Two years later, has GDPR fulfilled its promise? – 10 minute mail

Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?

“Relying on the government to protect your privacy is like asking a peeping Tom to install your window blinds” – John Perry Barlow, EFF (July 1992).

Any individual who has the slightest engagement in the privacy of their personal data online will likely be sympathetic to Barlow’s quote. It has been two years since the implementation of the General Data Protection Regulation (GDPR), the EU’s data protection and privacy regulation, which aimed to give individuals control over their personal data and to simplify the requirements on businesses.

Are there fewer data breaches? Are companies taking privacy and consent more seriously? Do individuals engage more in the protection of their personal information? It is difficult to say whether GDPR has been successful, as we do not know what the state of play would have been if the data protection regulation it replaced were still in place.

Without doubt, though, the global privacy landscape changed with GDPR. The legislation placed the privacy conversation front and center in capitals and board rooms around the world. There are now in excess of 100 countries and states with individual privacy regulations, some more strict than others, and some of them, such as Argentina, Brazil, Chile, Japan, Kenya, South Korea and California, have clearly taken GDPR as a base model for their own legislation.

The growing number of regulations around the world demonstrates both the need and the willingness of governing bodies to step in, but that growth also creates complexity, something I discussed in a recent blogpost. The complexity of so many regulations probably means that companies will look to harmonize their approach to privacy so as to comply with the majority of them and have a defensible position should they inadvertently breach one.

Corporations, I am sure, have taken heed as regulators tasked with enforcing the GDPR started flexing their muscles and issuing fines or giving notice of intended fines. The first major fine, of €50 million (US$54 million), was issued in January 2019 to Google by the French data protection authority CNIL for showing insufficient control, consent and transparency over the use of personal data for behavioral advertising.

This was eclipsed by a mammoth £183 million (US$221 million) fine issued by the British Information Commissioner’s Office (ICO) against British Airways in July 2019 for poor security that resulted in a malicious attack affecting 380,000 website transactions. In comparison, Facebook was fined a mere £500,000 (US$605,000) by the ICO over the Cambridge Analytica scandal, which happened shortly before the GDPR came into force; £500,000 was the maximum fine available at the time.

What’s the law got to do with it?

As a consumer, if you are in a country where privacy legislation has taken a similar approach to the GDPR, you will be used to seeing the numerous consent dialogues that companies are now required to display when collecting your personal data. The bold position of requiring opt-in consent set the bar for future legislation by other authorities; even if opt-out became the chosen route, the prominence of the message, which can probably, in part, be attributed to GDPR, at least gives the consumer the opportunity to make an informed decision.

There has also been a sea change in product and service development, and this too can probably, in part, be attributed to the GDPR. At the inception of a new product or service, privacy by design and by default is now a relatively standard approach for any team to consider as projects come to fruition. Consumers now expect a trusted relationship with a vendor, and the vendor understands that this relationship brings long-term commercial success.

It seems impossible to write this blogpost without mentioning the current COVID-19 predicament, with its numerous contact-tracing apps and the location mapping data being provided to governments by telecom carriers. While privacy may have been put on hold in some cases, or at least modified to a point that in normal circumstances would be unacceptable, the visibility of personal information privacy that both the GDPR and the Cambridge Analytica scandal created has caused global scrutiny of the use of data to help solve the current pandemic. This scrutiny has seen governments backtrack on proposals and technology companies innovate new methods to ensure anonymity; there is also a general consensus that a contact-tracing app needs to respect the user’s right to privacy.

The GDPR has legitimized privacy advocates across the globe, giving them a voice and ensuring their concerns are considered and listened to. The big question, though, remains: ‘Have citizens become the owners of their personal data?’ I leave you with an inspired quote from the late Steve Jobs…

“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs



Tony Anscombe


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

General Data Protection Regulation: What It Means For Your Business

Coming into effect in May 2018, the General Data Protection Regulation will give EU data protection legislation a much-needed update and simplify data protection routines for businesses operating in the EU. For some companies, preparing for GDPR compliance entails a review of security practices, while others need to completely realign their focus and begin by putting security first. In this blog post, we explain what the GDPR means for your business and how Disposable mail can help you start working with security.

General Data Protection Regulation: What It Means For Your Business

Legislation for a digital world

Unlike tech innovation, the wheels of legislation move slowly. The current Data Protection Directive that will be replaced by the GDPR came into force all the way back in 1995 – that’s right, the year Windows 95 was brand new and the movie Hackers (Disposable mail team’s all-time favourite) was released. Although the Data Protection Directive was updated with an amendment in 2003, it could not keep up with the developments in the tech world. To the delight of journalists and the horror of courts throughout Europe, there was a growing number of disputes that existing legislation simply couldn’t handle. One particularly well-known example is the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González case from 2010, when a Spanish citizen requested that Google remove his personal data. Legal issues in a digital world clearly needed laws drafted with modern technology in mind.

Enter the GDPR, developed to bring EU legislation up to date with the increasing digitalisation of data. Introducing novelties like the right to be forgotten and Data Protection Officers, the regulation will unify data protection practices in EU member states and establish a greater focus on security and privacy.

Adopted by the European Parliament in April 2016, the new legislation will come into force on the 25th of May, 2018. Sofia Gunnarsson, founding partner of Sharp Cookie Advisors, a Swedish law firm specialising in tech law, says: “This regulation is already law and is valid, in contrast to a directive that requires national implementation processes in order to take effect. The EU legislation on data protection is set. There is, however, some room for interpretation that is left by the legislator to the national supervisory authority, but I do not expect to see national variations. We can expect to receive complementary guidelines for interpretation from the EU as we come closer to 2018.”

What does it mean for businesses?

One of the leading principles behind the GDPR is to protect European citizens’ rights by keeping their personal data safe, but what about businesses? Regardless of the sector, a unified data protection regulation offers a streamlined way of working with data throughout the EU, but it also brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to ensure they comply with the GDPR when it comes into effect. For those who have been working with security on a daily basis, this will require some additional work to ensure appropriate measures are in place, which might mean restructuring their existing security workflow and perhaps adding to it. However, for companies that have never prioritised security before, the next two years could prove nothing short of stressful as failure to comply with the regulation can result in considerable fines.

While preparing for compliance can be overwhelming, Sofia Gunnarsson emphasises staying focused: “From my work as a data protection specialist advising data-driven companies, the greatest challenge is, and has been, to think small. By thinking small, I mean to clarify a unified management led strategy in your company on privacy and privacy engineering while focusing on very specific issues.”

The GDPR outlines a range of measures companies working with data ought to adopt and many of these measures are, in fact, best practices that do not only help protect businesses from non-compliance fines, but also improve their overall web security. Hopefully, the new legislation will encourage more companies to take a step towards a safer internet and make security a priority by incorporating security best practices.

“Under the GDPR, the company will be required to demonstrate its compliance, which can be met with certain internal processes such as maintaining a register of data processing, to have a process to delete all data, ensure data portability and information security, and report data breaches. Many companies will also be required to appoint a data protection officer, a professional within data protection that acts as an advisor and performs data protection audits on behalf of the company,” explains Sofia Gunnarsson.

“The first question every organisation should ask itself is: do we keep records on each processing of data we perform? A register is a basic tool to keep track of what personal data your organisation collects, processes, shares, stores, deletes, etc. You use this one register to assess where in the organisation you should focus any further analysis and compliance activities.”

Security breach notification

The GDPR introduces a new security breach notification framework for all organisations working with data, including third-party data centres. The framework aims to make data controllers and processors accountable for data privacy breaches and is one of the bigger changes this legislation brings. To protect data, companies are required to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Regulation (EU) 2016/679) However, even preventive measures do not guarantee perfect security as attackers are constantly developing new ways to access sensitive information.

In case of a security breach that puts personal data at risk, authorities need to be notified within 72 hours. The affected company has to provide detailed documentation informing the authorities about the nature of the breach, a risk assessment, and an account of the steps taken to resolve the situation. If the data that has been exposed is highly sensitive, the organisation also needs to communicate the breach to all data subjects affected.

To prepare for compliance at the system level, Sofia Gunnarsson advises: “begin with the critical IT-systems, regarding system sensitivity, prone to cyber-attacks, geographic location, third party dependent. If you’d rather start your sensitivity analysis from the categories of data – which different categories of data and personal data do our systems use, which types of data are needed, any sensitive data.”

Data protection by design and default

Alongside the obligation to report breaches, companies also need to be able to show that they are constantly working with data protection principles and incorporating “data protection by design” into their routines. This makes it necessary for companies to implement: “appropriate technical and organisational measures /…/ which are designed to implement data-protection principles /…/ in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Regulation (EU) 2016/679) Policies can range from regular security audits to up-to-date best practices and organisation-wide data protection education. In short, this is a way for organisations to illustrate their compliance with the GDPR in their everyday work.

Sofia Gunnarsson points out that companies will need to rethink why they work with data: “The principles of data minimization and privacy by default will mean that companies will be required to have a clear purpose for their use of data before collection. By contrast, it is not an uncommon practice to collect available data and let business development and analytics later decide how to use such data. Given that many companies have a strategy to increasingly leverage end user data, the development of these new systems and processes has stakeholders across the organisation. As such, the area of data protection and security will require top management commitment and effort spanning much of the organisation.”

Enforcement

National data protection authorities will continue their work as supervisory authorities, supporting citizens, advising organisations, and investigating compliance. Among the actions supervisory authorities have the power to take are issuing warnings, ordering organisations to notify data subjects of personal data breaches, imposing a ban on data processing, and imposing administrative fines. Fines can be as high as EUR 10,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year.

How Disposable mail can help you implement security measures

May 2018 might seem far away, but it is important to keep in mind that preparing for GDPR compliance could entail structural changes, educating the staff, and updating your entire way of working with data. What needs to be done depends on every organisation’s existing level of security measures, as well as the nature of the data that is being processed. Disposable mail can be a valuable piece of the data protection plan puzzle, helping you deploy safer code with automated security audits and encouraging an ongoing security dialogue. Our scanner is updated bi-weekly to keep up with the latest vulnerabilities and enable you to make your web application more secure.

We aim to educate developers about web security and give them the tools and knowledge to take security matters into their own hands. With our extensive knowledge base, detailed scan reports, newsletters, alerts, and regular blog posts, we wish to inspire companies to adopt a security-oriented way of thinking. Making your website safer doesn’t have to be complicated, intimidating, and costly, but it is a long-term team effort that requires an awareness of risks as well as remediation knowledge.

The GDPR is bringing great changes to the way businesses work with data protection and web security. Introducing a focus on security into your workflow with Disposable mail is just one of many parts of the compliance transition, but it can be a good place to start. There are plenty of companies and law firms that specialise in digital matters and can advise you on the GDPR to ensure your business complies with the new legislation.

Sofia Gunnarsson’s final piece of advice is not to lose sight of your business goals: “Do not forget to focus on the business while being compliant! Much of the available advice on the GDPR comes from compliance advisors, experts in many areas, but with a low interest in the sales side of your company. Embrace the opportunity to design your digital services and IT-systems with, e.g., the data protection legislation’s constraints (and opportunities) in mind. Too little has been told about the strategic value that the product owner and business development have over data compliance issues. At Sharp Cookie Advisors, we guide our clients to adopt a sales-focused strategy. In some cases, the strategy has led to the client’s decision to realign its product and service portfolio, creating new services or remarketing existing services with clearer purpose and expectations in relation to the end users.”

In the meantime, Disposable mail can help you get on the right track by prioritising security, so why not sign up for a free trial? We are ready to guide you towards a more secure website, one vulnerability at a time!

Read more

If you’d like to delve deeper into the legal text, check out the complete General Data Protection Regulation.

For more advice on working with security, read our CEO’s article on why security matters and learn how you can incorporate security into your daily routine in 7 steps.

There are several good guidelines of how to prepare for the GDPR, for example this one from the Swedish Data Protection Authority (in Swedish). To learn more about internal processes companies will need for GDPR compliance, read Sofia Gunnarsson’s article on the topic (in English).

If you have any questions, don’t hesitate to reach out at hello[at]detectify.com.


About Sofia Gunnarsson:

Founding Partner of law firm Sharp Cookie Advisors, Sofia Gunnarsson is an experienced lawyer in internet law, data protection, and international commercial law.


Should we regulate the Internet of Things?

The Internet of Things is new, exciting, and unregulated. What could possibly go wrong? Security analyst Emma Lilliestam highlights the shortcomings of IoT security and explains why self-regulation is a necessary step towards increased IoT security. 

Should we regulate the Internet of Things?

I am terrified of flying. As a security analyst, I know it doesn’t make sense. Planes are the safest way of traveling – at least when you fly regular traffic. But why is it so safe?

Imagine that the airplane that you were about to board was constructed by an average agile software team.

  • Initial sketches drafted with interior design and entertainment system in mind.
  • Documentation is in part old, but mostly nonexistent.
  • Tail wing is patched in at the last minute in the spirit of continuous deployment.
  • The Definition of Done does not include any safety testing.
  • There’s no regulatory body controlling, and no legal repercussions if the plane crashes into a kindergarten.
  • The body of the plane is made of Duroplast, proven not to withstand lightning. When you ask the material engineer about this, he says that it’s okay, “A skilled pilot avoids lightning anyway. Besides, we wrote it on page 532 in the manual.”

Would you board that plane? I sure wouldn’t.

Lack of standardized crypto frameworks

“One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher.” – Charles Babbage, 1864.

When I create a new server, I can implement state-of-the-art communication security in an hour. Everything I need is documented and peer reviewed and there are tons of free tools to use to test my HTTPS configurations.

As of October 2016, more than half of the requests on the web are encrypted. But keep in mind that the SSL/TLS that we now take for granted wasn’t conceptualized until 1994, and the first two versions were more or less immediate failures. It took a long time of prototyping and failing to reach the standardized frameworks for encryption that we use today.

For me, the warnings about not rolling your own crypto seemed meaningless for a long time – why would you even think that you need to do it when implementing great and cheap standards is so easy? However, in the world of microcontrollers it’s a different story.

I really avoid talking about security as something hard – it isn’t. But implementing good security on an IoT device is nowhere near as easy as when all your end points are servers.

Software running on regular computers is seldom constrained by hardware resources. It doesn’t matter if the size of your artifact is 199 or 202 kilobytes, but in the embedded world it can make all the difference.

Hardware components

“Cryptography transforms (communications) security problems into key management problems.” – Dr. Dieter Gollman, 2011

There are components of varying quality on the market. Available communication chips may have support for good encryption but will leave the key management as a bleeding wound! This is not necessarily a problem if you order a few million units, but the firms that manufacture chips will often not even talk to small scale companies. The Arduino hobbyists and startups are left with products where good security is harder to implement.

Culture

“As security enthusiasts it is our obligation to create a culture of sharing and non-blame.” – Johan Rydberg Möller, 2017

I wrote earlier that I avoid talking about security as something hard. There’s a myth flourishing out there that security is something mysterious that common techies can’t understand. This myth is nourished by security people and non-security people alike. Both groups have something to gain from it: security people can keep an air of importance and their consultancy fees high, while non-security people are excused for screwing up on basic IT hygiene.

[Image: Cloudpets on sale]

Cloudpets: 40 dollar teddies on sale for 99 cents. Monetary damage from IoT insecurity can be harsh. (Source: Twitter)

When asked what they know about security, many programmers say they don’t know anything. Then they get to work and do input validation, ssh into their servers, perform code analysis and code review… As soon as a security practice is commonplace, it stops being “security”. It’s just something that one does.

Truth is, most tech people need a bit of mentoring, googling and interest in order to become decent security analysts. There are tons of easy and open resources that are already available to you such as OWASP cheat sheets.

Regulation

“The market can’t fix this because neither the buyer nor the seller cares. … the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.” – Bruce Schneier, 2017

Security researcher Bruce Schneier proposed in February that security-interested IT businesses need to lobby for regulation of the Internet of Things. He argues that the days of security as an afterthought in a benevolent computer network are over. If we don’t set the agenda now, regulation will happen to us – by legislators and lobby groups that don’t understand the fundamentals of the connected world.

Schneier’s reasoning revolves around an American context. With the year-old EU General Data Protection Regulation, GDPR, negligence in securing data will in the best case be punished with substantial fines. I say best case, because the regulation will not be enforced for another year. There are vested interests with big money that want to set a precedent rendering the legislation an expensive but toothless paper tiger.

A few months back, non-secured IoT cameras brought down parts of the internet. Information Technology security is now a question of Physical World Security.

My proposal – a voluntary IoT security seal

Bruce Schneier sees the IoT security issues as a market failure, and thus concludes that we must resort to legislation. I am much less pessimistic! Should we regulate the Internet of Things? My answer is “No! Not yet.” I think that the huge brand damage that IoT insecurity has recently proven to cause will continue, and the incentive for companies to do something about it will increase.

I would argue that self-regulation is more effective than legislation.

I would like to suggest a seal for voluntary certification of products, following the lead of the pioneers of organic food seals like Swedish KRAV. A non-profit funded by the members would handle the issuing and auditing.

[Image: KRAV seal]

The seal would cover the most important and IoT relevant parts of ISO 27000, GDPR, Hacker Ethics, and relevant OWASP best practices. Moreover, it must be communicated to the general public so that they can make an active choice for a reasonably secure product.

I would suggest the following simple baseline:
* Ensure that the product is protected from trivial or cheap attacks
* Commit to patching critical vulnerabilities
* Commit to following the intentions of GDPR
* Have and follow a Security Vulnerability Disclosure Policy
* Do not prosecute security researchers and reverse engineers

Even if this seal only reaches a small percentage of the market, it will be a huge win.

If self-regulation fails, sooner or later a tedious, and in the worst case ineffective, compliance process at the EU level will be forced upon us. And if that day comes, it is much better to be able to showcase a proven and continuously improved framework that provides actual security and not just another layer of costly bureaucracy.


About the author:

Emma Lilliestam is an IT security technician and DevOps manager of the IoT company Ewa Home. She will talk at Security Fest in Gothenburg the 1st of June.

Twitter: @emalstm



GDPR security from an ethical hacker’s perspective

Discussions about the GDPR (General Data Protection Regulation) often touch upon security, a topic that few people know as well as ethical hackers. What can organisations learn from the stories ethical hackers have to share? We take a look at the GDPR from a hacker’s perspective and explain why it is the perfect opportunity to transition to a security-first mindset.

Note: This article provides some helpful pointers, but we advise you to consult a legal expert when preparing for the GDPR to ensure you are fully compliant in May 2018.

Disposable mail’s take on GDPR security

Long before anyone even knew what GDPR was, our founders created Disposable mail with the vision of making the internet a safer place. Since then, alongside releasing the Disposable mail scanner, our ethical hackers have spent hours and hours doing security research and bringing critical data privacy issues to light. For us, GDPR is an important step towards helping companies become more secure.

[Image: Chrome Extensions privacy]

We’re glad that our security research has had an impact on the internet, and resulted in revised policies at Google, Slack and AWS – making users safer online. For instance, we exposed how popular Chrome extensions were tracking their users and selling their data to third party vendors.

The GDPR is complex, but the key thought behind it is very simple. Companies need to put customers’ privacy first, guided by the idea of data protection by design and by default. Investing in security and data protection is not just about avoiding hefty fines – it’s a no-brainer. To get you started, here are three tips that can help you comply with the GDPR, backed by ethical hacker knowledge.

1. Work proactively with security

Security measures are often an afterthought rather than the starting point in the development process. When deadlines are looming, security checks might seem time-consuming and unnecessary. However, adopting a proactive approach to security is a smart move that pays off.

Linus Särud, security researcher and ethical hacker, who has legally hacked companies like Google, explains: “It costs more to recover from a hack than to work proactively on it to prevent it from happening in the first place. Recovering from a hack is also more stressful than working with security continuously.”

What the GDPR says about this

This proactive approach to security is at the core of Article 32 of the GDPR, where the necessity of security testing is emphasised, requiring companies to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical measures for ensuring the security of the processing.” (Article 32, 1d)

What you can do

Use automated web security scanning

Running regular security tests with a tool like Disposable mail allows you to stay on top of security and keep the security of your processing up to date. The Disposable mail scanner is updated on a regular basis, powered by the research of over 100 skilled ethical hackers. The hackers send in their security research, which is then built into the scanner, so every scan of your web app includes checks for newly discovered vulnerabilities.

[Image: Disposable mail findings]

After every Disposable mail scan, you receive a detailed overview of your site’s security status.

Implement a responsible disclosure policy

Utilize the ethical hacker community by allowing them to report vulnerabilities to you. If companies like Google, Facebook and PayPal turn to external researchers to help them stay on top of threats, so should you. The first step is to set up a responsible disclosure email address ([email protected]), so that ethical hackers can get in touch with you easily.

[Image: Karim Rahal]

Karim Rahal hacked Spotify when he was only 13. Since Spotify had a responsible disclosure policy, they received his report and were able to fix the vulnerability immediately.

2. React quickly and transparently

Perhaps you think nobody would ever attack you, but hackers seldom pick a specific target. It is far more common for them to focus on one type of vulnerability and then try to exploit it on as many sites as possible. If this happens and your site gets hacked, remember that the way you react can greatly mitigate the impact of the incident.

Linus explains that it’s important to stay calm if your site gets hacked: “Realise it’s not personal. Hackers want to hack as many as possible, not you specifically. There is no reason to panic, people have been hacked before and survived. With that said, act quickly and do not just ignore it.”

What the GDPR says about this

Transparency is vital for GDPR compliance as personal data breaches need to be reported to the authorities and the affected data subjects within 72 hours of being discovered (articles 33 and 34). Companies that fail to report a serious breach can be subject to considerable fines, but trying to conceal a security incident comes with additional costs, the most dangerous one being the loss of your brand’s reputation and customers’ trust.

What you can do

Review your incident response plan

If you don’t have one already, devise a detailed incident response plan that will allow you to react quickly in the case of a security breach. Review your incident response plan regularly to check whether it’s still viable. In the case of a security incident, keep in mind that concealing a breach is never a good idea and don’t panic. If you see the “This site may be hacked” flag when you search for your business using Chrome, follow our step-by-step guide on how to remove the flag.

Communicate transparently

GDPR compliance and thorough security routines will not create a 100% bulletproof website, because that is not possible. If Google and other tech giants are vulnerable, so are you. The real difference is in how you react and communicate when a security issue emerges. Clear, quick communication and transparency can turn bad PR into good PR.

In 2016, we contacted Slack and reported a bug that allowed hackers to hijack accounts and gain complete access to users’ chat history. Although the report came in on a Friday evening, Slack reacted straightaway, fixed the vulnerability in a few hours, and issued a statement detailing the incident. When the story was covered in the media, Slack’s response was highlighted as a positive example of how companies should work with security. To find out more, check out WIRED’s article on the topic and Graham Cluley’s take on the incident.

Geoff Belknap tweet: Geoff Belknap, Slack’s CISO, and his team fixed a vulnerability in less than 5 hours and received positive feedback from the security community and the press. Belknap encourages everyone to run a bug bounty program.

3. Minimise potential damage

“There are two types of companies. Those that have been hacked and those that have been hacked but don’t know about it,” Linus says. A security incident is less damaging if you ensure that the data hackers get their hands on is useless.

What kind of data would an attacker be interested in? Linus points out that you should be careful not to dismiss data as trivial: “Hackers are after credit card details to steal money, user credentials to log in to other places, personal information to use for blackmailing… The list goes on and it varies depending on what industry you are in. What’s important to keep in mind is that almost all data is interesting to someone.”

What the GDPR says about this

The GDPR emphasises that companies should only process personal data that is necessary for operations (Article 6). Personal data should be protected using measures such as pseudonymisation and encryption (Article 32(1)(a)). In short, you should not process personal data unless you absolutely need to, and the data that you do process should be protected and kept out of harm’s way.
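As an added illustration of the two measures named above (data minimisation and pseudonymisation), here is a small Python example that is not part of the original post or of Disposable mail’s own code. It assumes an order-processing purpose for which only `order_id`, `amount` and `country` are needed, and replaces the e-mail address with a keyed HMAC token so records can still be linked but the address cannot be recovered without the key. The field policy and the demo key are constructed for this example; in practice the key lives in a secret manager, never beside the data.

```python
import hashlib
import hmac

# Constructed demo key for this example only. In production the pseudonymisation
# key comes from a secret manager / KMS and is never stored next to the data.
DEMO_PSEUDONYM_KEY = bytes.fromhex("0f" * 32)

# Field policy (assumed for illustration): what the order pipeline actually needs,
# and which fields directly identify a person and must not be stored as-is.
REQUIRED_FIELDS = {"order_id", "amount", "country"}
IDENTIFYING_FIELDS = {"email"}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    The same identifier always maps to the same token under the same key, so
    records can still be linked for analytics, but whoever obtains the records
    without the key cannot recover the e-mail address. A plain, unkeyed hash
    would not do: candidate addresses could simply be hashed and compared.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Keep only the fields the purpose requires, pseudonymise identifiers,
    and drop everything else (phone, date of birth, free-text notes, ...)."""
    out = {}
    for name, value in record.items():
        if name in REQUIRED_FIELDS:
            out[name] = value
        elif name in IDENTIFYING_FIELDS:
            out["customer_ref"] = pseudonymise(value, key)
        # any other field is silently discarded: it was never needed
    return out


if __name__ == "__main__":
    # Constructed sample record carrying more data than the order pipeline needs.
    raw = {
        "order_id": "A-1001",
        "amount": "49.90",
        "country": "SE",
        "email": "Alice@Example.com",
        "phone": "+46 70 000 00 00",
        "date_of_birth": "1990-01-01",
    }
    print(minimise(raw, DEMO_PSEUDONYM_KEY))
```

The point of the keyed token rather than a bare hash is that the key becomes the thing you protect: lose the records and an attacker still cannot reverse or enumerate the e-mail addresses, which is exactly what Article 32 pseudonymisation is meant to buy you.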

What you can do

Encrypt personal data

Encrypt your users’ personal data and ensure that even if hackers were to breach your systems, they could not use whatever they might discover. Christoffer Fjellström, backend developer at Disposable mail, explains the steps you can take to protect your users’ data: “Make sure to use encryption that is fit for the purpose and implement it well. Encrypting data at rest is a good idea and if you use a cloud service provider, all you need to do is check a box. However, this will not protect data against an attack on a running server which is a very likely scenario.”

How you encrypt data depends on how you intend to use it, Christoffer says: “For passwords that should only be verified but not be read in plain text use a cryptographic hash function like scrypt or bcrypt to safely store them. These both have parameters you can fiddle with to make them more (or less) secure so make sure you read up on how to use and implement them.”
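The following Python example, added here and not taken from the post or from Disposable mail, shows what “parameters you can fiddle with” means in practice for scrypt. It uses the standard library’s `hashlib.scrypt`, stores the cost parameters alongside the salt and hash so they can be raised later, verifies in constant time, and reports when a stored hash was produced with weaker parameters than the current policy. The work-factor values are constructed defaults for the example and should be tuned to your own hardware.

```python
import base64
import hashlib
import hmac
import os

# Work-factor defaults chosen for this example; raise N until hashing takes a
# noticeable fraction of a second on your login servers.
SCRYPT_N = 2 ** 14      # CPU/memory cost, must be a power of two
SCRYPT_R = 8            # block size
SCRYPT_P = 1            # parallelisation
SALT_BYTES = 16
DKLEN = 32


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt$hash.

    Keeping the parameters with the hash lets you raise the cost later and
    still verify old hashes until each user logs in and gets re-hashed.
    """
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64e(salt), _b64e(digest)])


def _parse(stored: str):
    algo, n, r, p, salt, digest = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    return int(n), int(r), int(p), _b64d(salt), _b64d(digest)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters recorded in the stored value and compare."""
    n, r, p, salt, expected = _parse(stored)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True if the stored hash was made with weaker parameters than current policy."""
    n, r, p, _, _ = _parse(stored)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(needs_rehash(stored))
```

On a successful login, call `needs_rehash` and, if it returns true, store `hash_password` of the password the user just supplied; that is how a cost increase rolls out across the user base without a forced reset.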

Sensitive data that needs to be readable in its unencrypted form, on the other hand, is more of a challenge: “First off, always use a popular and well-tested encryption scheme and make sure you implement it the right way. The tricky part is to store the decryption key and there’s no single correct answer to this. As a bare minimum, do not store the key in the same place as the data it decrypts. Implement this so it’s possible to rotate the key periodically and do so. Finally, make sure that any access to the keys is properly logged.”
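To make the last paragraph concrete, here is an added Python example of the three rules Christoffer lists (key held apart from the data, rotation possible and practised, every key access logged). It is not code from the post or from Disposable mail. It assumes the `cryptography` package is installed and uses its Fernet construction as the “popular and well-tested encryption scheme”; the `KeyStore` class is a hypothetical stand-in for a KMS or secret manager, holding versioned keys in memory so the example runs offline.

```python
import logging
from dataclasses import dataclass, field

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("data-keys")


@dataclass
class KeyStore:
    """Versioned data-encryption keys held apart from the data they protect.

    Hypothetical stand-in for a KMS / secret manager: keys live in memory here
    (constructed for the example), never in the database the ciphertext is in.
    Every access to a key is written to an audit trail.
    """
    keys: dict                                  # version -> Fernet key bytes
    audit: list = field(default_factory=list)

    def add_key(self, version: int, key: bytes) -> None:
        """Introduce a new key; it becomes the one used for fresh encryptions."""
        if version in self.keys:
            raise ValueError("key version already exists")
        self.keys[version] = key
        self._record("add", version, actor="key-admin")

    def retire(self, version: int) -> None:
        """Drop an old key once every record has been re-encrypted under the newest one."""
        if version == max(self.keys):
            raise ValueError("cannot retire the current key")
        del self.keys[version]
        self._record("retire", version, actor="key-admin")

    def cipher(self, actor: str, purpose: str) -> MultiFernet:
        """Cipher that encrypts with the newest key and decrypts with any live key."""
        versions = sorted(self.keys, reverse=True)
        self._record(purpose, versions[0], actor=actor)
        return MultiFernet([Fernet(self.keys[v]) for v in versions])

    def _record(self, action: str, version: int, actor: str) -> None:
        entry = {"action": action, "version": version, "actor": actor}
        self.audit.append(entry)
        log.info("key access %s", entry)


def new_key() -> bytes:
    return Fernet.generate_key()


def encrypt_field(store: KeyStore, plaintext: bytes, actor: str) -> bytes:
    return store.cipher(actor, "encrypt").encrypt(plaintext)


def decrypt_field(store: KeyStore, token: bytes, actor: str) -> bytes:
    return store.cipher(actor, "decrypt").decrypt(token)


def can_decrypt(store: KeyStore, token: bytes, actor: str) -> bool:
    """True if some live key still decrypts the token (false once its key is retired)."""
    try:
        decrypt_field(store, token, actor)
        return True
    except InvalidToken:
        return False


def reencrypt_field(store: KeyStore, token: bytes, actor: str) -> bytes:
    """Move a stored ciphertext onto the newest key; run over every row after add_key."""
    return store.cipher(actor, "rotate").rotate(token)


if __name__ == "__main__":
    store = KeyStore({1: new_key()})
    secret = b"IBAN SE00 0000 0000 0000 0000 0000"   # constructed sample value
    token = encrypt_field(store, secret, "billing-api")
    store.add_key(2, new_key())
    token = reencrypt_field(store, token, "rotation-job")
    store.retire(1)
    print(decrypt_field(store, token, "billing-api"))
    print(len(store.audit), "key accesses logged")
```

The rotation sequence is: add the new key, re-encrypt every stored token with `reencrypt_field` while the old key is still live, then retire the old key. The `audit` list is what you would ship to your SIEM; an unexpected actor or an unexpected burst of `decrypt` entries is the signal that the “attack on a running server” Christoffer warns about is under way.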

Are you considering adding web application security scanning to your GDPR compliance plan? Sign up for a free Disposable mail trial!

The most common vulnerabilities in EU countries

The most commonly identified vulnerabilities in EU countries based on Disposable mail’s scan statistics. Learn more about the impact and remediations of some of the featured vulnerabilities: XSS, CSRF, SQL Injection, Email spoofing.