Outcomes - Selected Case Summaries



Ransomware attack at overseas financial services provider

Informal Resolution | 14 September 2020

An overseas financial services company with a presence in Cayman suffered a ransomware attack on all of its core systems, which resulted in the encryption, blocking and extraction of data. The company could not operate any of its business systems for two days, and its clients were unable to use their accounts for withdrawals or deposits. The ransom note indicated that the perpetrators had extracted at least some of the data contained in the bank’s systems.

The breach notifier initially notified us, as it thought that it was a data controller, but, on closer scrutiny of the beach notifier’s corporate structure and processing activities, we determined that it did not satisfy the definition of data controller. Consequently, we did not have jurisdiction over this data breach, as it related only to the overseas company.