Social engineering and GDPR data subjects’ rights
EU General Data Protection Regulation (GDPR) is now in full force since 25 May. By now, organizations should have evaluated their compliance as well as filled out any gaps in their processes and controls.
One of the key requirements from the regulation pertain to the data subjects’ rights, which include (among a few others) the right to obtain access or copy of personal data belonging to the data subject, right to rectify incorrect information and right to be forgotten. The organizations are required to respond to data subject rights’ related requests “without undue delay” and at the latest within one month (extendable up to two months in some circumstances), which puts pressure on having effective processes in place. The requirements to respond to requests regarding the rights of data subjects is a good thing for everyone concerned of their personal data, but they may also introduce information security risks, specifically from social engineering perspective.
Social engineering refers to the acts or means used to manipulate other people into performing actions, such as providing confidential information. Social engineering attacks have been increasingly an issue faced by organizations as well as individuals in the form of identity thefts, CEO scams and as means to gain initial foothold in company networks. In 2016, FBI estimated the cost of reported CEO, or “business e-mail”, scams alone to be more than $2.3 billion from October 2013 to February 2016. An effective attack typically starts with obtaining information of the targeted individuals to increase the credibility of the actual scam. Knowing that each company needs to respond to personal data related requests without undue delay may provide opportunities to obtain that information, for example, by impersonating a company employee or customer. This should of course be possible only if organizations do a poor job in handling these types of requests.
The key vulnerabilities with regards to data subject’s right requests are the following:
- The requester’s identity is not reliably verified making it possible for an attacker to perform requests on behalf of others, for example, by knowing the social security number or some other “convincing” identifying detail regarding the victim.
- The data provided by the organization is not standardized, but depending on the request may contain extraneous information about data subjects or useful clues about the target environment.
The resulting risk is that the company may disclose information about individuals, which would be considered a personal data breach and lead into regulatory action, or the information may be used to gain useful information to attack the organization, for example, in form of more effective CEO scams.
What could be done to mitigate against the risks? The following recommended steps should be considered, when designing end evaluating the processes for handling data subjects’ right requests:
- Ensure there is a controlled and systematic process in place to respond to data subjects’ right requests. Specifically, ensure that:
a) there is a reliable and effective way to verify the identity of the requester,
b) the information to be provided follows a standard format (so that there is no variation on the detail of information provided between different requests) and no unnecessary information about other individuals or the organization and the IT environment is disclosed,
c) the information is transferred in a secure way.
- Train your employees to ensure everyone who might be involved with handling the requests understands the process and the risks involved.
- Test your processes regularly to identify gaps in the processes or employee awareness and improve accordingly.
The risks described here are examples of information security related risks, which reach beyond traditional IT operations and may therefore be easily overlooked. Any change in the operating environment of organizations, regulatory or otherwise, always introduces risks that should be carefully evaluated from different perspectives, including the perspective of information security, and responded to in accordance with the company’s risk appetite.