Cyber Attacks: Recent Guidance on Credential stuffing

5th July 2022 - Published by Kuits Commercial team

Credential stuffing cyber-attacks threaten data security on a global scale. The increased use of online digital services has led to an increase in cyber-attacks targeting organisations and individuals’ personal data. Credential stuffing has been identified as an increasingly significant area of concern, with 193 billion credential stuffing attacks identified worldwide in 2020. In response, the International Enforcement Working Group (IEWG), a group made up of data protection supervisory authorities from across the world, has recently published the ‘Credential Stuffing Guidelines’ to assist commercial organisations and a ‘Credential Stuffing Awareness Raising’ document for individuals.

What is credential stuffing?

Credential stuffing attacks breach systems by taking valid user credentials (username or email address and password) obtained from the dark market and attempting automated log-ins across numerous online sites, in order to access any accounts that reuse the same credentials. Attackers then take control of the compromised accounts to carry out illicit activities, exposing victims to the risk of fraud, theft, reputational damage, infiltration of other data systems and further cyber-attacks. Online retailers are particularly at risk from this type of attack.


Part 7 of the guidance sets out recommended measures to detect, prevent and/or mitigate the risk from credential stuffing. Recommendations include:

  • multi-factor authentication;
  • account monitoring and detection;
  • use of a firewall;
  • additional checks for anonymity networks;
  • use of unpredictable usernames; and
  • use of secondary passwords and PINs.
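The "account monitoring and detection" measure is the one most readily illustrated in code. The following is an added example written for this article; it is not code from the IEWG guidance or from Kuits. It assumes a constructed authentication log format (timestamp, source IP, username, result) and thresholds chosen for illustration. The distinguishing signal it looks for is the one that separates a stuffing run from a legitimate user mistyping a password: one source attempting many different usernames with a high failure ratio inside a short window. Any successful login inside such a window is reported as a suspected account takeover so the account can be force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real traffic). The line format
# is an assumption made for this example:
#   <ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2022-07-05T09:00:01Z 203.0.113.7 alice LOGIN_FAIL
2022-07-05T09:00:03Z 203.0.113.7 bob LOGIN_FAIL
2022-07-05T09:00:04Z 198.51.100.5 dave LOGIN_FAIL
2022-07-05T09:00:05Z 203.0.113.7 carol LOGIN_OK
2022-07-05T09:00:07Z 203.0.113.7 erin LOGIN_FAIL
2022-07-05T09:00:09Z 198.51.100.5 dave LOGIN_FAIL
2022-07-05T09:00:10Z 203.0.113.7 frank LOGIN_FAIL
2022-07-05T09:00:12Z 203.0.113.7 grace LOGIN_FAIL
2022-07-05T09:00:14Z 203.0.113.7 heidi LOGIN_FAIL
2022-07-05T09:00:15Z 198.51.100.5 dave LOGIN_OK
2022-07-05T09:00:17Z 203.0.113.7 ivan LOGIN_FAIL
2022-07-05T09:05:00Z 192.0.2.9 judy LOGIN_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Detection thresholds (assumed values, tune to your own traffic).
WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_DISTINCT_USERS = 5           # one source trying many different accounts
MIN_FAILURE_RATIO = 0.75         # stuffed credential lists mostly miss


def parse_log(text):
    """Return a time-sorted list of (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "LOGIN_OK"))
    return sorted(events)


def detect_credential_stuffing(events):
    """Flag source IPs whose activity inside any WINDOW looks like a stuffing run.

    A legitimate user who mistypes a password fails repeatedly on ONE account;
    a stuffing run fails across MANY accounts. The signal is therefore the
    number of distinct usernames per source combined with a high failure
    ratio. Successful logins inside a flagged window are collected as
    suspected account takeovers.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event fits in WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            failures = sum(1 for e in window if not e[3])
            ratio = failures / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                prev = findings.get(ip, {"attempts": 0, "distinct_users": 0,
                                         "failures": 0, "suspected_takeovers": set()})
                # Keep the largest qualifying window seen for this source.
                if len(window) >= prev["attempts"]:
                    prev.update(attempts=len(window), distinct_users=len(users),
                                failures=failures)
                prev["suspected_takeovers"].update(e[2] for e in window if e[3])
                findings[ip] = prev
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts, {f['distinct_users']} users, "
              f"{f['failures']} failures, takeovers={sorted(f['suspected_takeovers'])}")
```

On the constructed sample, only 203.0.113.7 is flagged (eight attempts on eight accounts, seven failures, with `carol` reported as a suspected takeover); the repeated failures from 198.51.100.5 are on a single account and are left alone. In a real deployment the same logic would typically key on more than the source IP (for example device fingerprint or ASN), since stuffing tools rotate through proxy pools, which is why the guidance pairs detection with additional checks for anonymity networks.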

Why should businesses take note of this guidance?

Businesses have a legal obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Failure to do so could result in fines of up to the greater of 4% of worldwide turnover and £17.5 million. Whilst it will not be appropriate for every business to implement all the measures set out in the guidance, in its investigation of a data breach the ICO will want to see that organisations have:

1. Considered the appropriateness of each of the measures, taking account of the cost of implementation in comparison to the risk were data to be breached; and
2. Properly implemented measures that are proportionate to the identified risk.

We therefore recommend that organisations bring together their relevant stakeholders to assess this guidance and consider any additional measures that it would be appropriate to implement. This assessment should be documented and regularly reviewed.

Links to guidance

Guidance for Organisations can be found here.

Guidance for individuals can be found here.

If you are an online business and require any legal advice, please contact our commercial team on 0161 838 7986.