Private investigators, said to be working on behalf of credit unions in Ireland, didn't need to be social engineering experts in order to convince staff at the Department of Social Protection (DSP) and other government agencies to hand over personal information on citizens.
According to an investigation by the Irish Independent, the PIs were tracing agents who provided the questionably collected details – including names, addresses, and social welfare information – to the credit unions for a lucrative fee.
The Irish Independent confirmed that 468 credit union customers were cross-checked by the Office of the Data Protection Commissioner (ODPC) in Ireland, along with the Department of Social Protection, due to fears that their personal information was compromised.
As it turns out, only 78 of them were confirmed to be part of this scheme, which according to the ODPC is 78 too many.
After just one phone call from a PI pretending to be a state official, the DSP handed over "reams of personal data from officials in the country's biggest-spending department" and not once were the PIs required to prove who they were.
"All the private investigators had to do was ring up and say they were State officials," the Irish Independent report explained.
However, the Irish League of Credit Unions (ILCU) said that the credit unions, which were paying the PIs for their information, were not aware that the data was collected using questionable means.
"If this was being done, it was without the credit unions' permission or knowledge. Credit unions would not knowingly employ any company who use illegal tactics and we certainly do not in any way condone the use of securing information by illicit means," a statement from the ILCU said.
Even if that's the case, it doesn't excuse the poor PII protection. The two DSP officials that were targeted by the PIs were given written warnings, and no other punishment.
According to the Irish Independent report:
"In one scenario, the agent said he worked for a state agency in Northern Ireland. In another example, an agent phoned the same civil servant on a regular basis and requested the addresses of customers and their spouses.
"She [the agent] only offered her first name and said she was working on behalf of a state body involved in the education sector. In both cases, the private investigators managed to convince the department officials that they were legitimate agents of the State. Armed with the information they required, the investigators provided it to at least 12 credit unions in return for a sizable fee."
The ODPC is said to be focusing its investigation on the PIs rather than the credit unions.
"It is a criminal offense under data protection legislation for a person to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose it to another person," a statement from the commissioner said, noting that the DSP had been cooperating with their investigation.
"The Data Protection Commissioner has commenced prosecution proceedings in the District Court against some private investigators who are suspected of breaches of the Data Protection Acts."
Again, while the ODPC is working the right side of the investigation, the episode shows that the DSP had serious gaps in its data protection policy: a caller's claim to be a state official was accepted without any verification.
The DSP says they have extensive audit records on data access, as well as rigorous data protection and information security policies, standards, and procedures in place. Employees are supposed to be trained regularly with regard to policy and data protection requirements.
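Audit records of the kind the DSP describes are only useful if someone looks at them for the pattern the report describes: one staff account answering repeated phone requests and pulling up address records for many unrelated customers without ever verifying the caller. The script below is an added example, not code from the article or from the DSP; it assumes a constructed log format (timestamp, staff id, customer id, channel, whether the caller's identity was verified) and flags any staff account whose unverified phone-channel lookups of distinct customers exceed a threshold inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real DSP data). One lookup per line:
# timestamp  staff_id  customer_id  channel  caller_verified
# staff_a answers a run of unverified phone requests; staff_b and staff_c do not.
AUDIT_LOG = """\
2012-03-05T09:12:00 staff_a C1001 phone no
2012-03-05T09:14:00 staff_a C1002 phone no
2012-03-05T09:20:00 staff_a C1003 phone no
2012-03-05T09:25:00 staff_a C1004 phone no
2012-03-05T09:31:00 staff_a C1005 phone no
2012-03-05T09:40:00 staff_a C1006 phone no
2012-03-05T16:00:00 staff_a C1007 phone no
2012-03-05T10:05:00 staff_b C2001 phone no
2012-03-05T10:10:00 staff_b C2002 counter yes
2012-03-05T10:30:00 staff_b C2003 phone yes
2012-03-05T11:00:00 staff_b C2004 phone no
2012-03-05T13:00:00 staff_c C3001 phone yes
2012-03-05T13:05:00 staff_c C3002 phone yes
2012-03-05T13:10:00 staff_c C3003 phone yes
2012-03-05T13:15:00 staff_c C3004 phone yes
2012-03-05T13:20:00 staff_c C3005 phone yes
"""


def parse_audit_log(text):
    """Parse the hypothetical whitespace-separated audit format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, staff, customer, channel, verified = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "staff": staff,
            "customer": customer,
            "channel": channel,
            "verified": verified == "yes",
        })
    return records


def find_unverified_bulk_lookups(records, window_minutes=60, threshold=5):
    """Return {staff_id: [customer_ids]} for accounts that looked up at least
    `threshold` distinct customers for unverified phone callers within any
    `window_minutes` window. Verified or in-person lookups are ignored."""
    by_staff = defaultdict(list)
    for r in records:
        if r["channel"] == "phone" and not r["verified"]:
            by_staff[r["staff"]].append(r)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for staff, rows in by_staff.items():
        rows.sort(key=lambda r: r["ts"])
        left = 0
        hits = set()
        # Two-pointer sliding window over this account's unverified lookups.
        for i, row in enumerate(rows):
            while row["ts"] - rows[left]["ts"] > window:
                left += 1
            in_window = {r["customer"] for r in rows[left:i + 1]}
            if len(in_window) >= threshold:
                hits |= in_window
        if hits:
            flagged[staff] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for staff, customers in find_unverified_bulk_lookups(parse_audit_log(AUDIT_LOG)).items():
        print(f"{staff}: {len(customers)} unverified phone lookups -> {customers}")
```

The threshold and window are tuning knobs: a front-line team that legitimately handles many calls needs a higher threshold, whereas any lookup with `caller_verified == no` could reasonably be made a finding on its own if policy requires call-back verification before disclosure. The useful signal is the combination of volume, distinct customers and the absence of a recorded verification step, which is exactly the pattern the report describes.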
"The bottom line is that user activity causes a large majority of breaches and gaps," said Alex Moss, managing partner at Conventus, when asked his thoughts on user awareness training.
"No one wants to do training in a company, much less IT, much less security training. Although compliance extends from a need, many who undertake compliance training are simply looking for a checkbox. So when you train, you need to make sure people understand what they are trying to learn."
The only way to help them learn is to communicate impact, Moss says.
Organizations have to spell out the real impact of a lapse, such as how a breach of data or protocol can lead to a loss of net income, the financial burden of fines, or in the worst case the loss of people's jobs, without resorting to fear tactics.