Unauthorized access incidents often unfold stealthily: a password spraying attack yields a small number of valid credentials, and the intrusion then proceeds as ordinary use of legitimate accounts. This study reconstructs a real-world incident from system logs drawn from the Identity Provider/Single Sign-On (IdP/SSO) platform, the Security Information and Event Management/Endpoint Detection and Response (SIEM/EDR) stack, and application-level sources. The attack techniques were mapped to the MITRE ATT&CK framework, focusing on T1110 (Brute Force; password spraying is sub-technique T1110.003) and T1078 (Valid Accounts). A Data Protection Impact Assessment (DPIA) was conducted under the Indonesian Personal Data Protection Law (Law No. 27 of 2022), complemented by a gap assessment against ISO/IEC 27001 and 27002 controls. The results show that the attack's success was driven by incomplete Multi-Factor Authentication (MFA) deployment, the continued use of legacy/basic authentication (which bypasses MFA), weak adaptive rate-limiting and lockout mechanisms, and a monitoring system limited to alert-only functions with no automatic response. The DPIA identified exposure of thousands of personal data records with medium-to-high privacy risks, particularly confidentiality breaches and identity impersonation, which may require notification to the authority and to affected data subjects. The study recommends enforcing MFA across all access channels, disabling legacy authentication, implementing risk-based or step-up authentication, activating automatic blocking for password spraying and impossible travel anomalies, extending DPIA coverage to control changes, and updating the Statement of Applicability to reflect modern security controls. Strengthening identity protection and adopting preventive monitoring are shown to significantly reduce privacy risks while easing compliance obligations.
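The two anomalies the study recommends blocking automatically, password spraying and impossible travel, can both be detected from the IdP/SSO sign-in log alone. The following is an added example, not code or data from the study: it runs both detectors over a handful of constructed sign-in events (RFC 5737 documentation IPs, approximate coordinates, a 10-minute/5-account spraying threshold and a 900 km/h travel threshold are all assumptions of this example) and shows how the T1110 spray and the T1078 valid-account login that follows it appear as one chain. The event field names and function names are this example's own.

```python
"""Detection logic for password spraying and impossible travel over
constructed IdP/SSO sign-in events. Added example; not from the study."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed events in the shape a typical IdP audit log exposes:
# (timestamp, user, source IP, result, auth protocol, latitude, longitude).
# IPs come from the RFC 5737 documentation ranges; coordinates are rough.
RAW_EVENTS = [
    ("2025-03-01T09:00:00", "frank", "198.51.100.24", "SUCCESS", "modern", -6.2, 106.8),
    ("2025-03-01T09:10:00", "alice", "203.0.113.7",   "FAILURE", "legacy", 50.1, 8.7),
    ("2025-03-01T09:11:00", "bob",   "203.0.113.7",   "FAILURE", "legacy", 50.1, 8.7),
    ("2025-03-01T09:12:00", "carol", "203.0.113.7",   "FAILURE", "legacy", 50.1, 8.7),
    ("2025-03-01T09:13:00", "dave",  "203.0.113.7",   "FAILURE", "legacy", 50.1, 8.7),
    ("2025-03-01T09:14:00", "erin",  "203.0.113.7",   "FAILURE", "legacy", 50.1, 8.7),
    ("2025-03-01T09:15:00", "frank", "203.0.113.7",   "SUCCESS", "legacy", 50.1, 8.7),
    ("2025-03-01T09:20:00", "alice", "198.51.100.31", "FAILURE", "modern", -6.2, 106.8),
    ("2025-03-01T09:21:00", "alice", "198.51.100.31", "SUCCESS", "modern", -6.2, 106.8),
]


def parse_events(raw):
    return [dict(ts=datetime.fromisoformat(ts), user=u, ip=ip, result=r,
                 proto=p, lat=la, lon=lo) for ts, u, ip, r, p, la, lo in raw]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP whose failed logins hit >= min_accounts distinct users
    inside one sliding window (few passwords, many accounts: T1110.003).
    Per-account lockout never fires because each account sees one failure.
    Returns {ip: sorted list of targeted users}."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            targets = {f["user"] for f in fails[start:end + 1]}
            if len(targets) >= min_accounts:
                alerts[ip] = sorted(targets)
    return alerts


def spray_successes(events, spray_alerts):
    """Successful logins from an IP already flagged as spraying: the valid
    accounts (T1078) the spray produced. Returns [(user, ip, protocol)]."""
    return [(e["user"], e["ip"], e["proto"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in spray_alerts]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Compare each user's consecutive successful logins; flag a pair whose
    implied ground speed exceeds max_kmh (about airliner speed, an assumed
    threshold). Same place at the same instant is not flagged."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


def block_decisions(events):
    """Turn detections into the preventive action the study recommends:
    block the spraying IP and force step-up (or session revocation) for any
    user hit by a spray success or impossible travel.
    Returns (ips_to_block, users_to_step_up)."""
    spray = detect_password_spray(events)
    users = {u for u, _, _ in spray_successes(events, spray)}
    users |= {a["user"] for a in detect_impossible_travel(events)}
    return set(spray), users


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("spray:", detect_password_spray(evs))
    print("spray hits:", spray_successes(evs, detect_password_spray(evs)))
    print("impossible travel:", detect_impossible_travel(evs))
    print("actions:", block_decisions(evs))
```

On the constructed events the spraying IP is flagged after five distinct accounts fail within ten minutes, the legacy-protocol success for `frank` from that IP is reported as the resulting valid-account login, and `frank`'s two successful logins fifteen minutes apart from Jakarta and Frankfurt trip the impossible-travel check; `alice`'s own single failure followed by success is not flagged by either detector. In production the "legacy" protocol on the successful login is itself the signal that MFA was never applied, which is why the study recommends disabling legacy authentication rather than relying on detection alone.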
Copyright © 2025