Skip to main content

Exposed Personal Information

dave herder
  • Updated

In this article:

    Description

    Social engineering attacks are significantly more damaging when malicious parties use them to expose personal information. For example, security questions to reset account passwords, or to recover accounts that require personal information. Additionally, it’s easier for hackers to impersonate employees to gain higher-level access. Please note that SecurityScorecard only sees the categories of information associated with exposure. For privacy reasons, affected user names are only visible to the Administrator of the respective account and are not displayed for other scorecards than you follow.

    The risk is that personal information for individuals associated with employee emails were exposed.

     

    How is this issue discovered?

    If personal information was leaked, but not passwords, then an issue will show up in this category. If password credentials were found in the leak, then this issue may show up in a related issue type, Credentials at Risk.

     

    Remediation

    It is not feasible to remove leaked information from the internet, so preventative mitigation against social engineering attacks is recommended. Ensure that:

    • Employees have regular cyber security awareness training.
    • Employees receive periodic, unannounced tests, such as simulated social engineering attacks.
    • Protocols are established for handling sensitive information.

     

    How can this issue be resolved?

    Follow the resolution process, and select the applicable resolution:

    • I have fixed this:
      • We removed the email(s) from the network and replaced the email handle.
      • We reset employee credentials and notified them of the change.
      • Advisement of usage of corporate emails on third party sites, security awareness training was administered and credentials have been changed.
      • The email(s) are no longer working for the company.
      • Email handle has been disabled until further notice.
    • I have a compensating control:
      • The affected users do not work at the company anymore.
      • The organization provides training for employees on security protocols relevant to their position.
      • The organization has standard security frameworks and protocols, including:
        • Making sure staff get regular training in data security
        • Only letting people have access to personal information if they need it for their job
        • Having a response plan in the event of a threat to data security
      • Multistep login processes in place, such as multifactor authentication.
      • Password policies or password management tools, such as  1password, are in place (Please indicate how this is enforced.).

      • The organization performs unannounced, periodic tests of the security framework.

      • The organization instills an awareness of, and resistance to, tricks or traps by testing employees with simulated social engineering attempts.

    • This is not my IP or domain.
      • The email handle is not of our company.
    • I cannot reproduce this issue and I think it’s incorrect.
      • This user has never been part of the company.

    Related articles