The salutation on the email simply said “Hi”. It arrived at 4.36am on a public holiday in the inbox of a public-facing email address, and it appeared to have been sent from a personal email address belonging to the organisation’s chief executive.
In the organisation’s unguarded response to the email, the personal information of thousands of its members was released to unknown people. This phishing technique, designed to dupe the unwary, had in this case delivered its payload.
Within hours of the breach, the management of the New Zealand Nurses Organisation (NZNO) became aware of the error. We have already blogged about this incident. The organisation now had to examine the nature of information lost and the possible implications it might have for the members affected.
Responding to a breach
In the immediate aftermath, the NZNO communicated the breach to its members and to the Office of the Privacy Commissioner. The breach could have been more serious: as it happened, only the names and email addresses of members were given away. Unusually, this was the only information the phishers requested.
The NZNO also commissioned an independent review of the incident and its response. The review was undertaken by Prof David Lacey, the managing director of the not-for-profit identity theft prevention and advisory agency, IDCare.
In his report, Prof Lacey suggests the NZNO was specifically targeted because its public-facing website carried enough information to facilitate such attacks, because the health industry is a common target of phishing, and because its membership is attractive to individuals and organised crime groups that commit such attacks. The likely purpose of obtaining the stolen information was to conduct further phishing attacks against the members in order to deliver malware, such as ransomware.
The report explains the source of the phishing email was a domain registered by a large Lithuanian telecommunications and ISP provider which is owned by a Swedish telecommunications carrier. The report notes the domain remains active and the NZNO could legitimately report the abuse of this domain to the ISP provider - although there is no way of retrieving digital information once it has been leaked in this way.
Preventing a future event
While the report sets out a number of observations and recommendations specific to this particular incident, the lessons learned could apply to almost any organisation wanting to avoid or mitigate a data breach caused by phishing.
Prof Lacey notes the NZNO’s overall response was in accordance with the Privacy Act and the Privacy Commissioner’s data breach guidelines. Despite the organisation not having a data breach response plan before the incident - something which it has since rectified - its crisis management was largely effective.
The steps taken by the organisation’s incident response team - the assessment and containment of the incident, and the speed with which impacted individuals were informed - were all deemed to follow best practice.
There are, however, opportunities to enhance the organisation’s management of personal information. These relate to information security, control over information requests, privacy statement enhancements, staff training and a review of what information the organisation collects, how it does so and why.
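The indicators described in the opening paragraphs (an executive’s name on a message sent from a personal address, a bare “Hi” salutation, an unusual hour, and a request for member details) are exactly what the “control over information requests” recommendation would have a frontline team check before anything is sent. The script below is an added example, not part of this post or of the IDCare report, showing one way such a request could be scored and held for out-of-band verification (for instance, phoning the named executive) before any personal information is released. The organisation domain, executive name and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed values for the example (hypothetical, not NZNO's real domain or staff).
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}  # display name -> the executive's real work address
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time; a public-holiday calendar would extend this
BULK_DATA_TERMS = re.compile(
    r"\b(member(ship)?\s+(list|database|details|records)|all\s+(our\s+)?members|"
    r"names\s+and\s+email\s+addresses)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(hi|hello|dear)\s*[,!.]?\s*$", re.I)


def assess_request(raw_message: str) -> dict:
    """Score an inbound message for executive-impersonation indicators.

    Returns the reasons found and whether the request should be held for
    out-of-band verification before any personal information is sent.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: inspect only the first part
        body = body[0].get_payload()
    reasons = []

    # 1. A known executive's display name, but not their work address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append("executive name used with a non-work sender address")

    # 2. The request asks for bulk personal information.
    if BULK_DATA_TERMS.search(body):
        reasons.append("requests bulk member/contact details")

    # 3. Generic salutation with no recipient name on the first line.
    lines = body.strip().splitlines()
    if lines and GENERIC_GREETING.match(lines[0]):
        reasons.append("generic salutation")

    # 4. Sent outside business hours or on a weekend.
    date_hdr = msg.get("Date")
    if date_hdr:
        sent = parsedate_to_datetime(date_hdr)
        if sent.hour not in BUSINESS_HOURS or sent.weekday() >= 5:
            reasons.append("sent outside business hours")

    # Any two indicators together are enough to pause and verify by phone.
    return {"hold_for_verification": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages (not the real emails from the incident).
PHISHING_SAMPLE = """\
From: Jane Doe <jane.doe.personal@example.net>
To: enquiries@example.org
Date: Mon, 02 Jan 2017 04:36:00 +1300
Subject: Quick favour

Hi

Could you send me the member list with the names and email addresses of everyone?
Thanks
"""

LEGITIMATE_SAMPLE = """\
From: Jane Doe <jane.doe@example.org>
To: enquiries@example.org
Date: Tue, 03 Jan 2017 10:15:00 +1300
Subject: Board meeting

Hi Sam,

Can you confirm the time of Thursday's board meeting?
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, assess_request(sample))
```

The point of the "hold" verdict is procedural rather than technical: a request that trips two or more indicators is routed to a named person who confirms it with the executive by phone, not by replying to the email.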
The report concludes the breach happened because the frontline staff who are most likely to have direct contact with cyber criminals via phishing emails had little or no knowledge of the cyber risks. It is critical for organisations to ensure employees in these roles are supported by awareness and familiarisation training.
A critical element in preventing phishing is for individuals to seek support. In other words, it’s okay to ask a colleague, family member or friend about an email, if the recipient is unsure about its legitimacy.
But the report warns that the NZNO, like any other organisation, will never be entirely free of the risk of cyber incidents. Putting in place the best possible systems to prevent or respond to a breach is a necessary challenge for all organisations that want to avoid a data disaster.
The Independent Review into a Cyber Incident for the NZ Nurses Organisation report is available here.
Image credit: DigitCert blog