Case Studies Data Breach Notification
Social Engineering Attack
A medium-sized law firm reported that it was the victim of a social engineering attack. A staff member opened an email from a malicious third party that secretly installed malware on their computer. The malware enabled the monitoring of email communications and permitted the bad actor to defraud a client of a sum of money. The firm reported the breach to the DPC.
Through its engagement with the firm, the DPC established that the firm used a widely used cloud email service which was managed by a contractor. Basic security settings such as strong passwords were not properly enforced and multi-factor authentication was not implemented. Upon becoming aware of the incident, the firm immediately commissioned a full investigation to establish the root cause and the extent of the breach. Based on the findings of the investigation, the firm responded promptly and implemented further technical security measures, and provided additional cyber security and data protection training to all staff. The DPC requested that updates be provided on the implementation of appropriate organisational and technical security measures to prevent a reoccurrence of a similar breach.