Do Credential Stuffing Attacks Need to Be Reported Under the GDPR?
Friday, February 19, 2021
GDPR on screen
Print Mail Download i

The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries) and to the individuals themselves. One example discussed in the guidance relates to credential stuffing, i.e., attempts to log in to online accounts using stolen usernames and passwords. The example, however, is so specific that it leaves many questions unanswered. The example proposes that a vulnerability in an online banking website exposed certain data elements, like name, gender, date and place of birth, and user ID. A hacker then attempted to log in to 100,000 accounts using a fixed, common password. The user was able to successfully log in to 2,000 online accounts.

The EDPB says notification to all 100,000 data subjects is required, even if the attempts to log in were unsuccessful. The EDPB’s view is based on the exposure to the threat actor of the personal data of the full population, independent of whether the log-ins were successful. However, the example does not explain whether notification to the larger population whose account log-ins were not successful would be required had the hacker simply obtained usernames and attempted to log-in using the fixed, common password.

The EDPB also does not opine on the more common scenario where credentials obtained in an unrelated breach are used to attempt to log in to a different company’s website (i.e., Company A has a breach and the threat actor attempts to credential stuff Company B’s accounts, hoping that the users are recycling the same username and password across multiple, unrelated online accounts). In that scenario, Company B may not have had an actual breach unless the threat actor accesses a Company B account and, as a result of that access, was able to view additional personal information about the data subject. The guidance is not clear as to when Company B would be expected to report the incident to either supervisory authorities or data subjects. The obligation to report may be based, in some measure, on whether the threat actor was able to access additional personal information after logging into Company B’s account and whether such access exposed the data subject to additional risks.

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

Despite Claim of Circuit Split, U.S. Supreme Court Declines to Review ATM Class Certification in Antitrust Case
by: Jonathan H. Claydon , Sylvia E. Simson
EPA Announces Broad Suite of Pollution Regulations for Power Plants
by: Bernadette M. Rappold , Jenna Rackerby
Competition Currents | May 2024
by: Gregory J. Casas , Stephen M. Pepper
When Good Intentions Become PAGA: Initiative to Repeal PAGA on November 2024 Ballot in CA
by: Charles O. Thompson , Taylor Hall
HHS OCR Amends HIPAA Privacy Rule to Protect Reproductive Health Care Privacy
by: Brad M. Rostolsky , Julie A. Sullivan
USCIS Updates I-526E Filing Fee Schedule to Include $1,000 Integrity Fund Fee, Bringing Total Filing Fees to $12,160
by: Kristen Davis Mangan
London Real Estate Practice Quarterly Legal Update – Spring 2024
by: Danielle L. Martin , Matthew James Priday
Treasury Regulations Finalized Under FIRPTA Regarding Domestically Controlled REITs
by: Carl J. Riley , Jennifer H. Weiss
NY Law Amended to Restrict AI Deceptive Practices in Elections
by: Joshua L. Oppenheimer , Cathryn O. Crummey
US Supreme Court Hears Oral Arguments Regarding Emergency Abortions
by: Adam H. Laughton

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins