Phish in a Barrel: How Sensitive Data is Vulnerable to Email Breaches
As an immigrant to Canada, I have seen the process and the documentation required to get here: my entire life condensed into a folder, submitted to a consultant who validates everything and then submits it all to the IRCC (Immigration, Refugees and Citizenship Canada). That means a lot of deeply personal information is entrusted to a third party, and this article looks at how quickly a phishing attack on any business can put that sensitive information at risk.
I’d engaged an agency for eligibility and had started the process with them for Permanent Residence. I’d sent through a bunch of documentation, including my passport and other pertinent information like work and education history. A few weeks later, I received an email from the owner of the agency, whom I’d only seen in cc on my emails before, which was clearly a phishing email.
On checking, this had indeed come from their own email servers, so it was sent from his actual email address rather than by someone using a fake server to send on his behalf. That was an immediate tip-off that his mailbox had been compromised and that the contacts in his inbox were being emailed directly. The information in his inbox and outbox was therefore all compromised.
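The check described above, that a message really left the sender's own mail servers rather than a server impersonating them, comes down to reading the Authentication-Results header that the receiving server stamps on every message. The following is an added example, not code from the original article: it parses two constructed messages (the `.test` domains and addresses are invented placeholders) with Python's standard `email` library and reports whether SPF, DKIM and DMARC passed for the From domain. A phishing message that passes these checks for the sender's real domain points to a compromised mailbox; one that fails points to a spoof or lookalike.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): the receiving server's
# Authentication-Results header shows the mail left the sender's own domain.
GENUINE_ORIGIN = b"""Received: from mail.example-agency.test ([192.0.2.10])
\tby mx.recipient.test with ESMTPS id abc123
Authentication-Results: mx.recipient.test;
\tspf=pass smtp.mailfrom=example-agency.test;
\tdkim=pass header.d=example-agency.test;
\tdmarc=pass header.from=example-agency.test
From: Agency Owner <owner@example-agency.test>
To: applicant@recipient.test
Subject: Shared document

Please review the document I shared with you.
"""

# Constructed sample: same From address, but relayed by an unrelated server
# that cannot authenticate for the agency's domain.
LOOKALIKE_SPOOF = b"""Received: from relay.bulk-sender.test ([198.51.100.7])
\tby mx.recipient.test with ESMTP id def456
Authentication-Results: mx.recipient.test;
\tspf=fail smtp.mailfrom=bulk-sender.test;
\tdkim=none;
\tdmarc=fail header.from=example-agency.test
From: Agency Owner <owner@example-agency.test>
To: applicant@recipient.test
Subject: Shared document

Please review the document I shared with you.
"""


def authentication_summary(raw: bytes) -> dict:
    """Extract the From domain and the SPF/DKIM/DMARC verdicts from a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    summary = {"from_domain": from_domain, "spf": "none", "dkim": "none",
               "dmarc": "none", "dkim_domain": ""}
    for header in msg.get_all("Authentication-Results", []):
        # Clauses are ';'-separated; the first item is the authserv-id, not a result.
        for clause in str(header).split(";")[1:]:
            tokens = clause.split()
            if not tokens:
                continue
            method, _, result = tokens[0].partition("=")
            if method in ("spf", "dkim", "dmarc"):
                summary[method] = result.lower()
            if method == "dkim":
                for token in tokens[1:]:
                    if token.startswith("header.d="):
                        summary["dkim_domain"] = token.split("=", 1)[1].lower()
    return summary


def classify_origin(raw: bytes) -> str:
    """'authenticated-origin' when the From domain itself passed DMARC (via an
    aligned DKIM signature or SPF); otherwise 'unauthenticated-origin'."""
    s = authentication_summary(raw)
    dkim_aligned = s["dkim"] == "pass" and s["dkim_domain"] == s["from_domain"]
    if s["dmarc"] == "pass" and (dkim_aligned or s["spf"] == "pass"):
        return "authenticated-origin"
    return "unauthenticated-origin"


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_ORIGIN), ("spoof", LOOKALIKE_SPOOF)):
        print(label, classify_origin(raw), authentication_summary(raw))
```

Only trust the Authentication-Results header added by your own mail provider; an attacker can include a forged one in the message body headers, which is why providers strip or mark untrusted copies on receipt.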
A note at this point: I contacted them immediately and a professional breach management agency was brought in to contain the incident and put in place controls and mitigations.
How a phishing attack plays out:
Given the way this unfolded, it seems his mailbox was the first and only to be compromised, and I had not sent any information to him directly, which was a relief. It would also seem that his mailbox did not contain applicants’ information (phew), but was likely a very high risk for business confidential information for the agency itself.
In general, a phishing compromise such as this one plays out as follows. An email is sent to an individual at a company, either targeted or as part of a “spray and pray” campaign; that person clicks a link and is prompted by a fake login screen to enter the credentials for their email. That email and password combination is captured, and the attacker can then access the mailbox.
This is where trust and familiarity come in. What we often see in these attacks is that the contacts in the person’s inbox are then contacted, usually in an automated manner, with false invoices, purchase orders, or other fraudulent requests. Internally at the agency, other employees are contacted to get them to give up their passwords as well. This generally works well for the attacker, as employees tend to trust the source of the email and are less likely to apply a critical eye to it.
This is where it gets messy and a cascade effect occurs, compromising mailbox after mailbox in the same manner, and at the same time, stealing information from those mailboxes that may belong to clients and applicants.
(Thankfully, this was not the case in the instance I’m referring to as it was caught in time).
What’s the damage?
Well, part of responding to these attacks is to act quickly and remove the attacker’s direct access to the mailbox. It is, however, recommended to bring in a professional to do this, as there are often mailbox rules that have been added to silently forward or publish received emails (over RSS feeds) out to the attackers even after direct access is removed.
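Those silent forwarding rules are the thing to look for after a mailbox takeover, so the following added example (not code from the original article) shows the audit logic a responder would run over a mailbox's rules. The sample rules are constructed and shaped like the `messageRules` objects returned by the Microsoft Graph API (field names as documented, values invented); the organisation domain and the external addresses are placeholders. It flags any rule that forwards or redirects outside the organisation, notes when the same rule also hides the forwarded mail from the owner, and reports the suspiciously blank rule name attackers commonly use.

```python
import json

# Constructed sample: three rules in the shape of Graph "messageRules" output.
# Rule "." is the kind a mailbox intruder adds; "Old forward" is disabled but
# still worth reviewing.
SAMPLE_RULES_JSON = """
[
  {"displayName": "File invoices", "isEnabled": true,
   "conditions": {"subjectContains": ["invoice"]},
   "actions": {"moveToFolder": "placeholder-folder-id", "stopProcessingRules": false}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"subjectContains": ["password", "invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "collector@mail-drop.test"}}],
               "delete": true, "markAsRead": true}},
  {"displayName": "Old forward", "isEnabled": false,
   "actions": {"redirectTo": [{"emailAddress": {"address": "archive@personal-mail.test"}}]}}
]
"""

# Assumption: the agency's own mail domain(s); anything else is "external".
ORG_DOMAINS = {"example-agency.test"}

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_ACTIONS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")


def _addresses(recipients):
    """Pull plain addresses out of a Graph recipient list."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def audit_rules(rules, org_domains):
    """Return one finding per rule that sends mail outside org_domains."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external, reasons = [], []
        for action in FORWARD_ACTIONS:
            for addr in _addresses(actions.get(action)):
                if addr.rsplit("@", 1)[-1] not in org_domains:
                    external.append(addr)
                    reasons.append(f"{action} sends mail outside the organisation")
        if not external:
            continue  # internal-only rules are not what this audit is for
        if any(actions.get(a) for a in HIDING_ACTIONS):
            reasons.append("forwarded mail is also hidden from the owner "
                           "(delete/markAsRead/moveToFolder)")
        name = rule.get("displayName", "")
        if not name.strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
        enabled = bool(rule.get("isEnabled", True))
        findings.append({"rule": name, "enabled": enabled,
                         "severity": "high" if enabled else "medium",
                         "external_targets": external, "reasons": reasons})
    return findings


def audit_sample():
    """Run the audit over the constructed sample rules."""
    return audit_rules(json.loads(SAMPLE_RULES_JSON), ORG_DOMAINS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding["severity"].upper(), repr(finding["rule"]), finding["external_targets"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In practice the rules would be pulled for every mailbox in the tenant, not just the one known to be compromised, since the cascade described in the article means other mailboxes may have been quietly set up the same way.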
The damage? It depends on what’s in your inbox and sent items. Part of PIPEDA in Canada refers to the Real Risk of Significant Harm, or RROSH. This is a multi-part test comprised of the sensitivity of the information (passports, histories, and applications would all be sensitive) and whether the information could be expected to be misused (or worse, has been misused already). The more sensitive and the higher the likelihood of harm, the bigger trouble you’re going to be in from a regulatory standpoint, and the more danger your clients and applicants are going to be in from identity theft (which could have additional legal consequences for you in terms of class actions and other lawsuits).
Prevention is most certainly better than cure in this instance. You need to be considering your obligations under privacy laws and data protection to ensure your compliance and mitigation of legal action against you, and as part of that, you need to be serious about putting in modern and effective security measures, even if you are a small agency. As a lawyer friend of mine says frequently: “would you rather meet the guard railing on the mountain pass, or meet the ambulance at the bottom?”. A combined approach such as Bamboo’s GPS (Governance, Privacy, and Security) offering is greatly beneficial and a double-whammy in terms of hitting both bases.
Morals of the Story:
Cyber security across the business is vitally important. Gone are the days when you could rely on your antivirus tool and the hope that you’re “too small to matter”. The fact that you’re smaller in the market, if anything, likely makes you a bigger target, as attackers are aware that smaller agencies likely have fewer controls in place. Modern problems require modern solutions.
Multi-factor or password-less authentication, available on Microsoft 365 and Google Workspace (the only email options you should be considering), should be enabled, and in the above case would have likely stopped the compromise in its tracks. You need to safeguard your email and keep it close to your heart, because in reality, it probably contains the “keys to the kingdom” within sent items and inboxes.
Privacy regulators (such as the federal OPC or provincial regulators) pay far more attention when you have potentially sensitive information. In the immigration game, you have more sensitive information than most corporate organizations! You’ve got to put a program in place. It’s well documented in the privacy industry that regulators look far more favourably on organizations that are at least trying to do the right thing than on organizations that exhibit inaction or ignorance of the requirements.
You may not only be subject to Canadian law. While the risk is not huge that you’re going to get an enforcement order, if you’re dealing with EU residents’ data, you may be subject to those laws. Similarly, other global laws may also be extraterritorial, and you could be hit with enforcement actions if people complain, you have a breach that’s exposed, or as we’re starting to see, the attackers decide to report you to the regulators themselves after they have compromised you.
Have your Ghostbusters on speed-dial. Know who you are going to call. If you have cyber insurance (hint hint, this is a good idea), they will likely have a hotline that will give you access to a breach coach and various agencies for containment. If you don’t have this insurance, then you want to have some form of expertise in-house or, more likely, with an external agency that can offer governance advice before the fact and/or breach coaching after an incident happens. In either circumstance you don’t want to waste time, so you need to have arranged this before an incident happens.
In closing:
This was an example involving an immigration agency, but the fact is that if you’re in any business-to-consumer style organization, all of the above likely applies to you: the same risks, the same challenges, and in many cases sensitive personal information of different kinds. You can’t manage what you can’t see, and a risk assessment of your organization should be a requirement for any company taking its data seriously.