Introduction
This whitepaper will explore the PSNI Data Breach which demonstrates the legal protocols involved in protecting and making relevant information freely available, as well as the repercussions of failing to adhere to these legal procedures. It will also explore the dangers of social engineering attacks and emphasise the importance of social engineering awareness training programs.
On Tuesday, 8th of August 2023, the Police Service of Northern Ireland (PSNI) was exposed to a data breach which affected over 10,000 officers and staff. The data breach occurred due to a spreadsheet that was accidentally uploaded online and included the following information in a hidden table:
- Initials and surnames of every employee.
- Rank and grade of employees
- Work location of each individual
- Duty type
According to the PSNI, the data was published in response to a Freedom of Information request which will be discussed further below. As a result, the Chief constable Simon Byrne has resigned, and the recovery costs were calculated at up to £240 million for extra security for officers and potential legal action.
Spreadsheets and why they are Insecure
Spreadsheets are used in many companies to store information about employees and perform calculations, however, they can often facilitate information disclosure due to a lack of access controls and ease of distributability. This lack of built-in security means that spreadsheets are generally only as secure as the systems and channels used to store and distribute them. Insecurities in these solutions, may permit unauthorised access to internal data.
In addition, some of the built-in protections in Excel, may provide a false sense of security, for example ‘Workbook / worksheet password protection’ can be bypassed with relative ease, and is only intended as an obfuscation / convenience feature, rather than a dedicated security feature. Excel’s built-in file encryption functionality on the other hand, which is intended to be a security feature, (but is often confused with the former) provides the ability to apply symmetric encryption, however, this is only as strong as the password assigned by the user. Microsoft currently enforces zero complexity requirements for these passwords making dictionary and password guessing attacks feasible exploitation vectors for malicious actors.
Freedom of Information Act
The Freedom of Information Act 2000 allows information held by public authorities to be accessed publicly. The Act permits individuals to request information held by public authorities including but not limited to the NHS, government departments, state schools and police forces. Requests for information made under this Act may include computer files, emails, and letters and the objective is to improve transparency in government operations, providing citizens with insight into the utilization of public resources.
The key aspects of the FOIA are as follows:
- Right to Access Information: As mentioned above, the act allows individuals to access information held by public authorities such as the NHS, state schools, etc.
- Request Process: A formal written request is submitted to the appropriate authority.
- Public Disclosure: After a request is submitted, public authorities can only publish the information that is requested and is permitted by the Act.
- Exemptions: Although the FOIA aims for transparency, some information such as national security, personal privacy, law enforcement and commercially sensitive information should still be protected.
- Appeals: Appeals about decisions made by public authorities can be made by individuals.
How Does the Freedom of Information Act affect Data Protection
While the Freedom of Information Act enables information held by public authorities to be accessed publicly, the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, exist to regulate the handling of personal data; and include the right for individuals to access their personal data. Both FOIA and the DPA 2018 are found under the heading of “Information Rights” and are regulated by the Information Commissioner’s Office (ICO).
When an individual requests for information which includes personal data of another individual, it is important to find a balance between transparency and openness under the FOIA against the individual’s right to privacy under the DPA 2018. Information requests will be approved so long as they do not violate the DPA. If there is a conflict between the FOIA and the DPA, the DPA will take precedence and information will be withheld.
HSocial Engineering Awarenesss
The PSNI data breach appears to be caused by human error, and one possibility is that the individual at fault may have been a victim of a targeted social engineering attack. Familiarity, with common social engineering attack vectors, and exposure to social engineering awareness training programs may have prevented the PSNI disclosure
Below are some common social engineering techniques and examples with reference to Cialdini’s principles of persuasion and Gragg’s psychological triggers to describe how they influence behaviour:
- Phishing: This technique usually involves an attacker including malicious links within emails pointing to an illegitimate website which mimics the legitimate site to trick users into entering sensitive information. The following two principles from Gragg’s psychological triggers are often deployed under this technique:
- Strong affect – Produces a heightened emotional state in the victim disrupting normal logical thinking. In phishing this will usually be caused by invoking a sense of urgency.
- Authority: Humans have evolved so that they can quickly identify people in positions of authority; however, this process can be easily misled, allowing people who disguise themselves as holding such positions to pass as real authority figures. This vulnerability is made even more powerful by the fact that it is considered a violation of social norms to verify the validity of an authority figure. – (Questioning the authority is discouraged.) Social engineers will use impersonation to emulate a position of power in order to obtain compliance to illegitimate requests.
- Tailgating: This technique exploits the goodwill of an individual who may provide physical workplace access to someone else within close proximity who purports to be a legitimate employee. This basic mannerism of ‘holding the door open’ for someone else has led to countless unauthorised premises access. Social engineers can use the psychological tactic of ‘reciprocation’ as humans are wired to return favours and by nature, they feel obliged to provide back.
- Impersonation on social media: If an employee is browsing through social media and posting material that indicate where they work, an attacker could pose as that employee using their information that was shared on social media and potentially steal their identity. Another way of posing as a legitimate authority in person would be over the phone or via text. The same principle of ‘Authority’ is used in this technique, also known as Cialdini’s Principle of Authority. This means that individuals who are authoritative, can be more persuasive.
The most effective precaution against the above techniques, and others, is to educate all employees through security awareness training programs so that they can identify social engineering attempts and respond accordingly.
Conclusion
This incident involved an incorrect handling of a Freedom of Information request, whereby the Data Protection Act was not properly followed / considered, resulting in the disclosure of sensitive employee data, which should otherwise have been protected. In order to comply with the General Data Protection Regulation and Data Protection Act the affected employees would have needed to give their consent to have the included information publicised.
While unconfirmed, the disclosure might stem from a social engineering attack; and given the legal, financial, ethical, and reputational consequences of such incidents, organisations should be encouraged to proactively educate their staff through social engineering awareness training programs. Furthermore, sensitive information should always be stored in a secure manner with adequate encryption both at rest and during transit.
References
- https://www.oracle.com/uk/business-analytics/spreadsheet-risks/
- https://www.ukauthority.com/articles/ico-tells-public-authorities-to-stop-using-spreadsheets-in-foi/#:~:text=After%20several%20recent%20personal%20data,advisory%20notice%20to%20that%20effect.
- https://www.infosecurity-magazine.com/news/privacy-regulator-orders-end/
- https://ico.org.uk/for-organisations/foi-eir-and-access-to-information/guide-to-freedom-of-information/what-is-the-foi-act/
- https://www.nelsonslaw.co.uk/freedom-information-data-protection-act/
- https://blog.usecure.io/employee-social-engineering
- https://www.gov.uk/government/speeches/secretary-of-states-speech-psni-data-breach
- https://www.proofpoint.com/au/threat-reference/social-engineering
- https://www.giac.org/paper/gsec/2082/social-engineering-attacking-weakest-link/103563