Outcomes - Selected Case Summaries

Local law firm made aware of personal data breach

Decisions | 16 March 2023

A local law firm was notified by its IT service provider (its data processor) of a business email compromise involving a member of staff, which appeared to have resulted in a personal data breach.

The law firm asked the IT service provider to investigate the breach, and an independent investigation was launched by a third-party auditing firm. We asked for access to the investigation reports, but the Ombudsman had to issue an Information Order to obtain them.

The breach was serious in nature: the investigation reports showed that a successful phishing attack had exposed an employee’s email account. However, an attempt to fraudulently change bank account details was detected in time and stopped, so no involved party suffered any financial loss.

All recommendations from the third-party auditing firm to protect the firm from similar future attacks were implemented. We considered the measures appropriate and recommended a regular review of the firm's security in accordance with best practices.