Category Archives: ICO

ICO Analysis: Solve.Care

The stated mission of Solve.Care is to “Make health care and benefits programs work better for everyone.” Solve.Care aims to improve security and privacy while also improving access and accountability in a manner that current centralized systems cannot accomplish. Solve.Care’s platform intends to vastly improve the administration of benefits and the coordination of care. By […]

The post ICO Analysis: Solve.Care appeared first on Hacked: Hacking Finance.

ICO Analysis: Friendz

Friendz connects brands with their community of users to promote “word of mouth” marketing. Unlike a majority of ICOs, the company has already been in business since 2016. They’re using the ICO as an opportunity to incorporate blockchain technology into their platform to automate picture validation and reward distribution (more on this later). The team […]

The post ICO Analysis: Friendz appeared first on Hacked: Hacking Finance.

ICO Analysis: Skraps

A growing number of statistics show that very few people save anything at all for their retirement. In a study conducted by Bankrate, it was discovered that from the age of 30, less than half of all Americans save more than 5% of their annual salary. What’s more, 20% of Americans in the same […]

The post ICO Analysis: Skraps appeared first on Hacked: Hacking Finance.

ICO Review: VALID

VALID is a two-part blockchain ecosystem for you to use to manage and authenticate your digital identity and potentially sell your personal data. The project is part of Procivis, a digital identity platform that’s been working with governments to create eIDs for their citizens. VALID Wallet: According to the whitepaper, the VALID wallet is a mobile […]

The post ICO Review: VALID appeared first on Hacked: Hacking Finance.

ICO Analysis: Havven

Cryptocurrency market volatility is nothing new to crypto investors. There have been several projects creating asset-backed coins including those secured with diamonds, real estate, and USD to provide investors a sense of stability. Havven looks to add a layer of stability to their project through a dual token system they say will include a crypto […]

The post ICO Analysis: Havven appeared first on Hacked: Hacking Finance.

ICO Analysis: Serenity

During the past few decades, internet connectivity and technological advancement evolved rapidly to satisfy a large spectrum of the digital consumer crowd up to and including finance. The demand for online stock exchange, currency trading and investing has led to the development of thousands of online brokerage platforms and systems all over the globe. However, […]

The post ICO Analysis: Serenity appeared first on Hacked: Hacking Finance.

ICO Analysis: Acorn Collective

Acorn Collective, commonly called just ‘Acorn’, is a crowdfunding platform with the mission to provide “free crowdfunding for any legal project in any county.” Crowdfunding platforms like Kickstarter and GoFundMe have grown in popularity over the last 10 years but still exclude many projects looking for funding. As centralized entities, they restrict what projects can […]

The post ICO Analysis: Acorn Collective appeared first on Hacked: Hacking Finance.

ICO Analysis: Dock.io

According to Research and Markets, “the online recruitment market in the US is forecast to grow at a CAGR of 6.47% during the period of 2016-2020.” As the online recruitment industry continues to grow in size and popularity, online recruiters have developed in-house recruitment CRMs that are heavily reliant on data intelligence. Data helps online […]

The post ICO Analysis: Dock.io appeared first on Hacked: Hacking Finance.

ICO Analysis: Signals

Bitcoin and other cryptocurrencies have witnessed unprecedented growth in volume over the past year. Although cryptocurrencies were created for purely transactional or utility purposes, their rapid price appreciation, growing volume and high volatility have given them the status of speculative trading assets. Trading mechanisms like the algorithms found in trading bots are now […]

The post ICO Analysis: Signals appeared first on Hacked: Hacking Finance.

ICO Analysis: EximChain

The world of supply chain management is changing rapidly, as new technology and process upgrades continue to drive competition for market share. This has prompted many businesses to re-evaluate their existing processes and performance with an emphasis on boosting efficiency, transparency and customer service. Although processes may be evolving, traceability and transparency remain an integral […]

The post ICO Analysis: EximChain appeared first on Hacked: Hacking Finance.

More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails

Participants in the Bee Token ICO were robbed of hundreds of ETH: scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.

Another day, another incident involving cryptocurrencies: hundreds of users have fallen victim to email scams in the last few days.

The victims were tricked by scammers into sending them more than $1 million worth of Ethereum as part of the Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service; its ICO launched on January 31 and ended on February 2, when the Bee team had obtained the $5 million necessary to start the project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent emails with a sense of urgency to potential investors, inviting them to buy Bee Tokens by transferring Ethereum coins to the scammers' wallets.

To convince users to participate in the ICO by sending Ethereum, the scammers claimed that the company had started a partnership with Microsoft and would be giving participants a 100% bonus on all contributions made in the next 6 hours.

The cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their ETH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to,” states the blog post published by TheRippleCryptocurrency.

After the Bee team became aware of the fraudulent activity, it issued three security alerts to warn of the ongoing scam:

“The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/” reads one of the Bee Token Security Notices.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

TheRippleCryptocurrency.com had access to two different versions of the email, which reported the following Ethereum addresses used by the crooks:

A third one was reported on Reddit by users:

The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately, this kind of incident is not uncommon; for this reason, Facebook has banned ads for ICOs and cryptocurrencies on its social network.

Pierluigi Paganini

(Security Affairs – Bee Tokens, scam)

The post More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails appeared first on Security Affairs.

ICO Analysis: Bubbletone

Bubbletone Blockchain has generated a lot of buzz in the ICO world. In the age of globalization and heightened cross-border travel, the promise of global telecom without intermediaries is quickly gaining traction. Imagine traveling anywhere in the world and being able to use your mobile device seamlessly without changing your SIM card or paying huge […]

The post ICO Analysis: Bubbletone appeared first on Hacked: Hacking Finance.

Scammers steal nearly $1 million from Bee Token ICO would-be investors

Another day, another ICO-related scam. In an attack similar to the one that fooled investors in the Enigma cryptocurrency investment platform, users who were aiming to buy Bee Tokens during a Token Generation Event (i.e., an initial coin offering) were tricked into sending the money to scammers instead. What is the Bee Token? Beenest is a home-sharing network built on top of a set of Bee Protocols (Ethereum smart contracts) running on the Ethereum network. The … More

ICO Analysis: Ethearnal

There is a profound shift underway in the labor market: many people are disavowing traditional 9-5 employment in favor of the ever-growing ‘gig economy’ – a phrase that describes the bustling world of freelancing and short-term contracts. Although the transition partly reflects the breakdown of stable employment opportunities, it also taps into an even bigger […]

The post ICO Analysis: Ethearnal appeared first on Hacked: Hacking Finance.

ICO Analysis: AdHive

Digital advertising is the fastest growing segment of the advertising industry, and now has the highest market share in terms of ad spending beating TV in 2017. Despite losing billions of dollars in revenue to challenges like ad blocking or insignificant banner ads, the digital ad industry is still multiplying due to new growth avenues. […]

The post ICO Analysis: AdHive appeared first on Hacked: Hacking Finance.

ICO Analysis: Grain

As human capital continues to rise worldwide and supply chains gain international footprints, companies are increasingly looking for ways to enable cross-border collaboration in employment and freelance work. However, current payroll processes create regulatory and compliance hurdles and also come with significant currency exchange fees when companies look to hire abroad. One […]

The post ICO Analysis: Grain appeared first on Hacked: Hacking Finance.

ICO Analysis: Faceter

When it comes to security, video surveillance is currently one of the best ways to ensure ‘what really happened’ in any situation. Public crime and terrorist activity are the main factors that generate the need for the development of the global surveillance market. According to Stratistics MRC, the global video surveillance market was worth an estimated $19 billion in 2015 […]

The post ICO Analysis: Faceter appeared first on Hacked: Hacking Finance.

ICO Analysis: FCFL

According to Newzoo, the global leader in eSports, games, and mobile intelligence, the eSports economy was worth $696 million in 2017, a dramatic increase from $71.5 million in 2013. Growing demand for online streaming media platforms, particularly Amazon’s Twitch.tv, has become central to the expansion and promotion of eSports competitions and their prize pools. Newzoo estimates a […]

The post ICO Analysis: FCFL appeared first on Hacked: Hacking Finance.

ICO Analysis: A2B TAXI

People generally prefer the convenience of taxis over other public transportation methods for various reasons. Unlike public transportation, which has a predetermined operational path, moving speed and multiple users at the same time, taxis give you the options of privacy, dedicated service and the convenience of arriving right at your doorstep. The global taxi market is […]

The post ICO Analysis: A2B TAXI appeared first on Hacked: Hacking Finance.

ICO Analysis: DataWallet

I love the way The Economist describes the data economy: “Data are to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and—crucially—new economics. Digital information is unlike any previous resource; it is extracted, refined, valued, […]

The post ICO Analysis: DataWallet appeared first on Hacked: Hacking Finance.

ICO Analysis: Play2Live

The gaming industry crossed the $100 billion revenue mark in 2017, becoming one of the fastest growing industries globally. To give you a perspective on things, games generated nine times more revenue than Hollywood in 2016. The gaming industry has also attracted the widespread attention of the blockchain community, with roughly 30 blockchain-based gaming projects […]

The post ICO Analysis: Play2Live appeared first on Hacked: Hacking Finance.

DFINITY is the Third Wave of Blockchain

The use of blockchain technology is rapidly proliferating, and it has already become a strong candidate to be the most revolutionary technology of this decade. The first generation of blockchain technology came with the invention of bitcoin by Satoshi Nakamoto in 2008. It depended heavily on a virtual ledger, which keeps track of all transactions […]

The post DFINITY is the Third Wave of Blockchain appeared first on Hacked: Hacking Finance.

ICO Analysis: Coinvest

As more and more asset managers begin to allocate a portion of their portfolio to cryptocurrencies, they’ll be seeking risk-adjusted returns from a diversified basket of tokens. However, the current index funds that are available may not be what they are looking for. This is because many asset managers are constrained by mandates and risk-controls, […]

The post ICO Analysis: Coinvest appeared first on Hacked: Hacking Finance.

ICO Analysis: Feast Coin

Feast Coin is a decentralized currency and app you can use to order from your favorite take-out and/or delivery restaurant. With Feast Coin you can pay using cryptocurrency without having to go through the arduous process of converting to fiat. Differing from the majority of other ICOs, Feast Coin is built on the Waves platform. Waves […]

The post ICO Analysis: Feast Coin appeared first on Hacked: Hacking Finance.

ICO Analysis: DADI

DADI (Decentralized Architecture for a Democratic Internet) is a platform for decentralized cloud and web-based services. The platform uses a Decentralized Autonomous Organization (DAO) and fog computing to bring you these services in a cheaper, more secure fashion. The project is attempting to remove the power of the behemoths (Microsoft Azure, Amazon Web Services, Google […]

The post ICO Analysis: DADI appeared first on Hacked: Hacking Finance.

ICO Analysis: ArcBlock

Blockchain technology is still in its infancy. There are many issues preventing developers and businesses from creating widespread, decentralized blockchain applications. Performance is one of the main challenges facing current blockchain solutions. The blockchain that bitcoin uses is designed to handle seven transactions per second, and Ethereum can only handle a few more. As of […]

The post ICO Analysis: ArcBlock appeared first on Hacked: Hacking Finance.

Carphone Warehouse fined £400K for serious 2015 data breach

The Information Commissioner's Office (ICO) is back to doing what it does best today, slapping Carphone Warehouse with a £400,000 fine for a 2015 data breach that exposed the personal information of over 3 million customers and 1,000 staff. It's one of the heftiest invoices the ICO has ever written up, though TalkTalk was fined just as much for failing to protect user data from a cyberattack that same year. Carphone Warehouse suffered a comparably serious breach that affected several of the company's brands. Not only were names, addresses, dates of birth and other personal details exposed, but also the "historical" card details of 18,000 customers. According to the ICO, though, "there has been no evidence that the data has resulted in identity theft or fraud."

Source: Information Commissioner's Office

Uber says 2016 hack affected 2.7 million UK customers and drivers

As Uber prepares to defend itself following news that it suffered -- and subsequently hid -- a massive data breach in 2016, the company has begun shedding light on how many people it affected locally. At first count, 57 million global users were implicated in the attack, but the ride-hailing service today revealed that as many as 2.7 million UK customers and drivers had their names, email addresses and mobile phone numbers stolen.

Source: Uber

UK data watchdog opens its own investigation into Uber hack

After reports emerged that Uber had suffered a massive data breach, the UK's Information Commissioner's Office (ICO) has said it has "huge concerns" about the company's data protection policies and has confirmed it has launched its own investigation into Uber's decision to cover it up.

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack; however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here: http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones. Much of the embarrassment could have been avoided had multi-factor authentication been enabled on the accounts; the exception is the spate of Instagram hacks, which were caused by the exploitation of a software vulnerability in Instagram's API.

In what looks like a follow-on from the brute-force attack on UK Parliament email accounts in June, the Scottish Parliament was hit by a very similar cyber attack; as in the Westminster attack, many MSPs were reported to be using weak passwords. Let's hope the Welsh Assembly has taken note and learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found by a security researcher to be spreading malware. It was said to have been put together using stolen data from the previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps the spam evade anti-phishing and spam filters.

On the ransomware front, LG reported that WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPetya badly affected its ability to deliver hundreds of thousands of items, particularly within Ukraine. And Digital Shadows reported a trend of cyber criminals dropping exploit kits in favour of ransomware, as there is simply a lot more money to be made from ransomware attacks.

On the critical security patching front, Microsoft released 25 patches, Adobe released 43, and Drupal patched a critical bug. There was also an interesting article posted by Microsoft on cyber resilience that is worth reading.


Cyber Security Roundup for July 2017

Apologies for the delay in this month's Cyber Security Roundup release; I have been away on holiday, taking a break from monitor screens and keyboards for a couple of weeks.

The insider threat danger manifested at Bupa, where an employee stole and shared 108,000 customer health insurance records. Bupa dismissed the employee and is planning to take legal action. The Bupa data breach was reported to both the FCA and the ICO; it remains to be seen whether the UK government bodies will apportion any blame to Bupa for the data loss.

The AA was heavily criticised after it attempted to downplay a data compromise of over 13 gigabytes of its data, which included 117,000 customer records. The AA’s huge data cache was incorrectly made available online after an AA online shop server was “misconfigured” to share confidential data backup files.

A customer data breach at World Wrestling Entertainment (WWE) should serve as a stark warning for businesses to adequately assure third parties and to secure cloud-hosted systems. Three million WWE fan records were compromised after a third party misconfigured a cloud-hosted Amazon server used by the WWE online shop.

The aftershock of Petya / NotPetya rumbles on, with malware still reported as disrupting firms weeks after the attack. There are claims that the mass media coverage of the attack has improved overall staff cyber security awareness.

It was found that over 1.6 million NHS patient records were illegally provided to Google's artificial intelligence arm, DeepMind, without patient consent, meaning the NHS and Google have breached the Data Protection Act.

A 29-year-old British hacker named as Daniel K, but better known by his hacker handle "BestBuy" or "Popopret", admitted to hijacking 900,000 Deutsche Telekom routers in Germany after he was arrested at Luton airport in February. He said he made "the worst mistake of my life" when he carried out a failed attack in November for a Liberian client who paid him 8,500 Euros to attack the Liberian's business competitors. BestBuy used a variant of the Mirai malware to take advantage of a security vulnerability in Zyxel and Speedport model routers used by the German Internet Service Provider, intending to grow his botnet and so the scale of the DDoS attacks he could perform on behalf of clients.

A document from the National Cyber Security Centre (NCSC), reportedly produced by the British spy agency GCHQ, was obtained by Motherboard and verified with the NCSC by the BBC as legitimate. The document states some industrial software companies in the UK are "likely to have been compromised" by hackers. The NCSC report discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

UniCredit Bank had over 400,000 customer loan accounts accessed through a third party. This is the second security breach at the Italian bank in a year.

Finally, this blog was awarded a place in the Best Technology Blogs of 2017 lists by Market Inspector and by Feedspot this month.


Simple GDPR Information Security Guidance: Don’t believe the Hype

PDF version of this blog post is available here - ITSE-GDPR-InfoSec-Guide-Jun17.pdf

There are plenty of Cyber Security Sales and Marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and in far too many cases spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.

You do not need to be a lawyer or a fancy-pants security consultant to understand the GDPR's information security requirements; they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements will result in full-blown project plans. I recommend reading the bite-sized, section-headed version of the GDPR on www.privacy-regulaton.eu rather than the EU-released GDPR paper.

Nothing in this blog post is official legal advice; it is an interpretation and personal opinion on meeting the GDPR’s requirements. Further official and detailed GDPR information security guidance is expected to be released.

Brexit
The United Kingdom’s exit from the European Union will not occur before the GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely that GDPR compliance will continue to be a UK personal data legal requirement post-Brexit. The GDPR applies to any non-EU country processing EU citizens' personal data, and it is unlikely that the UK will adopt a tiered data protection legal system where UK nationals have fewer privacy rights than EU nationals.

Only 3 of the 99 GDPR Requirements are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 33, 34, and 35; the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden information security requirement in GDPR Recital 63, but aside from that there is not a lot for information security professionals to worry about, unless you have been tasked to prepare an organisation to meet all the GDPR's requirements, in which case you need to be data privacy qualified.

Information Security Vs Data Privacy
Some companies like to lump data privacy within information security management, but properly understanding and managing modern data privacy rights in medium to large organisations requires individual(s) with the appropriate qualifications and background in privacy law. Data privacy is a completely separate discipline; applying the intricacies of privacy rights within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nevertheless, even though privacy and security are linked, they should be regarded as separate business functions and separate professions, a notion included as a requirement in the GDPR under Article 37.

Article 37 “Designation of a Data Protection Officer”
"...the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."
Article 37 & Article 38 require the designation of a Data Protection Officer (DPO).

Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.

GDPR's Information Security Requirements (Recitals & Articles)
The GDPR has 173 Recitals and 99 Articles. Recitals set out the reasons for the regulation and what it is trying to achieve, while Articles are the regulatory requirements, the GDPR rules.

Article 32 Apply an Appropriate level of Information Security (Risk Assess)
This is best-practice information security management; nothing specific or new here, it all should already be being done. Take a risk-assessed approach, information security 101: the confidentiality, integrity and availability of all personal data within the organisation. Don't forget availability, as unlike PCI DSS, the GDPR regards the availability of personal data as a security requirement. Article 32 requires information security to be of an industry best-practice standard, appropriate to the size and nature of the organisation; this means information security does not need to achieve a 'state of the art' level, but a level that is generally considered adequate for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO27001:2013, you are in an excellent position to meet the GDPR's information security requirements.

Article 33 Notification of Breaches to the ICO
The ability to report data breaches to the ICO within 72 hours. So, as part of incident management and response policy and planning, include a process to inform the company's designated Data Protection Officer (DPO) about any detected personal data breaches, allowing the DPO to be informed and to report any data breaches to the ICO.

Article 34 Notification of Breach to Data Subjects
As per Article 33, ensure company DPO notification is included as part of your incident management/response process, to allow your DPO to inform data subjects should their personal data be at risk due to a security incident.

Article 35 Data Protection Impact Assessment
“7. The assessment shall contain at least: (7d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
Article 35’s 11 requirements are a Data Privacy Officer responsibility in my view, so I have not counted it as one of the 3. However, to meet some of 7d, it cites a repeat of Article 32: a risk-assessed approach to applying information security controls appropriate to protecting personal data.

Documentation and assessment evidence is required to demonstrate compliance; again, such documentation and security assessments should already be in place if your organisation operates best-practice information security management.

Article 30 – Records of Processing Activities
“1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information. g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

“2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

Another set of Data Privacy Officer requirements, but Article 30 references the information security Article 32. In other words, make sure the record-processing activities are in scope of the information security policy/programme and that the security controls are documented, which they already should be.

Data Subject Access Rights Portal
Recital 63 refers to organisations providing a Data Subject Access Rights Portal:
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is “possible” for most organisations; for many it could mean adding functionality to existing staff- and customer-facing websites/portals.
Bear in mind that even though Recital 63 reads like a GDPR requirement, it is the Articles, not the Recitals, that are the legal requirements to meet. Then there is Article 12, which states:
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means".

The provision or expansion of an internet-connected portal to handle GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure. As such it will be an information security responsibility and GDPR requirement to secure it.

GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to be fulfilled within one month and without any charge, so given Recital 63 and Article 12 the best way to achieve this, especially where there are thousands of personal data records in the care of the organisation, is an internet-facing portal that provides each data subject with the ability to exercise their new GDPR privacy rights.
  • Article 13 - explain how personal data is processed
  • Article 15 - provide a copy of personal data (Data Subject Access Request)
  • Article 16 - correct any incorrect personal data
  • Article 17 - personal data erasure
  • Article 18 - restrict the processing of personal data
  • Article 20 - personal data portability, provide personal data to another data controller
  • Article 21 - object at any time to the processing of personal data
  • Article 22 - not be subject to automated data processing and profiling
Not complying with the above Articles means a data subject can seek compensation by engaging a solicitor and complaining to a court (Article 79 & Article 80), or through a complaint to the ICO (Article 77), which has the infamous fine potential of up to 20M Euro or 4% of global turnover.

It should go without saying that the security of any Internet-facing portal hosting personal data en masse needs to be highly robust and security tested via penetration testing at least annually and after any significant change.

The Information Security Breach GDPR Fines Truth
A breach of information security means a fine of up to 10 million Euro (not 20 million Euro) or up to 2% of global turnover (not 4%).
Article 83 states: "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43". Articles 32, 33, & 34 are the information security requirements; the higher-level penalty rates are for privacy breaches.

The GDPR Right to Data Protection (not as clear-cut as you might think)
Recital 1 is titled "Data Protection as a fundamental right",
but Recital 4 states "The right to the protection of data is not an absolute right" and goes on to state "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

So the GDPR is rights-based and respects all other EU 'rights', which must include 'the freedom to conduct business' as stipulated in various EU Charters and Treaties; remember the EU was founded as a free-trading bloc of countries, not as a nation state. I am not a lawyer so I am not drawing a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.