Outcomes - Selected Case Summaries


Processor employees fall victim to a smishing attack allowing access to customer information

Decisions | 15 August 2023

Former and current employees of a global financial services provider (a data processor) fell victim to a malicious smishing text message. The message directed employees to a fake login page that resembled the genuine one. The page captured the employees' credentials, which were then used to access internal processor administrative tools and applications, resulting in a breach of certain customer information.

The attack affected over 70,000 customers, only one of whom resided in Cayman. The data impacted included email addresses, partial phone numbers, and processor IDs, and the breach resulted in spam, unsolicited direct marketing emails, and attempts to access employee and customer accounts.

The provider investigated and implemented several measures in response to the attack. A cybersecurity awareness blog post was made available on the provider's website and sent to all customers. Upon review of the actions taken, we determined that the provider failed to notify the affected data subjects within the statutory five days, and did not inform them what data was impacted. While helpful, the blog post did not fulfil this role. We communicated the need to comply with all of the statutory requirements (section 16) of the DPA.