The consequences of failing to meet General Data Protection Regulation (GDPR) compliance requirements around personal data can be significant.
In this article, we outline how conducting regular GDPR pen tests can help to mitigate the risks of data breaches.
Since it came into effect in 2018, the GDPR has helped to improve the way that organisations operating across the EU and UK collect, handle, process and store personal data.
The GDPR covers all aspects of data protection, including the requirement for organisations that handle personal data to improve information security and governance. This is outlined in GDPR Article 32, requiring organisations to implement ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing’.
How does pen testing support GDPR compliance?
A pen test is an ethical cyber security assessment conducted to identify, safely exploit and help eliminate security vulnerabilities that reside across an organisation’s networks, systems and applications.
GDPR penetration testing can help organisations comply with the GDPR requirement to test, assess and evaluate the effectiveness of controls and processes.
Pen testing covers a range of different areas, including:
- Internal/external infrastructure pen testing
- Wireless penetration testing
- Web application pen testing
- Mobile application pen testing
- Build and configuration reviews
Pen tests are conducted to help identify issues such as insecure encryption of data, misconfigurations, and weak access management.
When should GDPR security testing be conducted?
It is recommended that all organisations commission GDPR pen testing at least once a year, with additional security assessments after significant changes to infrastructure, as well as prior to product launches, mergers and acquisitions.
Organisations with large IT estates, as well as those that process significant volumes of personal and financial data or have supplementary industry compliance requirements to adhere to, may need to conduct pen tests more frequently.
Recent high-profile GDPR data breaches
Although not named explicitly, penetration testing is alluded to as a control in a number of high-profile penalty notices issued by the Information Commissioner’s Office (ICO). It can play an important role in helping to mitigate the risks of data breaches.
British Airways
The 2018 cyber-attack on British Airways led to the exposure of the personal data of over 400,000 customers and staff.
In its penalty notice, the ICO stated that BA could have used a number of measures to mitigate or prevent the risk of an attacker being able to access its network. These included:
- Limiting access to applications, data and tools to only that required to fulfil a user’s role
- Undertaking rigorous testing, in the form of simulating a cyber-attack, on the company’s systems
Ticketmaster UK
A cyber-attack on the Ticketmaster website in 2018 led to a data breach reported to have affected 9.4 million of its customers across Europe, including 1.5 million in the UK.
The ICO found that Ticketmaster UK failed to:
- Assess the risks of using a chatbot on its payment page
- Identify and implement appropriate security measures to negate the risks
- Identify the source of suggested fraudulent activity in a timely manner
Marriott International
In 2018, Marriott International reported a data breach which was found to have compromised the records of over 300 million guests around the world.
The ICO’s investigation found that the company had failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems.
While Marriott did commission annual penetration tests, the investigation identified that these “did not evaluate the appropriateness of the way in which Marriott monitored (including through logging) the Starwood system or the configurations used for any such monitoring (including logging).”
Selecting a GDPR security testing partner
Pen testing is a key control to help meet the information security requirements of the GDPR. Organisations that require penetration testing should look for a provider that understands the regulatory landscape and can tailor GDPR testing not just to the requirements of the latest pen testing standards, but also to match the unique risk profile of their business.
As highlighted in the cases outlined in this article, it is essential to ensure that the right type of pen testing is conducted. A good pen testing partner can provide advice on the most appropriate type of test to choose and help scope it to meet security and compliance objectives.