
A Guernsey dental practice has been slapped by the data protection watchdog after an employee’s Microsoft 365 account was compromised and used to send out phishing emails.

In a recent determination, the Office of the Data Protection Authority (ODPA) found Fresh Dental had breached the Data Protection (Bailiwick of Guernsey) Law 2017, relating to duties around data processors and the requirement to take reasonable steps to ensure data security.

The breach occurred in October 2024, when a Fresh Dental employee’s Microsoft 365 account was compromised and used to send phishing emails to a number of recipients. Fresh Dental notified the Authority of the breach on the same day.

Following concerns about both the breach and Fresh Dental’s response, the Authority opened a formal inquiry.

As part of its findings, the Authority concluded that Fresh Dental did not have a legally binding written agreement in place with its IT provider, despite the provider acting as a processor of personal data on its behalf.

“When asked to provide a copy of the legally binding agreement in place between Fresh Dental and its IT provider, Fresh Dental confirmed that there was no such agreement,” the determination stated, noting the provider had been used for approximately eight years.

The Authority also found that Fresh Dental failed to take reasonable steps to ensure an appropriate level of security for personal data, particularly given that “the processing of special category health data is a core activity of Fresh Dental”.

While some security measures were in place, the Authority said they were insufficient to prevent the compromise and that additional measures should have been implemented, including employee training, phishing detection measures and effective penetration testing.

For example, the penetration testing conducted by the business only accounted for what the ODPA described as “one limited element” of the possible areas that could have been targeted, and missed the vulnerable area that was exploited in the phishing attack.

The determination noted that Fresh Dental did not provide employee training on cyber security risks, despite stating within its own policies that such training would be provided.

“Had this training been provided, the likelihood of the employee recognising the signs of a malicious e-mail would have increased, reducing the risk of compromise,” the Authority said.

What is a penetration test?

“Penetration testing is a method of gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques that might be used by an adversary. The aim of a penetration test is to identify vulnerabilities within a system before the same vulnerability is discovered by a threat actor, allowing the organisation to undertake mitigating action.”

Concerns were also raised about Fresh Dental’s investigation into the breach. The Authority found that limited records were retained, meaning the practice could not demonstrate that reasonable steps had been taken to identify the root cause of the incident.

“It is noted by the Authority that Fresh Dental did have an incident response plan in place. However, from the lack of records and the evidence submitted to the Authority by Fresh Dental, it is clear that this plan was not followed,” the determination states.

No representations were received from Fresh Dental during the ODPA’s investigation process.

The Authority subsequently issued an enforcement order under section 73 of the Law, requiring Fresh Dental to implement improved technical and organisational security measures and to introduce cyber security training for staff.

The practice was also required to put a legally binding data processing agreement in place with its IT provider within three months.

In addition, the order requires Fresh Dental to undertake a penetration test of its computer systems within six months and to consider and implement any reasonable recommendations arising from that test within nine months.