TL;DR – A method to demonstrate what might happen to personal data once it falls into the hands of cyber criminals.

On 25th May 2018, the General Data Protection Regulation (GDPR) came into effect in the UK. The legislation was intended to heighten the security posture of companies and change attitudes towards the protection of personal data.

Businesses rushed to become compliant, under the looming threat of eye-watering fines for data breaches. The previous maximum fines had been pocket change to most corporates – the dubious honour of receiving the pre-GDPR maximum fine of £500k (the ceiling under the Data Protection Act 1998) is shared by Facebook, Equifax, Cathay Pacific and Dixons Carphone.

It took some time before the UK Information Commissioner's Office (ICO) issued headline GDPR penalties. In July 2019, within 48 hours of each other, it announced its intention to fine British Airways £183m and Marriott £99m. The airline penalty equated to roughly 1.5% of BA's turnover, and the ICO laid down a marker that it was prepared to push towards the maximum enforcement level of EUR 20m or 4% of global annual turnover, whichever is greater.

Despite the enormous potential financial impact of non-compliance for a business, it can often be difficult to encourage employees to adhere to security principles, particularly when the only means of doing so appears to be beating them with a big stick about how much it will cost the company and subjecting them to endless slides of text-based GDPR legislation. In fact, common security faux pas within the remit of all employees are still easy prey for cyber criminals – phishing emails, password reuse and a lack of two-factor authentication – these factors alone account for most of the cyber crime victims I've encountered.

I believe the key to security compliance lies in highlighting the personal benefits to the individual, and so I present a short journey through what might happen to a customer's personal data once it has been breached – and then add a little twist...

Having trotted out the headline-grabbing numbers above (after all, everyone loves a bit of schadenfreude), let's explore where breach data might end up... the dark web.

It's incredible to see the glee on people's faces when I ask them if they'd like to see a few screenshots from dark web sites. It all seems so taboo and exciting, and I imagine few of them are prepared for the reality of an eBay clone with a home page covered in counterfeit Viagra. It's like the online equivalent of a shady character in cheap aftershave opening one side of their coat to reveal a row of watches.

So, this is the sort of place where breach data might end up for sale. Let's run through what Mr (or Ms) Grimm has to offer in their data set: name, date of birth, social security number, driving licence number, address, phone number, income, income frequency... and so on. It seems a pretty rich data set, and it's available for as little as $2 per record.

One thing I always found fascinating is the customer feedback! The dark markets are based on reputation – and nothing screams with greater indignation and rage on a forum than a criminal who has been scammed online by another criminal. Who’d have thought? Karma can be a real joker.

I digress; this is where your customers' breach data might end up – and look what it can be used for: loans (maybe mortgages?), bank drops, bank accounts, ID verification.

One thing that I regularly see mishandled is a company's response to a data breach. Nothing irritates me more in these circumstances than a company that trots out the "we have lost some personal data but no credit card information was compromised" line. It's disingenuous and lazy, in my opinion – in most cases they probably never had the full credit card information, so it would have been impossible to lose it. This line just provides them with a seemingly positive spin.

But is it actually that positive? If my credit card were compromised, I'd call the bank, they'd check my transactions, and if I didn't make them, chances are they would refund me, cancel my card, and the whole thing could be dealt with pretty quickly. But if my personal data goes missing, it can potentially be used to take out loans in my name; I'm possibly not going to find out about it until someone starts demanding payment, by which time it will be on my credit record. I'm then faced with contacting a lender to explain that I never took out a loan. Far trickier to sort out – and my credit rating will potentially be impacted for the duration. So which is worse, a breach of credit card data or of personal information? You decide.

OK, so you probably wouldn't wish that upon your customers, but is that enough to encourage compliance? It's not your employees' data, after all. Well, let's think on that for a moment. That data set on the Grimm Store was pretty rich. What's the richest (in terms of diverse information rather than quantity) personal data set held by most companies? Is it the customer data?

Arguably not. It's more likely to be personnel data; after all, most companies tend to pay their employees, and know their next of kin, name, address, tax information and, in some cases, medical details. Where is this data likely to be stored? Very probably in a similar, if not neighbouring, environment to the customer data. If the criminals can get to one repository once they've breached the defences, they may very well be able to get to the other.

And therefore, if as an employee you are prepared to play fast and loose with cyber security, be prepared for your own information to end up for sale on the Grimm Store alongside that of your customers...

This is typically a great time to provide a reminder about phishing emails, password reuse and two-factor authentication!