
Data Security and Privacy across Borders

Term Project 2020


Max Marks: 50 Weightage: 25%

Guidelines:

1. Read the entire project document CAREFULLY.


2. This is a group project and each team will have 3-4 members. Any group with more
than 4 members will be disqualified and will not be considered for evaluation.
3. There are 6 projects listed below and each team has to choose 1 scenario for
evaluation.
4. Each group will create and submit a report (NOT exceeding 20 pages, excluding the
cover page, table of contents and reference list) based on the questions asked in the
scenario. Submit a soft copy of the report, after plagiarism verification, in the folder:
5. Use tables and diagrams wherever necessary. Provide the source of all tables
and figures.
6. The project report should be submitted by 28th January 2020, 12:00 noon, as a soft
copy together with the plagiarism report (from Urkund). Save your project file as
<<CS2/CS1_RollNum1_RollNum2_RollNum3>>
7. Separate folders have been created for the Cybersecurity1 and Cybersecurity2 sections.
Please submit in the appropriate folder. A separate mail has been sent with the shared
folder links.
8. Any report with more than 15% plagiarism will NOT be considered for
evaluation.
9. Students are expected to answer all questions in the form of a report, not as a
Q&A section.
10. The total marks allocated to the project are 25; however, the first round of
evaluation is out of 20. The faculty will choose the best 3 of the submitted reports
from each section, and those selected three teams will give a detailed presentation
(NOT more than 15 slides) on 30th January 2020. Of the 25 points, 5 points are
allocated to presentations and will be awarded only to the selected teams,
based on their performance.
11. Wherever information is missing, groups are free to make reasonable assumptions for
the solution or analysis of the situation.
12. It is mandatory for all groups to attend the presentations scheduled in the last class on
30th January 2020.
13. A few project guidelines are provided in the Appendix at the end of the document for
reference.

Phase 1 Deliverables with Urkund Report date: 28th January 2020 by 12:00 noon
Phase 1 Results: 29th January 2020 4:00 pm
Phase 2 Presentation on 30th January 2020

Scenario 1 –

Go through the scenario of Google being fined EUR 50 million by the CNIL, from the link:
https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

Answer the following in your report:


1. A brief synopsis of the case / incident discussed in the link above.
2. Outline a PESTLE analysis for Google.
3. In your opinion, why was the organisation fined? What were the relevant law(s)
involved? Provide details, including the relevant article(s) and section(s).
4. According to you, what were the objective and motivation of the adversaries?
5. Provide a post-mortem analysis of the type of attack. For instance, describe in your
own words the technique in detail and the tactics used by adversaries to
perform this type of attack.
6. What was the response of the organisation? Is there a way in which the response could
have been better? Propose your analysis and solution.
7. Describe two security controls the organisation could have implemented to protect
itself from this breach.
8. What information was given to the data subjects about the breach? Was it
sufficient? Design a consent statement for the company as if you were its Data Protection
Officer.
9. Mention two principles of the GDPR / relevant law involved in this exercise.
10. Mention two rights of data subjects (if any) which were violated in this exercise.
11. What rules around identity and access management could have been implemented in
this case?
12. What technical and organisational controls could have been
implemented to prevent this security breach?

Scenario 2 Data Leak Case

Onpay started business in 2012 and provides payroll processing services to 20 enterprise
customers / clients (a B2B service). Onpay hosts a multi-tenant application service on the
Amazon Web Services (AWS) cloud and delivers the payroll application as Software as a
Service (SaaS). Onpay uses AWS as its Infrastructure as a Service (IaaS) provider, develops
the payroll application itself and deploys a major release every quarter for all customers.
Features and services are not customised for any specific customer. Onpay uses AWS data
centres in the EU, US and UK.

Eleven of Onpay's customers are from Europe and the US. Europe is subject to strong labour
regulations which are tightly implemented and governed by the European customers' internal
works councils. Onpay stores and processes personal and confidential information about the
employees of its customers, such as:

• First name
• Last name
• Date of birth
• Bank account number
• Bank IFSC number
• Joining date in the company
• Department name in the company
• Income tax computation and deduction

Since May 25, 2018, 2 of Onpay's 20 customers have signed a Data Protection Agreement
(DPA) and Standard Contractual Clauses (SCCs, also known as Model Clauses) with Onpay.

In June / July 2018, a large beverages company operating in Europe reported to its European
Data Protection Authority that the personal data of 3000 of its employees had been leaked due to
a security lapse at one of its payroll service providers, Onpay.

Answer the following in your report:

1. Read more about Onpay and its customers at www.onpay.com and conduct a
PESTLE analysis for the company.
2. Similarly, conduct a PESTLE analysis for the beverages industry from the data
criticality point of view.
3. Why is payroll data an important consideration for any organisation?
4. What measures should the beverages company take to address the privacy risks and
concerns of its 3000 employees in Europe?
5. What measures should Onpay take to address the privacy risks and concerns of its
customers' employees?
6. Is the problem limited only to the 3000 employees of the beverages
company? How will you determine the full scope of the problem? What measures
should the beverages firm use?
7. Should Onpay disclose the breach to all its customers? What is the role of legal
counsel and a Public Relations team/firm in breach/incident management?
8. How would you design the communication informing external stakeholders about the
data breach? Present a sample.
9. What is the key principle for determining whether the data leak should be reported to
regulators, customers and data subjects?
10. What measures should the beverages company have taken before accepting Onpay
as a vendor?

11. What technical and organisational controls could have been
implemented to prevent this security breach?
12. Imagine the data leak is reported to regulators and the beverages company wants to
sue Onpay for the leak. If found responsible, Onpay will be liable to pay a fine of up to
€10 million or 2% of the company's global annual turnover, whichever is higher, under
Article 83(4) of the General Data Protection Regulation. Write down the key steps Onpay
should take to handle the situation and mitigate the issue.

Scenario 3: DDoS attack brings the online portal down

Client: TraveleCom
Location: US

It is the run-up to Black Friday and Cyber Monday, during Thanksgiving week in the US. A week
before Thanksgiving, the Engineering and Datacentre teams are holding critical stand-up
meetings several times a day to gear up for the traffic and business that await them
on Black Friday, the Thanksgiving weekend and Cyber Monday. Typically, TraveleCom gets
about 30% of its revenue from these 4 days, and daily traffic jumps from 5 million hits to 50
million hits on those 4 days. The business offers deep discounts, coupons and freebies to
make the most of this rush and maximise conversions. Huge marketing costs have been, and
will be, spent on campaigns in print and digital media.
The Engineering and Development teams have frozen all new code deployments in the
production environment. The production environment has been scaled up 15-fold to
handle the traffic spike. It looks like everything is set to make the most of the
Thanksgiving sales.

Crisis strikes on Black Friday morning as the site comes under a severe DDoS attack
by hackers. The site goes down multiple times during the day, forcing TraveleCom customers
to look elsewhere. The next 3 days, up to Cyber Monday, are a disaster, since genuine traffic
falls to less than 2 million hits owing to site reliability issues. The company is facing a
huge loss of revenue and reputation.

Phase 1 Deliverables:

1. Outline a PESTLE analysis for online travel industry


2. What is a DDoS attack and why is it considered a threat to TraveleCom?
3. What should be the key concerns and priorities of the CISO at this stage?
4. Mention two principles of the GDPR / relevant law involved in this exercise.
5. Mention two rights of data subjects (if any) which were violated in this exercise.
6. Conduct a business impact analysis (BIA). Which activities and stakeholders are
affected? Students are free to make a few assumptions.
7. Design a communication about the incident which the organisation can send to
management, employees and customers.
8. Develop a Business Continuity Plan / Disaster Recovery Plan for the above situation.
Identify preventive controls.
9. Develop an IT contingency plan. Make sure that the contingency plan
contains detailed guidance and procedures for restoring a damaged system.
10. What technical and organisational controls could have been implemented to
prevent this security incident?
11. After facing a tumultuous week, the CEO of TraveleCom was getting his morning cup of
coffee the day after Cyber Monday when he was greeted by an email from an alleged hacker
stating that they had the data of 100 million users of the platform, including
usernames, passwords, social security numbers and, worst of all, their credit card
information. He was perplexed by this threat, since the company had just completed its annual
security audit, conducted by KPMG, and he had full faith in his CISO to guarantee the safety of
user information. However, the time to react is limited, as the hacker threatens to make the
information public within 6 hours if a sum of 1 million USD is not transferred to them via
bitcoin. State the ideal steps the CEO, CTO and CISO should take in order to prevent
another disaster from occurring.

Scenario 4

Go through the incident in which the ICO announced its intention to fine Marriott more than £99
million under the GDPR for a data breach, from the given link:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/

Answer the following questions:

1. A brief synopsis of the case / incident discussed in the link above.
2. Outline a PESTLE analysis for the hotel industry and Marriott.
3. In your opinion, who was responsible and why was the organisation fined?
4. According to you, what were the objective and motivation of the adversaries?
5. Provide a post-mortem analysis of the type of attack. For instance, describe in your
own words the technique in detail and the tactics used by adversaries to
perform this type of attack.
6. What was the response of the organisation? Is there a way in which the response could
have been better? Propose your analysis and solution.
7. Describe two security controls the organisation could have implemented to protect
itself from this breach.
8. What information was given to the data subjects about the breach? Was it
sufficient? Design a consent statement for the company as if you were its Data Protection
Officer.
9. Mention two principles of the GDPR / relevant law involved in this exercise.
10. Mention two rights of data subjects (if any) which were violated in this exercise.
11. What rules around identity and access management could have been implemented in
this case?
12. What technical and organisational controls could have been
implemented to prevent this security breach?

Scenario 5 LOSS OF WEBMAIL – PHISHING ATTACK

Company: BBC
Location: London, UK.

BBC News (also known as the BBC News Channel) is a British free-to-air television news
network. It was launched as BBC News 24 on 9 November 1997 at 5:30pm as part of the
BBC's foray into digital domestic television channels, becoming the first competitor to Sky
News, which had been running since 1989.

On January 28, 2015, some employees noticed a suspicious email in their inboxes.
The email contains a link which, if a user clicks it, takes him / her to what appears to be the
BBC Webmail logon page. When users enter their logon details on this page, it does not take them
to their email inbox, but to a spurious free-download site. The website opens in a loop, which means
that whatever button or link the user clicks, it opens another unknown website.

As CISO, you were informed by the Manager – BBC Information Systems that the BBC is
the target of an email phishing attack. The email that your users have seen has been identified
as the phishing email.

That is not all: a notorious internet group calling itself "the Syrian
Electronic Army" has subsequently hacked some of the key BBC Twitter accounts. They are
posting messages on Twitter boasting that they have taken over these accounts. It is
suspected that the phishing email is the tool they used to gain access to admin
email rights and the Twitter accounts. It is suspected that they have the BBC login account
details and passwords of all BBC employees and users who have so far clicked on the link
and entered their details on the fake BBC Webmail logon page.

As a precaution, the Information Systems department has shut down the webmail, which means
that only users who have a BBC Remote Access Token can log on to the BBC network from
outside the BBC. They have released a reporting form and advised users not to click on any
attachments or links within emails, and to raise a call with the ATOS service desk if they receive
any email with the link.

Answer the following questions:

1. Conduct a PESTLE analysis for the media industry and the BBC.
2. Explain the severity of the attack at the individual level, department level, organisation
level and industry level.
3. How does this incident impact the ability of the organisation to continue with its critical
business activities? Provide a business impact analysis for the UK (the group is free to
make certain assumptions).
4. Which activities and stakeholders are affected?
5. Mention two principles of the GDPR / relevant law involved in this exercise.
6. Mention two rights of data subjects (if any) which were violated in this exercise.
7. What rules around identity and access management could have been implemented
in this case?
8. What is the role of legal counsel and a Public Relations team/firm in breach/incident
management?
9. What should be the key concerns and priorities of the CISO at this stage?
10. Design a communication for the CISO to circulate to the various stakeholders.
11. Design a Disaster Recovery Plan and explain how a recurrence can be prevented.
12. Later, the situation escalates: the hackers have used the credentials of senior
management and gained access to sensitive data such as upcoming acquisition
plans, unreleased documentaries, employee details and bank account details, etc.
The group has threatened to release the information online, which would affect the BBC
adversely, may cost millions and would mean the release of business secrets. How should the
company tackle the situation?

Scenario 6
Read the incident in which the ICO announced its intention to fine British Airways £184 million:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

Answer the following questions:


1. A brief synopsis of the case / incident discussed in the link above.
2. Outline a PESTLE analysis for British Airways.
3. In your opinion, why was the organisation fined? What were the relevant law(s)
involved? Provide details, including the relevant article(s) and section(s).
4. According to you, what were the objective and motivation of the adversaries?
5. Provide a post-mortem analysis of the type of attack. For instance, describe in your
own words the technique in detail and the tactics used by adversaries to
perform this type of attack.
6. What was the response of the organisation? Is there a way in which the response could
have been better? Propose your analysis and solution.
7. Describe two security controls the organisation could have implemented to protect
itself from this breach.
8. What information was given to the data subjects about the breach? Was it
sufficient? Design a consent statement for the company as if you were its Data Protection
Officer.
9. Mention two principles of the GDPR / relevant law involved in this exercise.
10. Mention two rights of data subjects (if any) which were violated in this exercise.
11. What rules around identity and access management could have been implemented in
this case?
12. What technical and organisational controls could have been
implemented to prevent this security breach?

Appendix – Project Guidelines

Students may use the below information as a reference point for the analysis

Steps of Disaster Recovery Plan formulation:


1. Develop the contingency planning policy statement - A formal policy provides the
authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA) - The business impact analysis helps to
identify and prioritize critical IT systems and components.
3. Identify preventive controls - These are measures that reduce the effects of system
disruptions and can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies - Thorough recovery strategies ensure that the system
can be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan - The contingency plan should contain detailed
guidance and procedures for restoring a damaged system.
6. Plan testing, training and exercising - Testing the plan identifies planning gaps,
whereas training prepares recovery personnel for plan activation; both activities improve
plan effectiveness and overall agency preparedness.
7. Plan maintenance - The plan should be a living document that is updated regularly to
remain current with system enhancements.

Business continuity planning should involve:


1. Business impact analysis (BIA);
2. Risk assessment
3. Risk management; and
4. Risk monitoring

BUSINESS IMPACT ANALYSIS –


A business impact analysis (BIA) is the first step in developing a BCP. It should include:

• Identification of the potential impact of uncontrolled, non-specific events on the
institution's business processes and its customers;
• Consideration of all departments and business functions, not just data processing;
and
• Estimation of maximum allowable downtime and acceptable levels of data,
operations, and financial losses.

RISK ASSESSMENT –
The risk assessment is the second step in developing a BCP. It should include:

• A prioritising of potential business disruptions based upon severity and likelihood of
occurrence;
• A gap analysis comparing the institution's existing BCP, if any, to what is necessary
to achieve recovery time and point objectives; and
• An analysis of threats based upon the impact on the institution, its customers, and
the financial markets, not just the nature of the threat.

RISK MANAGEMENT –
Risk management is the development of a written, enterprise-wide BCP. The institution
should ensure that the BCP is:

• Written and disseminated so that various groups of personnel can implement it in a
timely manner;
• Specific regarding what conditions should prompt implementation of the plan;
• Specific regarding what immediate steps should be taken during a disruption;
• Flexible to respond to unanticipated threat scenarios and changing internal
conditions;
• Focused on how to get the business up and running in the event that a specific
facility or function is disrupted, rather than on the precise nature of the disruption;
and
• Effective in minimising service disruptions and financial loss.
RISK MONITORING –
Risk monitoring is the final step in business continuity planning. It should ensure that the
institution's BCP is viable through:

• Testing the BCP at least annually;
• Subjecting the BCP to independent audit and review; and
• Updating the BCP based upon changes to personnel and the internal and external
environments.

The project will be assessed on the basis of whether the groups have
covered the following:
1. The plan development team should meet with the internal technology team, application
team, and network administrator(s) and establish the scope of the activity, e.g., internal
elements, external assets, third-party resources etc. IT department senior management
should be properly informed.
2. Have the groups gathered all relevant network infrastructure documents, e.g., network
diagrams, equipment configurations, databases?
3. Have they obtained copies of existing IT and network DR plans if they exist?
4. Have they identified what management perceives as the most serious threats to the IT
infrastructure, e.g., fire, human error, loss of power, system failure?
5. Have they identified what management perceives as the most serious vulnerabilities to
the infrastructure, e.g., lack of backup power, out-of-date copies of databases?
6. Have they reviewed previous history of outages and disruptions, and how the firm
handled them?
7. Have they identified what management perceives as the most critical IT assets, e.g., call
centre, server farms, Internet access?
8. Have they determined the maximum outage time management can accept if the
identified IT assets are unavailable?
9. Have they identified the operational procedures currently used to respond to critical
outages?
10. Have they determined when these procedures were last tested to validate their
appropriateness?
11. Have they identified emergency response team(s) for all critical IT infrastructure
disruptions, and determined their level of training with critical systems, especially in
emergencies?
12. Have they compiled results from all assessments into a gap analysis report that identifies
what is currently done versus what ought to be done, with recommendations as to how to
achieve the required level of preparedness, and the estimated investment required?
13. Has management reviewed the report and agreed on the recommended actions?
14. Have they prepared IT disaster recovery plan(s) to address critical IT systems and networks?
15. Have they conducted tests of plans and system recovery assets to validate their operation?
16. Have they updated DR plan documentation to reflect changes?
17. Have they scheduled the next review/audit of IT disaster recovery capabilities?

Sources –
https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum06/bcp.pdf
http://www.al.undp.org/content/dam/albania/docs/STAR/Disaster%20Recovery%20and%20Bussines%20Continuity%20Plan.pdf
http://www.epcc.edu/IT/InformationSecurity/Documents/Business_Continuity/Business_Continuity_Planning_Guidelines.pdf
