Navigating Business Email Compromise Responses, From Data Mining to Notification

Email has long been the pervasive vehicle for corporate communications. Until recently, corporate email has been powered by network infrastructure, housed primarily in on-premise servers.

Over the past few years, however, cloud-hosted email platforms have disrupted that paradigm, and the corporate migration toward cloud-based email over the last 12-18 months has exposed a new class of data breach vulnerability, one that previously existed only within the company’s physical infrastructure. We describe it below.

Business Email Compromise
Business Email Compromise (BEC) is among the most common data breach tactics in our world today. In 2017, a staggering 77% of companies fell victim to a BEC scheme.

In a traditional network or server breach, response teams can identify the exact data that has been compromised and automatically generate a notification list to alert individuals impacted by the breach. When a cloud-based email platform is compromised, response protocols are much different. 

First, forensic investigators must pinpoint, with precision, which accounts were compromised, to what extent, and during what time period. What they often cannot identify is the value or worth of the data that exists within the compromised emails and, more importantly, within the attached documents. 

As a result, breach response teams are now charged with mining, reviewing, and culling data from compromised emails and attachments to identify all affected parties and execute comprehensive notification programs.

Data Mining + Management
The manner in which data is mined and managed following a cloud email breach is driven largely by the scope of the breach, industry regulations, and regulatory timelines.

First, breach response professionals must evaluate the data landscape to determine if existing records are accurate and current. They must understand both the volume and complexity of data within the targeted emails and assess whether they are likely to encounter duplicate information in multiple locations. Finally, they’ll consider what data is necessary to launch a notification program that satisfies company, industry, and regulatory guidelines.

Because cloud-based email systems typically contain large volumes of data, breach response stakeholders must define how inclusive or exclusive the data mining process should be, a decision that impacts the response program’s cost. A more inclusive approach is likely to return more voluminous, detailed results – necessary in some but not all matters. 

The data landscape and inclusivity requirements will, ultimately, inform the entire scope of the breach response, helping breach professionals determine appropriate staffing levels and resource allocation. 

Document Review + Deduplication
In the majority of matters involving cloud-based email compromise, manual and technology-assisted document review is critical to reduce data and build accurate notification lists. 

Documents housed within email attachments often hold valuable data identifying affected individuals. However, at the outset, it can be difficult to quantify how many attachments exist, in how many formats, and whether they contain privileged information. Document review is key to accurately identifying all pertinent records.

Beyond document review, response teams must find and eliminate identical records for individuals appearing in multiple locations, in a process called deduplication. Advanced analytics and filtering technology enables breach response teams to identify duplicate records, roll up information, and automatically cross-check final data sets against SQL databases or company records to confirm accuracy. In some complex matters, deduplication can be a 12-layer process.
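The deduplication and roll-up step described above, as an added example that is not part of the article or of any vendor's tooling: rows found during document review (one per person per data element per attachment) are normalised, collapsed into one record per individual, and then cross-checked against a stand-in for the company's master records. All hits, names, addresses and the master record set are constructed sample data.

```python
"""Added example: deduplicate review hits from compromised mailbox attachments,
roll up the data elements exposed per individual, and cross-check the result
against company records. Every record below is constructed sample data."""
import re

# Constructed sample: one row per hit found during document review.
EXTRACTED_HITS = [
    {"name": "Jane Q. Doe", "email": "Jane.Doe@example.com", "data_element": "SSN", "source": "msg0012/payroll.xlsx"},
    {"name": "jane doe", "email": "jane.doe@example.com", "data_element": "Date of birth", "source": "msg0031/benefits.pdf"},
    {"name": "JANE DOE ", "email": "jane.doe@example.com ", "data_element": "SSN", "source": "msg0040/payroll.xlsx"},
    {"name": "John Smith", "email": "", "data_element": "Bank account", "source": "msg0055/wires.csv"},
    {"name": "John Smith", "email": None, "data_element": "Bank account", "source": "msg0056/wires.csv"},
    {"name": "Ana Müller", "email": "ana.mueller@example.org", "data_element": "Driver's license", "source": "msg0071/hr.docx"},
]

# Constructed stand-in for the company's HR/customer master records.
COMPANY_RECORDS = [
    {"employee_id": "E1001", "name": "Jane Doe", "email": "jane.doe@example.com"},
    {"employee_id": "E1002", "name": "John Smith", "email": "john.smith@example.com"},
]


def normalize_email(value):
    """Trim and lower-case; None/empty becomes '' so it never forms a key."""
    return (value or "").strip().lower()


def normalize_name(value):
    """Case-fold, drop punctuation and single-letter initials, collapse whitespace."""
    text = re.sub(r"[^\w\s]", " ", (value or "").casefold())
    parts = [p for p in text.split() if len(p) > 1]
    return " ".join(parts)


def person_key(hit):
    """Prefer the e-mail address as identity; fall back to the normalised name."""
    email = normalize_email(hit.get("email"))
    if email:
        return "email:" + email
    return "name:" + normalize_name(hit.get("name"))


def dedupe_and_rollup(hits):
    """Collapse every hit for the same individual into one record listing all
    data elements exposed and every attachment the individual appeared in."""
    rolled = {}
    for hit in hits:
        rec = rolled.setdefault(person_key(hit), {
            "names": set(), "email": normalize_email(hit.get("email")),
            "data_elements": set(), "sources": set()})
        rec["names"].add(hit["name"].strip())
        rec["data_elements"].add(hit["data_element"])
        rec["sources"].add(hit["source"])
    result = []
    for key, rec in rolled.items():
        result.append({
            "key": key,
            "name": max(rec["names"], key=len),  # keep the most complete spelling seen
            "email": rec["email"],
            "data_elements": sorted(rec["data_elements"]),
            "sources": sorted(rec["sources"]),
        })
    return sorted(result, key=lambda r: r["key"])


def cross_check(rolled, company_records):
    """Match each rolled-up individual to a master record by e-mail, or by name
    when the attachments carried no address. Unmatched records are flagged for
    manual review rather than silently dropped from the notification list."""
    by_email = {normalize_email(r["email"]): r for r in company_records}
    by_name = {normalize_name(r["name"]): r for r in company_records}
    for rec in rolled:
        match = by_email.get(rec["email"]) if rec["email"] else by_name.get(normalize_name(rec["name"]))
        if match is None:
            rec["status"], rec["employee_id"] = "unmatched", None
            continue
        rec["status"], rec["employee_id"] = "matched", match["employee_id"]
        if not rec["email"]:  # fill in the contact address the attachments lacked
            rec["email"] = normalize_email(match["email"])
    return rolled


if __name__ == "__main__":
    for rec in cross_check(dedupe_and_rollup(EXTRACTED_HITS), COMPANY_RECORDS):
        print(rec["status"], rec["name"], rec["email"], rec["data_elements"], len(rec["sources"]), "sources")
```

Keying on the normalised e-mail address first and the normalised name only as a fallback is a deliberate choice: two different people can share a name, but in a corporate mailbox an address is a far stronger identifier. The "unmatched" status is what feeds the manual-review queue the article mentions; a real multi-layer deduplication would add further passes (postal address, employee ID, date of birth) on the same pattern.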

Interestingly, in most matters, notification timelines are not extended to account for the substantial time required to complete document review and deduplication.

In the event of an email data breach, all parties directly or indirectly affected must be notified within a timeframe that satisfies regulatory obligations. 

Depending on the industry, some courts require detailed accounts of notification and outreach activities, so it is crucial that all data files and notification documents have been scrubbed of protected information and redacted prior to entering the public record.

When delivering notice via email, keep in mind the prevalence of BEC schemes and take measures to ensure all sensitive or privileged information, such as social security numbers or credit card information, has been removed prior to circulation.
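A pre-circulation check of the kind the paragraph above calls for, as an added example that is not from the article: scan each outgoing notification for social security and payment card numbers before it is sent, using a Luhn check to avoid flagging ordinary reference numbers. The draft letters are constructed sample text.

```python
"""Added example: block an outgoing breach notification that still contains
an SSN or a payment card number. The notices below are constructed samples."""
import re

# SSN in the common 3-2-4 form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """List every SSN or Luhn-valid card number, with a masked form for the log."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "start": m.start(),
                         "masked": "***-**-" + m.group()[-4:]})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # reference numbers that fail Luhn are left alone
            findings.append({"kind": "card", "start": m.start(),
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return sorted(findings, key=lambda f: f["start"])


def ready_to_send(text):
    """A notice may be circulated only when no sensitive identifier remains."""
    return not find_sensitive(text)


# Constructed drafts: the first still leaks an SSN and a card number.
DRAFT_NOTICE = """Dear Jane Doe,
We are writing to inform you that an email account containing your information
was accessed without authorization. The file listed your SSN 123-45-6789 and
the card 4111 1111 1111 1111. Your case reference is 1234 5678 9012 3456.
"""
CLEAN_NOTICE = """Dear Jane Doe,
We are writing to inform you that an email account containing your information
was accessed without authorization. Your case reference is 1234 5678 9012 3456.
"""

if __name__ == "__main__":
    for label, notice in (("draft", DRAFT_NOTICE), ("clean", CLEAN_NOTICE)):
        print(label, "ready" if ready_to_send(notice) else "BLOCKED", find_sensitive(notice))
```

The case reference in both drafts is 16 digits long but fails the Luhn checksum, so it is not flagged; that is the difference between a scrub check that reviewers trust and one they learn to override. The masked values are what should reach a case log or court record, never the matched text itself.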

When notification is delivered via U.S. Mail, it is prudent to conduct physical examinations and spot checks of outgoing notification documents to ensure they uphold the privacy of the intended recipients. 

Just two years ago, on-premise email infrastructure was a preferred target for corporate data theft. Today, however, cloud-based email systems represent a prime opportunity for infiltrating organizations through business email compromise schemes.

As the tactics and strategies employed by malicious outsiders become more advanced, our systems for managing breach response programs must keep apace. While we cannot predict tomorrow’s data breach vulnerabilities, we are confident that new and emerging technology will create even greater efficiencies in the breach response workflow, allowing companies to expedite notification to their stakeholders and return to work quickly.
