Gartner Blog Network

Criminals Prepare for GDPR

by Avivah Litan  |  May 24, 2018

At long last, GDPR takes effect tomorrow, Friday, May 25th. Gartner clients in Europe, North America and across the globe are definitely busy preparing for it. In fact, GDPR was the number two search term on the Gartner research portal in April 2018, just after Blockchain. Personally, I’m hoping GDPR works to keep my personal data much more private than it is today.

Not surprisingly, it turns out that the bad guys are also busy preparing for GDPR and are very well organized, as is evident from three main indicators:

Demand for PII Data is on the Rise

According to threat intelligence firm Diskin Advanced Technologies (DAT), the first two weeks of May witnessed significant demand for sensitive personally identifiable information (PII) on criminal forums. The crooks rightfully expect prices on PII data to escalate as GDPR privacy controls take hold.

This reinvigorated demand comes after a two-year period in which prices on PII data dropped significantly, largely due to massive PII and card data breaches in which hundreds of millions of records were dumped on black markets for subsequent sale. But just this month, demand for bulk PII data is up over 160% compared to April, as criminals anticipate GDPR will negatively impact their ability to steal more sensitive personal information in the future. In that sense, the regulation is already having a positive impact.

Criminals Hoard PII Data

Aside from the rise in PII prices and data demand, DAT has seen the criminals hoarding the PII data lists they already own, removing them from public criminal channels and restricting them to limited ‘invitation-only’ views. It’s clear the bad guys are putting a higher premium on sensitive personal data and want to keep more of it to themselves for future use or resale.

GDPR-related Phishing Campaigns are on the Rise

The bad guys are also taking advantage of GDPR to get innocent consumers to give up PII data during mass phishing campaigns. Such campaigns have been noticeably visible and active since April. It kind of seems like a ‘last ditch’ effort (though unfortunately, I am sure there will always be more PII data theft opportunities after GDPR takes hold).

In May, DAT threat intelligence researchers saw a doubling of French- and German-language phishing campaigns using GDPR-related tactics when compared with April. Figure 1 below is a screenshot of one such German-language campaign.

Figure 1: Sample GDPR-related Phishing Email
Dozens of phishing campaigns are socially engineering individuals and organizations into updating their own PII or the PII of their customers, either by filling out questionnaires or by transferring files of personal data. In these campaigns the criminals commonly pose as legitimate organizations that are updating their systems for GDPR compliance and are therefore reaching out to consumers to refresh and update their PII records.
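The lure pattern described above (a GDPR or privacy pretext, a request to update or hand over personal data, and a sender or link that does not match the claimed organization) can be turned into a simple triage rule for a mail gateway or SOC playbook. The following Python is an added example and is not code from Gartner or from DAT; the indicator term lists, the scoring thresholds and the three sample messages are all assumptions constructed for illustration.

```python
"""Rule-based triage of GDPR-themed phishing lures (added example, not from the post).

Each message is scored on indicators taken from the description of the campaigns:
a GDPR/privacy pretext, a request to update or send PII, urgency wording, links
that point away from the sender's domain, and a Reply-To on a different domain.
"""
import re
from urllib.parse import urlparse

# Assumed indicator lists (English, German, French); tune them for your own mail stream.
PRETEXT_TERMS = ("gdpr", "dsgvo", "rgpd", "data protection", "privacy policy",
                 "datenschutz", "protection des données")
DATA_REQUEST_TERMS = ("update your personal", "confirm your details", "fill out",
                      "questionnaire", "send us the file",
                      "aktualisieren sie ihre daten", "mettre à jour vos")
URGENCY_TERMS = ("within 24 hours", "immediately", "will be suspended",
                 "before may 25", "sofort", "gesperrt")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr: str) -> str:
    """Mail domain of an address such as 'Name <user@host.example>'."""
    return addr.rsplit("@", 1)[-1].lower().strip("> ")


def _registrable(host: str) -> str:
    """Crude registrable-domain approximation (last two labels).
    Production code should consult the public suffix list instead."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(msg: dict) -> list:
    """Return the list of indicator names that fire for one message."""
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    reasons = []
    if any(t in text for t in PRETEXT_TERMS):
        reasons.append("gdpr_pretext")
    if any(t in text for t in DATA_REQUEST_TERMS):
        reasons.append("pii_request")
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency")
    sender_dom = _registrable(_domain(msg.get("from", "")))
    # A link that leads somewhere other than the sender's own domain.
    for url in URL_RE.findall(msg.get("body", "")):
        if _registrable(urlparse(url).hostname or "") != sender_dom:
            reasons.append("link_domain_mismatch")
            break
    # Replies routed to a different domain than the visible sender.
    reply_to = msg.get("reply_to")
    if reply_to and _registrable(_domain(reply_to)) != sender_dom:
        reasons.append("reply_to_mismatch")
    return reasons


def verdict(reasons: list) -> str:
    """A GDPR pretext on its own is normal in May 2018; it needs company to matter."""
    if "gdpr_pretext" in reasons and "pii_request" in reasons and len(reasons) >= 3:
        return "likely_phish"
    if len(reasons) >= 2:
        return "suspicious"
    return "benign"


def triage(messages: list) -> dict:
    """Map message id -> verdict for a batch of messages."""
    return {m["id"]: verdict(score_message(m)) for m in messages}


# Constructed sample messages (not real campaigns); domains are placeholders.
SAMPLES = [
    {"id": "m1",
     "from": "Kundenservice <service@bank-datenschutz-update.example>",
     "subject": "DSGVO: Handlungsbedarf",
     "body": "Bitte aktualisieren Sie Ihre Daten sofort: "
             "http://secure-login.example.net/update"},
    {"id": "m2",
     "from": "privacy@shop.example",
     "subject": "Our updated privacy policy",
     "body": "We have updated our privacy policy for GDPR. No action is needed. "
             "Read it at https://www.shop.example/privacy"},
    {"id": "m3",
     "from": "hr@corp.example",
     "reply_to": "collect@mailbox.example.org",
     "subject": "Employee records",
     "body": "Please fill out the attached questionnaire with your employees' details."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["id"], verdict(score_message(m)), score_message(m))
```

Message m2 shows why the pretext alone must not trigger: legitimate privacy-policy notices were flooding inboxes at the time, so the rule only escalates when the pretext is paired with a data request and at least one structural inconsistency.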

Bottom Line

Whether or not your organization is ready for GDPR, and whether or not the EU will actively enforce compliance, one thing is for sure – the bad guys are taking GDPR seriously and are expecting it to make their ability to steal PII data much harder. Let’s hope they are actually right!





Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.
