GDPR and credential stuffing attacks: yes, they are reportable
Credential stuffing and password spraying attacks are reportable data breaches under the GDPR. Any organisation based in the EU or with EU citizens among its customers needs to comply with the EU’s General Data Protection Regulation (GDPR), which calls for protecting personal data with appropriate technical safeguards. Although the GDPR does not explicitly state what those technical safeguards should be, it does state that security controls should be chosen in proportion to the risk of a personal data breach.
So, what constitutes personally identifiable information (PII) under the GDPR? The GDPR defines this as “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used”. Examples of identifiable data include names, location data and online identifiers such as email addresses. Although the GDPR does not explicitly mention password requirements, passwords present the easiest way to gain unauthorised access to PII.
Passwords are the weakest link
Verizon’s 2019 Data Breach report revealed that 29 per cent of breaches involve the use of stolen credentials. With billions of usernames and passwords available online from previous breaches, a high volume of attacks results from credential stuffing or password spraying.
Both attacks take advantage of password reuse via large-scale automated login attempts. The difference between the two is that credential stuffing replays a large number of username and password combinations taken from earlier breaches, while password spraying tries a small set of the most common passwords against many accounts.
Once the attackers are in an account, they will either try to remain undetected or take over the account by resetting the account password. The primary objective of these attacks is often financial gain, but it also includes the theft of PII, such as credit card details.
PII and credential stuffing
Given that these attacks do not exploit a software vulnerability but simply log in with valid credentials, there has been some debate as to whether they constitute a reportable breach. A personal data breach is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Credential stuffing or password spraying attacks lead to the unauthorised disclosure of, or access to, personal data, which means reporting is required.
In fact, the Information Commissioner’s Office (ICO), the UK’s data protection body, fined Uber £385,000 in 2018 for exposing user and driver data. Uber was the victim of a credential stuffing attack that exposed personal details of 2.7 million UK customers, including full names, email addresses and phone numbers. Initial sign-up location data was also exposed, alongside the payment information of 82,000 drivers. Uber tried to cover the incident up by not disclosing the breach for more than a year and by paying the attackers $100,000 to destroy the data they had downloaded.
Prevention and compliance
It is possible to safeguard against these types of attacks. Organisations need to start by removing weak passwords using a secure policy that prevents people from using passwords that are easy to guess or have been leaked.
The ICO has updated its guidance to provide password recommendations under the GDPR. It explicitly states that passwords should be longer than 10 characters and strong enough to resist brute-force or guessing attacks. Passwords should never be stored in plain text, and organisations should allow for, but not force, the use of special characters. The ICO also states that organisations should use password blacklisting to eliminate the use of leaked or common passwords.
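A sign-up check that applies the recommendations above (more than 10 characters, a blacklist of leaked or common passwords, special characters allowed but not required, and salted hashing instead of plaintext storage), written here as an added example rather than code from the article or from the ICO; the blacklist contents, the PBKDF2 parameters and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a leaked/common-password blacklist (assumption: a real
# deployment would load a large breached-password list instead of these four entries).
LEAKED_PASSWORDS = {"password123", "qwerty123456", "welcome2019", "letmein12345"}

MIN_LENGTH = 11            # "longer than 10 characters"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def password_problems(candidate: str, blacklist=LEAKED_PASSWORDS) -> list:
    """Return the policy rules the candidate breaks; an empty list means accepted.

    Special characters are permitted but deliberately not required, as recommended.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 11 characters")
    if candidate.lower() in blacklist:
        problems.append("appears on the leaked/common-password blacklist")
    return problems


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-SHA256 digest, never the plaintext password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str, blacklist=LEAKED_PASSWORDS):
    """Apply the policy at sign-up; return (stored_hash, []) or (None, problems)."""
    problems = password_problems(password, blacklist)
    if problems:
        return None, problems
    return hash_password(password), []
```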
The focus is to ensure that the user is who they say they are before granting access. Since attackers often take over the account by resetting the account password, protecting the password-reset process is critical.