This week:

My focus is on the Irish Data Protection Commission’s 2023 report, which was released earlier this week. You can access the report here: https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2023-annual-report.

While the DPC regulates some of the ‘Too Big To Care’ companies that you may have heard of (e.g. Facebook / Meta, Microsoft, Google, TikTok, LinkedIn, X), let’s not worry about those bit-part players.

Here are 3 of the many interesting stories in this 148 page-turner:

3 – One school learns why Multi-Factor Authentication is my favourite subject.

2 – One health provider realises the cost of a ransomware attack is not just the ransom demand.

1 – One telco demonstrates how ignoring direct marketing laws must be a profitable endeavour.


3 – One school learns why Multi-Factor Authentication is my favourite subject.

“The DPC received a breach notification from a school in relation to a bad actor who accessed and infiltrated a school’s ICT systems, including the email system, for an unknown length of time.”

This is from Case Study 23, on page 131 of the report. The school’s financial administrator received an email from the school principal’s email account, asking them to pay a supplier’s invoices. “However the bank account details [stated on the invoices] were manipulated by the bad actor to redirect the payment to an unknown recipient. [..] The breach was discovered when the legitimate supplier reported that they had not been paid.”

So what?

“The DPC [..] recommended that the school take a number of actions to recover from the breach and mitigate against a recurrence including the implementation of Multifactor Authentication”. In other words, if one of your important online accounts is only protected with a username and password, it’s an easy target for a cyber attacker.


2 – One health provider realises the cost of a ransomware attack is not just the ransom demand.

“The [DPC] Inquiry was commenced following a ransomware attack affecting patient data held on Centric’s patient administration system. Over 70,000 patients were affected by access to, unauthorised alteration of, and loss of availability of their personal and special category data. Some 2,500 patients were permanently affected as their data was deleted with no backup available. The Decision reprimanded Centric and imposed fines totalling €460,000.”

This is an extract from page 33 of the Annual Report, and relates to a DPC investigation of a ransomware attack at an Irish healthcare provider. Further details of the investigation are not included as a case study in the Annual Report (even though the organisation’s name appears across 5 pages in the Annual Report). A 50-page report was published by the DPC in early 2023 which includes detailed information on the organisation’s actions before, during, and after the attack.

Whatever about the €460,000 fine, I doubt anyone in the organisation is too happy to know that the following statements will be publicly accessible on the DPC’s site for the next number of years:

  • “[The organisation] had a range of Data Protection Governance policies and procedures in place to ensure the accuracy and security of patients’ personal data. However, these policies were not adhered to and the steps within them were not carried out at the determined intervals”. (page 22).
  • “[The] server was fully exposed to the internet with a password that “could have been brute forced without too much difficulty” and many unsuccessful attempts were made to log in to the account prior to successful log in”. (page 23)
  • “[The] network firewall was fully exposed, allowing all inbound and outbound traffic through” (page 24)
  • “[The organisation] indicated that it was “satisfied that the appropriate measures were implemented to secure the processing of personal data at the time of the breach”. However with reference to the measures detailed above, [The DPC] find that there is very little basis for this assertion. [The organisation’s] failure to implement industry standard measures such as complete patch application, encryption of data at rest, appropriate levels of server security and failure to ensure an appropriate level of security of passwords and log in credentials demonstrates that adequate technical security measures were not in place” (page 25)
  • “The processing by the ransomware bad actor was unauthorised and unlawful. The processing by [the organisation] itself in the immediate aftermath of the ransomware attack resulted in processing causing permanent accidental loss of some personal data. In the circumstances as outlined above, I find that the lack of appropriate measures to prevent the placement and execution of ransomware on this system and the subsequent steps taken by [the organisation] that permanently deleted some of the personal data amounted to an infringement’ of GDPR.” (page 28)
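The finding above that the server was fully exposed to the internet and saw many unsuccessful log-in attempts before a successful one is exactly the pattern an organisation’s own logs can surface, if anyone is looking. As an added example (not code from the DPC report or from the organisation involved), here is a small Python detector that reads SSH-style authentication log lines and flags any successful login that was preceded by a run of failures from the same source for the same account. The log format, the failure threshold, and the IP addresses in the constructed sample are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the DPC report or any real system).
# One source racks up six failures for "admin" and then gets in; a second
# source fails once for "alice" and then succeeds, which is ordinary user error.
SAMPLE_LOG = """\
2024-05-01T02:14:01Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:03Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:04Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:06Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:07Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:08Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T02:14:09Z sshd: Accepted password for admin from 198.51.100.7
2024-05-01T09:00:00Z sshd: Failed password for alice from 203.0.113.5
2024-05-01T09:00:30Z sshd: Accepted password for alice from 203.0.113.5
2024-05-01T09:01:00Z kernel: unrelated line that should be ignored
"""

# Assumed line format: "<timestamp> sshd: (Failed|Accepted) password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_lines(text):
    """Yield one dict per parseable auth event; silently skip other lines."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def find_bruteforce_then_success(text, threshold=5):
    """Return alerts for successful logins preceded by >= threshold
    consecutive failures from the same (source, user) pair.

    A success resets the failure counter for that pair, so a single
    mistyped password followed by a correct one does not alert.
    """
    consecutive_failures = defaultdict(int)   # (src, user) -> count
    alerts = []
    for event in parse_auth_lines(text):
        key = (event["src"], event["user"])
        if event["result"] == "Failed":
            consecutive_failures[key] += 1
            continue
        # Accepted login: decide whether the preceding run of failures
        # looks like a guessing attack that eventually succeeded.
        if consecutive_failures[key] >= threshold:
            alerts.append({
                "src": event["src"],
                "user": event["user"],
                "failures_before_success": consecutive_failures[key],
                "success_at": event["ts"],
            })
        consecutive_failures[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT: {alert['user']}@{alert['src']} logged in at "
              f"{alert['success_at']} after {alert['failures_before_success']} failures")
```

The threshold is deliberately a parameter: on a server that should not be reachable from the internet at all, the more useful alert is usually any login from an unexpected source, and this detector is a complement to, not a substitute for, closing the exposure and requiring MFA.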

So what?

Putting aside the impact of such an attack on patients, this report shows that the cost of a ransomware attack is more than the cost of the ransom payment. Alongside this hefty fine from the DPC, there would have been bills from the cyber security forensic and legal experts. Internal resources and senior managers would also have been involved throughout the incident and investigation, diverting them from their ‘real’ jobs. And the publication of a detailed report doesn’t do much for the reputations of the organisation or the senior people who worked there.

So, even if you think the likelihood of a ransomware attack is low, are you really ready for this level of impact? Or do you now see why ‘spending money’ on security defences may actually be an investment?


1 – One telco demonstrates how ignoring direct marketing laws must be a profitable endeavour.

“Recent email marketing campaigns [..] resulted in marketing messages being sent to 20,790 customers who had opted out of marketing. [..] The District Court convicted Vodafone Ireland Limited [..] and imposed a fine of €500. Vodafone Ireland Limited agreed to discharge the DPC’s legal costs.”

This is from Case Study 18 in the report (page 124), and relates to Vodafone (one of Ireland’s largest phone companies) sending over 20,000 marketing messages to people who had opted out of receiving them. The fine equates to less than €0.03 per illegal message. That’s probably less than the price of the marketing tool that they used to send the messages. But that’s not the most interesting aspect of this story, because the case study goes on to say that the DPC “had previously prosecuted Vodafone Ireland Limited in 2022, 2021, 2019, 2018, 2013 and 2011 [..] in relation to previous complaints”.

So what?

While direct marketing has nothing to do with cyber security, case studies like this one reveal the real costs, risks, and benefits to companies that consistently ignore direct marketing laws. What does that say about us mugs who try to stick to the rules?