
Alex McConnell
3 Minute read
GDPR and How It Affects a Data Breach Caused by Account Takeover

Article Contents

    Before recent updates to GDPR legislation, some companies looked upon Account Takeover (ATO) merely as an annoyance. Access to the customer account itself often didn’t allow you to obtain the actual credit card details. Retailers, in particular, reasoned that ATO attacks were often focused on customer points, gift cards, vouchers or credit, often for small value items.

    Under new GDPR legislation, what may once have been a containable annoyance has become a very real business issue, with serious financial and reputational consequences for any company, regardless of whether any theft of data takes place. This means any company could be a potential target for attackers.

    What is a personal data breach under GDPR?

    A personal data breach describes any breach of security which leads to the access, destruction, change, illegal sharing or loss of personal data by anyone outside of the person the data belongs to and a pre-agreed party.

    Under GDPR legislation, any data breach carries serious legal implications for the company holding the data.

    What is account takeover under GDPR?

    Account takeover is any instance when a customer account is accessed, seized or used by anyone besides the account holder.

    How does GDPR legislation affect personal data breaches and account takeover?

    Under new GDPR legislation, hackers have even more motivation to commit and weaponize data breaches and account takeovers. This has led to an increase in situations where hackers are holding customer data for ransom, threatening to release customer data or report the data breach unless the company being targeted meet certain financial demands.

    We can see in the case of the Superdrug ATO breach how the effects of the GDPR legislation have had an immediate impact. After receiving the ransomware threat, Superdrug immediately informed their customers as well as the Information Commissioner’s Office (ICO) of the breach. The story made front-page news in the IT press and was covered by several of the nationals.

    No credit card details were compromised, but the fraudulent logins included access to customer personal data as well as the customer account points, which may have been compromised. The original payload of the attack seems to have been designed just to exploit the account points, so the attackers could use the stolen points in exchange for goods. The stolen personal data itself probably meant nothing to the attackers.

    Superdrug responded very quickly and did all the right things. Their IT systems were not breached, and they advised customers to change their passwords to fix the issue.

    How to prevent account takeover with Netacea

    At Netacea we’re continually looking at new ways to combat threats from ATO. One of the key ways is to use behavioural analysis to prevent these ATO attempts in the first place, as well as to help quickly identify potential breached accounts should an attack be successful.

    A successful ATO attack needs a large volume of accounts to succeed. For example, the hackers claimed to have access to 20,000 Superdrug accounts, although only a few hundred were actually verified as compromised. Our behavioural data can pick up these programmatic attacks, even if they are specifically programmed to go slow and low and workaround existing WAF thresholds.

    It turns out that nearly all the websites we’ve ever audited have some form of ATO attempts, and most owners are simply not aware of these attempts. If you don’t have some pro-active way of dealing with these attempts, there is always the possibility that the attackers can move from merely data harvesting credentials, to trying to commercially exploit the data in new and inventive ways.

    For further information on our behavioural-based learning, go here.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.

    Related Blogs

    Knight chess piece
    Alex McConnell

    What is a Sophisticated Bot Attack?

    Learn about the growing sophistication of bot attacks. Find out how to improve defenses and detect these attacks effectively.
    Alex McConnell

    Offensive AI Lowers the Barrier of Entry for Bot Attackers

    Explore the impact of offensive AI and automated attacks. Discover how AI is changing the landscape of cybersecurity.
    Worker helmet
    Alex McConnell

    What is Defensive AI and Why is it Essential in Bot Protection?

    Discover the potential of defensive AI in bot protection. Explore how machine learning can protect against automated attacks.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats
    Book a Demo