“Hostile” hackers steal family info from recruitment firm

Wednesday 29 January 2020

Private information about family members, ID details and travel itineraries were among the details stolen when “hostile” hackers targeted a local recruitment firm, it has emerged.

The news came in the first public statement to be issued by Jersey’s Data Protection Authority since its inception.

Following an investigation, the authority that CSS Limited had suffered three data breaches across 2018 and 2019. 

One of the breaches involved a system shutdown in August 2018 when CSS was attacked by the GandCrab virus. 

Less than a year later, the firm also suffered a “loss of system integrity” between January and May 2019. 

However, the most serious incident came in November 2018 when the company’s systems were infiltrated by a “hostile third party”, which led to a “loss of information about data subjects including identity information, travel itineraries, family information and employment documentation” – information that could be used to facilitate identity theft. 

Express asked whether the hacking had been referred to law enforcement authorities for investigation, but Information Commissioner Dr Jay Fedorak said he could neither confirm or deny this. 

In its statement, the authority said that staff failed to appreciate the significance of the breach and its potential impact on those whose details had been compromised. 

It said that CSS employees were not fully informed about the requirements of the data protection law, and didn’t know that they needed to inform the authority about what had happened.

Pictured: Information Commissioner Dr Jay Fedorak.

The firm was also found to have failed to put adequate firewalls in place or exercised “due diligence in the selection and monitoring of its IT provider”, which was found to have provided “conflicting and unclear advice” about the breaches.

But credit was given to CSS for its “full and frank admissions” about what had happened once the authority began its investigation and for allowing investigators to access their systems. 

CSS also took “significant steps” to update its IT systems, including replacing its previous provider, following the breaches.

The Data Protection Authority has the ability to impose penalties that can stretch into the hundreds of thousands, but decided not to do so in this case given the steps that the company has taken.

Nonetheless, they decided to issue a public statement to raise awareness and encourage compliance with the law.

JDPA Board Chair Jacob Kohnstamm commented: “The Board of the JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, but did not require the imposition of a financial penalty.

“Nevertheless, data processors and controllers should be aware that the JDPA have a range of enforcement options at its disposal and will impose fines when appropriate.”

Dr Fedorak added: “All data controllers and processors must provide appropriate security for personal data and respond promptly and appropriately when they suffer a breach.

“This is particularly important when the data includes passport details and other information that could be used to facilitate identity theft.”