Sunday 23 February 2020

“Hostile” hackers steal family info from recruitment firm

Wednesday 29 January 2020

Private information about family members, ID details and travel itineraries were among the details stolen when “hostile” hackers targeted a local recruitment firm, it has emerged.

The news came in the first public statement to be issued by Jersey’s Data Protection Authority since its inception.

Following an investigation, the authority found that CSS Limited had suffered three data breaches across 2018 and 2019.

One of the breaches involved a system shutdown in August 2018 when CSS was attacked by the GandCrab virus. 

Less than a year later, the firm also suffered a “loss of system integrity” between January and May 2019. 

However, the most serious incident came in November 2018 when the company’s systems were infiltrated by a “hostile third party”, which led to a “loss of information about data subjects including identity information, travel itineraries, family information and employment documentation” – information that could be used to facilitate identity theft. 

Express asked whether the hacking had been referred to law enforcement authorities for investigation, but Information Commissioner Dr Jay Fedorak said he could neither confirm nor deny this.

In its statement, the authority said that staff failed to appreciate the significance of the breach and its potential impact on those whose details had been compromised. 

It said that CSS employees were not fully informed about the requirements of the data protection law, and didn’t know that they needed to inform the authority about what had happened.

Pictured: Information Commissioner Dr Jay Fedorak.

The firm was also found to have failed to put adequate firewalls in place or to exercise “due diligence in the selection and monitoring of its IT provider”, which was found to have provided “conflicting and unclear advice” about the breaches.

But credit was given to CSS for its “full and frank admissions” about what had happened once the authority began its investigation and for allowing investigators to access their systems. 

CSS also took “significant steps” to update its IT systems, including replacing its previous provider, following the breaches.

The Data Protection Authority has the ability to impose penalties that can stretch into the hundreds of thousands, but decided not to do so in this case given the steps that the company has taken.

Nonetheless, they decided to issue a public statement to raise awareness and encourage compliance with the law.

JDPA Board Chair Jacob Kohnstamm commented: “The Board of the JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, but did not require the imposition of a financial penalty.

“Nevertheless, data processors and controllers should be aware that the JDPA have a range of enforcement options at its disposal and will impose fines when appropriate.”

Dr Fedorak added: “All data controllers and processors must provide appropriate security for personal data and respond promptly and appropriately when they suffer a breach.

“This is particularly important when the data includes passport details and other information that could be used to facilitate identity theft.”


Posted by Scott Mills on
Just the tip of the "cracking" iceberg. Cracking is the correct definition in this case.