Obligations
Under the NBD scheme, an organisation must complete its assessment of whether a suspected breach meets the criteria for an eligible data breach within 30 days of first becoming aware of it. Applied to Office 365, this means that when an account is compromised the organisation must be able to determine, within those 30 days, whether any personal information was exposed. The attacker could have accessed the victim’s mailbox and OneDrive as well as the organisation’s SharePoint tenancy, so the assessment has to cover all three.
Observations
What Security Centric has found during these assessments is that an individual will quite often have upwards of 10,000 emails and thousands of attachments in their mailbox. Usually the organisation does not have sufficient audit logging turned on for its mailboxes, so it is difficult to determine exactly which emails the attacker accessed; without a per-message access record the investigator has to assume the whole mailbox was exposed. If the attacker had access for a couple of weeks, they could have viewed a large proportion of those emails. If the organisation collects personal information as part of its BAU activities and relies heavily on email to collect it, the exposure of personal information could be high (for example, a prospective tenant emailing a rental application to a real estate agent).
Organisations usually think of the personal information they store as living in internal file shares, business applications or databases. If files are regularly sent as email attachments, copies of those files are stored with the emails, and if the Office 365 account is compromised, so are those files. Given the large number of files in a typical mailbox, assessing the impact of the data breach may be difficult to complete within the 30 day timeframe.
Recommendation
On the other hand, SharePoint, OneDrive and Microsoft Teams have detailed activity logging by default (as long as the organisation has audit logging turned on for the tenancy). The unified audit log records each file operation (view, download, modify, share) against the account that performed it, which makes it possible to determine exactly what the attacker accessed and to assess the impact from there. Assessing the impact here should be quick and accurate, provided the investigation starts within the audit log’s retention period.
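The two checks above (is mailbox auditing actually on, and what did the compromised account touch in SharePoint/OneDrive) can be scripted against Exchange Online. The following is an added example written for this page, not a Security Centric tool or a script from the original article. It assumes the ExchangeOnlineManagement PowerShell module is installed, the operator holds a role that can read audit logs, and that the victim UPN, the 30 day window and the output path are placeholders to be replaced.

```powershell
# Added example, not part of the original article. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# can read the unified audit log. UPN, dates and output path are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Victim    = 'victim@example.com'          # hypothetical compromised account
$StartDate = (Get-Date).AddDays(-30)       # assessment window (30 days)
$EndDate   = Get-Date

# 1. Is the unified audit log being populated for this tenancy at all?
#    If not, SharePoint/OneDrive activity for the window will not exist.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled for this tenancy.'
}

# 2. Is mailbox auditing enabled for the victim (and not disabled org-wide)?
#    Without owner-action auditing, per-message access cannot be reconstructed
#    and the whole mailbox has to be treated as exposed.
$mbx = Get-Mailbox -Identity $Victim
[pscustomobject]@{
    OrgAuditDisabled    = (Get-OrganizationConfig).AuditDisabled
    MailboxAuditEnabled = $mbx.AuditEnabled
    AuditLogAgeLimit    = $mbx.AuditLogAgeLimit
    OwnerActionsAudited = ($mbx.AuditOwner -join ',')
}

# 3. Pull every SharePoint/OneDrive file operation performed by the account
#    in the window. ReturnLargeSet with a session id pages through results
#    5000 at a time until an empty page is returned.
$sessionId = [guid]::NewGuid().ToString()
$fileOps   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -UserIds $Victim -RecordType SharePointFileOperation `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $fileOps += @($page)
} while (@($page).Count -gt 0)

# AuditData is a JSON blob; keep only the fields an impact assessment needs.
$report = $fileOps | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation       # e.g. FileAccessed, FileDownloaded
        File      = $d.SourceFileName
        Path      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
} | Sort-Object Time

$report | Export-Csv -Path .\victim-file-access.csv -NoTypeInformation
$report | Group-Object Operation | Select-Object Name, Count

# 4. Mailbox side: MailItemsAccessed events exist only where that owner action
#    is audited for the mailbox (licence dependent). Zero results here does not
#    mean nothing was read; it may mean it was never recorded.
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $Victim `
    -Operations MailItemsAccessed -ResultSize 5000 | Measure-Object

Disconnect-ExchangeOnline -Confirm:$false
```

The CSV produced in step 3 is the artefact that lets the SharePoint/OneDrive side of the assessment be closed quickly: every row is a file the attacker touched. Step 2 and step 4 usually show why the mailbox side cannot be closed the same way, which is the point the observations above make.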
Email was not designed as a file transfer mechanism, and there are many other ways to share data that are more secure. An organisation that handles personal information should implement web portals for customers to upload documents, so that the organisation controls where the data is stored and has a single, audited location to check after a compromise. Content filtering can be applied to incoming email to ensure personal information cannot be accidentally sent to the organisation via email. Sensitive business documents should also not be sent via email, as a compromise of any recipient mailbox will expose them.