Unauthorised access to employees’ personal data
This is the fourth in a series of articles in which we discuss the duties of a data controller with respect to data protection breaches in the employment context, drawing on Guidelines 01/2021 on Examples regarding Personal Data Breach Notification adopted on 14 December 2021 (version 2.0) from the European Data Protection Board (EDPB).
Example 4. Exfiltration of email
A hypermarket chain detected, three months after configuration, that some email accounts had been altered and rules created so that every email containing certain expressions (e.g. “invoice,” “payment,” “bank wire,” “credit card authentication,” “bank account details”) would be moved to an unused folder and also forwarded to an external email address. And by that time, a social engineering attack had already been performed, i.e., the attacker, posing as a supplier, had had that supplier’s bank account details altered into his own. Finally, by that time, several fake invoices had been sent that included the new bank account details.
The monitoring system of the email platform ended up giving an alert regarding the folders. The company was unable to detect how the attacker was able to gain access to the email accounts to begin with, but it supposed that an infected email was to blame for giving access to the group of users in charge of the payments. Due to the keyword-based forwarding of emails, the attacker received information on 99 employees: name and wages in a particular month regarding 89 data subjects; name, marital status, number of children, wages, work hours and other information on salary received by 10 employees whose contracts were ended. The controller only notified the 10 employees in the latter group. (Guidelines p. 32)
Assessment of risk to data subjects
The EDPB found that in this case, the risk of infringement of the rights and freedoms of the persons whose data were contained in the email accounts was high, and thus the data controller (the employer) must notify the breach to the supervisory authority, inform the data subjects affected, and also internally document the breach and the remedial measures taken.
In its assessment, the board also stated: “Even if the attacker was probably not aiming at collecting personal data, since the breach could lead to both material (e.g. financial loss) and non-material damage (e.g. identity theft or fraud), or the data could be used to facilitate other attacks (e.g. phishing), the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. Therefore the breach should be communicated to all 99 employees and not only to the 10 employees whose salary information was leaked” (Guidelines p. 32).
Polish perspective on the example
If this breach had involved a Polish employer, the conclusion by the EDPB would also be warranted, i.e. the employer would have to notify the President of the Personal Data Protection office (PUODO), communicate the breach to the data subjects (all 99 staff affected), and internally document the occurrence of the breach and the remedial measures taken.
It should be pointed out that in Poland, PUODO has published a guide to the obligations of data controllers in relation to data breaches, setting forth in detail how in the notice the controller should describe the potential consequences of the breach for the data subjects and the feasible measures to mitigate the effects of the breach which can be taken by the data subjects. Sometimes data controllers want to avoid “frightening” the data subjects, and fail to include in their notices the descriptions recommended by the regulator. In practice this often makes it necessary to repeat the notifications, in light of objections to the wording on the part of the regulator.
Remedial measures
In the EDPB’s opinion, following such a breach the following measures should be taken to mitigate the consequences and the risk of occurrence of a similar breach in the future (Guidelines p. 32):
- Force a change in the passwords for the compromised accounts
- Block sending emails to the attacker’s email account
- Notify the email service provider of the email used by the attacker regarding the attacker’s actions
- Remove the rules set by the attacker
- Refine the alerts of the monitoring system to give an alert as soon as an automatic rule is created
- Alternatively, remove the right for users to set forwarding rules, needing the IT service team to do this only on request, or introduce a policy that users should check and report on the rules set on their accounts once per week, or more often, in areas handling financial data
- Conduct a general review and upgrade of the security system, e.g. emphasising automation reviews and change controls, incident detection and response measures.
Although the EDPB does not mention it in the Guidelines, it would seem advisable to conduct training among employees raising their awareness of phishing, social engineering fraud and similar attacks, because the breach could result from an infected email.
We should add that in the example here, the regulator might conclude that the security system adopted by the data controller was of such poor quality that the organisational and technical measures for data protection did not meet the requirements of Art. 32 GDPR, which in turn would expose the controller to a risk of liability for infringement of Art. 32, e.g. in the form of a fine.
Karolina Romanowska, Łukasz Rutkowski