Social Engineering Data Breach Scenario
Scenario Overview
Exercise Type: Facilitated Discussion-Based Tabletop Exercise
Scenario: Social Engineering Leading to Data Breach
Target Audience: Cross-functional leadership and response teams
Duration: 90-120 minutes
Exercise Objective: Test the organization's incident response capabilities against a sophisticated social engineering attack resulting in data exfiltration and extortion
Facilitator Guidelines
- Present each inject sequentially, allowing 10-15 minutes for discussion after each
- Use "Now what?" prompts to encourage discussion about next actions
- Document all decisions, gaps identified, and lessons learned
- Remind participants this is a no-fault learning environment
- Focus on process improvement rather than assigning blame
Exercise Script
INJECT 1: Initial Compromise (Day 1 - 12:30 PM)
Situation:
- Two well-dressed individuals arrive at [WithPCI.com Company Name] headquarters claiming to be representatives from [WithPCI.com Company Name] for a scheduled meeting with the CTO.
- They present professional-looking business cards and company lanyards.
- The primary receptionist is at lunch; an HR representative is temporarily covering the front desk.
- The HR representative checks the calendar and confirms the CTO is also out for lunch.
- The HR representative logs the visitors in the system and directs them to wait in the lobby area.
- One visitor casually mentions, "We need to prepare our presentation. Could we get your guest Wi-Fi password?"
Facilitator Notes:
- Observe if participants identify this as a potential social engineering attempt
- Note if participants discuss visitor management protocols or visitor escort policies
DISCUSSION PROMPT: "Now what actions should be taken? Who is responsible for each action?"
INJECT 2: Discovery of Theft (Day 1 - 12:45 PM)
Situation:
- The HR representative briefly leaves the reception desk to use the restroom.
- Upon returning, they immediately notice:
  - The visitors are no longer in the lobby
  - Their corporate laptop, which was left unlocked on the desk, is missing
  - Several pieces of mail containing potentially sensitive information are also gone
  - The visitor log shows the visitors have not signed out
- Initial review of security camera footage shows the visitors entering a stairwell
- The HR representative notifies their supervisor and the security team, admitting they did not lock their workstation when stepping away.
Facilitator Notes:
- Focus on immediate containment actions and initial response
- Assess if participants recognize the need for account lockouts and security alerts
DISCUSSION PROMPT: "Now what immediate actions should be taken? Who needs to be notified?"
INJECT 3: Confirmation of Data Breach (Day 3 - 10:15 AM)
Situation:
- The security team has implemented the following measures:
  - Reset the HR representative's credentials across all systems
  - Deployed enhanced monitoring for unusual network activity
  - Reviewed access logs for signs of unauthorized access
  - Conducted an initial inventory of potential data exposure based on the device contents
- No suspicious network activity has been detected within the environment
- The executive leadership team receives the following email from an anonymous sender using a ProtonMail account:
Subject: Your Data Security Incident
Executive Team,
We've acquired one of your corporate assets and sensitive documents. The HR representative's laptop contained numerous files of interest, including:
- Complete employee database with personal information
- Salary and compensation details for all staff
- Executive meeting notes and strategic plans
- Customer contracts and billing information
For verification, see the attached screenshot showing your internal directory structure and file listings.
We will be in touch with further instructions.
Facilitator Notes:
- Focus discussion on incident classification and escalation
- Assess if participants identify this as both a physical security incident and data breach
DISCUSSION PROMPT: "Now what? How does this change your response strategy?"
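The log review step from Inject 3 ("Reviewed access logs for signs of unauthorized access") as a worked defender-side example, added here and not part of the exercise script: given the stolen laptop's hostname and account and the theft time, it flags every later authentication event tied to that asset and distinguishes activity before the credential reset from attempts with revoked credentials afterwards. The hostnames, account names, timestamps, the 10.0.0.0/8 internal range and the log lines are all constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed scenario values (assumed names, not from the exercise script)
STOLEN_HOST = "HR-LAPTOP-07"
STOLEN_USER = "hr.frontdesk"
THEFT_TIME = datetime(2024, 5, 6, 12, 30)   # Day 1, 12:30 PM
RESET_TIME = datetime(2024, 5, 6, 14, 0)    # credentials reset later on Day 1
CORP_NET = ip_network("10.0.0.0/8")         # assumed internal address range

# Constructed sample lines: "date time user host result source_ip"
SAMPLE_LOG = """\
2024-05-06 11:58:02 hr.frontdesk HR-LAPTOP-07 SUCCESS 10.0.4.21
2024-05-06 12:05:40 jdoe ENG-LAPTOP-12 SUCCESS 10.0.4.30
2024-05-06 13:12:11 hr.frontdesk HR-LAPTOP-07 SUCCESS 10.0.9.77
2024-05-06 15:40:59 hr.frontdesk HR-LAPTOP-07 FAILURE 203.0.113.8
2024-05-06 16:02:03 jdoe ENG-LAPTOP-12 SUCCESS 10.0.4.30
"""

def parse_line(line):
    """Split one log line into a dict with a datetime timestamp."""
    date, time, user, host, result, src = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "user": user,
            "host": host, "result": result, "src": src}

def classify(ev, reset_time):
    """Label a post-theft event tied to the stolen device or its account."""
    if ev["ts"] <= reset_time:
        return "stolen asset active before credential reset"
    if ev["result"] == "FAILURE":
        return "attempt with revoked credentials after reset"
    return "SUCCESS after reset - verify the reset covered this system"

def review_access_log(text, host=STOLEN_HOST, user=STOLEN_USER,
                      theft_time=THEFT_TIME, reset_time=RESET_TIME):
    """Return every event after the theft that involves the stolen host
    or its account, labelled and marked if it came from outside CORP_NET."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["ts"] <= theft_time or (ev["host"] != host and ev["user"] != user):
            continue
        ev["category"] = classify(ev, reset_time)
        ev["external_source"] = ip_address(ev["src"]) not in CORP_NET
        findings.append(ev)
    return findings
```

Run against the sample, the function returns two findings: a successful login from the stolen laptop before containment, and a failed attempt with the revoked credentials from an external address after the reset.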
INJECT 4: Extortion Attempt (Day 3 - 3:45 PM)
Situation:
- A follow-up email arrives from the threat actor:
Subject: Your Options
Executive Team,
Since we haven't received any response, we're providing two straightforward options:
Option A: Pay 0.5 Bitcoin (approximately $30,000) within 48 hours to secure the return of your assets and our assurance that all copied data will be deleted.
Option B: Decline payment, and we will auction the data to interested parties and publish selected portions on public forums. Your clients and employees will be notified directly.
Payment instructions are attached. The clock is ticking.
- The CISO has confirmed the screenshot appears legitimate and contains sensitive information
- Legal counsel advises that this incident likely triggers regulatory notification requirements
- The information security team has prepared an impact assessment
Facilitator Notes:
- This is a key decision point - focus on the decision-making process, not just the outcome
- Explore both potential paths (payment vs. non-payment)
DISCUSSION PROMPT: "What is your organization's response? Pay or not pay? Who makes this decision, and what factors influence it?"
INJECT 5A: Outcome if Ransom Paid (Day 4 - 9:00 AM)
Situation:
- [WithPCI.com Company Name] decides to pay the ransom after consulting with legal counsel, cybersecurity insurance provider, and executive leadership
- The next morning, the security team discovers a package outside the main entrance
- The package contains:
  - The stolen laptop (powered off)
  - The missing mail (appears unopened)
  - A USB drive
  - A note reading: "Transaction complete. We've deleted our copies as agreed."
- The digital forensics team is standing by to examine the returned items
Facilitator Notes:
- Discuss handling of potentially compromised hardware
- Focus on verification and recovery processes
DISCUSSION PROMPT: "Now what actions should be taken with these returned items? What additional steps are needed?"
INJECT 5B: Outcome if Ransom Denied (Day 4 - 9:00 AM)
Situation:
- [WithPCI.com Company Name] decides against paying the ransom after consulting with law enforcement, legal counsel, and cybersecurity experts
- The CEO receives a new email containing:
  - Screenshots of a dark web marketplace listing with your company data for sale
  - A link to a Twitter post tagging [WithPCI.com Company Name] and multiple cybersecurity journalists
  - A message stating: "As promised. The bidding has begun."
- Initial media inquiries begin arriving at corporate communications
- The information security team detects increased scanning activity against company networks
Facilitator Notes:
- Focus on crisis communications and stakeholder management
- Discuss regulatory notification requirements and timing
DISCUSSION PROMPT: "Now what actions take priority? How do you manage the multiple aspects of this incident?"
INJECT 6A: Wrap-Up (Ransom Paid Path)
Situation:
- Forensic analysis of the returned laptop reveals:
  - Evidence of data exfiltration before return
  - Installation of persistent remote access tools
  - No evidence that data was actually deleted as promised
- Regulatory authorities require notification despite ransom payment
- Legal counsel advises potential liability remains
Facilitator Notes:
- Focus on long-term remediation strategies
- Discuss lessons learned and process improvements
DISCUSSION PROMPT: "What long-term actions must be taken? How will you prevent a similar incident in the future?"
INJECT 6B: Media Response (Ransom Not Paid Path)
Situation:
- Multiple media outlets are contacting [WithPCI.com Company Name] requesting official statements
- Journalists are directly messaging employees on LinkedIn and Twitter seeking insider information
- Screenshots of alleged [WithPCI.com Company Name] data are appearing on social media
- Customer service is receiving calls from concerned clients
Facilitator Notes:
- Focus on coordinated communications strategy
- Discuss employee guidance regarding media contacts
DISCUSSION PROMPT: "Now what is your media response strategy? Who communicates what to whom?"
INJECT 7B: Final Wrap-Up
Situation:
- 30 days after the incident:
  - Regulatory investigations are ongoing
  - Some customer attrition has occurred
  - Employee morale has been affected
  - Security improvements are being implemented
  - Costs continue to accumulate
Facilitator Notes:
- Focus on long-term recovery and organizational resilience
- Discuss metrics for measuring the impact and recovery
DISCUSSION PROMPT: "What are the key lessons learned? What changes to policies, procedures, and controls would prevent similar incidents?"
Exercise Debrief
Key Discussion Points:
- What went well in our response?
- What challenges or gaps were identified?
- What immediate actions should be taken to address identified vulnerabilities?
- How effective was our communication during the incident?
- What policy or procedure updates are needed?
Next Steps:
- Document all findings and recommendations
- Assign action items with clear ownership and deadlines
- Schedule follow-up to review progress on identified improvements
- Plan future exercises to test improvements