The GDPR is coming. Are you ready?
The GDPR is coming. Are you ready?

With less than six months before the GDPR takes effect, many organizations are still poorly prepared.

On November 21, 2017, the CEO of Uber disclosed that 57 million Uber users' personal information was stolen during a targeted breach back in October 2016. This estimate also includes 2.7 million UK citizens, meaning if this breach had happened after May 25, 2018, Uber could have ended up paying the GDPR's whopping penalty: 4 percent of their total revenue or €20 million, whichever is higher.

How hackers gained access to Uber's customer data.

The hackers leveraged a security loophole to access Uber's private GitHub site. That site held login credentials for one of Uber's Amazon Web Services servers, which contained an archive file with a list of rider and driver information.

GDPR measures that could have helped prevent the attack.

The General Data Protection Regulation (GDPR) is all about data protection; specifically, securing EU citizens' personal data. That said, here are a few ways the upcoming regulation's requirements could have prevented the breach:

GDPR compliance begins with privileged access management.

  • Enhanced security around users' personal data: Often, organizations draw the line at a minimally allowable security perimeter to protect their customers' personal data, while their architecture could in fact be stronger. Under the GDPR, organizations will have to come to terms with the reality that infrastructure upgrades are critical and that lax security arrangements can harm customers.
  • Encryption of data in transit and at rest: Data, in either state, is vulnerable. Based on the risk of data leaks, Article 32 of the GDPR emphasizes using data encryption and other data protection best practices to keep personal data secure. Using several layers of data encryption and multi-factor authentication methods for access to data systems are a few steps that can help organizations comply with the GDPR. In the case of the Uber breach, the company's statement made it clear that their users' personal information such as names, email addresses, and mobile phone numbers was accessed. The implication here is that the user data was not encrypted, otherwise, the hackers wouldn't have been able to view all this information.
  • Notifications about breaches: Articles 33 and 34 of the GDPR are titled "Notification of a personal data breach to the supervisory authority" and "Communication of a personal data breach to the data subject" respectively. Upon becoming aware of a breach, the GDPR gives organizations 72 hours to inform regulatory authorities.
  • Reduced user negligence: In the face of recent cyber threats like identity theft and privilege misuse, user negligence regarding privileged credential security can often lead to disastrous results for an entire organization. For instance, development teams frequently embed credentials within source code files to allow automated access to critical servers, and then limitlessly share their files across mediums. The GDPR will ensure organizations focus harder on making employees aware of these careless types of practices, and hold all departments accountable for their actions.
  • Restricted access to sensitive credentials: Unrestricted access is a subtle security threat that's often overlooked. Entrusting employees with complete access to sensitive credentials or embedding access into source codes and app configuration files are dangerous practices because the credentials are stored in plain text in both cases. These risks can be quickly handled with a robust privileged access management solution that allows IT staff to share passwords with employees without revealing them in plain text, while also offering application-to-application password management.

The clock is ticking down to the GDPR's complete implementation. But, it's never too late to apply the above practices and begin your journey towards GDPR compliance. While being completely GDPR-compliant requires a variety of solutions, processes, technical controls, and measures, the first step towards compliance is eliminating poor credential management practices and controlling administrative access.

The moment a hacker gains access to privileged credentials, the entire organization becomes vulnerable to attack. So, a strict access management routine is a critical step to achieve a comprehensive, GDPR-compliant security perimeter around data systems containing users' personal information. Not to mention, automating the entire life cycle of privileged access with a comprehensive solution like ManageEngine's Password Manager Pro makes the whole process easier, as well as more effective. Get started today with your free 30-day trial of Password Manager Pro.

Password Manager Pro - Enterprise Password Management Software trusted by

Technical Support Request Demo