Compromised Routers are a GDPR Court Case Waiting to Happen
Posted on 02/05/2018
The United Kingdom’s National Cyber Security Centre and the United States’ Department for Homeland Security have both issued warnings regarding the flawed security of internet infrastructure devices such as switches, firewalls, and especially routers. The two organisations released a joint statement with the FBI warning that Russian state-sponsored actors are looking to exploit these devices – threatening the safety, security and economic wellbeing of our democracies. We also believe that the insecurity of routers could have serious implications for businesses that may have overlooked the possibility of stored personal data being hacked in this way.
The Warning
We should probably sit up and take notice of this warning. It is the first time that these intra-border organisations have ever felt compelled to issue a joint statement. ‘Cyber actors’ are targeting all non-secure devices. This warning is not just aimed at government and public sector organisations such as the NHS: these cyber-villains are targeting private sector routers from multinational organisations, large corporations, SMEs and even those relaying information in domestic settings. Once in control of your router, a hacker could limit or even modify your internet traffic. Your router could even be used as a gateway to the valuable intellectual property and personal data stored on your computer’s hard drive.
The Risk of Breach
In terms of GDPR compliance, the big risk of having a compromised router is of course a data breach. A data breach that could pose a high risk to a person’s rights and freedoms (for instance, a breach that could lead to identity fraud) must be reported to the ICO within 72 hours of becoming aware of it. Organisations will also have to inform the individuals whose data has been stolen. Under the new regulations, failure to report a data breach could result in a fine of up to 10 million euros or 2 per cent of global turnover.
How to Ensure the Security of Your Router
If you think that your router may have been compromised, do a full firmware reset and choose a secure password to protect your system. Many routers are set up without changing the default username and password. It’s not going to take a hacker very long to access your system if the username and password are both ‘admin’!
Priviness CEO Sandy Gilchrist said:
“To what degree can an organisation demonstrate the robustness of its systems when it relies on devices that cannot validate their integrity? Joint and several liability with router companies in the supply chain is bound to be a lengthy court case.”
If you would like to know more about making sure your company is GDPR compliant, please get in touch. We run regular training sessions and can help you to identify all areas of your business where security might need to be tightened up.