GDPR as an Attack Surface: Mitigating the Risks

“Attached please find our DPA. Please have this document signed by an authorized signatory and send the completed agreement back to us at […]”

Those two sentences were part of a legitimate email directed at the Cylance privacy team, but something about them left me in an uncomfortably familiar situation. The sense of urgency and the presumed obligation to open the document were tactics I have seen employed many times before. So I posted a quick thought on LinkedIn about the use of the General Data Protection Regulation (GDPR) as a new medium for email-based attacks involving requests for companies to complete Data Processing Addendums (DPAs). I wrote it down so I would not context-switch it into oblivion, pinning it as a question to the cosmos that deserved a bit more attention later.

As a Deputy CISO, I know that GDPR has been a work in progress for over a year. Working with my peers in our Compliance team and our Chief Privacy Officer, I have been aware of the obligation and the consequences for some time now.

Prior to the GDPR, we had the 1995 Data Protection Directive, which set the minimum standards for processing data in the EU and applied to organizations that collect, process or store the personal information of EU residents. The GDPR prescribes considerably greater penalties than before in the event of a breach – €20 million (approx. $23,983,800) or up to 4% of annual global turnover. UK businesses, and all overseas businesses offering goods or services to the EU, will be obligated to prepare for GDPR before this date.

It’s the consequences of non-compliance that make the GDPR an ideal conduit for those with malicious intent. If you look across the myriad articles and largely vendor-driven FUD about the topic, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Steve Mancini. Read the original post at: