Data breach caused by phishing

Your organisation may become the target of phishing attempts. Phishing is a technique in which internet criminals send fake emails to obtain information (such as login details) and then use that information to gain access to a network or system. Did you or an employee of your organisation click on a link in such an email or open an attachment? Then this may have caused a data breach.

On this page you can read what you have to do in the event of a (possible) data breach caused by phishing, and what you can do to mitigate the risk and the consequences of such a data breach.

This is phishing

In the case of phishing, a victim receives an email and is persuaded to click on a link or open an attachment. The internet criminal who sends the email tries to gain the confidence of the victim in a variety of ways, for example by using personal information, or by sending emails that can hardly be distinguished from genuine emails from your organisation or your relations.

Link to website

For example, the victim receives an email with a link to a website, supposedly to view an important document. But the victim has to log in first. The victim thinks that they are on a reliable website, but in reality enters data on the fake website of the internet criminal. The criminal then abuses these data, for example by logging in to the victim's email account.

Email with attachment

The victim may also receive an email with an (infected) attachment. When the victim opens the attachment, malware is installed on the system. The internet criminal will then be able to gain access to the system through that malware.

Discovering phishing

An incident caused by phishing is often discovered because new phishing emails are disseminated from the victim's mailbox. Or because the victim no longer receives certain emails, as an email rule has been created that automatically forwards emails to the criminal.

Data breach or not?

There is no data breach if you (or an employee) have received a phishing mail, but have done nothing with it. But have you clicked on a link, opened an attachment or entered data on a website? Then there may be a data breach.

Measures after phishing

Was an attempt at phishing successful? Then take action as quickly as possible to mitigate the consequences.

Put a stop to the breach

Did an employee, for example, enter login data or open a file and in this way provide an internet criminal with access to a mailbox in your organisation?

  • Change the password and/or block the email account. The first step is to put a stop to this access as quickly as possible.
  • After this, check whether any email rules have been created. In this way, you prevent emails from ending up outside your organisation.
  • Do you (or the affected employee) also use the login details of the email account for logging in to other applications or systems of your organisation? Then immediately change the passwords of all applications and systems to which the employee has access.
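
One way to carry out the email-rule check from the steps above, as an added example that is not part of the original page: the script flags every enabled rule that forwards or redirects mail to an address outside the organisation's own domains, or that deletes matching mail. The rule records and their field names are constructed assumptions, not the export format of any particular mail platform.

```python
# Added example (not from the original page): triage a user's mailbox rules
# after a phishing incident. The rule records are constructed to resemble an
# export of inbox rules; the field names are assumptions, not a real API.
from dataclasses import dataclass, field

@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)   # forward copies to these addresses
    redirect_to: list = field(default_factory=list)  # redirect (no copy kept) to these
    delete_message: bool = False                     # rule deletes matching mail

def is_external(address: str, internal_domains: set) -> bool:
    """True when the address is outside the organisation's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains

def suspicious_rules(rules, internal_domains):
    """Return (rule name, reasons) for each enabled rule that sends mail outside
    the organisation or hides mail from the mailbox owner."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        reasons = []
        for addr in rule.forward_to + rule.redirect_to:
            if is_external(addr, internal_domains):
                reasons.append(f"sends mail to external address {addr}")
        # Deleting the matching mail hides the criminal's traffic from the
        # victim, which is why a victim may "no longer receive emails".
        if rule.delete_message:
            reasons.append("deletes matching mail")
        if reasons:
            findings.append((rule.name, reasons))
    return findings

# Constructed sample: one legitimate rule, one planted rule, one disabled rule.
SAMPLE_RULES = [
    InboxRule("Newsletters to folder", True),
    InboxRule(".", True, forward_to=["collect@example.net"], delete_message=True),
    InboxRule("Old forward", False, forward_to=["x@example.net"]),
]
INTERNAL_DOMAINS = {"example.org"}

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run the same check against every account whose credentials may have been entered on the fake website, not only the mailbox where the incident was first noticed.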

Technical investigation

As a next step, you have to establish the scale of the data breach. You do this by conducting a digital forensic investigation. You investigate whether the criminal has had access to personal data and if so, to which personal data.

Since the internet criminal has had access to the mailbox, the criminal may have viewed the details of the contact persons and the contents of the emails and attachments stored in the email account. The criminal may have forwarded, copied or downloaded these data.

This often results in 2 groups of victims who have been affected by the data breach:

  1. Contact persons of the email account. You have to inform this group of victims about the data breach. They run the risk of receiving phishing messages.
  2. Persons whose data can be found in emails or attachments in the mailbox. You have to inform this group of victims if the data breach is likely to result in a high risk for their rights and freedoms. For example, if a copy of their identity document has been stored in the affected mailbox.

Checking log data

An important way to find out what the internet criminal has had access to is checking the log data. Do you have no logging, or insufficient logging, to determine exactly what the internet criminal has done? Then you cannot assume that the breach was limited to access to the mailbox or the further dissemination of phishing mails.
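
As an added example (not from the original page) of using log data to establish the scale of the breach and the two groups of victims described under 'Technical investigation': the script attributes activity to the criminal's session via the creation of a forwarding rule, lists the contacts that were sent mail from the hijacked account and the items that were opened, and falls back to treating the whole mailbox as accessed when item-level access logging is absent. The log lines and their field names are constructed assumptions, not any product's log schema.

```python
# Added example (not from the original page): scope a mailbox compromise from
# audit log lines. The JSON events below are constructed; the field names
# (ts, op, ip, items, to, rule) are assumptions, not any product's log schema.
import json

# Constructed sample: the criminal (203.0.113.9, a documentation address) logs
# in, reads mail, creates a forwarding rule and sends phishing to two contacts.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:02:00", "op": "login", "ip": "198.51.100.4"}
{"ts": "2024-05-01T09:14:00", "op": "login", "ip": "203.0.113.9"}
{"ts": "2024-05-01T09:15:00", "op": "read", "ip": "203.0.113.9", "items": ["Contract Jansen.pdf", "Copy of passport A. de Vries"]}
{"ts": "2024-05-01T09:16:00", "op": "new_rule", "ip": "203.0.113.9", "rule": {"forward_to": "collect@example.net"}}
{"ts": "2024-05-01T09:20:00", "op": "send", "ip": "203.0.113.9", "to": ["klant@example.com", "partner@example.net"]}
{"ts": "2024-05-01T10:00:00", "op": "read", "ip": "198.51.100.4", "items": ["Lunch menu"]}
"""

def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def scope_breach(events):
    """Attribute activity to the criminal via the session that created a
    forwarding rule, then list what that session touched."""
    attacker_ips = {e["ip"] for e in events if e["op"] == "new_rule"}
    hostile = [e for e in events if e["ip"] in attacker_ips]
    report = {
        "attacker_ips": sorted(attacker_ips),
        "first_seen": min((e["ts"] for e in hostile), default=None),
        "last_seen": max((e["ts"] for e in hostile), default=None),
        # group 1: contact persons who received mail from the hijacked account
        "phished_contacts": sorted({r for e in hostile if e["op"] == "send" for r in e["to"]}),
        # group 2: items (and the persons whose data they hold) the criminal opened
        "items_accessed": sorted({i for e in hostile if e["op"] == "read" for i in e["items"]}),
    }
    # Without item-level access logging you cannot show the breach was limited:
    # treat every item in the mailbox as potentially accessed.
    report["assume_full_mailbox"] = not any(e["op"] == "read" for e in events)
    return report

if __name__ == "__main__":
    print(json.dumps(scope_breach(parse_log(SAMPLE_LOG)), indent=2))
```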

Reporting a data breach caused by phishing to the Dutch DPA

The same criteria for reporting to the Dutch DPA apply for a data breach caused by phishing and a data breach due to another cause. This means that you have to report the data breach caused by phishing to the Dutch DPA, unless the data breach is not likely to entail a risk for the rights and freedoms of the data subjects (victims).

Access to email account

Does an internet criminal gain access to your or an employee's email account by means of phishing? Then this is usually a data breach that you have to report to the Dutch DPA.

Not only have the login details of that employee ended up with a third party, but the same may have happened with the personal data of contact persons and relations. Besides, the intentions of the internet criminal are malicious and aimed at gaining access to your corporate network or to information about other persons.

Is there no proof that the internet criminal has used or copied personal data? Does your logging, for example, not give a conclusive answer about the reading or forwarding of emails? Then you still have to assume that the criminal may have done something with the personal data after all. That means there is a data breach. The Dutch DPA may ask you to provide the logging or further information about this for purposes of substantiation.

Informing victims about a data breach caused by phishing

The same criteria for informing the victims apply for a data breach caused by phishing and a data breach due to another cause. This means that you have to inform the victims if the data breach is likely to entail a high risk for their rights and freedoms.

High risk

Data breaches caused by phishing often entail a high risk. After all, the internet criminals have gained access to data with malicious intentions. In most cases, you therefore have to inform the victims about the data breach.

Did a data breach caused by phishing not result in the leaking of special personal data, such as health data? And were sensitive data, such as copies of identity documents, not leaked either? Then there may nevertheless be a high risk. By using personal data that seem innocent, such as an email address, internet criminals can cause a lot of damage to your organisation or your relations.

Spear phishing

The criminals can, for example, use the information they have obtained to carry out a targeted phishing action against (other parts of) your organisation or your relations. This is also called 'spear phishing'. The criminals may use the personal data and information obtained from your email account to impersonate an employee of your organisation and send targeted messages to your relations in this way. For example, with a request to pay supposedly unpaid invoices, or to transfer amounts to a different bank account from now on.

Tips for mitigating the risk and consequences of a data breach caused by phishing

The following tips help you and your employees to mitigate the risk of a data breach caused by phishing and the consequences of such a data breach:

  • Implement multifactor authentication as an additional step for access to the email accounts in your organisation.
  • Regularly remove old email messages.
  • Process as few special personal data and sensitive personal data as possible through email. Use, for example, a separate application for confidentially sending and receiving such data.
  • Create sufficient awareness among your employees, so that they are able to recognise phishing mails. For example, by providing training.
  • Limit access from outside the organisation to the email accounts and applications in your organisation. For example, by using a VPN connection, IP address whitelisting, or trusted devices.