
While my skills are in crime prevention rather than crime investigation, I sometimes get called when a friend-of-a-friend thinks their personal e-mail account has been hacked.

The friend-of-a-friend is usually suspicious after hearing from their friends, work colleagues, and clients about unusual emails sent from their e-mail address.

It doesn’t take long for me to confirm their suspicions.

Fortunately, the technical steps required to get the attacker out of the account usually take a few minutes.

Unfortunately, the non-technical steps required to clean up the mess usually take a lot longer.



Well, with a bit of know-how, it should be possible to identify the door that an attacker used to gain entry to an e-mail account, and to identify any other doors that they have opened to maintain their access even after the password is changed. These doors can be locked quite quickly.

However, investigating what the attacker did while they were in the account takes longer.

And if you don’t have any logs of their activity, you may have to assume the worst.
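As an added example (not code from the post), here is a small audit of a constructed mailbox-settings export that flags the kind of "doors" the author alludes to. The post does not name them, so the checks assume the common ones a practitioner looks for: external auto-forwarding, filters that forward or delete mail, unrecognised recovery contacts, app passwords, and mail-scoped third-party app grants. The settings schema, OWNER_DOMAIN and KNOWN_RECOVERY are assumptions, not any provider's real format.

```python
# Constructed example: a simplified mailbox-settings export (not any
# provider's real schema) checked for the common "doors" an intruder
# leaves behind to keep access after the password has been changed.
OWNER_DOMAIN = "example.org"                    # assumed: the account's own domain
KNOWN_RECOVERY = {"owner.backup@example.org"}   # assumed: contacts the owner verified

SAMPLE_SETTINGS = {                             # constructed sample input
    "forwarding": {"enabled": True, "address": "drop@mail.example.net"},
    "filters": [
        {"name": "invoices", "match": "from:bank",
         "actions": {"forward_to": "drop@mail.example.net", "delete": True}},
        {"name": "newsletters", "match": "list:news", "actions": {"skip_inbox": True}},
    ],
    "recovery_contacts": ["owner.backup@example.org", "recover@mail.example.net"],
    "app_passwords": [{"label": "IMAP client", "created": "2024-03-02"}],
    "oauth_grants": [{"app": "Calendar Sync", "scopes": ["calendar.read"]},
                     {"app": "Mail Backup", "scopes": ["mail.read"]}],
}

def audit_mailbox(settings: dict) -> list[tuple[str, str]]:
    """Return (door, detail) pairs for every setting that keeps an outsider's
    access alive, or hides evidence, independently of the account password."""
    findings = []
    fwd = settings.get("forwarding", {})
    if fwd.get("enabled") and not fwd.get("address", "").endswith("@" + OWNER_DOMAIN):
        findings.append(("forwarding", f"all mail copied to {fwd['address']}"))
    for rule in settings.get("filters", []):
        acts = rule.get("actions", {})
        if "forward_to" in acts:
            findings.append(("filter", f"'{rule['name']}' forwards {rule['match']} to {acts['forward_to']}"))
        if acts.get("delete"):
            # deleting on arrival hides replies such as "did you really send this?"
            findings.append(("filter", f"'{rule['name']}' deletes {rule['match']} on arrival"))
    for contact in settings.get("recovery_contacts", []):
        if contact not in KNOWN_RECOVERY:
            findings.append(("recovery", f"unrecognised recovery contact {contact}"))
    for ap in settings.get("app_passwords", []):
        # app passwords survive a main-password change unless revoked explicitly
        findings.append(("app-password", f"'{ap['label']}' created {ap['created']}"))
    for grant in settings.get("oauth_grants", []):
        if any(scope.startswith("mail.") for scope in grant.get("scopes", [])):
            findings.append(("oauth", f"'{grant['app']}' holds {', '.join(grant['scopes'])}"))
    return findings

if __name__ == "__main__":
    for door, detail in audit_mailbox(SAMPLE_SETTINGS):
        print(f"[{door}] {detail}")
```

Each finding is a door to close (disable, delete or revoke) before or immediately after the password reset, and a place to look when reconstructing what the attacker did.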


What’s the worst that can happen?

For most people, the worst means the attacker used their access to your e-mail account to:

  1. Gain access to your other accounts. (After all, the Forgot My Password link on many websites results in a Reset Password link being sent to your email address.)
  2. Impersonate you online and send malicious emails to all the email addresses found in your email account.
  3. Take a copy of every e-mail stored in your e-mail account, meaning the attacker will always have a copy of these emails.


Where’s the whopper?

1 – Resetting the passwords on all your accounts just in case the cyber attacker has gained access to one of them? Time consuming.

2 – Telling everyone that your account has been breached and warning them not to trust any recent emails from you? Embarrassing and damaging to your reputation.

3 – Dealing with the impact of an attacker having a copy of all the e-mails that were stored in your e-mail account? …

This is the real whopper.

Imagine having to read through every email in your account to work out what the attacker could learn about you and the people you have communicated with, and then what they could do with that information.

It’s enough to put you off your food.


And the double-whopper?

If any of the emails in your email account relate to your job, then your employer needs to get involved.

Because, depending on the nature of the data that was in these emails, this could become a reportable data protection breach.

And if it is, the regulator will ask how the employer (the ‘data controller’) can claim to have ‘control’ of the data if it has been sitting in an email account that they do not ‘control’.


What’s my point?

Individuals: If you can log into an email account from any device with just a username and password, the likelihood of you facing this scenario is higher than you think. At a minimum, you must protect your valuable accounts to ensure someone needs more than just a username and password to gain access.

Employers: If you allow an employee to use their personal email account to forward, send, or receive work-related emails, a run-of-the-mill cyber security breach for them could be a significant data protection breach for you. At a minimum, you need to weigh the benefits against the risks, and ensure staff are clear on what they can and cannot do.



Need help?

For individuals and small teams

It’s scenarios like this one that motivated me to build MySecurityGuide.com.

If you work for yourself, or as part of a small team, and you don’t have access to IT or cyber security expertise, MySecurityGuide.com will show you how to implement reasonable security defences to significantly reduce the likelihood of something like this happening to you.

Step-By-Step: Security Without Insanity.

For employers

Even if you already have an IT team to manage the security of your technology, you need to think about the other key elements in your security defences (e.g. People, Policies, and Processes).

Technology is the easy bit.

Code in Motion provides independent security advice and assurance so you can prove you are taking reasonable steps.

Step-By-Step: Security Without Insanity.