Case Studies: Data Breach Notification
Phishing Email Attack in the Broadcasting Sector
An organisation operating in the broadcasting sector notified a data breach to the DPC relating to an employee who had fallen victim to a phishing email. The email, purporting to advertise an internal vacancy, directed the employee to a page that requested their email and data storage platform credentials and then asked them to approve the Multifactor Authentication (MFA) authenticator prompt that followed. Because the employee supplied the credentials and approved the prompt, the bad actor who sent the phishing email was able to gain access to this employee’s email and data storage platform account despite MFA being in place.
Categories of personal data that were potentially accessed by the bad actor included names, email addresses, photos/videos, financial data and special category data (health data). The affected individuals included employees within the organisation and third-party contacts who had engaged with the broadcaster. The organisation became aware of the breach when the employee reported issues logging into their email and data storage platform. The organisation’s phishing detection systems had automatically disabled the phished account 17 minutes after the compromise, but the account was then manually reactivated in error by the in-house IT team, which restored the bad actor’s access. A manual review of audit logs subsequently showed suspicious login attempts from different locations, leading to the account being reset and the bad actor being locked out permanently.
The DPC reminded the organisation of its obligations as a data controller. On foot of this, the organisation implemented preventative measures in order to mitigate against a recurrence of this breach. These measures included spam/phishing filters, reminders to all staff to exercise caution when opening external emails, increased training and staff awareness exercises, and new guidelines governing the reactivation of suspended user accounts.
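The two signals in this case study that a log review can surface are (a) an account that an automated control disabled and a person re-enabled shortly afterwards without a recorded reason, and (b) successful sign-ins for one user from different countries too close together to be plausible. The following is an added example written for this page, not code from the DPC or the organisation concerned: it runs both checks over a constructed JSON-lines audit log. The event names, field names, the `auto-` actor prefix and the sample records are assumptions, not any real product's schema.

```python
"""Added example: flag (1) automated disable followed by a quick manual
re-enable with no ticket, and (2) consecutive sign-ins from different
countries within a short window. Schema and data are assumptions."""
from datetime import datetime, timedelta
import json

# Constructed sample audit log (JSON lines). Not real data.
SAMPLE_LOG = """\
{"ts":"2023-05-02T09:00:10Z","event":"signin","user":"j.doe","country":"IE","result":"success","ip":"203.0.113.5"}
{"ts":"2023-05-02T09:05:40Z","event":"signin","user":"j.doe","country":"NG","result":"success","ip":"198.51.100.9"}
{"ts":"2023-05-02T09:17:00Z","event":"account_disabled","user":"j.doe","actor":"auto-phish-protection"}
{"ts":"2023-05-02T09:31:00Z","event":"account_enabled","user":"j.doe","actor":"itadmin1","ticket":null}
{"ts":"2023-05-02T09:40:12Z","event":"signin","user":"j.doe","country":"NG","result":"success","ip":"198.51.100.9"}
{"ts":"2023-05-02T10:02:00Z","event":"signin","user":"a.smith","country":"IE","result":"success","ip":"203.0.113.7"}
{"ts":"2023-05-02T10:30:00Z","event":"account_disabled","user":"a.smith","actor":"auto-phish-protection"}
{"ts":"2023-05-02T14:00:00Z","event":"account_enabled","user":"a.smith","actor":"itadmin2","ticket":"INC-1042"}
"""

# Assumption: automated controls write their actor name with this prefix.
AUTOMATED_ACTOR_PREFIX = "auto-"


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_unsafe_reactivations(events, window=timedelta(hours=1)):
    """Flag accounts that an automated control disabled and a human re-enabled
    within `window` with no change ticket recorded on the enable event."""
    findings = []
    last_auto_disable = {}
    for rec in events:
        user = rec["user"]
        if rec["event"] == "account_disabled" and rec["actor"].startswith(AUTOMATED_ACTOR_PREFIX):
            last_auto_disable[user] = rec
        elif rec["event"] == "account_enabled" and user in last_auto_disable:
            disabled = last_auto_disable.pop(user)
            elapsed = rec["ts"] - disabled["ts"]
            human = not rec["actor"].startswith(AUTOMATED_ACTOR_PREFIX)
            if human and elapsed <= window and not rec.get("ticket"):
                findings.append({
                    "user": user,
                    "enabled_by": rec["actor"],
                    "minutes_disabled": int(elapsed.total_seconds() // 60),
                })
    return findings


def find_multi_country_signins(events, window=timedelta(hours=1)):
    """Flag consecutive successful sign-ins by one user from different
    countries inside `window` (a crude impossible-travel check)."""
    findings = []
    last_signin = {}
    for rec in events:
        if rec["event"] != "signin" or rec["result"] != "success":
            continue
        user = rec["user"]
        prev = last_signin.get(user)
        if prev and prev["country"] != rec["country"] and rec["ts"] - prev["ts"] <= window:
            findings.append({
                "user": user,
                "countries": (prev["country"], rec["country"]),
                "minutes_apart": int((rec["ts"] - prev["ts"]).total_seconds() // 60),
            })
        last_signin[user] = rec
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_unsafe_reactivations(evs):
        print("manual re-enable without ticket:", f)
    for f in find_multi_country_signins(evs):
        print("sign-ins from different countries:", f)
```

On the sample data only `j.doe` is flagged by each check: the account was re-enabled by a person 14 minutes after the automated disable with no ticket, and two successful sign-ins from IE and NG occurred 5 minutes apart. The `a.smith` re-enable carries a ticket and falls outside the window, so it is not reported, which is the behaviour a reactivation guideline of the kind described above would require.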