In May, the GDPR celebrated its first anniversary. This European Union regulation changed the personal data protection landscape, and put this vital aspect of cybersecurity in the limelight.
After several months with no news about the GDPR, in July, data protection made the headlines again. British Airways and Marriott both received steep fines—€204 million and €110 million respectively—for the data breaches they suffered last year. Facebook also received a fine from the Italian authorities, while in Canada, an insider stole the personal data of 2.7 million people.
A massive data theft
Now, personal data is back in the spotlight. A cybersecurity worker in Bulgaria has been arrested and charged with stealing the personal and financial data of up to 5 million citizens from the country’s National Tax Agency (NRA). This is the largest data breach that the country, which has 7 million inhabitants, has ever experienced.
The stolen information includes names, information about income, tax declarations, medical insurance payments, and loans.
An attacker with knowhow
On Tuesday afternoon, the police raided the house of the suspect, a 20-year-old, and arrested him. There, they found devices that contained the encrypted information.
According to the Bulgarian press, the suspect worked as a cybersecurity researcher, searching for vulnerabilities in IT networks to prevent cyberattacks. In 2017 he made the news when he discovered important flaws in the Bulgarian Education Ministry’s website.
He was also active on social media, posting articles about cybersecurity and hacking on a regular basis before his arrest.
A country’s cybersecurity problems
This cyberattack has reignited the debate about the country’s lax cybersecurity standards. The country’s Prime Minister said the arrested man was a “wizard” hacker, and that the country should hire “unique brains” like the attacker.
Nevertheless, some of the experts who have inspected the stolen data say that the tactics used were relatively basic, and were more indicative of a lack of adequate protection than of the hacker’s abilities.
The country’s leading business organization, the BIA, warned about possible flaws in the National Tax Agency’s data protection years ago. It has demanded that the NRA send detailed information about the leaked documents to every person and company affected.
Under the GDPR, the NRA may face a fine of up to €20 million or 4% of its annual global turnover. The sanction will depend on the number of people affected, as well as the volume of information stolen.
Although there have been large fines under the GDPR, to date, we haven’t seen any sanctions that have reached the maximum amount allowed—4% of an organization’s turnover.
How to keep your organization from being fined
The GDPR affects any organization that handles the personal data of EU citizens. As such, complying with it is a priority in order to avoid the economic and reputational damage that infringement can bring.
- Discover and audit: Panda Data Control automatically identifies company files that contain personally identifiable information, as well as the users (employees or collaborators), computers and servers that can access this information.
- Monitor and Detect: Reports and real-time alerts from Panda Data Control on unauthorized and suspicious use, transmission and exfiltration of personal data files help organizations put proactive access-control and operational measures in place.
- Simplify Management: The Panda Data Control module is native in Panda Adaptive Defense and Panda Adaptive Defense 360. It doesn’t require organizations to deploy anything other than the standard protection, and can be easily and immediately activated without cumbersome configurations.
- Demonstrate to senior management, the DPO and all other employees in your organization the strict security measures in place to protect PII at rest, in use and in transit between endpoints and servers.
The new data breaches and fines that we’ve seen this month will by no means be the last. New cases of GDPR infringement and personal data theft will come along soon. Make sure your company isn’t the next victim with Panda Data Control.