Data Breach Notifications: Will there be a “butterfly effect” increase in phishing and cyber crime?
Much has been written about the processes, technologies and overheads of handling data breach notifications from the point of view of the organisations that may suffer breaches. Less has been mentioned on effects of these notifications on data subjects or on other, seemingly unaffected organisations.
The introduction of data breach reporting/notification is one of the big leaps in GDPR and is echoed in other parts of the world that are tightening privacy rules, like Australia.
Data Breach Notifications – Your obligations to the Authorities and the Data (breach) Subject
There are really two aspects to this. The first is notifying the Regulator or the Authority. In GDPR speak, Article 33 requires:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
However, for data subjects, Article 34 requires:
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay … in clear and plain language the nature of the personal data breach and contain at least the information and the recommendations.
So if you follow the logic, an organisation suffers a data breach howsoever caused, they tell the Authority (in the UK for example this is the ICO) and then (very soon afterwards) they send a communication out to the affected people to inform them and tell them what to do.
What could possibly go wrong?
Put simply, there could be unintended consequences that are, at present, hard to quantify or measure – much like the so called butterfly effect; where the flapping wings of a butterfly cause changes to the weather somewhere else due to chaotic effects.
Breach communications: The citizen view
If you consider the result of a data breach notification from the data subject’s point of view, the person whose data or account has been breached, there are two possible effects.
Data breach notifications: The phishing risk
One is that they get a notification, most likely by email, saying there has been a problem and what they should do about it. This could range from ‘contact a call centre’, or ‘log into your account and reset your password’, or await a recreated set of account credentials, or a link to register for credit/identity theft insurance etc. Something out of the ordinary and (depending on the media coverage) possibly unexpected.
The challenge here is that there is a massive phishing exposure, particularly when breaches have been widely publicised or if data breach notifications start to become very commonplace (see the issues around this here).
So let’s assume a bank customer gets an email today saying:
“Your account has been compromised, please fill in the details below to reset your credentials and unlock your account”
They would probably be suspicious and ignore it – as we are told to disregard those when they arrive out of the blue.
However, if there has been a widely publicised breach, or even if the frequency of breach notifications is quite high (people are getting them all the time), there is a potentially greater risk. Imagine the following headline/news story saying:
“Bank A suffers major security issue… customers told they will be contacted”
Followed by an email saying:
As you may have heard in the media we have suffered a security breach. We are very sorry and are working hard to make things right.
We have suspended accounts for your protection, please fill in the details below to reset your credentials and unlock your account”
There is a problem here. The content/process behind the phishing email is identical – however given a real situation and a plausible story to link the message to it, the credibility of the request is elevated and the chances of it working made much higher.
Potentially, to the point where more people will believe it and cause themselves even more problems by following what they believe are genuine instructions.
There are several potential attack scenarios:
- An attacker could pretend there has been a breach when there hasn’t;
- An attacker could wait until there is one and send out a pre-emptive email;
- An attacker could wait until the organisation sends out breach correspondence, copy the look/feel format and then send what appears to be a follow up.
So one prediction is that a rising frequency of data breaches being publicised and communicated to the public will make phishing emails harder to spot (hence more successful), or more common (hence more lucrative).
Data breach notifications: The cyber crime risk
We see this already when data breaches occur – a database of email addresses, personal details and/or passwords is leaked from a site or company A – and sure enough the same credentials are either used to log into company B or they contain sufficient information to enable accounts on company B’s systems to be reset or unlocked.
If you are company B your customer accounts are accessed and money is transferred, data is stolen, purchases are made using stolen credentials.
How does the rise in publicised data breaches expand this risk? In short, if your customer details become more widely known through more frequent and more widely publicised breaches in other organisations, there is a greater risk that individual details will be available somewhere; that people will choose weaker passwords (if they have to change them much more often) or that facts they can’t change – like data of birth or mother’s maiden name – suddenly become less useful as identify validation; leaving companies with scant choices for asking security questions or verifying identity.
Data breach notifications: The ransomware risk
Ransomware is increasingly common, in some circles it is the cyber security threat that many fear most. Past cases have been geared around encrypting data and holding the key for a bitcoin ransom – often one that is modest enough that paying up is by far the best strategy (why pay thousands for expensive consultancy or data recovery if you can get your data back for $300?).
However with the increased pressure of larger regulatory fines and the need to disclose the nature of the breach, will ransomware demands get higher or will their focus be not on encrypting data but on avoiding a small breach becoming a large one?
“We have 1m records, but pay us $300 and we will only leak 1000 of them.”
Certainly there is an economic driver around minimising fines, and ransomware authors might look to exploit that through the creation of tiered-impacts where the size/severity/scale of a breach is reduced (and hence attracts a lesser fine) if a ransom is paid.
The challenge for the public and for organisations
There are several factors compounding this – an increase in the number of publicised breaches is good to raise awareness and increase transparency. However the improvements in organisational security that we have sought for years are not going to come over-night.
We also don’t have an effective mechanism to replace passwords. Yes two-factor authentication solves a lot of the problems, and it is expected to become more widespread in its use – but for some systems, applications or businesses, challenges will remain in how to authenticate individuals and verify identity if there is a wider market for stolen credentials and personal data resulting from phishing attacks etc.
For us as data subjects, we may see our security answers being less useful as the data is known to be exposed and hence less reliable (it is almost surprising that security questions are still in use even now) and a growing overhead in logging into systems, that until now was relatively easy, in order to lessen the reliance on password protection alone for accounts.
We may also see a reduction in companies allowing us (or in some cases forcing or encouraging us) to create accounts at the point of checkout “to store our details” as the risk of that data being exposed is perceived to grow. For some people, that loss of convenience when they are buying running shoes, or books, or gifts might become a nuisance.
Mandatory Data Breach Notifications – the consequences
Mandatory data breach notifications are undoubtedly a good thing, but they could also have unintended consequences, akin to the chaotic effects of a flapping butterfly wing, as they change the dynamics of how breaches are reported and handled.
It is unlikely there will be a flood of notifications, but as transparency increases there could appear to be a higher number than are currently reported; and this could lead to more account resets, more reuse of passwords and reliance on security information being increasingly difficult. Also, the heightened fines might mean ransomware becomes more focused on fine avoidance or reduction; rather than just getting data decrypted as at present.