Scenarios_compromise of information security

The document outlines various scenarios of information security compromises, including phishing, data tampering, and unauthorized access, detailing their impacts on confidentiality, integrity, and availability of data. It emphasizes the importance of robust security measures and employee training to prevent such incidents. Additionally, it provides a prioritization table categorizing incidents by their potential impact, ranging from high to low, to aid in effective response strategies.

Uploaded by

Leonid Pagatpat
Copyright: © All Rights Reserved

Compromise of Information Security

Network Phishing - Fraudulent Use of Technology to Steal Information

An employee receives a convincing email that appears to be from the IT department, instructing them to
log in to a fake security portal. Believing the email is legitimate, the employee enters their credentials.
The attacker then uses the credentials to access the Corporation's internal network and steal sensitive
member data.

Tampering with Data - Unauthorized Changes

A supervisor in the Comptrollership Department alters financial reports before they are submitted to the
board of directors, inflating collections numbers to meet GCG Corporate Targets and secure larger
bonuses. This manipulation is later discovered during an audit, leading to a corporate scandal.

Data Error - Mistakes in Data Input or Processing

A frontline staff member at an LHIO mistakenly inputs incorrect premium data for hundreds of walk-in
customers. This leads to erroneous billing and claims processing, causing significant financial
discrepancies and customer dissatisfaction.

Third-Party/Service Provider Breach

A third-party payroll provider procured by the Corporation is compromised due to inadequate
security measures. The attacker gains access to employee personal and financial data, including Social
Security numbers and bank account details, leading to widespread identity theft among the
Corporation's staff.

Communication Error/Failure - Unintended Release of Data

An employee at a healthcare provider delivering Konsulta services, while preparing a submission to
PhilHealth, accidentally sends an email containing the medical records of multiple patients to the
wrong distribution list. The email is delivered to individuals not authorized to view the data,
compromising patient confidentiality.

The following are detailed scenarios for each type of information-compromise incident involving loss of
confidentiality, integrity, or availability of information.

1. Interception - Capturing Data Before It Reaches Intended Recipients

Scenario: A logistics company uses an unencrypted communication channel to transmit
sensitive information about client shipments, including addresses and contents of high-value
packages. An attacker monitors network traffic, intercepts this data, and reroutes the shipments
to a new location, causing massive financial losses.

Impact:

- Loss of confidentiality and financial harm to clients.
- Damaged customer trust and reputation.
- Legal action due to mishandling of client data.

2. Spying - Secretly Collecting Information About Another Organization


Scenario: A competitor places an undercover agent within a major tech company. The spy
works in the R&D department and regularly reports back on the company’s new product designs.
The competitor releases a similar product before the tech company, undermining their market
position.

Impact:

- Competitive advantage lost.
- Financial losses and market share reduction.
- Potential legal action for industrial espionage.

3. Eavesdropping - Listening in on a Conversation Without Knowledge

Scenario: During an international conference, an executive makes a voice-over-IP call over the
hotel's open (unencrypted) Wi-Fi network. An attacker on the same network uses a Wi-Fi sniffing
tool to capture the unencrypted call traffic and listen in, gaining access to insider information
about an upcoming acquisition deal.

Impact:

- Loss of confidential business information.
- Financial and reputational damage if leaked.
- Potential insider trading investigations and legal consequences.

4. Disclosure - Making Sensitive Information Public

Scenario: An employee at a financial institution accidentally posts a document containing
hundreds of customer bank details on a public forum instead of an internal portal. The data is
quickly accessed and shared by malicious actors before the company can take it down.

Impact:

- Customers' personal and financial data exposed.
- Financial losses due to compensation and fraud.
- Legal penalties under data protection regulations (e.g., GDPR).

5. Masquerade - Unauthorized Entity Pretends to Be Another

Scenario: A hacker gains access to an executive’s email account by using stolen credentials. The
hacker then emails the finance department, pretending to be the executive, and instructs them to
wire $500,000 to a fraudulent account.

Impact:

- Financial loss due to unauthorized transactions.
- Damaged internal trust and reputation.
- Legal action to recover lost funds and possible regulatory fines.

6. Social Engineering - Psychological Manipulation to Divulge Information

Scenario: An attacker calls the IT helpdesk of a law firm, impersonating a senior partner and
claiming that they are locked out of their account. Using urgency and authority, the attacker
convinces the helpdesk to reset the account password. The attacker then uses this access to steal
confidential legal case files.

Impact:

- Loss of highly sensitive legal data.
- Reputational damage and potential loss of clients.
- Legal action from affected parties and significant financial penalties.

7. Network Phishing - Fraudulent Use of Technology to Steal Information

Scenario: An employee at a major bank receives a convincing email that appears to be from
their IT department, instructing them to log in to a fake security portal. Believing the email is
legitimate, the employee provides their credentials. The attacker then uses the credentials to
access the bank’s internal network and steal sensitive client financial data.

Impact:

- Compromise of customer financial records.
- Financial losses and reputational harm.
- Legal penalties and costly security overhauls.

8. Tampering with Data - Unauthorized Changes

Scenario: An insider in the finance department of a large corporation alters financial reports
before they are submitted to the board of directors, inflating profit numbers to secure larger
bonuses. This manipulation is later discovered during an audit, leading to a corporate scandal.

Impact:

- Loss of data integrity and internal trust.
- Legal penalties for financial misreporting.
- Long-term damage to investor relations and stock value.
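Both tampering scenarios on this page (the Comptrollership supervisor altering collections figures, and scenario 8 above) share the same weakness: nothing binds the report the board receives to the report the system generated, so the alteration is only found at audit time. The Python below is an added example, not part of the original document, showing the integrity control that closes that gap: the reporting system computes an HMAC-SHA256 over a canonical serialization of the report at generation time, using a key the people who edit reports never hold, and the submission step refuses any report whose tag no longer verifies. The key, report fields and function names are assumptions for illustration.

```python
import hmac
import hashlib
import json

# Constructed demo key. In practice this lives in the reporting system's key
# store (or an HSM) and is never available to the staff who edit reports.
REPORT_SIGNING_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical_bytes(report: dict) -> bytes:
    """Serialize deterministically (sorted keys, no insignificant whitespace)
    so identical content always produces identical bytes to authenticate."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_report(report: dict, key: bytes) -> str:
    """HMAC-SHA256 tag over the canonical report, computed when it is generated."""
    return hmac.new(key, canonical_bytes(report), hashlib.sha256).hexdigest()


def verify_report(report: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; any changed field fails."""
    expected = sign_report(report, key)
    return hmac.compare_digest(expected, tag)


def submit_to_board(report: dict, tag: str, key: bytes) -> str:
    """Gate the board submission on the integrity check."""
    if not verify_report(report, tag, key):
        return "REJECTED: integrity check failed, report altered after generation"
    return "ACCEPTED"


# Constructed sample report as the reporting system would emit it.
ORIGINAL_REPORT = {
    "period": "2024-Q3",
    "collections_php": 1_250_000_000,
    "prepared_by": "reporting-system",
}


def demo() -> dict:
    """Sign the generated report, then try to submit an inflated copy with the
    original tag; the tampered copy is rejected."""
    tag = sign_report(ORIGINAL_REPORT, REPORT_SIGNING_KEY)
    tampered = dict(ORIGINAL_REPORT, collections_php=1_480_000_000)
    return {
        "original": submit_to_board(ORIGINAL_REPORT, tag, REPORT_SIGNING_KEY),
        "tampered": submit_to_board(tampered, tag, REPORT_SIGNING_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The control only works with segregation of duties: the signing key must stay with the system that generates the report, and verification must happen at the receiving end, otherwise an insider with edit rights and the key simply re-signs the altered figures. Where the board cannot be given the shared secret, an asymmetric signature (the generator signs with a private key, the board verifies with the public key) gives the same tamper evidence without sharing it.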

9. Data Error - Mistakes in Data Input or Processing

Scenario: An employee at an insurance company mistakenly inputs incorrect premium data for
hundreds of customers. This leads to erroneous billing and claims processing, causing significant
financial discrepancies and customer dissatisfaction.

Impact:

- Financial loss due to compensation and refunds.
- Damage to customer trust and regulatory fines.
- Increased operational costs to correct the errors.

10. Position Detection - Identifying Location of Sensitive Information

Scenario: A hacker uses network scanning tools to locate an exposed, unprotected server
that stores sensitive customer data at a retail company. The attacker then targets this server in a
ransomware attack, encrypting the data and demanding payment.

Impact:

- Data availability compromised due to encryption.
- Financial losses from ransom payment and system recovery costs.
- Reputational harm and potential regulatory fines.

11. Third-Party/Service Provider Breach

Scenario: A third-party payroll provider used by a company is compromised due to inadequate
security measures. The attacker gains access to employee personal and financial data, including
Social Security numbers and bank account details, leading to widespread identity theft among the
company's staff.

Impact:

- Loss of employee trust and potential lawsuits.
- Regulatory penalties for failing to ensure vendor security.
- Reputational damage and increased operational costs for remediation.

12. Hacking - Unauthorized Access to Systems

Scenario: A hacker exploits a vulnerability in an outdated content management system (CMS)
used by an online retailer. The hacker gains unauthorized access to the retailer's customer
database, stealing credit card information for thousands of customers.

Impact:

- Significant financial loss due to credit card fraud and compensation.
- Regulatory fines under data protection laws, plus contractual penalties from card brands for PCI DSS non-compliance.
- Damage to customer trust and potential lawsuits.

13. Identity Fraud - Unauthorized Use of Someone’s Identity

Scenario: An attacker obtains the personal details of a high-net-worth individual through a data
breach at a credit reporting agency. The attacker uses these details to open multiple credit
accounts and make large fraudulent purchases before the victim becomes aware of the identity
theft.

Impact:

- Financial loss and damage to the victim's credit score.
- Legal action and lengthy recovery process for the victim.
- Potential lawsuits against the breached agency.

14. Communication Error/Failure - Unintended Release of Data

Scenario: An employee at a healthcare organization accidentally sends an email containing
medical records of multiple patients to the wrong distribution list. The email is delivered to
individuals not authorized to view the data, compromising patient confidentiality.

Impact:

- Violation of patient privacy and regulatory penalties (e.g., HIPAA violations).
- Reputational damage and loss of patient trust.
- Financial losses due to legal action and compliance fines.

These scenarios illustrate the various ways in which information can be compromised, either
deliberately or accidentally, and emphasize the importance of robust security measures,
employee training, and compliance with data protection regulations.

The following is a sample Information Security Incident Prioritization Table based on the Incident
Impact Table and the scenarios above. Each scenario is assigned one of the High, Medium, or Low
impact categories defined in that table.

Scenario | Impact Level | Description/Justification
--- | --- | ---
Interception - Capturing Data Before Reaching Intended Recipients | High (H) | Significant risk to the confidentiality of data, impacting a large number of systems and individuals. Could result in legal liability and reputational damage.
Spying - Secretly Collecting and Reporting Information | High (H) | A severe breach of confidentiality with potential to affect strategic business information and damage competitiveness.
Eavesdropping - Listening to a Conversation Without Knowledge | Medium (M) | Compromises confidentiality but may affect a limited number of individuals. Moderate potential for propagation and further harm.
Disclosure - Publicly Releasing Sensitive Information | High (H) | High probability of causing significant damage to reputation and financial losses due to public exposure of sensitive data.
Masquerade - Pretending to Be Another Entity | High (H) | Threatens confidentiality and could lead to significant financial fraud or unauthorized access to critical systems.
Social Engineering - Psychological Manipulation | High (H) | High impact on a large number of individuals if sensitive information is compromised, especially in a targeted phishing or vishing campaign.
Network Phishing - Using Technology to Steal Information | High (H) | High risk to data confidentiality, especially if large numbers of users' credentials or sensitive information are stolen. Could spread rapidly across the network.
Tampering with Data - Unauthorized Changes | High (H) | Major breach of integrity, potentially affecting critical business systems and causing significant operational or financial damage.
Data Error - Mistakes in Data Input or Processing | Medium (M) | Affects integrity but may only have moderate effects on specific systems or processes. Can cause financial discrepancies.
Position Detection - Identifying Location of Sensitive Information | High (H) | High impact due to the potential for attackers to target critical information systems for further exploitation.
Third-Party/Service Provider Breach | High (H) | Affects a large number of individuals, especially if a critical third party exposes personal data. High reputational and legal risks.
Hacking - Unauthorized System Access | High (H) | Severe impact, especially if critical business data or systems are compromised. Legal liabilities and reputation could be at stake.
Identity Fraud - Unauthorized Use of Someone's Identity | High (H) | High impact on individuals and potential legal liability for the organization. Can result in significant financial loss and reputational damage.
Communication Error/Failure - Unintended Data Release | Medium (M) | Could cause moderate damage depending on the sensitivity of the information. Internal controls may mitigate the extent of harm.

Summary of Impact Levels

- High (H): Severe and immediate threat to confidentiality, integrity, or availability of
systems or data. Likely to result in major financial loss, legal liability, and damage to
reputation.
- Medium (M): Moderate adverse effects on systems or data, potentially causing
operational disruption or reputational damage, but with limited propagation.
- Low (L): Minimal adverse effect with limited scope of disruption or damage. Little to no
risk of propagation.

None of the fourteen scenarios above is rated Low; the category is kept so that the table can be
extended to lesser incidents. The table can help prioritize responses to information security
incidents based on their potential impact and urgency, allowing the organization to focus
resources effectively.
