Our client experienced a business email compromise and was alerted to the incident when the client’s cornerstone customer queried a fake invoice that attackers had created and sent to the customer from the client’s own email account.
The client urgently needed assurance it could pass on to the customer: what had occurred and, where possible, how it had occurred; and, most importantly, whether the client and its customer needed to notify the Information Commissioner’s Office (ICO) and the thousands of individuals whose data was potentially involved.
Our team undertook a comprehensive end-to-end assessment of the systems involved, reviewing all available logs and email correspondence to determine the scope of the incident and its potential impact on data confidentiality. The systems reviewed extended beyond the initial Outlook 365 mailbox to include access reviews of data-sharing environments such as the client’s SharePoint sites, since whether the attacker had reached personal data held there was the question on which the notification decision turned.
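The scoping step described above, shown as an added worked example that is not code from the engagement or from Mishcon de Reya: it triages Microsoft 365 Unified Audit Log records for the compromised mailbox, separating attacker sessions from the legitimate user’s by source IP, and then answers the questions an investigator needs for the notification decision (what the attacker did in the mailbox, what they sent, and whether they touched any SharePoint or OneDrive files). The six records are constructed, the user name, site URL and IP addresses are placeholders, and the field names follow my understanding of Search-UnifiedAuditLog output (CreationTime, Operation, Workload, UserId, ClientIP, Parameters, SourceFileName, SiteUrl); the set of known-good IPs is assumed to come from the client.

```python
import json

# Inbox-rule parameters that move mail out of the victim's sight or out of the tenant.
# Attackers commonly create such rules to hide replies to their fraudulent invoices.
HIGH_RISK_RULE_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder",
}

# Constructed sample records (not from the page's engagement). Field names are an
# assumption about the Unified Audit Log schema; IPs are documentation ranges.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-05-02T08:01:12", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "finance@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-05-02T09:15:40", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "finance@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-05-02T09:17:05", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "finance@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-05-02T09:20:33", "Operation": "Send", "Workload": "Exchange",
     "UserId": "finance@example.com", "ClientIP": "198.51.100.77",
     "Item": {"Subject": "Updated invoice - new bank details"}},
    {"CreationTime": "2023-05-02T09:25:02", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "finance@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2023-05-02T10:02:19", "Operation": "FileAccessed", "Workload": "SharePoint",
     "UserId": "finance@example.com", "ClientIP": "203.0.113.10",
     "SiteUrl": "https://example.sharepoint.com/sites/customers/",
     "SourceFileName": "customer-list.xlsx"},
]


def scope_bec(records, user, known_good_ips):
    """Attribute the compromised user's activity to attacker sessions and summarise it.

    Any ClientIP for this user that is not in the client-supplied known-good set is
    treated as attacker infrastructure; every record from those IPs is then bucketed
    into the categories that drive the notification decision.
    """
    attacker_ips = {
        r["ClientIP"] for r in records
        if r.get("UserId") == user and r.get("ClientIP") and r["ClientIP"] not in known_good_ips
    }
    findings = {
        "attacker_ips": sorted(attacker_ips),
        "first_seen": None, "last_seen": None,   # attacker activity window
        "inbox_rules": [],                        # rules created/changed by the attacker
        "messages_sent": [],                      # mail the attacker sent as the victim
        "mailbox_reads": 0,                       # MailItemsAccessed events from attacker IPs
        "files_touched": [],                      # SharePoint/OneDrive files the attacker reached
    }
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        if r.get("UserId") != user or r.get("ClientIP") not in attacker_ips:
            continue
        ts, op = r["CreationTime"], r["Operation"]
        findings["first_seen"] = findings["first_seen"] or ts
        findings["last_seen"] = ts
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            findings["inbox_rules"].append({
                "time": ts, "rule": params.get("Name"),
                "risky": {k: v for k, v in params.items() if k in HIGH_RISK_RULE_PARAMS},
            })
        elif op == "Send":
            findings["messages_sent"].append({"time": ts, "subject": r.get("Item", {}).get("Subject")})
        elif op == "MailItemsAccessed":
            findings["mailbox_reads"] += 1
        elif r.get("Workload") in ("SharePoint", "OneDrive") and op.startswith("File"):
            findings["files_touched"].append({"time": ts, "op": op,
                                              "file": r.get("SourceFileName"), "site": r.get("SiteUrl")})
    return findings


if __name__ == "__main__":
    # Known-good IP is assumed to be the client's office egress address.
    print(json.dumps(scope_bec(SAMPLE_RECORDS, "finance@example.com", {"203.0.113.10"}), indent=2))
```

In the constructed data the attacker’s session created a rule that silently deletes replies mentioning “invoice”, sent one message and read mail, but touched no SharePoint file; the only file access came from the legitimate IP, which is the kind of finding that supports a no-notification conclusion for the SharePoint data. Two caveats for real use: IP-based attribution is a heuristic (an attacker behind the victim’s VPN or a shared proxy would be misattributed, so session identifiers and user-agent strings should be checked as well), and MailItemsAccessed events are only present in tenants licensed for the audit tier that records them, so their absence is not evidence that the mailbox was not read.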
Working with Mishcon de Reya’s Data Protection team, we assisted the client in determining that notification was not necessary; the Data Protection team then engaged with the customer’s data protection team to give them the same assurance.
Our client was ultimately able to demonstrate that suitable security measures were now in place to protect against a recurrence. We were also able to avoid an unnecessary notification to the ICO and to individuals whose data had not been affected by the breach, sparing all involved needless cost and concern.