GDPR and the dark web

The Jaws theme plays in the background as GDPR approaches. On May 25 this year, the General Data Protection Regulation will become enforceable, with nasty fines for any eligible business that doesn’t comply.

Data is the blood in the water that will attract the GDPR shark. If you keep your data handling processes compliant, you’re safe. But what happens if that data bleeds out? As cybercrime intensifies, it’s worth remembering that data is easy to sell, and safer for criminals to target than money. And should anyone get hold of your data, the best marketplace for selling it is the dark web.

So, just what is this ‘dark web’, and why is it such a concern as GDPR looms over us?



Potential data breaches

As Stephen Parker writes in The Conversation Engine, “Businesses are being targeted by cybercriminals on a scale never seen since the launch of the world wide web.” In fact, according to a 2017 government statistics report, nearly half of all UK businesses suffered a cyber breach or attack in the previous twelve months.

But a data breach is a many-headed beast. A breach won’t just come from hackers alone. Worryingly, you can leak data accidentally in a variety of (innocent) ways. These include:


  • Password recycling. Many people use the same passwords across multiple accounts – including your employees. Unfortunately, trouble arises if an employee uses a company email address and the same password as part of a personal membership elsewhere. If this external organisation suffers a breach, your company then becomes vulnerable too.


  • Lost devices. From time to time, employees need to take devices offsite to carry out their work. These devices are easily lost – left on the bus or in a coffee shop. This is made even worse if a password is written down and lost alongside the device. That USB stick with a spreadsheet of customers is now in someone else’s hands; that inbox with private company information is read by prying eyes.


  • Mis-email. Sometimes data needs to be emailed to customers or other bodies during its journey through your systems. Such data can end up leaking out if it is mistakenly sent to the wrong location, or intercepted maliciously.


This isn’t to mention the potential of cybercriminals deliberately hacking into your systems, or disgruntled employees gone rogue who could steal your data. The underlying problem is that because data is leakable in so many ways, breaches are markedly difficult to guard against.



Unnoticed, unchecked

Unlike a physical breach to your company – such as a flood or fire – a data breach can be difficult to detect. Data is often leaked or breached without notice. In fact, in 2016 FireEye found that EMEA companies were shockingly slow at detecting data compromises, with the mean time between the data breach and the detection of that breach sitting at a massive 469 days.

This is when the dark web comes into play. The dark web is the prime place for compromised data to end up. Its high anonymity makes it the perfect marketplace to share and sell compromised data, without fear of repercussion for the criminal sharer.



What happens next?

The dark web is an area of the world wide web that won’t appear in normal searches. Google can’t find it. So how can the average small business? The obscurity of the dark web makes it painfully hard for businesses to find any of their leaked data.

Data breaches already cause a rush of issues for companies, with reduced confidence from customers and negative press. With GDPR, companies could also face hefty fines totalling as much as 4% of their annual turnover, as a data breach is indicative of non-compliance.

It is increasingly important for businesses to improve their understanding of how the dark web works. A switched-on understanding of the cybercrime cycle gives companies the best chance of mitigating the damage caused by leaked data early on. Rather than lingering in the dark, businesses can act with swift responses and leak reports to the relevant Data Protection Authority.




Obviously, the most effective way to avoid the dark web is to never have a data breach. You can increase your chances of this with high cyber-security efforts. For example:

  • Encrypting all your data to make it exclusively accessible to people with the right keys or passwords
  • Using software that can look for breached data or help you keep it organised securely
  • Updating security protocols to reduce the risks of accidental data leaks

Even with multiple safeguards in place, mishaps can happen. The ability to identify leaked data and the source of the breach, and to act quickly, is invaluable. In the words of Jeremy Hendy: “Organisations need to ensure that they are continuously looking for their data appearing ‘outside the perimeter’, and promptly reporting any leaks.”



The murky depths of the dark web

GDPR requires all companies to report a leak within 72 hours of discovering it. Unfortunately, without an understanding of the dark web, you have less chance of discovering the breach. Until someone else finds it, and the GDPR repercussions blindside you at full force.

The bottom line is if you deal with any EU citizen, and your company data gets onto the dark web, you aren’t GDPR compliant. So, when May 25 comes around, businesses need to be aware of the risks and difficulties the dark web poses if they want to avoid the sharp bite of GDPR.



Useful links

The Conversation Engine

Five steps to GDPR compliance: key considerations for customer service teams

GDPR, bitcoins, and the great privacy backlash