GDPR: How right of access is being exploited by criminals


Written by Mark Belgrove, Head of Cyber Consultancy, Exponential-e.

The EU General Data Protection Regulation (GDPR) came into force in May 2018 and has since been widely heralded as a force for good. With people and their privacy at its heart, the regulation has forced organisations into a new way of thinking about data, and many of its themes have subsequently been repeated within regulations across the world.

A mighty beast: the GDPR is made up of 11 chapters split into 99 articles. Each article focuses on a different aspect, including how data should be managed, the power citizens – or ‘subjects’ – have over their data, and the appropriate response times to data loss.

Chapter Three is where things get really interesting: it details the subject’s rights, one of them being a ‘right of access’. This right empowers individuals to discover what data an organisation holds on them, including the purpose behind holding the information, who it has been disclosed to and how long it will be held for. They are also able to request that any errors be corrected.

On receiving a correction request, organisations have 30 days to respond. In cases where this timescale isn’t adhered to, subjects can complain to the local data regulator – the Information Commissioner’s Office (ICO) for the UK. As such, companies need processes in place not only to handle and action requests but also to collate any relevant information quickly. The problem is that many companies simply don’t – and cybercriminals are frequently taking advantage.


Traditional cyberattack is taking a new path

Distributed Denial-of-Service (DDoS) attacks typically see services taken offline through an inundation of traffic. Just as websites cannot always cope with a sudden deluge of visitors – anyone who’s ever tried to purchase Glastonbury tickets will understand this all too well – network servers are often unable to handle unexpected surges in traffic.

Such attacks often see cybercriminals using malware to gain control of corporate devices, before tasking them to send traffic against the target’s network. This exhausts the target’s capacity and leaves it unable to respond to genuine traffic. However, GDPR has created another DDoS attack avenue.

There is a growing number of incidents in which cybercriminals overwhelm businesses through access requests. Many organisations – particularly those in the tax industry – typically dedicate one or two employees to handle them. Those employees already face the challenge of resolving requests within the timeframe; a targeted campaign could see hundreds or thousands of ‘requests’ suddenly flooding in.

Furthermore, cybercriminals don’t simply request the same information in each individual appeal. Instead, they use different combinations, ensuring employees have to access multiple databases to resolve the requests – making the work even more time-consuming.

The risk to businesses is that, while employees are stretched thin, they are unable to complete other everyday tasks, resulting in parts of the enterprise coming to a standstill. In addition, this added employee strain makes it more likely that they will be caught out by phishing attacks or make other small but costly mistakes, which in turn could provide cybercriminals with network access.
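The flood pattern described above (a sudden burst of access requests, each asking for a different combination of data categories) is visible in the intake log long before the team drowns in it. The following is an added illustration, not the author’s or any vendor’s tooling: it assumes a simple one-line-per-request log format (timestamp, requester, comma-separated data categories), buckets requests by hour, flags any hour above a volume threshold the team sets from its normal traffic, measures how many distinct category combinations a flagged burst contains, and computes the response due date using the 30-day period cited in the article. The log entries are constructed for the example.

```python
"""Detect a flood of GDPR subject access requests (DSARs) in an intake log.

Added illustration; log format, threshold and addresses are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from itertools import combinations

CATEGORIES = ["contact", "billing", "hr", "marketing", "support"]

# Constructed sample log: a quiet day, then 12 requests in 45 minutes on
# 3 Nov, each asking for a different combination of data categories.
SAMPLE_LOG = [
    "2020-11-02T09:14:00 requester=r01@example.invalid categories=contact",
    "2020-11-02T13:40:00 requester=r02@example.invalid categories=contact,billing",
    "2020-11-02T16:05:00 requester=r03@example.invalid categories=hr",
] + [
    f"2020-11-03T10:{i * 4:02d}:00 requester=burst{i:02d}@example.invalid "
    f"categories={','.join(combo)}"
    for i, combo in enumerate(
        list(combinations(CATEGORIES, 2)) + list(combinations(CATEGORIES, 3))[:2]
    )
]


def parse_line(line):
    """Parse one intake record into a dict with a datetime and a category set."""
    ts, requester, cats = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "requester": requester.split("=", 1)[1],
        "categories": frozenset(cats.split("=", 1)[1].split(",")),
    }


def surge_windows(records, threshold=5):
    """Return (hour_start, count) for every clock hour holding more than
    `threshold` requests. The threshold is a constructed figure; a real team
    would derive it from its own baseline daily volume."""
    buckets = Counter()
    for r in records:
        buckets[r["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    return sorted((start, n) for start, n in buckets.items() if n > threshold)


def combination_spread(records, start, end):
    """Number of requests received in [start, end) and how many distinct
    category combinations they contain. A flood that varies the requested
    data per request shows a spread close to the request count, which is
    what forces staff to touch many systems."""
    recent = [r for r in records if start <= r["ts"] < end]
    return len(recent), len({r["categories"] for r in recent})


def deadlines(records, days=30):
    """Response due date per requester, using the 30-day period the article cites."""
    return {r["requester"]: (r["ts"] + timedelta(days=days)).date() for r in records}


def triage(lines):
    """Summarise every flagged hour: volume and combination spread."""
    records = [parse_line(line) for line in lines]
    report = []
    for start, n in surge_windows(records):
        total, distinct = combination_spread(records, start, start + timedelta(hours=1))
        report.append(
            {"window": start.isoformat(), "requests": n, "distinct_combinations": distinct}
        )
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
    for who, due in sorted(deadlines([parse_line(l) for l in SAMPLE_LOG]).items())[:3]:
        print(who, "due", due)
```

A flagged hour in which the distinct-combination count approaches the request count is the signature the article describes, and is a reasonable trigger for pausing automatic assignment and reviewing the batch as a whole rather than request by request. The deadline view is what keeps the 30-day clock visible while that review happens.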


The need for streamlined data collation and response

Preventing these attacks relies on adopting tools that enable employees to pull data from various sources and display it on a single pane of glass. If workers can quickly find the required data and transform it into the presentable electronic format required by GDPR, the pressure on them is significantly eased. This capability requires tools that are compatible with one another, meaning that adoption decisions must consider the full enterprise and not simply one function.

Another important measure is for firms to have the relevant data procedures and policies in place.

It’s no longer enough to collect data and then treat it as one homogeneous lump. Each strand of data needs to be respected and stored with its kin. This ensures that all information – even if it doesn’t tangibly add value to the business – isn’t forgotten about and is secured to the standard that GDPR dictates. It also helps with right of access requests, as businesses know exactly where they can find information.

Ultimately, the introduction of GDPR has given citizens more power over their personal data and placed the onus on organisations to better protect it. Unfortunately, however, cybercriminals have found a vulnerability in the compliance processes many have adopted, and are exploiting it. In order to prevent employees from becoming overwhelmed by these request-based DDoS attacks and to protect networks, companies must adopt tools and policies that streamline data discovery and collation. By doing so, they will be able to safeguard both their staff and their bottom line.
