RiffRaff #1 Posted March 21, 2018
My wife's employer has just admitted that the company has been a victim of a so-called spear phishing attack, and has issued guidelines for employees to follow as regards their personal bank accounts, etc. Surprised at the admission that it took a whole month for the attack to be noticed. Would that be regarded as "normal"?
melthebell #2 Posted March 21, 2018
Companies don't normally tell straight away. I think it can be hard to tell what's actually gone on, and there's also a reluctance to admit?
Cyclone #3 Posted March 21, 2018
However, it might be a crime to not notify individuals who have been affected in as timely a manner as possible. Not realising for a month, though, that's not a crime obviously. Presumably after the breach has occurred it's only going to be noticed when something is done with the information, like further attacks on several employees. Even just a single attack wouldn't give you enough information to link it to the source as being the employer.
geared #4 Posted March 21, 2018
Data protection laws were recently updated as well, weren't they? Basically reminding small businesses that they have as much responsibility for customer data as any big company.
Cyclone #5 Posted March 21, 2018
GDPR doesn't take effect until sometime in May, I think.
RiffRaff #6 Posted March 21, 2018
The company's admitted that payroll data has been breached - name, monthly salary payment, bank account number and sort code, etc., as well as full sharesave account data. They've advised that the main risk is the potential for fraudsters to use the information to set up unauthorised direct debit or standing order instructions on personal bank accounts, but claim the risk is "very low". Curious how these risks always seem to be "very low" at first, don't you think?! Makes you wonder why the hackers spend so much time doing it....
tinfoilhat #7 Posted March 21, 2018
Quoting Cyclone: "GDPR doesn't take effect until sometime in May I think."
Indeed, and you have to inform the ICO of a breach after that date or face a fine of up to 5% of the company turnover.
apelike #8 Posted March 21, 2018
Quoting RiffRaff: "Makes you wonder why the hackers spend so much time doing it...."
A lot of hackers do it because they can, and not necessarily for personal gain.
Cyclone #9 Posted March 21, 2018
Quoting RiffRaff: "The company's admitted that payroll data has been breached - name, monthly salary payment, bank account number and sort code, etc., as well as full sharesave accounts data. They've advised that the main risk is the potential for fraudsters to use the information to set up unauthorised direct debit or standing order instructions on personal bank accounts, but claim the risk is "very low". Curious, how these risks always seem to be "very low" at first, don't you think?! Makes you wonder why the hackers spend so much time doing it...."
They could also now call those people and, having a lot of details, try to trick them into handing over a PIN or an online banking password. "We're calling from XYZ bank about your account 12345678, sort code 12-34-56. We just need you to confirm your online banking password to verify security, and then we need to talk to you about a problem with your salary payment for this month, which we see is normally £1234.56. Is that correct?"