ICO issues a warning on credential stuffing attacks

Data protection authorities have identified credential stuffing as a significant cyber threat to personal information and have advised on steps to combat this.

05 July 2022

Publication

A report was published last week by the Global Privacy Assembly’s International Enforcement Working Group (IEWG, which is a sub-working group made up of various data protection authorities including the UK’s ICO) on the growing trend of credential stuffing attacks. The ICO also provided an update on the report on its blog.

The IEWG report stresses the increasing risk posed by credential stuffing and sets out guidance for commercial organisations on how to prevent, detect and mitigate the risk of these attacks.

1. What is a ‘credential stuffing attack’?

A ‘credential stuffing attack’ is a cyber attack method that exploits people’s tendency to reuse the same username and password combination across multiple online accounts. As noted by the IEWG report, credential stuffing attacks are, sadly, relatively straightforward forms of cyber attack which utilise a range of readily accessible automated software. The attackers’ usual motivation will be financial gain, although identity theft and reputational damage are examples of other potential motivators.

The IEWG report describes this as an “increasingly significant issue” and “one which poses a risk to personal data on a large and global scale”, especially given that “Our reliance on digital media shows no sign of slowing”.

This is supported by some striking statistics cited in the IEWG report, including:

  • An alert issued in September 2020 by the US FBI [1], in which it noted that “Credential stuffing accounted for the greatest volume of security incidents against the financial sector at 41 percent of total incidents”

  • A report published in October 2020 by ENISA [2], in which it noted that “Companies experience an average of 12 credential-stuffing attacks each month, wherein the attacker is able to identify valid credentials.”

2. Data protection and privacy

As noted in the IEWG report, the requirements on data security in the General Data Protection Regulation (GDPR) are very high-level – the GDPR simply states that organisations should process personal data in such a way that “ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss…” (GDPR Article 5(1)(f)).

However, whilst the GDPR might not specify the steps which organisations need to take to ensure compliance, this does not mean that the ICO won’t take action where it feels that a lack of appropriate security measures has led to a personal data breach. Indeed, three of the biggest fines issued by the ICO to date related to a lack of adequate security by the fined organisation:

  • British Airways was fined £20m for failing to protect the personal and financial details of over 400,000 of its customers (you can read our articles here)

  • Marriott International Inc. was fined £18.4m for failing to keep millions of customers’ personal data secure (you can read our article here)

  • Ticketmaster UK Limited was fined £1.25m for failing to keep customers’ personal data secure (you can read our article here)

Moreover, as noted in the IEWG report, the ICO fined Uber £385,000 in 2018 specifically for failing to protect customers’ personal information from a credential stuffing attack during October and November 2016, and for allowing a number of “avoidable data security flaws” to expose the credentials of some 2.7 million UK customers and 82,000 UK drivers to the attackers [3].

3. What should organisations do?

The IEWG helpfully provides details in the final section of its report (see section 7, “Measures to detect, prevent and/or mitigate the risk from credential stuffing”) on steps which organisations should take to mitigate what they describe as “no longer simply a ‘threat’ but an unavoidable reality”.

Because the malicious actor is using valid credentials, which can make these types of attacks particularly difficult to detect, the IEWG provides details of steps which should be taken to combat these risks. Their suggestions include:

  • Allowing guest checkouts wherever possible
  • Never storing passwords in plaintext (but instead using hashing algorithms)
  • Enforcing strict password policies (eg special characters, password length)
  • Providing education and assistance for users (eg informing users of the risks)
  • Considering whether an alternative to passwords would be possible / appropriate
  • Implementing multi-factor authentication
  • Requiring additional security information (eg a PIN or specific characters from a secondary password)
  • Carrying out account monitoring / detection as well as checks for anonymity networks
  • Applying web application firewalls, IP block-lists and allow-lists of known ‘good’ IP addresses
  • Having in place robust incident response plans and user notifications
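The account monitoring point in the list above is the one most organisations find hardest to act on, because each individual login attempt looks legitimate. What does stand out is the pattern: one source trying many different accounts in a short window with a low success rate. The following is an added illustration (not code from the IEWG report or the ICO) that runs that check over a constructed authentication log; the log field layout and thresholds are assumptions, and the accounts that did succeed from a flagged source are returned so they can be reset and notified.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (illustrative; field layout is assumed).
# 203.0.113.7 cycles through many accounts with mostly failures; 198.51.100.9 is one user retrying.
SAMPLE_LOG = """\
2022-07-05T10:00:01+00:00 src=203.0.113.7 user=alice result=FAIL
2022-07-05T10:00:02+00:00 src=203.0.113.7 user=bob result=FAIL
2022-07-05T10:00:02+00:00 src=203.0.113.7 user=carol result=FAIL
2022-07-05T10:00:03+00:00 src=203.0.113.7 user=dave result=FAIL
2022-07-05T10:00:03+00:00 src=203.0.113.7 user=erin result=OK
2022-07-05T10:00:04+00:00 src=203.0.113.7 user=frank result=FAIL
2022-07-05T10:01:00+00:00 src=198.51.100.9 user=alice result=FAIL
2022-07-05T10:01:30+00:00 src=198.51.100.9 user=alice result=FAIL
2022-07-05T10:02:00+00:00 src=198.51.100.9 user=alice result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    """Parse one log line into (timestamp, source, user, success) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "OK"

def find_stuffing_sources(log_text, window_minutes=5, min_distinct_users=5, max_success_rate=0.3):
    """Flag sources that hit many distinct accounts with a low success rate inside one fixed window.
    Returns {src: {"users", "attempts", "compromised"}}; "compromised" lists accounts to reset/notify."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "compromised": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, ok = parsed
        bucket = buckets[(src, int(ts.timestamp()) // (window_minutes * 60))]
        bucket["users"].add(user)
        bucket["attempts"] += 1
        if ok:
            bucket["compromised"].add(user)
    flagged = {}
    for (src, _), b in buckets.items():
        rate = len(b["compromised"]) / b["attempts"]
        if len(b["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = {"users": len(b["users"]), "attempts": b["attempts"],
                            "compromised": sorted(b["compromised"])}
    return flagged
```

A single user who mistypes their own password several times is not flagged because only one distinct account is involved; tune the thresholds to your own baseline traffic before acting on the output automatically.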

The IEWG report recommends having a “Qualified Individual” who is responsible for the overseeing, implementing, and reinforcing of an organisation’s IT security program. We would recommend that you appoint such an individual (to the extent this has not already been done) and that they review these recommendations from the IEWG against your firm’s current practices.

Next steps

Assign a “Qualified Individual” (who is responsible for the overseeing, implementing, and reinforcing of an organisation’s IT security program) to review and implement the IEWG’s recommended measures to deter, prevent and / or mitigate the risk from credential stuffing.


[1] Federal Bureau of Investigation (FBI), ‘Private Industry Notification 20200910-001’: https://www.ic3.gov/media/news/2020/200929-1.pdf accessed 25 May 2021.
[2] European Union Agency For Cybersecurity (ENISA), ‘Main Incidents in the EU and worldwide January 2019 to April 2020’: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-main-incidents accessed 25 May 2021.
[3] UK Information Commissioner’s Office (ICO), ‘ICO fines Uber £385,000 over data protection failings’: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/ico-fines-uber-385-000-over-data-protectionfailings/ accessed 25 May 2021.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.