Expanding the GDPR Requirements to Better Protect PII

Sharon Lee

The General Data Protection Regulation (GDPR) came into force across the European Union in May 2018 with the aim of strengthening privacy and extending data rights for individuals in the EU, but it was never meant to shield us from every form of cyber threat. It requires organizations that process our personal data to put appropriate technical and organizational measures in place to protect that data. When a breach does happen, they must notify the supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to put individuals at high risk, inform those individuals without undue delay.

Personally, I very much welcomed the GDPR regulation. Service providers and product manufacturers should be required to handle our personal data carefully and ethically. When it was first introduced, I felt confident the GDPR would provide individuals with the protection they need. Until one day, my own personal information was leaked. The data breach soon led to a series of attacks on my personal bank account. While I would like to give credit to my bank for detecting and blocking some of the early fraudulent transactions, they were not able to identify them all, nor did they voluntarily notify me about the attacks. As a result, it took three weeks for me to discover that I had even been attacked.

If you look at the different factors at play in a data breach, the GDPR requirements do not go far enough to protect and inform users. The Ticketmaster breach is a good example: it illustrates the shortcomings in companies’ response and notification processes. In this blog, I’ll share my wish list of protections that go beyond the GDPR to close those gaps in breach response and notification, based on my personal experience as the victim of a data breach and bank fraud.

GDPR Requirements, the Ticketmaster Breach, and Slow Responses to Stolen Data

In a data breach, the attacker only needs to find a single weak point in a system. Once in, the attacker can quietly harvest confidential information. It is in the attacker’s interest to keep that access undetected for as long as possible, so the theft is disguised to look like normal activity and is hard to spot; it can take months, if not years, for a service provider to identify a breach.

One recent example is the Ticketmaster breach. Malicious code running inside a third-party customer-support widget on Ticketmaster’s payment pages stole customers’ names, addresses, email addresses, phone numbers, payment card details, and Ticketmaster login credentials. The attack began in February 2018, yet Ticketmaster did not publicly disclose the breach until late June, more than four months after the leak first began. This tells us that even with the GDPR in place, we as consumers are still the last to know when our personal data is stolen, and by then the damage has already been done.


Financial Institutions Are Usually the First to Know

Fraudulent transactions happen every day and banks are targeted constantly by cybercriminals. A bank also sees the transactions a customer makes across every merchant, so when a cluster of fraud reports shares one merchant that most other customers never used (a “common point of purchase”), the bank can spot a breach at that merchant long before the merchant itself notices. Therefore, the bank is most likely the first party to detect and identify whether a customer is the victim of a data breach.

Before Ticketmaster publicly disclosed the incident in late June, the U.K.’s Monzo Bank spotted signs of the data breach as early as April 2, 2018. The bank received reports from approximately 50 customers and quickly replaced their cards. In the next few days, Monzo shared this finding with both Ticketmaster and the U.S. Secret Service. By mid-April, Monzo sent out 6,000 replacement cards to customers who had paid with their Monzo cards at Ticketmaster.
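The kind of analysis a bank's fraud team can run to reach that conclusion, as an added example. This is illustrative code written for this post, not Monzo's or any bank's actual tooling: it performs a simple common-point-of-purchase analysis over a constructed card history (merchant names, card IDs, days and fraud reports are all made up), flags the merchant that is over-represented among fraud victims relative to the whole customer base, and lists the cards that transacted there during the exposure window so they can be reissued.

```python
"""Common-point-of-purchase (CPP) analysis on constructed card data.

Added example for this post; the transaction history, merchants and fraud
reports below are constructed, not real bank data.
"""
from collections import defaultdict, namedtuple

# One flagged merchant with the evidence behind the flag.
Signal = namedtuple("Signal", "merchant victims victim_share base_share lift")


def build_transactions():
    """Constructed history for 400 cards as (card_id, merchant, day) tuples."""
    tx = []
    for card in range(400):
        tx.append((card, "grocer", 5 + card % 20))        # everyone shops here
        if card % 2 == 0:
            tx.append((card, "fuel-station", 12))          # half the cards
    for card in range(100, 140):
        tx.append((card, "cafe", 20))                      # 40 cards
    for card in range(20):
        tx.append((card, "ticket-seller", 45))             # inside the exposure window
    for card in (300, 301):
        tx.append((card, "ticket-seller", 10))             # before the window
    return tx


TRANSACTIONS = build_transactions()

# Cards whose holders reported fraudulent charges (constructed): 16 of the
# 20 ticket buyers from the exposure window plus four unrelated cards.
FRAUD_CARDS = set(range(16)) | {100, 101, 250, 251}


def common_point_of_purchase(transactions, fraud_cards, min_victims=5, min_lift=10.0):
    """Rank merchants by how over-represented they are among fraud victims.

    victim_share: fraction of fraud-reporting cards that used the merchant.
    base_share:   fraction of all cards that used the merchant.
    lift:         victim_share / base_share; ~1.0 means "nothing unusual".
    A merchant is flagged when enough victims used it AND the lift is large,
    which filters out merchants everyone uses (the grocer) and tiny clusters.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, _day in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)

    signals = []
    for merchant, cards in cards_by_merchant.items():
        victims = len(cards & fraud_cards)
        victim_share = victims / len(fraud_cards)
        base_share = len(cards) / len(all_cards)
        lift = victim_share / base_share
        if victims >= min_victims and lift >= min_lift:
            signals.append(Signal(merchant, victims, victim_share, base_share, lift))
    return sorted(signals, key=lambda s: s.lift, reverse=True)


def cards_to_reissue(transactions, merchant, since_day):
    """Every card that paid the flagged merchant from `since_day` onwards.

    Once a merchant is flagged, the bank replaces these cards proactively,
    not only the ones that have already reported fraud.
    """
    return {card for card, m, day in transactions if m == merchant and day >= since_day}


if __name__ == "__main__":
    for s in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{s.merchant}: {s.victims} victims, victim share {s.victim_share:.2f}, "
              f"base share {s.base_share:.3f}, lift {s.lift:.1f}")
    print("cards to reissue:", len(cards_to_reissue(TRANSACTIONS, "ticket-seller", since_day=30)))
```

On this data only "ticket-seller" is flagged: 16 of the 20 victims used it, against 22 of 400 cards overall, a lift of roughly 14.5, while the grocer, fuel station and cafe all sit at a lift of 1. The thresholds are assumptions for the example; a real fraud team would tune them, and would weigh a handful of recent transactions very differently from a merchant the whole customer base uses every week.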

I am truly impressed by Monzo’s technology and their commitment to taking their customer protection to the next level. However, this story exposes the inadequacy of the current systems and regulations.

We Need a New Ecosystem: GDPR 2.0

In the Ticketmaster case, Monzo safeguarded their customers before anyone else. Other financial institutions have since taken similar steps. In October 2018, Lloyds Bank, Halifax, and Bank of Scotland announced they were issuing tens of thousands of new credit cards to customers after their payment information was compromised by the Ticketmaster data breach. Note, however, that it took over six months for these major U.K. banks to confirm and implement follow-up actions in response to the breach.

The market is ineffective at taking holistic action to remediate the damage caused by massive data breaches. Businesses always have legal and financial concerns that delay any new action or measure, and reviewing and identifying all the security issues in their complex IT systems is not a trivial task. These systems are in production and under constant change, and there are always blind spots that developers might have overlooked.

We need new regulations and authority to motivate and assist businesses in doing a better job of protecting our personal data. A new ecosystem is needed so that every party works together to keep data breach damage to a minimum.

As an individual, I would like to be informed by my bank about any attempted fraudulent transactions in my personal bank account ASAP. Fraud, such as account takeover, is strong evidence of a breach of personal data, and once discovered, I would proactively act to protect myself as a consumer.

Wish List to Expand GDPR Requirements

  1. Implement new regulations to better motivate companies to actively and fully follow up on a data breach and advise potential victims.
  2. Establish an authority with the power to follow up on suspected data breaches. Companies that are believed to have been breached should do a proper internal security audit. Then, an external security authority can perform a second audit to confirm their conclusions.
  3. Put a mechanism in place to ensure financial institutions share their findings as soon as a data breach is identified. This would allow all financial institutions to take precautions at the earliest time.
  4. Give consumers the ability to activate a notification function that will inform them if their financial institution blocks any payments or financial activities. This will encourage the customer to review their transaction history and flag fraudulent transactions in their account at the earliest possible time. It will also help financial institutions trace and recover the lost money.
  5. Recognize that consumers must have the right to request a new card for free if they suspect their personal or payment information has been compromised. Ideally, this would be a reprogrammable card that can be updated instantly.

With these protections added to the existing GDPR regulation, financial institutions and service providers would be able to identify data breaches in their systems more quickly. Customers would also benefit. They would learn of a breach or suspicious behavior faster and be better positioned to protect their finances with proactive measures. In the end, these steps would go a long way to mitigate the damage caused by a data breach.

Our lives and money are increasingly tied to the cyber world, and this will continue to attract highly skilled cybercriminals staging more sophisticated data breaches. No one, not even a cybersecurity expert, is immune to a data breach. We now have the GDPR to punish businesses for noncompliance, but what about organizations that still rely on static passwords? Static passwords make it easy for bad actors to take over people’s accounts, because breach after breach has leaked the personal information used to guess or reset them; personal information and passwords are simply not secret anymore. Businesses, especially financial institutions, should review and upgrade their systems to bring their security to the next level. Instead of relying on passwords or personal information to secure an account, there are stronger authentication options: biometrics, 2FA tokens, and FIDO authentication, whose public-key credentials are bound to the legitimate site and cannot be replayed from a leaked database. With multi-factor authentication, a user’s personal data exposed in a breach no longer hands a malicious actor the credentials needed to access their accounts.

GDPR is just a start, and I hope GDPR 2.0 and more regulations will one day be in place to protect everyone, so that consumers will no longer experience the anxiety and hassles that today’s data breach victims do.

Sharon is research & innovation manager at the OneSpan Innovation Centre, Cambridge UK. Sharon received her PhD degree in engineering at the University of Cambridge and M.Phil and B.Eng degrees in electronics engineering at the Chinese University of Hong Kong.