The EU General Data Protection Regulation (GDPR) has been in full force since 25 May. By now, organizations should have evaluated their compliance and filled any gaps in their processes and controls. One of the key requirements of the regulation pertains to the rights of data subjects, which include (among a few others) the right to obtain access to, or a copy of, the personal data belonging to the data subject, the right to rectify incorrect information and the right to be forgotten. Organizations are required to respond to requests related to these rights “without undue delay” and at the latest within one month (extendable up to two months in some circumstances), which puts pressure on having effective processes in place. The requirement to respond to requests regarding the rights of data subjects is a good thing for everyone concerned about their personal data, but it may also introduce information security risks, specifically from a social engineering perspective.
Social engineering refers to the acts or means used to manipulate other people into performing actions, such as providing confidential information. Social engineering attacks have increasingly been an issue faced by organizations as well as individuals, in the form of identity theft, CEO scams and as a means of gaining an initial foothold in company networks. In 2016, the FBI estimated the cost of reported CEO, or “business e-mail”, scams alone to be more than $2.3 billion from October 2013 to February 2016. An effective attack typically starts with obtaining information about the targeted individuals to increase the credibility of the actual scam. Knowing that every company must respond to personal data related requests without undue delay may provide opportunities to obtain that information, for example, by impersonating a company employee or customer. Of course, this should only be possible if organizations do a poor job of handling these types of requests.
The key vulnerabilities with regard to data subject rights requests are the following:
The resulting risk is that the company may disclose information about individuals, which would be considered a personal data breach and lead to regulatory action, or that the disclosed information may be used to attack the organization, for example, in the form of more effective CEO scams.
What can be done to mitigate these risks? The following recommended steps should be considered when designing and evaluating the processes for handling data subject rights requests:
The risks described here are examples of information security risks that reach beyond traditional IT operations and may therefore be easily overlooked. Any change in the operating environment of an organization, regulatory or otherwise, introduces risks that should be carefully evaluated from different perspectives, including that of information security, and responded to in accordance with the company’s risk appetite.
Written by Joonas Sundberg