Storage giant Seagate suffered exposure of the withholding-tax records of some 12,000 employees following a phishing attack.
At the time Seagate noted that there was no evidence that the information had been misused, also known as the absence-of-evidence defense.
Fast-forward a year or so, and the evidence has appeared.
As is usual in these cases, we have a combination of failures, such as:
- A single person could extract a large volume of PII to a file
- There was unthinking compliance with (what was thought to be) an order from above
- Files could be emailed outside the organization
What lessons does this hold for GDPR compliance?
- No one person should be able to extract a lot of PII
- Outgoing channels (attachments, USB ports) should be restricted, at least on machines of users with PII access
- A company’s employees are also its data subjects. You and your colleagues can be victims and have your lives turned upside-down by PII-driven identity theft. (In this case, even the data of employees’ spouses was compromised.)
We laugh at unsophisticated phishing attacks, such as the classic Nigerian prince, but this case shows a clever use of combined PII, as well as a methodical exploitation of the acquired data. A successful attack can be created with very little; in this case Seagate’s CEO was impersonated with nothing more than a spoofed display name (label) on the return email address.
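The display-name trick described above is cheap to pull off but also cheap to flag at the mail gateway. The following check is an added example written for this post, not code from Seagate or from the original article; the company domain, the executive names and the two sample messages are constructed. It flags an inbound message whose display name matches a known executive while the actual address (or a differing Reply-To) does not belong to that person.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed example data (hypothetical company and executives): the real
# mailbox of each executive whose name an attacker might put in a display name.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # hypothetical CEO
    "john roe": "john.roe@example.com",  # hypothetical CFO
}

def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def impersonation_findings(raw_message: str) -> list:
    """Return the reasons an inbound message looks like executive display-name
    impersonation; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = EXECUTIVES.get(_norm(display))
    if expected:
        # The display name claims to be an executive: the address must be theirs.
        if addr.lower() != expected:
            findings.append(f"display name '{display}' but address {addr} is not {expected}")
        if domain != COMPANY_DOMAIN:
            findings.append(f"executive name used from external domain {domain}")
    # A Reply-To pointing elsewhere is the other half of the same trick.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    return findings

# Constructed sample messages: one spoof, one genuine internal mail.
SAMPLE_SPOOF = """From: Jane Doe <ceo.office@mail-example.net>
Reply-To: Jane Doe <ceo.office@mail-example.net>
To: hr@example.com
Subject: W-2 copies for all employees

Please send me all 2015 W-2 forms as a single PDF today.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""
```

Pair this with a rule that any request for bulk PII is confirmed out of band, since a correctly spelled internal address can still be a compromised mailbox.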
My guess is that this email was targeted at a specific Seagate employee considered likely to have access to HR data. This implies that the thieves already had some information, such as the name and job function of the targeted employee, and were able to build a profile sufficient to zero in on a specific person.
The attack could have been even more sophisticated: for the fake email’s sender the thieves chose the head of the company, which was not the most convincing choice. Why would the CEO of a large company want thousands of W-2 forms? Surely he or she would not be handling such a task personally.
If the targeted employee had been suspicious and hesitated to comply, the attackers might have tried a different employee in the HR department, this time with the purported sender being a more plausible executive taken from the company’s web pages or from social media.
If I were the attackers I would have several employees lined up. If the first one didn’t reply within a short time, I would try a second one quickly, in case the first one had raised the alarm. The second target might reply before security could send out a warning and have it seen by the remaining targets.
My points here are:
- very little PII is needed for a tailored attack. Here, it appears to have consisted of first and last name, job function, and the name of the company CEO. All of these items might have been available on the web (that is, no data breach needed to get started)
- attackers can try several victims; it is important for employees who have suspicions to raise the alarm immediately
- once the alarm is raised, outgoing email should be suspended, in case other targets have not yet seen the warning
- the PII useful for a phishing attack is not confined to the PII of the data subject, but extends to peripheral information, like the names of the subject’s colleagues or superiors, and standard in-house email formats (which enable attackers to guess a victim’s email address from his or her name)
- publicly-available data (company web pages, social media) may provide data sufficient for a hand-crafted, convincing email
These thieves knew what PII they wanted and how to exploit it, filing false tax returns (I’m guessing that the PII was used to claim tax refunds, which would require bogus addresses, false identification, and other tools of organized crime), and were not afraid of being caught by the authorities for tax fraud; that is, they knew how to cover their tracks. They also had to move quickly enough to stay ahead of the police and countermeasures by the victims.
In light of what these thieves accomplished, it seems certain that they have the ability to build profiles of employees at targeted companies, matching fragmentary information (each element of which would be harmless by itself) into profiles specific enough for a phishing attack.