Cyber Attack – What would your firm do?

There has been a lot of media coverage recently regarding cyber-attacks, with British Airways being the latest major organisation to be targeted.

What should you do in the event of a cyber-attack in the age of GDPR? Security firm Forcepoint recently ran an exercise to highlight the potential dangers.

Scenario

IT staff at a fictional company’s head office have been suckered by a phishing email. Someone clicked on a link to a spoof website because they thought the email looked legitimate. It wasn’t. That was two months ago. Today sees the fallout of their actions.

Tuesday 8.30

The IT administrator finds an email from the previous night in the company’s public inbox containing a customer’s name, credit card details and email address. The senders say they have more where this came from and will be in touch with demands shortly.

Tuesday 13.30

A second email comes through with a ransom demand for £15,000 in the Litecoin cryptocurrency. It tells them they have to pay by 22.00 BST or the attackers will delete all the customer records.

Unsure about who needs to be notified of the incident and what to do about GDPR, the firm’s security officer calls the firm’s legal counsel for advice.

Tuesday 15.30

Things are spiralling out of control. The hackers have posted a sample of customers’ names and credit card numbers on a public text-sharing website.

The data has been confirmed genuine and everyone involved is trying to work out their options, but nobody knows what the data breach policy is or even who the data protection officer is. One idea is to shut down the website. Meanwhile, customers are being directed to the site for a promotional offer.

Tuesday 17.00

The PR team have drafted a statement but don’t plan to release it until people ask questions.

IT has now found another email containing malware and opens it up to investigate it.

Legal counsel suggests informing the Information Commissioner’s Office (ICO), but it has emerged that the business hasn’t got the latest threat detection software, meaning they might not be covered by insurance.

How should they have reacted?

Experts believe they should have moved quickly to ensure that attackers could not dictate the pace. The firm’s lack of a data breach policy or awareness of roles has left it vulnerable.

The firm should have prepared a data breach plan with step-by-step actions to take and rehearsed it with staff so that everyone knows what to do and what their roles are.

Information should have been gathered for the ICO to show how the incident was handled, and the firm should have sought advice from its cyber insurance provider.

A statement should be prepared for customers informing them of what has happened and how the firm is going to fix the damage.

They should have identified the cause of the breach and forced the infected devices offline before restoring lost data from back-ups.

Most importantly, a business should never pay the ransom because there’s no guarantee they will get the data back.

For professional legal advice regarding GDPR contact David Scott on 01904 528223 or email ds@hethertons.co.uk.