Outcomes - Selected Case Summaries


Phishing attack at professional association

Informal Resolution | 07 June 2021

A staff member of a professional association fell victim to a phishing attack. The password for the affected account was immediately reset and all active sessions were terminated. Audit logs showed that no other email accounts were compromised and that no access to SharePoint was gained. All recipients of the phishing email were notified of the breach. Multi-factor authentication (MFA) had not been implemented at the time, but was quickly enabled.

We determined that the risk to data subjects was low. We advised the association to provide regular cybersecurity awareness training and to run periodic phishing simulation tests with staff. We also recommended that an incident response procedure be developed to establish clear reporting lines in case of a future attack.