With the upcoming General Data Protection Regulation (GDPR) on the horizon, some companies are actively thinking about and planning for how the new European Union-based regulation will affect data-handling practices. Extended jurisdiction for data requirements—regardless of companies’ geographic locations—means that any entity doing business with EU citizens must now consider how the company will the manage data of or about any person in the EU. From hiring data protection officers to ensuring “privacy by design” and abiding by the soon-to-be breach notification requirements, preparing for compliance with the regulation, set to take effect in less than 6 months, is no small undertaking. Which may be one reason many organizations haven’t started making requisite changes. Another stumbling block, according to the same survey, might be that healthy percentages of businesses believe GDPR will add “complexity” and “red tape,” which also may be true. The aim of the regulation, after all, isn’t to make businesses lives easier; it’s to protect EU citizens’ personal data.
With GDPR looming, it’s no surprise that as each fresh breach is publicly disclosed, the security community speculates what might have happened if breach identification had occurred after the deadline. Even more pertinently, go the rumblings, what would have happened—what fines would the company have paid—if it had failed to meet the 72-hour notification period and/or couldn’t prove the company took adequate precautions in protecting consumers’ data? In the most recent whopper of a breach—Uber—questions are especially bountiful because 1) the breach was discovered over a year prior to disclosure, 2) it was revealed that Uber execs paid off the attackers to cover up the incident, and 3) Uber seems to be intimating that the criminals used sophisticated technical controls to steal credentials for a cloud provider account when in reality the attackers simply found admin credentials on an Uber GitHub site.
To recap, had this breach occurred post-GDPR implementation, Uber would have severely missed the 72-hour notification deadline (maybe they misread and thought it was 72 weeks…), nor did it implement appropriate technical and organizational measures to ensure privacy by design. Further, Uber runs amok of GDPR’s “consent” requirements by making it difficult for users to consume the company’s privacy policy, making it near impossible for users to thoroughly alter privacy settings (certain data are required by default for use of the service and app), and making the withdrawal of consent very challenging (while users can uninstall the Uber app, the company provides no indication that it deletes or stops using previously-collected user data).
What’s important when looking at recent breaches isn’t to ogle and point out all the things the breached entity did wrong; organizations need to be using these incidents as lessons learned and applying that knowledge to their own processes and procedures. In the case of Uber, what can we learn in the aftermath?
Credential management
Though GitHub and other sharing sites can be excellent collaboration tools, highly sensitive information should never be stored anywhere in the clear, and certainly not on a site that can be found through public search (even though Uber’s developers were using a “private” site). Furthermore, login credentials should never be shared. It’s Security 101, and security teams need to be auditing and testing systems for password misuse and abuse. The good news is that a lot of this can be automated, which removes most excuses for allowing shared, weak, or default passwords throughout enterprise systems.
Finally, had two- or multi-factor authentication been turned on, all of the above could have been moot. Had cyber criminals phished active credentials out of an Uber employee (rather than finding them on GitHub), they would not have been able to progress the attack unless they had somehow also pilfered access to the second factor. This is possible, of course, but it would require a highly motivated and skilled attacker. Most attacks and breaches—even the big ones, even the “targeted” ones—are a product of easy-to-fix security vulnerabilities, like failing to implement 2FA on admin accounts.
Communication is king
As the saying goes, it’s easier for adversaries to find one vulnerability than it is for security practitioners to protect the organization’s entire ecosystem. In other words: all companies should be prepared to handle a breach. Doing so includes formulating internal and external communications plans. Especially when it comes to communicating with customers and other stakeholders, media, law enforcement, etc., lying is never OK, and should not be part of any plan. Uber tried to spin its breach by paying off attackers and calling it a bug bounty program. Expect to see more blowback from this “spin” than if the company had simply come clean.
Moreover, though investigating a possible security incident and confirming that, in fact, systems have been breached and data were stolen takes time (72 hours might not be adequate in some cases), covering up a breach for over a year is completely unacceptable. Doing so puts affected parties at greater risk. The longer a company waits to notify impacted individuals, the more time criminals have to cause irreparable damage.
Checking your compliance boxes
We all know that compliance doesn’t equal security. Adhering to rules and regulations hasn’t proven a thorough security control for preventing breaches, but that yearly or semi-annual compliance audit can serve as a reminder to check or double check basic security controls. Though most organizations look at audits as point-in-time assessments (as are pen tests), done right, audit findings can keep companies honest when it comes to attending to security basics. Under GDPR, companies will be required to pay more attention to data privacy protection than they have in the past. While this adds another layer of complexity to already-stretched security programs, adhering to privacy by design, for instance, will ultimately help organizations better secure data. This can’t be a once-per-year effort though. Breached organizations that can’t prove adequate technical controls and ongoing processes for securing personal data won’t be given the benefit of the doubt. Unless a continuous process can be demonstrated (i.e., not the annual audit report), the company will face fines of up to 4% annual global turnover or €20 million. This is no trivial sum.
Judging by global GDPR readiness, many companies are looking at the upcoming regulation as just another non-security hassle to deal manage. Governed correctly, though, security teams can use it as a rough guide for shoring up lax practices and controls that could help ward off an Uber-type breach.
Attend the Privacy and Risk Management Summit at InfoSec World 2018 to learn new strategies and techniques for managing your organization's data protection strategy.
