Firms warned over DNS data exfiltration as GDPR fines loom

Many firms are vulnerable to DNS data exfiltration exploits that use just ten lines of code, cyber security experts have warned ahead of the introduction of strict new data protection laws.

According to researchers from EfficientIP, cyber attacks known as DNSX can help cyber criminals to steal data via the system used to resolve web addresses.

In an IDC Technology Spotlight report, it warned firms to take precautions to mitigate the threat ahead of the full introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018, which threatens fines of up to €20 million (£17 million) or four per cent of global turnover.

Cyber criminals can exploit DNS to encrypt stolen data inside seemingly legitimate address labels, the researchers warned, which could land businesses in hot water with regulators once the new law is introduced if they are seen not to be doing enough to protect information.

“GDPR is all about business risk,” said Duncan Brown, an IDC analyst. “In 2018, data exfiltration will change the game and it affects organisations globally – not just those in the EU.

“Enhanced DNS security is an added layer of protection when considering privacy for the network data and customers, preserving reputation and enabling GDPR.”

The report advised businesses to analyse DNS traffic patterns, blacklist compromised traffic sources and carry out packet analysis to detect rogue traffic.

“Quite simply, the choice is to take DNS seriously as a cyber threat or face public humiliation and potentially business-threatening financial penalties when [the] GDPR is in place,” said David Williamson, CEO at EfficientIP.

Business Reporter previously spoke to cyber security expert Edward Lucas about the implications of the GDPR and how businesses should prepare.

“This is going from being a thing where you might just possibly get sued to a thing where you might get very serious fines,” he said ahead of The European Information Security Summit 2017, which takes place this month. “This is a major threat to financials for a company that’s careless – or seen to be careless – with the personal data it holds.”