15th January 2019 | Posted in Cyber Security
Staff at the head office of Numbers Work, a fictional accountancy practice, have been sent a phishing email. The email looked legitimate, and a member of staff clicked on a link through to a spoof website. The website wasn’t legitimate, and 2 months later, disaster strikes!
Fred Jones, Numbers Work IT admin, is clearing out the company’s public email inbox, deleting the usual junk and spam. As he is doing this, one particular email stands out and Fred immediately fears the worst.
“We have more where this came from and we will be in touch with our demands”
The message appears below someone’s name, credit card details and email address.
Fred hopes that it is a hoax, but he isn’t able to take the risk: he has to go in and see the company security officer, Liam Wilson.
“Do we know if this is a genuine credit card number, and more importantly, is it one of our customers?” Liam asks. Fred admits he doesn’t yet know.
“Ok, well when did we get this email?” Liam scowls.
“Well, it came in yesterday, after I had left work, so I didn’t see it until this morning”
“So, you’re telling me we are already over 12 hours into this?”
“Yeah, afraid so” Fred says with trepidation.
“A second email has come in, it’s a ransom demand for £25,000 in bitcoin, they say we have up until midnight tonight to pay, otherwise they will be deleting all of our customer records” Fred tells Liam.
In a panic, Liam shouts “I thought they only had one?”
“No” says Fred “they claim that they’ve got them all”.
Liam now has little option: he has to call the company’s legal counsel, Aimee Lawton, for advice.
“Obviously this is a potential breach, so do not reply to that message. I’ll need to review existing legislation so we know where we stand” Aimee tells Liam.
Liam’s head is now swimming: what about the police, the Information Commissioner? What about GDPR? Who do they need to notify?
Things are going from bad to worse for Numbers Work: the hackers have posted a raft of customer names and credit card numbers on a public website for sharing text and source code. To make matters worse, Liam has now confirmed the data is genuine.
“What is our data breach policy?” Aimee asks.
“Doesn’t that come from you?” says Liam.
“Aren’t you the data protection officer?” Aimee asks Fred.
“No, it isn’t me…” It’s at this point that Liam realises that he is the data protection officer.
Sophie Bradshaw, the firm’s head of PR, is now involved in proceedings. “Rather obviously this isn’t looking good, we could get absolutely hammered for this, we have failed to protect our customers’ private data”.
Sophie Bradshaw has drafted a public statement but doesn’t suggest releasing it until people start asking questions.
“Don’t use the word breach in the statement” Aimee says, thinking of the legal ramifications.
Fred then bursts into the room “We’ve found some malware, an email came in that went to quarantine, it had an attachment, that could be it!”
“Tell me you didn’t click on it, did you?” Liam asks, fearing his day was about to go from bad to worse.
“Erm, well, I thought it might speed things up…”
As Liam rolls his eyes, Aimee turns the conversation towards informing the Information Commissioner’s Office: “We can report it online, but we need to tell them what we did to mitigate the problem”.
“We were supposed to update our threat detection software last year, but timescales slipped and it kind of didn’t happen” Liam winces.
“Make sure you don’t tell the ICO that” Aimee advises. “We need to show adequate controls in place; if we can’t, we could be in serious trouble. Not only that, but it might prevent the cyber-attack insurance people from paying out”.
Later in the day Liam confirms that the latest phishing email was a red herring, but tells the team “They found a phishing email from 2 months ago that linked to a log-in page that looked like our cloud provider, that’s how they got in”.
“We have to handle things better from now on. This will happen again, and it’s only going to get worse”.
By reacting late, Numbers Work were always on the back foot. Hackers dictate the pace in these situations, so it is important to move quickly.