A local charity experienced a phishing attack, which resulted in unauthorised access to a staff member’s email account by an external party. The threat actor then sent phishing emails from this account.
What happened?
One of the Office of the Data Protection Authority’s (“the Authority”) main concerns was the notification of affected individuals who had previously engaged with the organisation through the compromised account. The organisation handles sensitive and, in some cases, special category data, so the breach potentially posed a high risk to the significant interests of some of these people.
The Authority highlighted to the organisation that the risk was not just limited to those who may have received a phishing email but also any individuals identifiable within the compromised account. The Authority informed them of the requirement under the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”) to notify affected individuals of high-risk data breaches.
The organisation confirmed they had notified the people who had received the phishing email but were initially reluctant to notify the people whose personal details may have been identifiable within the compromised account. The Authority expressed concerns that the threat actors may contact any email addresses acquired through the compromised account, thereby increasing the risk of harm posed to those individuals.
The organisation felt it was not feasible to notify everyone potentially affected, due to the volume of emails compromised and the work required to review that information. Furthermore, they raised concerns regarding potential harms to certain people if they were notified that their personal details had been breached. Ultimately, the organisation did instruct their IT provider to review the email account and identify any affected individuals, intending to risk assess on a case-by-case basis whether notification was appropriate.
The Authority raised concerns that the decision to notify these people was unnecessarily delayed. After a significant amount of time, the organisation’s IT provider said it was unable to conduct the review requested. The organisation therefore performed a manual review of its own internal systems, which gave it what it needed to carry out a risk assessment of each person and determine who should be notified.
Consequently, additional notifications were sent to the relevant individuals almost three weeks after the organisation first identified the breach.
On review of the organisation’s governance addressing personal data breaches, the Authority determined that their Incident Response Plan was insufficient and required updating to properly assess risks posed to individuals and ensure timely and effective action is taken once a breach has been identified.
Why is this important?
The Law requires organisations to notify affected individuals of a personal data breach if it is likely to pose a high risk* to their significant interests.
This is a critical step and a powerful mitigation tool when considering the potential risk to affected individuals following a personal data breach.
The risk to individuals increases the longer they are unaware, as they cannot take the necessary steps to protect themselves. The Law therefore requires that notification occur as soon as practicable.
An organisation’s failure to promptly notify people potentially affected by a high-risk breach can pose a significant risk to them. Governance should be designed to both inform staff of this requirement as well as guide them through the appropriate considerations that should take place when a breach is considered potentially high risk.
*note: this does not prevent organisations from notifying individuals when the risk is not deemed high. Notification can still be a positive step, depending on the circumstances.
What can be learned from this?
Best practices and an incident response plan should be established before a breach occurs. It is the controller’s responsibility to understand its data, systems and third-party providers so that prompt and effective action can be taken when a breach is identified. Reliance on a third party can lead to overlooking straightforward solutions that could be carried out internally, and in parallel with the third party’s work.
This can be actioned through proper governance and a detailed Incident Response Plan, which can guide staff through the necessary considerations, both under the Law and specific to the organisation. Had the organisation fully understood their systems and IT provider’s capabilities, the manual review could have been undertaken immediately, facilitating their risk assessment and prompt notification of individuals.
When determining the next steps in response to a phishing attack, organisations should consider not only the individuals who received a phishing email but also any individuals identifiable within the account to which the threat actor had access.
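The distinction drawn above, between people who received a phishing email and everyone identifiable within the compromised account, is the core of the review the organisation eventually did by hand. The following is an added illustration, not code from the Authority, the charity or its IT provider, of how a defender could triage an export of a compromised mailbox to build both lists and gather the context needed for a case-by-case risk assessment. The account address, the three sample messages and the compromise timestamp are all constructed for the example; a real review would run over the full mailbox export and would still need a human to assess each individual.

```python
import email
from datetime import datetime, timezone
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Hypothetical compromised account (assumption for this example).
COMPROMISED_ACCOUNT = "staff@charity.example"

# Assumed time the attacker gained access; anything sent from the account
# after this point is treated as attacker activity (assumption for this example).
COMPROMISE_START = datetime(2024, 6, 5, tzinfo=timezone.utc)

# Constructed sample messages standing in for a mailbox export.
RAW_MESSAGES = [
    # Legitimate correspondence before the compromise.
    "From: staff@charity.example\n"
    "To: Alice <alice@example.org>\n"
    "Cc: bob@example.net\n"
    "Date: Mon, 03 Jun 2024 09:15:00 +0000\n"
    "Subject: Appointment\n\n"
    "Hi Alice, confirming Tuesday.\n",
    "From: carol@example.com\n"
    "To: staff@charity.example\n"
    "Date: Tue, 04 Jun 2024 14:02:00 +0000\n"
    "Subject: Re: Support request\n\n"
    "Thanks for your help.\n",
    # Phishing sent from the account after the attacker gained access.
    "From: staff@charity.example\n"
    "To: alice@example.org, dave@example.org\n"
    "Date: Thu, 06 Jun 2024 08:30:00 +0000\n"
    "Subject: Shared document\n\n"
    "Please review the attached document.\n",
]


def parse_messages(raw_messages):
    """Parse raw RFC 5322 text into email.message.Message objects."""
    return [email.message_from_string(raw) for raw in raw_messages]


def triage(messages, compromise_start, account=COMPROMISED_ACCOUNT):
    """Split the people in a compromised mailbox into the two groups the
    Authority distinguishes: recipients of attacker-sent mail, and everyone
    identifiable in the account. Also collect per-person context (dates and
    subjects) to support a case-by-case risk assessment."""
    account = account.lower()
    phished = set()
    identifiable = set()
    context = {}

    for msg in messages:
        sent_at = parsedate_to_datetime(msg.get("Date", ""))
        sender = parseaddr(msg.get("From", ""))[1].lower()
        recipients = {
            addr.lower()
            for _, addr in getaddresses([msg.get("To", ""), msg.get("Cc", "")])
            if addr
        }

        # Every address in the headers, other than the account itself,
        # is a person identifiable from the mailbox contents.
        people = (recipients | {sender}) - {account}
        identifiable |= people
        for person in people:
            context.setdefault(person, []).append(
                (sent_at.isoformat(), msg.get("Subject", ""))
            )

        # Mail sent from the account after compromise is attacker activity,
        # so its recipients are the people who received a phishing email.
        if sender == account and sent_at >= compromise_start:
            phished |= recipients - {account}

    return {
        "phished_recipients": sorted(phished),
        "identifiable_individuals": sorted(identifiable),
        # People the organisation would miss if it only notified phishing recipients.
        "notify_beyond_phished": sorted(identifiable - phished),
        "context": context,
    }


if __name__ == "__main__":
    result = triage(parse_messages(RAW_MESSAGES), COMPROMISE_START)
    for key in ("phished_recipients", "identifiable_individuals", "notify_beyond_phished"):
        print(f"{key}: {result[key]}")
```

Running it on the constructed sample shows two people who received the phishing email and two more (a Cc'd contact and an earlier correspondent) who would be overlooked if only phishing recipients were notified; the per-person context list is what a reviewer would use when assessing the risk, and appropriateness of notification, for each individual.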
“When your organisation is hit with a cyber-attack, time is of the essence,” said Commissioner Homan.
“Having a plan, and reacting quickly to notify victims is critical to protecting them from harm.”
Technical background
Section 43(1) of the Law states…
“Where a controller becomes aware of a personal data breach that is likely to pose a high risk to the significant interests of a data subject, the controller must give the data subject written notice of the breach as soon as practicable”