Top 10 GDPR Violations and Incidents of 2018
A brief overview of the most important security and privacy incidents that may have serious GDPR ramifications.
The European Union’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. Here we look at ten early GDPR-related incidents to see if there are any signs of how it will be enforced in the future.
GDPR is providing a template for a new approach to personal data protection around the world. It includes three areas that demand a fresh look at data protection compliance.
Firstly, it reverses the risk ratio between low fines and the high cost of security. In the past, companies have been tempted to say it is cheaper to risk sanctions than to pay for security. GDPR has reversed this equation. By giving regulators the option of delivering very high sanctions, the risk management equation now argues strongly in favor of compliance and avoiding fines.
Secondly, GDPR has also changed other aspects of data protection regulation. With earlier regulations, companies were effectively in compliance provided they weren't known to have lost personal data. This argued in favor of keeping quiet about breaches. Now companies are in breach of the regulation if they do not rapidly report a loss: a personal data breach must be notified to the supervisory authority within 72 hours of the company becoming aware of it (unless it is unlikely to pose a risk to individuals), and affected individuals must be told where the risk to them is high.
Thirdly, and in a similar vein, earlier regulations concentrated on protecting personal data from hackers. GDPR now puts the user first by also providing strict regulations on when personal data can be collected, and how and by whom it can be used.
With such a dramatic shift in data protection regulation, companies around the world have been watching and waiting to see how and to what extent the European regulators will enforce GDPR. It is still too early to know, but already GDPR-related incidents are beginning to occur. Here we look at ten such incidents over the course of 2018.
10. GDPR Compliance Plugin Exploited
In November, Wordfence reported a privilege escalation vulnerability in a WordPress plugin that was already being exploited in the wild. The vulnerability allowed attackers to manipulate the site, add new admin accounts or even lock out the original owner. The plugin had approximately 100,000 active installations, and although the vulnerability has been fixed, every site running it needs to update the plugin to close the security flaw.
WordPress plugin vulnerabilities are frequent occurrences, often found and promptly patched. What is noteworthy about this incident is that the plugin in question is designed to help site owners with GDPR compliance. Any website using the plugin is almost certainly processing user data in some way, so a GDPR compliance tool could have led directly to a GDPR violation had it been left unfixed, and still can on any site that remains unpatched.
9. Twitter Probed over Right of Access
GDPR guarantees an individual the ‘right of access’. If an individual contacts a data controller and asks for the data held on them by that organization, the controller is obligated to provide a copy within one month (extendable by up to two further months where requests are complex or numerous). The regulation’s principal ground for refusing, or charging a fee for, a request is that it is ‘manifestly unfounded or excessive’, and the burden of showing that falls on the controller.
When University College London researcher Michael Veale contacted Twitter with a data request aiming to find out exactly what data was gathered by Twitter’s link shortening service, it was refused. Twitter’s justification was that providing the data would take ‘disproportionate effort’. This prompted a complaint from Veale which led to an investigation by the Irish Data Protection Commission over whether Twitter was in breach of GDPR with this refusal. We have yet to see results, but if Veale’s complaint is upheld, it will show the power of GDPR to enforce data transparency as well as protection.
8. Data, Credit and Ad-Tech Companies Investigated
GDPR imposes restrictions on an organization’s right to gather personal data without explicit consent from the individual concerned. Without user consent, there must be a separate lawful basis under Article 6, such as a contract with the user, a legal obligation, protection of someone’s vital interests, a public task, or a legitimate interest that is not overridden by the individual’s rights. Once collected, that personal data must also be protected and handled responsibly.
In November, Privacy International made complaints to the regulatory bodies in Britain, Ireland and France about seven different data broker, credit reference and ad-tech companies, claiming they were flouting these regulations. Not all complaints have been investigated yet, but the UK ICO has already issued assessment notices to three of the accused companies: Acxiom, Experian and Equifax. If any of Privacy International’s complaints see further action, it will show that GDPR is not just there to penalize data breaches, but that the rules for gathering, storing and handling data are to be taken seriously.
7. British Airways Data Breach
While the August data breach of payment information from British Airways is being talked about as ‘the first’ potential UK fine under GDPR, this is not strictly accurate. Financial and other sanctions have already been issued under GDPR, in the UK and other EU countries. Any question of a BA fine remains up in the air. However, the British Airways breach does represent the first high-profile data incident in the UK to occur entirely under GDPR, with no ambiguity about which regime applies.
The maximum fine BA could face – 4% of global annual turnover or €20 million, whichever is higher – has been estimated at a little shy of £500 million. Thanks to the prominence of the breach in public consciousness, the ICO’s eventual decision will set a benchmark for future GDPR enforcement. While not the first ever fine, British Airways’ case will likely form the precedent for how harshly breaches are penalized, and how much an organization’s response can mitigate penalties.
6. Germany’s First GDPR Fine
Germany issued its first ever fine for breach of GDPR in November 2018. Social and dating website Knuddels.de reported a data breach of 1.87 million username and password combinations and 800,000 users’ email addresses in September. The regional data protection authority for Baden-Württemberg determined that the site had been storing the passwords in plaintext, which fails Article 32’s requirement for appropriate security measures, the first of which it names as “the pseudonymisation and encryption of personal data”.
However, the regulator showed significant leniency to Knuddels because of their promptness in reporting the breach. The social website had also acted quickly to inform affected users. The fine itself is much smaller than anything else on this list, but Germany’s first fine levied for a GDPR breach is a noteworthy landmark for the regulation.
5. Portuguese Hospital Fined €400,000
In July 2018, a Portuguese hospital was inspected by Portugal’s data regulatory body, the Comissão Nacional de Protecção de Dados. After determining that the hospital was allowing patients’ medical data to be accessed by non-medical staff, two fines were imposed for a total of €400,000. The hospital contested the fines in November, though the appeal had not been resolved at the time of writing.
This incident stands apart from other GDPR-related events this year, as the fine levied against the hospital is not the result of a data breach. The CNPD levied the fine because staff were given access to unnecessary and excessive amounts of patient data: a failure of least privilege rather than a failure of data storage. GDPR’s stipulations for data protection by design and by default often go overlooked, but this incident highlights that they are just as important as any other aspect of GDPR, and that an access profile nobody has abused can still cost an organization a fine.
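The check a practitioner would want here is an audit that compares what each account can read against what its job function actually requires, and that flags reads in the access log which the job function does not cover. The following is an added example (not the hospital’s or the CNPD’s code) of that least-privilege audit; the profile names, the permission matrix, the staff roster and the access log entries are all constructed for the illustration.

```python
"""Least-privilege audit for clinical record access (added example, constructed data)."""

# Record categories each access profile may read (constructed policy).
PROFILE_PERMISSIONS = {
    "physician":  {"demographics", "diagnoses", "prescriptions", "lab_results"},
    "nurse":      {"demographics", "prescriptions"},
    "reception":  {"demographics"},
    "it_support": set(),  # infrastructure access only, no patient records
}

# The profile each job function should hold: the least-privilege baseline.
EXPECTED_PROFILE = {
    "doctor": "physician",
    "nurse": "nurse",
    "clerk": "reception",
    "sysadmin": "it_support",
}

# Constructed roster: two accounts hold a profile far broader than their job.
ACCOUNTS = [
    {"user": "dr.silva", "job": "doctor",   "profile": "physician"},
    {"user": "n.costa",  "job": "nurse",    "profile": "nurse"},
    {"user": "clerk1",   "job": "clerk",    "profile": "physician"},
    {"user": "it.ops",   "job": "sysadmin", "profile": "physician"},
]

# Constructed access log: (user, patient record, category read).
ACCESS_LOG = [
    ("clerk1",   "patient-0041", "diagnoses"),
    ("dr.silva", "patient-0041", "diagnoses"),
    ("n.costa",  "patient-0042", "lab_results"),
    ("n.costa",  "patient-0042", "prescriptions"),
]


def over_privileged(accounts):
    """Accounts whose profile grants categories their job function does not need."""
    findings = []
    for acct in accounts:
        expected = EXPECTED_PROFILE.get(acct["job"])
        if expected is None:
            findings.append((acct["user"], acct["profile"], "unknown job function"))
            continue
        extra = PROFILE_PERMISSIONS[acct["profile"]] - PROFILE_PERMISSIONS[expected]
        if extra:
            findings.append((acct["user"], acct["profile"], sorted(extra)))
    return findings


def unauthorized_reads(log, accounts):
    """Log entries where the reader's job function does not cover the category.

    Judged against the job's expected profile, not the profile actually
    assigned, so reads that the over-broad profile permitted still surface.
    """
    job_by_user = {a["user"]: a["job"] for a in accounts}
    flagged = []
    for user, record, category in log:
        expected = EXPECTED_PROFILE.get(job_by_user.get(user))
        allowed = PROFILE_PERMISSIONS.get(expected, set())
        if category not in allowed:
            flagged.append((user, record, category))
    return flagged


def profile_headcount(accounts):
    """How many accounts hold each profile; compare with staff numbers per role."""
    counts = {}
    for acct in accounts:
        counts[acct["profile"]] = counts.get(acct["profile"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in over_privileged(ACCOUNTS):
        print("over-privileged:", finding)
    for entry in unauthorized_reads(ACCESS_LOG, ACCOUNTS):
        print("read outside job function:", entry)
    print("accounts per profile:", profile_headcount(ACCOUNTS))
```

The headcount view is the quickest sanity check: if the number of accounts holding the physician profile exceeds the number of physicians on the payroll, the provisioning process is granting clinical access to non-clinical staff, which is exactly the condition the regulator described.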
4. Google’s Location Tracking
In August 2018, an investigation by the Associated Press revealed that disabling the ‘Location History’ setting on an Android smartphone would not stop the device tracking the user’s location, because other Google services continued to store timestamped location data. This was despite Google’s support page stating “You can turn off Location History at any time. With Location History off, the places you go are no longer stored”. Google has since revised its support page to explicitly say that some location data may still be saved with the setting turned off.
While there was no immediate significant fallout from this revelation, it raised concerns over the transparency with which Google collects user data – transparency which is mandated by GDPR. In November 2018, the Norwegian Consumer Council took this even further. Their report, Every Step You Take, ascribed a deliberate, deceptive design to Google’s method of explaining its data gathering to customers. Consumer protection groups in seven different EU nations have filed complaints against Google with their data regulators.
3. AggregateIQ; Enforcement Notice, Appeal, Second Enforcement Notice, Appeal
The timing of the Facebook-Cambridge Analytica scandal prompted much speculation over GDPR. The UK Information Commissioner’s Office issued Facebook the maximum fine of £500,000 at the time possible under the prevailing EU Data Protection Directive regime. Had the data misuse occurred just a few months after it did, GDPR would most likely have led to a vastly larger fine.
However, AggregateIQ (AIQ), another data analytics firm that has been linked with Cambridge Analytica, did not enjoy the same narrow escape. The firm was accused of mishandling people’s data; while this misuse was also prior to GDPR, the ICO believed that AIQ continued to process and handle the data after May 25, making the new regulation applicable.
In July 2018, the ICO served the UK’s first ever formal notice under GDPR to AIQ. The notice stated that AIQ had breached GDPR’s terms, and instructed it to cease processing EU or UK citizens’ data for political, analytical or advertising purposes. AIQ appealed against the notice, saying that the ICO does not have jurisdiction over the company and that data processing did not occur after GDPR came into force.
With that appeal still pending, the ICO subsequently issued a ‘clarifying’ enforcement notice, but without diluting the first notice. This has also been appealed by AIQ. The clear implication is that a financial sanction will be levied if the second appeal fails. It will be interesting to see whether the ICO considers a failed appeal grounds for an increased sanction. Most commentators believe the AIQ appeal will indeed fail.
2. Facebook’s Fines and Lawsuits
2018 was a difficult year for Facebook, with controversies, data breaches and scandals becoming a semi-regular occurrence. The Cambridge Analytica scandal managed to narrowly dodge GDPR, although Facebook is still appealing against the comparatively modest fine issued under the UK’s Data Protection Act 1998 (now supplanted by the GDPR-based Data Protection Act 2018).
In September, Facebook experienced a data breach affecting nearly 50 million users, which prompted an investigation by the Irish Data Protection Commission. If found to be in breach of GDPR, Facebook could face a fine of up to $1.63 billion. On top of this, in November, the Internet Society of France, a non-governmental organization, filed a class action lawsuit against Facebook for €100 million. The NGO cites GDPR breaches and irresponsible data practices in its complaints.
1. The Question of Marriott
A data breach affecting up to 500 million Starwood hotel customers has been one of the biggest breaches in a year of very big breaches. Marriott, the parent company of Starwood, discovered the breach of customers’ personal data in September, long after GDPR came into effect. Complicating matters somewhat, however, is that it appears to have been an open, ongoing breach since 2014. This not only predates GDPR, but predates Marriott’s acquisition of Starwood. The questions of culpability, and of which regulations under which jurisdictions should be used to pursue any action, are still undecided.
Private class actions have already been started, and there may be further actions from state and national regulatory bodies.
But even if there’s a question over whether GDPR is applicable to the breach itself, Marriott faces a strong case of violation in at least one regard: the breach was discovered in September 2018, but was not disclosed until late November. GDPR requires notification to the supervisory authority within 72 hours of the controller becoming aware of a personal data breach, so Marriott’s position will turn on when it can show it became aware that personal data was involved. Unless it can place that moment close to the November disclosure, the delay is far outside the 72-hour window and is perhaps the strongest case for regulators to treat the incident as a GDPR violation.