I saw this today, and it made me cross.

(For those who don’t RTFA: a train company conducted an internal phishing awareness campaign by emailing staff to say that they’d be getting a ‘rona bonus in thanks for their dedicated hard work – when in fact, the link led to a message to the effect of “LOL not really, we’re testing to see how gullible you are”.)

This is the most disgracefully insensitive, arrogant, cruel and counterproductive ‘phishing test’ I have ever had the misfortune to become aware of. Yeah, shock horror, it turns out if you send a corporate email from inside the company, to a workforce that’s at the end of its tether amid a pandemic, offering them a ray of sunshine and a bit of appreciation for their labours, the recipients will click on the ‘claim your reward’ link. Sucks be to them for expecting their employer to have a heart and a conscience, I guess. Poor fools.

From a data protection perspective, this was not just a) stupid and b) mean; it was also a stumble outside the boundaries of the first data protection principle, as set out in Article 5.1.a of the GDPR: ‘lawfulness, fairness and transparency’.

“fairness…..”

Fairness can be a nebulous concept, but a set of processing activities which causes unnecessary distress to individuals and disproportionate harm to working relationships is very unlikely to meet this standard.

That’s not to denigrate phishing awareness campaigns in general (that’s a topic for another day, because I do actually think they’re usually a waste of time and money), but in this particular instance, instead of posing as a supplier sending an invoice, or a retailer offering discounts, the email purported to be from the MD of the company offering bonus payments. In no Universe at all could that possibly be a fair test of phishing awareness, let alone fair processing of personal data. 

“……lawfulness…..”

Okay, let’s get the c-word out of the way first. This wasn’t email marketing so ePrivacy law requirements for consent don’t apply. No consent needed. Consent is irrelevant. Completely moot. No form or mechanism of ‘consent’ could have made this exercise compliant with data protection law. Article 6.1.a can GTFO, it’s not needed here.

Although a contract exists between staff and their employer, which would cover some security-related processing (such as logging, account admin, that sort of thing), it cannot be said that this particular phishing awareness campaign was in any way ‘necessary’ to fulfil the terms of that contract. (It wasn’t even helpful in supporting either party to comply with those terms). So Article 6.1.b is off the table.

Compliance with a legal obligation? Nope. There is no law that requires companies to conduct phishing awareness campaigns. That’s a policy choice. Bye-bye Article 6.1.c.

Nope to ‘vital interests’ as well – in fact, this campaign is more likely to have harmed the vital interests of the data subjects than to have been ‘necessary to protect’ them. Bzzt, goes the failsiren for Article 6.1.d.

West Midlands Trains Ltd is a ‘public authority’ for the purposes of Freedom of Information law, but in order for Article 6.1.e to apply, the phishing campaign would have needed to be necessary for the organisation’s public duties to be carried out, or for there to be an outcome which is in the public interest and could not be achieved by any other processing activity. Trains do not run on phishing awareness, so…..no.

Legitimate interests *might* have been an option, as an organisation does have a legitimate interest in maintaining its security posture by educating its workforce about how to identify and respond to potential security threats.

*IF* this campaign hadn’t been so crass and heartless, *IF* a robust Legitimate Interests Assessment had been carried out, and *IF* the impact to the data subjects had been appropriately balanced against the interests being pursued, the processing activities involved in conducting the phishing awareness campaign could have been lawful. However, because of the lack of care for employees’ welfare, and the (assumed, but confidently so) lack of LIA, the processing could not qualify for a legit legitimate interests basis.

Which leaves……no lawful basis for the processing to rely on, making the processing…..unlawful.

There are penalties for that sort of thing, according to the GDPR. Article 83.5.a lists ‘infringement of the basic principles for processing…pursuant to Articles 5, 6, 7 and 9’ – exactly the same clause that triggered an avalanche of FUD about “HUUUUUGE GDPR FINES FOR BREACHES” when the legislation was born.

That being said, it is unlikely that the ICO will take an interest in this case, because a) it’s not a Reg 21 PECR case, b) it’s not a bang-to-rights security breach, c) it’s not headline-grabbing policy posturing and d) complaints are unlikely as the data subjects affected would need to be data protection nerds to identify the unlawfulness of the processing in the first place.

“…..and transparency.”

Well, the whole point of a phishing awareness campaign is to see how many people you can fool (which does bring up interesting data-protection-nerd-pub-chat discussion points about how to satisfy Articles 12-14 in respect to this sort of thing, but I digress), so the deliberate deceptiveness of the email sent out is actually the least significant aspect of the processing. If WMT have included internal security testing as a purpose of processing in their employee privacy notice then they might have a chance at squeezing past that one, but I’d lay money on a wager that they haven’t, because, well, no-one does, even though they’re supposed to.

Infosec is not data protection

As a public authority for FOI purposes, WMT must have a statutory Data Protection Officer, under Article 37.a of the UK GDPR (that’s the GDPR viewed through the lens of the UK Data Protection Act), and if the infosec galaxy brains that came up with this campaign had thought to consult with that DPO, they might not be getting a kicking in the press today.

Having said that, WMT is a public authority for FOI purposes, so it’s entirely possible that they’ve done what a lot of other non-governmental ‘public authorities’ have done, and awarded the title of DPO to whoever didn’t duck fast enough when the decision was considered. If so, that person is probably trying to do two jobs at once (with the DPO one taking lower priority, always), and likely doesn’t have a lot of expertise or experience in DP law to back them up. Actually, even if WMT does have a professional DPO on hand, the chances of the infosec team consulting with them on mechanisms for cybersecurity awareness are minimal. Vanishingly small, in fact.

(I’m betting it didn’t even occur to them to think about data protection beyond ‘this is for security, security is good, kthxbye’. This is a dangerous mindset for an infosec team to harbour.)

But infosec is not data protection, and something that is ‘good’ for infosec is not automatically OK for data protection.

When doing infosec stuff involves processing of personal data (like, for example, emailing everyone in the company to test their phishing awareness levels!), data protection law still applies. No exemptions, no caveats, no special VIP dispensation. The infosec team is part of a Data Controller which has certain legal obligations, one of which is: don’t breach data protection law.

This means that it’s the responsibility of the infosec team to ensure that their processing of personal data does not breach the Principles, rights or obligations set out in data protection law – at the same time as they’re trying to protect the rest of the organisation’s info assets. One does not cancel out the other.

But playing cruel pranks on an exhausted and demoralised workforce to prove an intellectual point isn’t even ‘good’ infosec, it’s just sadism.