A distributed denial-of-service (DDoS) attack hit the Luxembourg government last week, debilitating its web servers for over 24 hours. The attack, which is believed to have affected over 100 websites hosted by the government’s servers, has been confirmed by state-owned IT provider the Centre des technologies de l’information de l’Etat (CTIE).
According to the Luxemburger Wort, the attack began at 9.30 am on 27 February, with web servers for many state authorities going offline or grinding to a halt.
Motive for the attack
DoS attacks work by overloading or shutting down a service so that legitimate users can no longer access it. The most common form, the DDoS attack, uses a botnet to flood a server with requests. The service disruption can result in financial losses and reputational damage.
Although the motive for a DoS attack may be monetary, the only way to make money from such an attack is through ransom payments. Revenge, activism or other political reasons are more typical motives for DoS attacks.
Government systems have proven to be a popular target, as Naked Security notes, and such attacks are often executed to protest the actions of a particular nation. The attack on the Luxembourg government follows that trend, although the CTIE director, Gilles Feith, commented that neither the purpose nor the origin of the attack is yet known.
DDoS attacks and the GDPR
This attack may also have been an attempt to steal information. While DoS attacks cannot in themselves be used to capture personal data, they are increasingly being used as a smokescreen to facilitate a second attack. According to SC Magazine, these ‘dark DDoS’ attacks were responsible for a number of recent high-profile data breaches, including attacks on Carphone Warehouse, Ashley Madison and TalkTalk.
The success of such attacks means that they will almost certainly be a growing challenge to business. With that in mind, all businesses should be evaluating their security measures – particularly in light of the General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018. The GDPR has strict requirements for protecting personal data, and that data is increasingly under threat from DDoS attacks.
The GDPR applies to all organisations that process EU residents’ personal data, whether or not they are based in the EU. For those looking to implement the GDPR, IT Governance offers a series of resources – including pocket guides, training courses and documentation toolkits.