Physical Security

Dispatches on blagging

by msecadm4921

A Channel 4 Dispatches documentary included an interview with the head of RandomStorm’s Social Engineering Team, who was asked about the blagging techniques used to trick employees into breaching section 55 of the Data Protection Act, “unlawful obtaining of personal data”. The section states that “a person must not knowingly, or recklessly, without the consent of the data controller, (a) obtain or disclose personal data, or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data.”

 

 

The programme pointed to the risk of unregulated private investigation firms using “blagging” techniques and unscrupulous employees to breach section 55 of the Data Protection Act <http://www.legislation.gov.uk/ukpga/1998/29/section/55>, which carries a fine of £5,000 in a magistrates’ court. Blagging is the practice of contacting an organisation and giving personal information on a target individual, gleaned from other sources, to persuade employees to impart sensitive private information, such as bank details or medical or benefit records.

 

During the making of the documentary, film maker Chris Atkins persuaded three volunteers to give permission to have their identities checked by private investigators. The researchers were able to buy mobile phone records, online bank statements, information on GP appointments, a national insurance number and details of benefits claims.

 

Gavin Watson, Senior Security Engineer and head of the RandomStorm Social Engineering Team, was asked to advise on how employees can avoid being targeted by “blaggers” and was filmed commenting on techniques used by social engineers to access personal records.

 

“An individual’s private data is only as secure as the businesses that handle it,” says Gavin Watson in the programme. “If you wanted to get hold of someone’s bank account details, you wouldn’t necessarily target that person as an individual. You could target the bank, or you could target their local gym, or you might target the council, or anyone who might have any interaction with those bank account details.” 

 

According to the Dispatches documentary makers, a Freedom of Information request to the Department of Work and Pensions (DWP) found that 992 employees had been disciplined for data offences over a ten-month period. However, the DWP denied that the benefits information obtained by Chris Atkins was leaked by the department and asserted that detailed audit trails are created on data accessed by the 200,000 employees authorised to use the DWP database.

 

“Employees of organisations that are entrusted with protecting our most sensitive data need to be made more aware of the social engineering risk and trained to thwart blaggers. Even with access controls and auditing technology in place, staff can be tricked into revealing too much information. I hope that the Dispatches programme will help to increase the general awareness of this risk,” adds Watson.

 

At last month’s Infosecurity Europe conference, Gavin Watson gave a presentation entitled “Flattery gets you everywhere – addressing the social engineering risk to your business”. This outlined some of the techniques used by blaggers to gain unauthorised access to premises and information, and shared tips on training staff to be alert to the dangers.

 


© 2024 Professional Security Magazine. All rights reserved.
