By Pádraig Hoare
Cyber criminals are using the EU’s incoming general data protection regulation (GDPR) to target email users in a sophisticated phishing scam, gardaí and cybersecurity experts have warned.
Airbnb customers are among those who have fallen victim to the scam, where criminals send fake GDPR notices to customers asking them to confirm login or personal information via online links so that they can continue to use the service being provided.
The Garda National Cyber Crime Bureau said that while no incidents have been reported in Ireland to date, a number have been reported in other parts of Europe.
European detectives have already identified a string of scams involving fake notices purporting to be from Airbnb and asking customers to update their details in order to continue their agreement, gardaí said.
The bureau advised that, before responding to unsolicited emails, recipients should ensure that the email address used to send the message is genuine. It advised never supplying banking or financial information via email, and said that any such email should be deleted and reported to the recipient's bank.
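The sender-address check the bureau recommends can be automated at a mail gateway. The following is an added illustration, not code from the article or from the Garda bureau: it parses a constructed sample of the fake "GDPR notice" described above and flags a display name that claims a brand whose genuine sending domains (an assumed allow-list the defender maintains) do not match the sender or the links, plus any request to confirm login or financial details.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of the scam described: the display name claims the service,
# but the sender and link domains belong to the criminals.
SCAM_MESSAGE = """From: "Airbnb Privacy Team" <notices@airbnb-gdpr-update.example>
To: customer@example.net
Subject: Action required: confirm your account under the new GDPR rules
Content-Type: text/plain

Under the GDPR you must confirm your login details to keep using the
service: http://airbnb-gdpr-update.example/confirm
"""

# Assumed allow-list of domains that genuinely send mail for each brand (maintained by the defender).
GENUINE_DOMAINS = {"airbnb": {"airbnb.com"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
CREDENTIAL_WORDS = re.compile(r"\b(login|password|bank|card)\b", re.I)

def registrable(host):
    # Crude: keep the last two labels. Real deployments should use the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_notice(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1]
    # Which brand does the display name claim to be?
    claimed = next((b for b in GENUINE_DOMAINS if b in name.lower()), None)
    findings = []
    if claimed and registrable(sender_domain) not in GENUINE_DOMAINS[claimed]:
        findings.append(f"display name claims {claimed} but sender domain is {sender_domain}")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if claimed and registrable(host) not in GENUINE_DOMAINS[claimed]:
            findings.append(f"link host {host} is not a genuine {claimed} domain")
    if CREDENTIAL_WORDS.search(body):
        findings.append("asks the recipient to confirm login or financial details")
    return findings
```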
Cybersecurity expert Ronan Murphy said the criminals wanted to exploit the millions of emails being sent out by firms related to GDPR before the law is implemented on Friday.
The chief executive of Cork-based Smarttech247 said: “The criminals who are the architects of such scams are like well-oiled machines when it comes to putting them in place. This will be a blanket campaign across Europe to try and target anyone who is receiving GDPR-related emails.
“They usually have teams that will target users in a specific country, but this time, they will flood Europe targeting millions of people, because the GDPR is relevant to all EU citizens.”
A survey from KPMG of Irish chief executives found a third see a cyberattack as a case of "when, not if", with just under half confident in their ability to identify new cyber threats.
Just 44% were confident in their levels of preparedness, while 56% feel able to manage external stakeholders in the event of such an attack.
The GDPR was ratified in 2016, following four years of negotiation, replacing the existing directive on data protection.
Unlike an EU directive, which can be implemented over a period of time, the regulation becomes law as soon as it takes effect tomorrow, meaning penalties can be imposed from day one. The regulation is designed to harmonise data-privacy laws across the EU and to protect citizens’ data privacy.
It not only applies to organisations within the EU, but also to firms that do business inside member states.
If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
Mr Murphy said there would be a “ferociously long bedding-in period” with a large number of firms and organisations not ready for the law. “I’m afraid we are still far behind. The regulation is very broad with a lot of technical details. How the EU enforces the law remains to be seen.
“I have no doubt regulators will be looking for the scalp of a big firm or organisation, such as a tech giant or a university, which historically have been very lax with user data because there is so much of it. That will be the acid test,” he said.