Criminals Prepare for GDPR

By Avivah Litan | May 24, 2018 | 0 Comments

At long last, GDPR takes effect tomorrow, Friday, May 25th. Gartner clients in Europe, North America and across the globe are busy preparing for it. In fact, GDPR was the number two search term on the Gartner research portal in April 2018, second only to Blockchain. Personally, I'm hoping GDPR keeps my personal data much more private than it is today.

Not surprisingly, the bad guys are also busy preparing for GDPR, and they are well organized, as three main indicators show:

Demand for PII Data is on the Rise

According to threat intelligence firm Diskin Advanced Technologies (DAT), the first two weeks of May saw significant demand for sensitive personally identifiable information (PII) on criminal forums. The crooks reasonably expect PII prices to rise as GDPR privacy controls take hold.

This renewed demand follows a two-year period in which PII prices dropped significantly, largely because massive PII and card data breaches dumped hundreds of millions of records onto black markets for subsequent sale. This month, however, demand for bulk PII data is up more than 160% over April, as criminals anticipate that GDPR will make stealing sensitive personal information harder in the future. In that sense, the regulation is already having a positive effect.

Criminals Hoard PII Data

Aside from the rise in PII prices and demand, DAT has seen criminals hoarding the PII lists they already own, removing them from public criminal channels and restricting them to limited, invitation-only views. The bad guys are clearly putting a higher premium on sensitive personal data and want to keep more of it to themselves for future use or resale.

GDPR-related Phishing campaigns are on the rise

The bad guys are also exploiting GDPR itself to get consumers to hand over PII in mass phishing campaigns, which have been noticeably visible and active since April. It looks like a 'last ditch' effort (though, unfortunately, I am sure there will always be more opportunities for PII theft after GDPR takes hold).

In May, DAT threat intelligence researchers saw French- and German-language phishing campaigns using GDPR-related tactics double compared with April. Figure 1 is a screenshot of one such German-language campaign.

Figure 1: Sample GDPR-related phishing email

Dozens of phishing campaigns are socially engineering individuals and organizations into updating their own PII, or their customers' PII, either by filling out questionnaires or by transferring files of personal data. The criminals commonly pose as legitimate organizations that are updating their systems for GDPR compliance and are therefore reaching out to consumers to refresh and update their PII records.
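The lure described above has a recognizable shape: a GDPR pretext, a request to re-supply personal data or send a file, and a link that points somewhere other than the claimed sender. The following triage heuristic is an added example written for this post, not code from the original or from DAT. The keyword lists, the weights, the threshold and the two sample messages are all constructed for illustration; a real deployment would use the public suffix list for domain comparison and tune the vocabulary against its own mail.

```python
"""Heuristic triage for GDPR-themed phishing lures (added example).

Not code from the original post or from DAT. Indicator vocabulary, weights,
threshold and sample messages are constructed for illustration only.
"""
import re
from email import message_from_bytes
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure vocabulary in English, German and French, since the post reports
# campaigns in all three languages. Constructed, deliberately short.
GDPR_TERMS = ("gdpr", "dsgvo", "rgpd", "data protection", "datenschutz",
              "protection des données")
PII_REQUEST_TERMS = ("update your", "confirm your", "questionnaire",
                     "daten aktualisieren", "bestätigen sie", "mettre à jour",
                     "date of birth", "geburtsdatum", "iban", "passport")
TRANSFER_TERMS = ("attach", "upload", "send us", "anhang", "senden sie uns",
                  "envoyez")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Weights are an assumption: a pretext alone is just a privacy notice;
# a pretext plus an ask (data, file, off-domain link) is the lure.
WEIGHTS = {"gdpr-pretext": 1, "requests-pii": 2,
           "requests-file-transfer": 2, "link-domain-mismatch": 3}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Use the public suffix list in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    reasons = []
    if any(t in text for t in GDPR_TERMS):
        reasons.append("gdpr-pretext")
    if any(t in text for t in PII_REQUEST_TERMS):
        reasons.append("requests-pii")
    if any(t in text for t in TRANSFER_TERMS):
        reasons.append("requests-file-transfer")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and sender_domain and \
                registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append("link-domain-mismatch:" + host)
            break  # one mismatch is enough to record
    score = sum(WEIGHTS[r.split(":", 1)[0]] for r in reasons)
    return score, reasons


def is_suspicious(raw, threshold=4):
    """True when the weighted indicators reach the (assumed) threshold."""
    return score_message(raw)[0] >= threshold


# Constructed German-language lure in the shape the post describes.
SAMPLE_LURE = """From: "Kundenservice" <service@bank.example.com>
To: kunde@example.net
Subject: DSGVO: Bitte aktualisieren Sie Ihre Daten bis 25.05.2018
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Sehr geehrte Kundin, sehr geehrter Kunde,

im Rahmen der Datenschutz-Grundverordnung (DSGVO) müssen wir Ihre Daten aktualisieren.
Bitte bestätigen Sie Geburtsdatum und IBAN unter
https://bank.example.com.update-portal.example.net/dsgvo
oder senden Sie uns eine Kopie Ihres Ausweises als Anhang.
""".encode("utf-8")

# Constructed benign privacy notice: same pretext, no ask, on-domain link.
SAMPLE_NOTICE = """From: "Privacy Team" <privacy@example.com>
To: customer@example.net
Subject: Our updated privacy notice
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello,

Ahead of GDPR taking effect on 25 May 2018 we have revised our privacy
notice. No action is required. You can read it at
https://www.example.com/privacy
""".encode("utf-8")

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("notice", SAMPLE_NOTICE)):
        print(name, is_suspicious(raw), score_message(raw))
```

The scoring deliberately keeps the GDPR keyword itself at a low weight: in May 2018 every legitimate company was sending GDPR mail, so the signal is the combination of the pretext with a request to resend data the sender should already hold, or with a link whose registrable domain differs from the sender's.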

Bottom Line

Whether or not your organization is ready for GDPR, and whether or not the EU actively enforces it, one thing is certain: the bad guys are taking GDPR seriously and expect it to make stealing PII much harder. Let's hope they are right!
