Table of Contents
Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process of either encrypting or removing personally identifiable information from data sets so that the people whom the data describe remain anonymous. This is required by law in different countries. Before we explain the Anonymisation of data, we want to answer a few questions regarding data security & privacy:
- Where is LUCY storing and processing data? Lucy can be installed On-Site or on a cloud server. All data is stored within LUCY, no matter where it is installed. No LUCY employee has access to the client's data, unless it was approved in written by the client.
- Where is data sent? No personalized information that falls under GDPR ever gets transmitted outside of LUCY. As you can see in this chapter, LUCY uses some connections to centralized servers (e.g. update server). This is only for maintenance reasons and to maintain the functionality.
- Do we have a data processing agreement: We do. Please visit this chapter
- Protecting personal data: Lucy encrypts the data and offers many possibilities to secure access to the data.
- Collecting personal data: In certain countries, you are not allowed to collect personalized data (e.g. who failed a phishing simulation and who did not pass a training). In such a case you need to enable anonymous mode in LUCY. This will be described in the next chapter.
What type of data can get logged in LUCY?
LUCY needs in minumum only email adresses (or in case of Smishing attacks phone numbers). In case of anonymization there is no personalized data logged at all. The following (not complete) list shows all the information that can be collected within a phishing or awareness campaign. Please note that every client can decide what data gets logged within a campaign.
- Emails Opened: Recipients opened the email
- Link Clicks: Recipients clicked the link in the email
- Successful Attacks: Recipients submitted data in a form (e.g. login data that is submitted via a form based POST request), clicked on a link, executed a file etc.
- Hourly Stats: Page views, link clicks, successful attacks, invalid submits, etc.
- Daily Stats: Page views, link clicks, successful attacks, invalid submits, etc.
- Recipient Criteria's: Based on the usage of additional fields in the recipients list you can sort and filter the statistics for each field
- Operating System Of recipient. This information is based on the user agent string
- Browser type of the recipient
- Browser Plugins of the recipient
- IP: Remote IP address of your recipient.
- Vulnerable Browser | Vulnerable Client: Based on the user agent, LUCY will tell you if there is any vulnerability.
- Time based stats: How long does the user stay on each landing page
- User history: Historical user statistics
- Awareness stats: Number of users trained, % correct questions, training results, users who did not start/finish training etc.
Anonymisation of personal data within a campaign
Within a campaign you can enable anonymous mode in the base settings:
Please note that this operation cannot be undone!
The personal information is then no longer visible:
If you also want to anonymize additional statistical data (browser, IP, etc.), you can set this in the advanced settings:
Additional anonymization options are possible in LUCY (under /settings/advanced settings):
Every campaign needs a recipient group to work. The recipient group are the users who receive the attack simulation or awareness content. You can create multiple groups for a single campaign. Groups can be used within LUCY to target users with specific phishing or training campaigns. Many organizations start by grouping users by department, location (if you have multiple office locations), or even domains (if there are multiple domains). The recipients can be in any number of groups and you can set up an unlimited number of groups.
How to Enter Your Recipients?
Recipients and groups can be configured under Admin/Recipients.
You can either add them manually (1), import them (2) or search the internet by using the "SCAN FEATURE" (3). The groups are always defined globally and you can re-use them among different campaigns.
We recommend importing them because it will enable you to create a custom text file with additional information about each target user (e.g. defining the division or location where they work). This information can later be used for automatic analysis and statistics. The more information you provide, the better.
Note: Searching the internet without a Bing or Google API won't get you the same results as if you searched directly with a search engine.
Process of anonymization
The recipients for the campaign can be imported via file or via LDAP. The recipients can contain the following attributes:
- 1.Email - Recipient's e-mail address
- 2.Name - Recipient's name
- 3.Staff - Job position or related
- 4.Location - Recipient's location
- 5.Division - Company division
- 6.Comment - Any custom comment
- 7.Link - Unique link part for the Landing Page.
- 8.Phone - recipient phone number
- 9.Language - recipient language
Once you imported the recipients, you have to associate the recipients with a specific campaign(attack simulation or awareness training):
After you start a campaign in anonymous mode you will only be able to see general statistics:
If you have less than 10 employees in a division, location etc, the marked stats will also not be visible: