Phishing attacks can be a daily threat to everyone both in their personal and professional lives. The fact that a successful phishing attack can compromise an account and force a password reset is well-known. Here, we’ll be talking about how phishing threatens an organization’s compliance with regulations designed to protect the sensitive information under their care.
A Brief Introduction to Data Protection Regulations
Laws and regulations have been around for quite some time to protect personal information in certain fields (healthcare, finance and more). When the EU’s General Data Privacy Regulation (GDPR) came into effect in May, the bar for data protection was raised for many organizations. For those who may not be familiar with what data is protected in certain industries, this section provides a brief introduction to the data protection regulations known as GDPR, HIPAA and PCI DSS.
The General Data Protection Regulation (GDPR) is a regulation recently enacted by the European Union. Its purpose is to protect the privacy of EU citizens by setting out clear requirements and penalties for organizations processing the personal data of EU citizens. The regulation applies to any organization storing, processing, or transmitting EU citizens’ personal data, not just those located within the EU.
According to Article 4 of the GDPR, an individual’s personal data is “any information relating to an identifiable or identified natural person.” In other words, GDPR covers any data that can be used to uniquely identify someone either on its own (name, email address, phone number, home address and so forth) or through aggregation (e.g., gender, ethnicity, birth date and so on).
Under GDPR, an organization is liable to be fined up to 4% of global revenue or 20 million Euros (whichever is larger) for a personal data breach. A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The GDPR also requires that organizations report a breach to the appropriate authorities within 72 hours of discovering it (with failure to do so also being grounds for a fine).
The Health Insurance Portability and Accountability Act (HIPAA) is a United States regulation affecting anyone who provides healthcare services (covered entities) and any vendors or subcontractors of healthcare providers (business associates). The purpose of HIPAA is to protect patients’ personal information from being breached.
The information protected by HIPAA is not limited to the data stored in a patient’s medical record. Other protected information includes:
- Any conversations between the patient and their healthcare provider regarding their treatment
- A patient’s billing information
- All medical information stored by the patient’s health insurance provider
Failure to comply with HIPAA requirements can cost organizations a maximum of $50,000 per breach, with a yearly maximum of $1.5 million.
The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect the personal information of credit and debit card users. Under PCI DSS, organizations are allowed to store, and required to protect, the user’s primary account number, name, service code and card expiration date. They are not permitted to store the full magnetic stripe data, the CVC or the PIN. Penalties for PCI DSS non-compliance can range from $5,000 to $100,000 per month.
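As an added illustration of the storage rule just described (example code written for this page, not from the PCI Security Standards Council), the audit below checks a stored card record for the elements PCI DSS forbids keeping and flags a primary account number that is still readable. The field names and the sample records are assumptions constructed for the example.

```python
import re

# Elements the page says an organization may store (and must protect) versus
# elements it may never store. Field names are assumed for this example.
ALLOWED_FIELDS = {"pan", "cardholder_name", "service_code", "expiry"}
PROHIBITED_FIELDS = {"track_data", "cvc", "pin"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check, as a real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_plaintext_pan(value: str) -> bool:
    """A readable PAN is 13-19 digits (spaces/hyphens allowed) that satisfy Luhn.
    Masked ('411111******1111') or tokenized values fail this test."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def audit_card_record(record: dict) -> list:
    """Return a list of PCI DSS storage findings for one stored record."""
    findings = []
    for field in sorted(PROHIBITED_FIELDS & record.keys()):
        findings.append(f"prohibited field stored: {field}")
    pan = record.get("pan")
    if isinstance(pan, str) and is_plaintext_pan(pan):
        findings.append("pan stored in readable form; it must be rendered unreadable")
    for field in sorted(record.keys() - ALLOWED_FIELDS - PROHIBITED_FIELDS):
        findings.append(f"unexpected field stored: {field}")
    return findings


# Constructed sample records (the PAN below is a well-known test number, not a real card).
BAD_RECORD = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
              "expiry": "12/29", "cvc": "123", "track_data": "%B4111...^DOE/J^2912...?"}
GOOD_RECORD = {"pan": "411111******1111", "cardholder_name": "J. Doe",
               "expiry": "12/29", "service_code": "201"}

if __name__ == "__main__":
    for name, rec in (("bad", BAD_RECORD), ("good", GOOD_RECORD)):
        print(name, audit_card_record(rec) or ["no findings"])
```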
When Phishing Meets Regulations
Most people have heard of phishing attacks and are familiar with the fact that they are a popular attack vector among hackers. By drilling down into specific types of phishing attacks, it’s possible to see which types of attacks are most likely to get an organization in trouble with different regulations.
Business Email Compromise (BEC)
Business Email Compromise (BEC) attacks are a specific type of spearphishing attack. In a BEC attack, the phisher masquerades as an authority figure within the organization (such as a C-level executive or VP). The recipient of the email is typically someone with access to data of value to the attacker. For example, an attacker may masquerade as the CEO or the head of the Finance department and request employees’ W-2 tax information from a member of that department. The potential impact of these attacks is immense, since W-2 forms provide all of the information an attacker needs to commit identity theft.
Business Email Compromise scams can be designed to provide phishers with a variety of different types of information. Depending on the information breached, these attacks could render an organization non-compliant with each of the regulations described above.
GDPR protects all personally identifiable information of EU citizens. A few example pretexts that would violate GDPR include:
- The example described above requesting employee tax information
- A request from the “Head of HR” for the mailing list for a new advertising pitch
- An “IT manager” asking for contact information for a customer to follow up on a complaint
- A “software developer” looking for a list of beta testers for the newest product release
BEC scams can also result in a breach of information protected by HIPAA. Some examples include:
- An “auditor” performing customer service quality assurance requesting phone recordings from a physician’s office staff
- A healthcare provider’s “billing services” confirming billing information for a patient
Finally, anything that results in the leak of a customer’s credit information is covered by PCI DSS. A phisher could use several different pretexts including:
- Correcting invalid billing information for a customer
- An “IT help desk worker” needing to troubleshoot an issue on Point-of-Sale systems
The threat of a BEC compromise is therefore not limited to direct financial and legal impacts. The breach of certain types of information may also result in an organization being penalized for improper protection of personal information.
Credential harvesting attacks are designed to allow a phisher to steal a user’s login credentials for a high-impact site. Depending on the pretext, this can land an organization in trouble with different regulatory authorities. Some ways in which credential harvesting could result in a reportable breach include:
- Loss of email credentials for an account used for marketing campaigns
  - Email addresses are protected under GDPR
- Loss of banking credentials giving access to account history
  - Patient billing information is protected under HIPAA
  - Customer payment card information is protected under PCI DSS
People have accounts on a variety of sites that can touch many different types of data. If a user account has access to protected data, compromise of that account’s credentials (either directly or because they’re reused on an account that is compromised) can cause a breach and incur regulatory penalties.
Phishing emails are one of the primary means of delivering and installing malware on users’ computers. The potential regulatory impact of a malware infection depends on the type of malware delivered to the system:
- Data Exfiltrators: Potential loss of data and credentials stored on the system
  - Potential violation of GDPR, HIPAA and PCI DSS
- Network Listeners: Identification of IP addresses of customers
  - IP addresses can be used to identify a person and are protected under GDPR
- Point-of-Sale Malware: Potential theft of payment card information from the infected system
  - Violation of PCI DSS
- Ransomware: Loss of data on the compromised system
  - Violation of GDPR (“accidental or unlawful destruction” of personal data)
- Remote Access Toolkits: Potential loss of all data and credentials on the system and use of the infected system to compromise other systems
  - Potential violation of GDPR, HIPAA and PCI DSS
These are only some of the types of malware that can have regulatory impacts for an organization. If a compromised computer ever has the ability to touch protected information, there is the potential for a breach that puts an organization out of regulatory compliance.
Understanding the Impact of Phishing on Regulatory Compliance
Phishing attacks are a common part of life, and most people have the training and knowledge necessary to protect against them. However, phishing attacks continue to be effective simply because security often takes a back seat to efficiency and usability.
Organizations and individuals need to realize that the impact of a phishing attack can be far more than the need to change a password or check an account for anomalous activity. Most personal information is protected by some regulation and the effects of a successful phishing attack may be invisible (like stealing the contacts list of a compromised email account). However, even these “invisible” attacks can land an organization in regulatory hot water if the effects of the breach are ever discovered or publicized.
Art. 4 GDPR, Intersoft Consulting
Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties, The Health Law Firm
PCI Data Storage Do’s and Don’ts, PCI Security Standards Council