Cyber 3-2-1: What have a €60,000 fine, a €100,000 fine, and Multi-Factor Authentication (MFA) got in common?

Cybersecurity Without Insanity? It’s as simple as 3 – 2 – 1…
 
This week: What have a €60,000 fine, a €100,000 fine, and Multi-Factor Authentication (MFA) got in common? They are all mentioned in the 2022 Annual Report that has just been published by Ireland’s Data Protection Commission. You may not know it, but I’m a data protection nerd. However, given this data protection “thing” will never catch on, I’ll focus on lessons relating to cyber security.

 

3 – AN EMAIL BREACH AT THE TEACHING COUNCIL RESULTS IN A €60,000 FINE

Page 11 of the Annual Report confirms that The Teaching Council of Ireland was fined €60,000 by the DPC, following a data breach of two email accounts.

I covered this incident in a previous newsletter here. In summary, about 300 emails were auto-forwarded to cyber criminals after they gained access to the email accounts of two staff members. According to the DPC, the breach could have been avoided if the organisation had enabled Multi-Factor Authentication (MFA) on all email accounts.

Apart from the immediate cost of the attack and this fine, I think it’s safe to assume the organisation also incurred significant costs (both financial and time) engaging with the DPC during its investigation (as evidenced in the detailed report published by the DPC here).

 

2 – AN EMAIL BREACH AT A CARE HOME GROUP MAY RESULT IN A €100,000 FINE

Page 24 of the Annual Report states that Virtue Integrated Elder Care Ltd, an operator of 4 nursing homes, may be fined €100,000 by the DPC (subject to court approval), following a data breach of a staff member’s email account.

Similar to the attack on The Teaching Council, it succeeded when a criminal gained access to an email account by guessing the user’s password.

I know GDPR tells us that we must have ‘appropriate technical and organisational security measures’, but it does not give us many specific examples of such measures. Reports from the DPC fill that gap. Here’s just one line from the DPC’s report on this case:

“[T]he failure to implement multi-factor authentication, conditional access and mobile device management greatly increased the possibility of a data breach occurring as the result of a phishing attack.”

 

1 – THE BIGGEST RISK OF ADVICE? NOT IMPLEMENTING IT!

Case Study 16 in the DPC report explains why seeking advice is only valuable if you implement the advice.

This case study involves a Hospice Care Centre that uses Microsoft Office 365 as its email system. The organisation paid for a third party IT consultancy to audit this environment. The consultants provided a number of recommendations, including enabling Multi-Factor Authentication (MFA) on all user accounts.

Before the recommendations were implemented, a cyber criminal subsequently accessed a staff member’s email account after they guessed the user’s password. According to the DPC report, “this breach could likely have been prevented if the recommendation of the audit were introduced in a timely manner”.

 

The key takeways from these 3 cases?

• MFA, MFA, MFA – Engrave it on your brain (even if you don’t engrave it on your drinking glasses.)
• A criminal gaining unauthorised access to an email account is a personal data breach (in 99% of scenarios), regardless of what the criminal does with that access. In Europe, organisations should report such personal data breaches to their data protection regulator. In the three cases that I’ve mentioned today, the regulator chose to investigate how each one happened. So, if you’re going to be the victim of a cyber attack that may attract the attention of your regulator, try to learn from past attacks so you’re not the victim of a common attack.
• The cost of a cyber attack is not just the immediate cleanup and recovery. Recovery from the attack may be relatively quick, but reaching the conclusion to a regulatory investigation is seldom quick or cheap, and the timeline is out of your control. And in some cases, the investigation can become part of a permanent public record.
• When you seek advice on how to improve your security*, make sure the advice is going to be clear, pragmatic, and actionable, and that you are ready to start implementing the advice in a timely manner.
  Progression is far more important than Perfection.

 

* From someone like me!
 

PS To listen to Cyber 3-2-1 and a roundup of my other articles this week:All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.