Incident Report IR-2025-1021: Access Governance & Privilege Containment
| Attribute | Detail |
| --- | --- |
| Date of Incident | October 21, 2025 |
| Impacted CIA Component | Integrity and Availability |
| Primary Gaps Identified | ISO 27001 Annex A 8.2 (Privileged Access Rights), Annex A 8.15 (Logging and Monitoring) |
| Status | Remediated & Closed |
Executive Summary
On October 21, 2025, an authorized user with excessive privileges performed unauthorized modification and deletion events across core institutional Shared Drives. The incident resulted in the moving and trashing of academic materials and the restructuring of directory hierarchies outside standard operational workflows. The account was suspended, containment via external gateway blocks was recommended, and availability was restored using Google Drive recovery and rollback functionality. Systemic remediation was performed to transition Shared Drive access rights to least-privilege defaults.
Context
The environment consists of a distributed multi-campus directory serving approximately 3,000 active users and 400 staff members. Because of the size and geographical distribution of the campuses, administration relies heavily on delegated access control within Google Workspace Shared Drives to partition departments, administrative offices, and academic bodies.
Challenge
At 11:03 AM on the day of the incident, administrative alerts and user reports indicated a sudden loss of access to files in shared academic directories. An actor was actively modifying folder titles, altering settings on folders belonging to senior leadership (such as "Office of the Principal" and "Foreign Teachers"), and executing mass-deletion commands, placing hundreds of files in the system trash. The immediate challenge was to identify the origin of the activity, stop the ongoing file modifications, assess the breadth of the impact, and restore access without data loss.
Investigation
A log analysis was conducted using Google Workspace Admin Console audit logs. The investigation traced the actions chronologically:
- Vector: The activity was traced to two distinct IP addresses, including a sensitive external gateway.
- Containment Phase (11:03 – 11:19 AM): The actor executed mass "Trash" events targeting the "Teacher Drive" and "Pre Testing" repositories. Impacted files included .pdf, .docx, and .ppt academic materials.
- Unauthorized Modification (11:14 – 11:18 AM): Drive integrity was compromised via unauthorized renaming and settings overrides on core Shared Drives, including the principal's office and foreign educator repositories.
- Restructuring (11:19 – 11:27 AM): The actor created new folder hierarchies and began moving existing institutional data, representing an unauthorized administrative bypass.
Findings & Root Cause Analysis
The investigation identified two critical security control failures:
Primary Failure: ISO 27001 Annex A 8.2 (Privileged Access Rights)
The actor maintained excessive permissions that exceeded their operational requirements. They held full "Manager" or "Editor" access on Shared Drives that should have been restricted to read-only or comment-only, permitting mass deletion and settings overrides.
Secondary Failure: ISO 27001 Annex A 8.15 (Logging and Monitoring)
While comprehensive audit logs were captured, no automated real-time alert triggers existed to flag or automatically halt mass-deletion actions, delaying initial detection.
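As an added example that is not part of the original report, the kind of real-time trigger this finding calls for: a sliding-window detector run over constructed Drive-audit-style events that flags an actor whose trash volume crosses a threshold, alongside the per-actor event summary an analyst produces first when reconstructing the timeline. The event tuple shape, actor names, event names and thresholds are assumptions for illustration, not the Workspace audit API's actual schema.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (actor, ISO timestamp, event name, item title)
# modelled loosely on Drive audit activity; they are not real log data.
def make_sample_events():
    base = datetime(2025, 10, 21, 11, 3)
    stamp = lambda secs: (base + timedelta(seconds=secs)).isoformat()
    # One actor trashes 30 items in under five minutes, then renames a folder.
    events = [("actor.a@example.edu", stamp(10 * i), "trash",
               f"Teacher Drive/lesson_{i}.pdf") for i in range(30)]
    events.append(("actor.a@example.edu", stamp(660), "rename",
                   "Office of the Principal"))
    # A second actor trashes three drafts over three minutes: normal volume.
    events += [("staff.b@example.edu", stamp(60 * i), "trash",
                f"draft_{i}.docx") for i in range(3)]
    return events

def _parse(event):
    actor, ts, name, title = event
    return actor, datetime.fromisoformat(ts), name, title

def detect_mass_trash(events, threshold=20, window=timedelta(minutes=5)):
    """Return one alert per actor whose 'trash' events reach `threshold`
    within any sliding `window`; the alert records when the burst began."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)          # actor -> timestamps still in window
    for actor, t, name, _ in sorted(map(_parse, events), key=lambda e: e[1]):
        if name != "trash":
            continue
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:         # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "burst_start": q[0].isoformat(),
                           "count": len(q)})
    return alerts

def summarize_by_actor(events):
    """Per-actor event counts by type: the first cut of an audit-log review."""
    summary = defaultdict(Counter)
    for actor, _, name, _ in map(_parse, events):
        summary[actor][name] += 1
    return {actor: dict(c) for actor, c in summary.items()}
```

Wired to a real log feed, the alert would suspend the account or page an administrator; here it simply returns the burst so the rule can be tuned against normal volumes first.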
Actions Taken
The response was executed in two phases:
- Immediate Containment & Recovery:
  - Suspended the compromised user account to halt active modifications.
  - Initiated a bulk restoration of data using Google Drive trash and native recovery tools, successfully restoring file Availability and folder hierarchies to maintain Integrity.
  - Recommended blocking of the identified external gateway access points in subsequent containment discussions.
- Long-term Corrective Action:
  - Implemented Annex A 5.18 (Access rights) across the entire domain.
  - Transitioned all Shared Drive permissions to a "View/Comment" default for non-owner staff.
  - Established a mandatory, documented approval workflow for any staff requesting "Editor" or "Manager" permissions.
Outcomes
The immediate recovery process resulted in the complete restoration of all affected directories without institutional data loss. The long-term policy adjustments eliminated excessive permissions across the directory, significantly decreasing the risk of subsequent modification or data destruction events by restricting administrative roles to verified, authorized personnel.