[Reading time: 3 minutes]

In February 2020, The Teaching Council in Ireland was the victim of a cyber-attack which led to 323 emails being auto-forwarded to an unknown Gmail account and the personal data of almost 10,000 teachers being disclosed.

Apparently, it was the result of a cybercriminal gaining access to two Teaching Council email accounts after phishing emails fooled staff members into revealing their Microsoft 365 email passwords.

Once the criminal obtained the passwords, they logged in to each email account and set up auto-forwarding, so all future emails sent to these email accounts would also be sent to the criminal’s Gmail account.

 

The impact 

  • Customer impact – Included in the emails were the personal data of almost 10,000 teachers in Ireland. The data included each teacher’s name, address, and PPS number (Ireland’s equivalent to a Social Security Number. It is a unique identification number required to engage with Irish public services, and a valuable piece of information for anyone involved in identity theft).
  • Organisational impact – External Cost: The organisation engaged the services of two consultancy firms to investigate how the breach occurred and to advise on the security improvements that should be implemented to prevent it from happening again. Based on the robust exchange of views between the Teaching Council and the DPC (and detailed in the DPC report which I mention later), I also assume it involved external legal counsel.
  • Organisational impact – Administrative Fine & Reputational Damage: The organisation was obliged to notify Ireland’s data protection regulator (The DPC / Data Protection Commission) about the incident. The DPC subsequently investigated how the breach occurred, and assessed “the [broader] technical and organisational measures in place to ensure that there is adequate security over personal data” within the organisation. This resulted in a fine of €60,000 from the regulator.
  • Organisational impact – Internal Effort: This incident involved 2 consultancy firms, at least 1 law firm, and a DPC investigation that ran for over a year. All of this would have required a lot of time and attention from the organisation’s management team and staff. Time and attention that they were supposed to spend on their ‘real’ jobs.

 

So what?

I’m not mentioning this case to point fingers.

I’m mentioning this because it shows how a security measure can be missed, and how that can lead to a chain reaction of risk, cost, effort, and damage that no one wants.

 

So what should you do?

If you want to see what a data protection investigation looks like, I highly recommend you read the DPC’s report / decision. Alternatively, let me know and I will send you my more detailed analysis of the DPC investigation and the numerous ‘appropriate’ security measures the DPC mentions  – This list goes way beyond ‘Enable MFA’ and ‘Disable Auto-forwarding’.

You can also read The Teaching Council’s original public statement about the breach here.

But if you just want to know some key lessons, I’ll stick to three (which I have already mentioned this week here and here):

  1. Confirm that any email auto-forwarding rules set up on your email system today are reasonable and legitimate. (And watch out – The DPC report describes how some of the checks performed during this specific breach initially failed to identify all of these rules.)
  2. Implement controls to restrict the use of auto-forwarding in the future.
  3. BONUS: Make sure you have a secure foundation in place, including the enforced use of Multi-Factor Authentication on your Microsoft 365 accounts.