This answer, written for educational purposes, surveys the legal measures available in the European Union (EU) for prosecuting carders under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679): the legal framework, enforcement mechanisms, interaction with other laws, case examples, and current trends. Terms, procedures, and context are explained along the way. Carders (those who steal and misuse credit or debit card data) commit acts that fall under the GDPR, because card data counts as personal data where it allows an individual to be identified.
1. Context: Who are carders and how does the GDPR apply to their activities?
Carders are cybercriminals who steal, buy, sell, or use bank card data (card number, expiration date, CVV code, cardholder name) to conduct fraudulent transactions, purchase goods, withdraw funds, or resell the data on the black market (e.g., the dark web). Their activities include:
- Data theft: Through phishing, skimmers, database hacking, malware (e.g. keyloggers).
- Data use: Online purchases, cash withdrawals, transfers.
- Selling data: On forums such as darknet marketplaces.
The GDPR applies because card data, especially when combined with name, address, or other identifiers, is considered personal data (Article 4(1) of the GDPR). Even partial data (e.g., just a card number) may fall under the GDPR if it poses a risk to the rights and freedoms of an individual (CJEU decision C-582/14, 2016). A violation of the GDPR occurs when data is processed:
- Without legal basis (Article 6);
- Without observing security principles (Article 32);
- Causing damage to data subjects (Article 82).
The GDPR is not a primary tool for criminal prosecution (that is the task of national laws and Directive 2013/40/EU on cyber-attacks), but it does provide powerful administrative measures to punish violators, including companies that failed to protect data, leading to leaks exploited by carders.
2. GDPR-Related Carding Violations
Carders and their affiliates (such as platforms that have breached data) may be in violation of the following provisions of the GDPR:
- Unlawful processing of personal data (Article 6):
- Carders process card data (collection, storage, transfer, use) without the consent of the data subject, legitimate interest, or other legal basis.
- Example: Purchasing stolen data from darknet forums is processing without a lawful basis.
- Violation of security principles (Article 32):
- Companies storing card data (banks, online stores) are required to implement technical and organizational measures (e.g. encryption, two-factor authentication).
- If data is leaked due to weak security (for example, software vulnerabilities), it is a breach.
- Example: A company's database was hacked due to a lack of security patches.
- Data breach (Articles 33–34):
- In the event of a data breach (for example, theft of a database containing card numbers), companies are required to notify data protection authorities (DPAs) within 72 hours and, where necessary, data subjects.
- Carders often exploit such leaks, and companies are held liable for failure to comply with notification requirements.
- Liability of data controllers and processors (Articles 24–28):
- Controllers (those who determine the purposes and means of data processing, such as a bank) and processors (those who process data on behalf of the data subject, such as payment systems) are responsible for data protection.
- Example: If a payment platform does not encrypt card data and carders steal it, the platform is in violation of the GDPR.
- Transfer of data outside the EU (Articles 44–50):
- Carders often transfer data to jurisdictions outside the EU (e.g. darknet servers in third countries), which violates cross-border transfer rules.
- Companies that allowed such transfers due to weak security are also liable.
3. Measures of prosecution under the GDPR
Data Protection Authorities (DPAs) in each EU country (e.g., the CNIL in France, the ICO in the UK, and the DPC in Ireland) are responsible for enforcing the GDPR. For cross-border cases (e.g., carding through international forums), a "one-stop-shop" mechanism (Article 56) is in place, where the lead DPA coordinates the investigation with other authorities through the European Data Protection Board (EDPB). Measures include:
3.1. Administrative fines (Article 83)
- Amount of fines:
- Up to €20 million or 4% of global annual turnover (for serious violations, such as illegal processing or lack of security measures).
- Up to €10 million or 2% of turnover (for less serious violations, such as failure to comply with notification procedures).
- Calculation criteria:
- Intention or negligence.
- The scale of damage (number of victims, volume of data).
- Cooperation with DPA.
- Previous violations.
- Examples of cases related to carding:
- British Airways (2018): The data of 400,000 customers, including card numbers, was leaked due to a vulnerability in the web application. The ICO fined the company £20 million (~€22 million, reduced due to COVID-19).
- Marriott (2019): Breach of 339 million guest records, including payment details. Fine: £18.4 million.
- Ticketmaster (2018): Breach of 9.4 million customer records, including card details. ICO fine: £1.25 million.
- According to the Enforcement Tracker (2024), in 2023–2024, 18% of GDPR fines were related to financial data breaches, including carding.
3.2. Corrective measures (Article 58)
- DPAs can:
- Issue a cease-and-desist order (e.g., prohibit the platform from processing payments until the vulnerabilities are fixed).
- Impose a temporary or permanent ban on data transfer.
- Require a security audit or certification.
- Example: In the Equifax case (2017), which predates the GDPR but illustrates a similar approach, the ICO ordered the company to implement encryption and patch vulnerabilities after a leak of 147 million customer records, including card data.
3.3. Compensation to victims (Article 82)
- Data subjects (cardholders) have the right to compensation for:
- Material damage: Financial losses from fraudulent transactions.
- Non-material damage: Stress, fear, or anxiety from a data breach.
- Key judicial clarification (CJEU, C-300/21, 2023): It is sufficient to prove a risk of misuse of data (e.g. fear that carders use the data) to claim compensation, without the need to prove actual damage.
- Examples:
- In the Bulgarian NAP case (2023), hundreds of citizens filed lawsuits following a leak of tax service data, including financial information. The average compensation awarded was €100–€500 per person.
- In Germany (2024), victims of carding filed a class action lawsuit against an online store after 50,000 card data records were leaked.
3.4. Investigations and cooperation (Articles 57–59)
- Process:
- DPAs conduct investigations (inspections, document requests, interrogations).
- For cross-border cases, the EDPB coordinates action through a cooperation mechanism (Article 60).
- In 2025, the EDPB introduced new procedural rules to speed up investigations (Regulation (EU) 2024/1689).
- Example: In the Meta case (2023), the Irish DPA imposed a fine of €1.2 billion for the illegal transfer of data to the US, including financial data, which could be used by carders.
3.5. Criminal consequences
- The GDPR does not provide for criminal sanctions, but carding falls under national laws and Directive 2013/40/EU on cybercrime.
- Penalties: Up to 5–7 years in prison for illegal access to systems, data theft, or fraud (varies by country).
- Example: In 2025, Europol added a carding suspect to the EU Most Wanted list for running an international network selling stolen card data.
- DPAs forward data to the police or Europol if they detect signs of a criminal offence.
4. Specifics of applying the GDPR to carding
- Card data as personal data:
- Card number + name/address = identifiable data (Article 4 of the GDPR).
- Even anonymised data (e.g. just a card number) may fall under the GDPR if it creates a risk to the data subject (UK tribunal decision, 2022).
- The CJEU (C-184/20, 2022) clarified that data are considered personal if they can be linked to an individual through "reasonable efforts".
- Combination with PCI DSS:
- The PCI DSS (Payment Card Industry Data Security Standard) requires companies (banks, retailers) to protect card data.
- A PCI DSS violation (such as a lack of encryption) increases liability under the GDPR because it demonstrates non-compliance with Article 32.
- Example: In the Target case (2013), which occurred in the US but is comparable, a leak of 40 million cards resulted in fines for weak security; in the EU these would have been reinforced by the GDPR.
- The cross-border nature of carding:
- Carders often operate through servers outside the EU, which complicates enforcement.
- The GDPR (Article 3) applies to any controllers/processors processing the data of EU residents, even if they are outside the EU.
- The EDPB actively cooperates with international bodies (such as Interpol) to combat darknet forums.
- The role of banks and payment systems:
- Banks are required to implement PSD2 (Directive 2015/2366/EU), including Strong Customer Authentication (SCA).
- Data breaches due to non-compliance with PSD2 increase liability under GDPR.
- Example: In 2024, a bank in Poland received a €2 million fine for a leak of 10,000 card records due to weak SCA.
5. Trends and statistics (2023–2025)
- Rising fines: According to the Enforcement Tracker (2024), total GDPR fines exceeded €5.88 billion, of which ~20% are related to financial data breaches.
- Focus on Eastern Europe: 24% of fines over €10,000 are in Poland, Romania, and Bulgaria, where carding remains a problem due to vulnerabilities in local systems.
- New enforcement rules: In 2025, updated procedural rules (Regulation (EU) 2024/1689) came into force, speeding up cross-border investigations.
- GDPR reform proposals: Amendments to combat financial scams, including simplified data exchange between banks and DPAs, are being discussed in 2025.
- Class action lawsuits on the rise: In Germany and the Netherlands, victims of carding are increasingly filing class actions under Article 82.
6. Examples of real cases
- British Airways (2018):
- Data leak of 400,000 customers due to a vulnerability in a web application (Magecart attack, often used by carders).
- Violation: lack of security measures (Article 32).
- Fine: £20 million (ICO, 2020, reduced due to pandemic).
- Lesson: Companies must implement protection against script attacks.
- Marriott (2019):
- The records of 339 million guests, including payment cards, were exposed due to weak security in Starwood's legacy systems.
- Violation: Failure to comply with Article 32 and lack of due diligence during the merger.
- Fine: £18.4 million.
- Bulgarian NAP (2019–2023):
- Leak of the data of 6 million citizens, including financial data.
- Hundreds of lawsuits from victims for non-material damages (fear of data misuse).
- Fine: 2.6 million leva (~1.3 million euros).
- Europol and carding (2025):
- An operation to shut down a darknet forum selling data from 10 million cards.
- DPAs passed on data to Europol, leading to arrests in 5 EU countries.
7. Recommendations for protection against carding
- For companies:
- Implement encryption, tokenization of card data, PCI DSS.
- Conduct regular penetration testing.
- Notify DPAs and customers of breaches within 72 hours.
- For citizens:
- Monitor banking transactions.
- Use two-factor authentication.
- File complaints to the DPA or take action under Article 82 in the event of a data breach.
- For law enforcement:
- Cooperate with Europol and Interpol for cross-border prosecution.
- Use GDPR investigation data for criminal cases.
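As an added illustration of the "tokenization of card data" recommendation above (example code written for this page, not taken from any regulation, standard or product; the vault key is a constructed demo value and the in-memory dictionary stands in for a real token service):

```python
import hashlib
import hmac

# Constructed demo key: a real deployment keeps this in an HSM or KMS, never in code.
VAULT_KEY = b"demo-vault-key-not-for-production"

# The vault is the only store holding full PANs; the merchant application
# database keeps only the token and the masked form.
_vault = {}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject mistyped or malformed card numbers before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize(pan: str) -> str:
    """Replace a PAN with a keyed token. An unkeyed hash would be reversible by
    enumerating the ~10^15 possible numbers, so the token is an HMAC under VAULT_KEY."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    token = "tok_" + hmac.new(VAULT_KEY, pan.encode(), hashlib.sha256).hexdigest()[:24]
    _vault[token] = pan
    return token


def detokenize(token: str) -> str:
    """Only the payment component that holds the vault can recover the PAN."""
    return _vault[token]


def application_record(pan: str, holder: str) -> dict:
    """What the merchant's own database stores: no full PAN, so a leak of this
    table is not a leak of card numbers (Article 32 / PCI DSS scope reduction)."""
    return {"holder": holder, "pan_masked": mask_pan(pan), "token": tokenize(pan)}


if __name__ == "__main__":
    rec = application_record("4111111111111111", "A. Example")  # well-known test PAN
    print(rec, detokenize(rec["token"]))
```

The test PAN 4111111111111111 is a standard placeholder used by payment processors and is not a real account.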
8. Conclusion
The GDPR plays a key role in the fight against carding, providing tools for administrative penalties against companies that have caused data breaches and protecting the rights of victims. Key measures include large fines, corrective orders, and compensation for victims. However, for individual carders, the primary prosecution is through criminal law and international cooperation (Europol, Interpol). The combination of the GDPR with PCI DSS and PSD2 strengthens financial data protection, and new regulations for 2025 will expedite investigations. For educational purposes, it's important to understand that the GDPR isn't just about fines; it's also about creating a culture of data security, which reduces opportunities for carders.
Sources:
- Text of GDPR (Regulation (EU) 2016/679).
- Enforcement Tracker (enforcementtracker.com, data as of 2024).
- EDPB reports (edpb.europa.eu).
- Decisions of the CJEU (C-582/14, C-300/21, C-184/20).
- Directive 2013/40/EU on cybercrime.
- Europol News (europol.europa.eu, 2025).