Channel Eye

Dental practice sanctioned for phishing attack breach

December 12, 2025
in Business News, Data Protection, Digital & Technology, Guernsey News

In October 2024, Guernsey’s Data Protection Authority (the Authority) was informed of a personal data breach at Guernsey-based Fresh Dental following a successful phishing attack.

Threat actors had unlawfully accessed a Fresh Dental employee’s email (Microsoft 365) account and the information held within that account.

The compromised account was then used to send phishing e-mails to a number of recipients, risking further compromise of those recipients’ accounts and unauthorised access to any personal data they might hold.

The Authority’s investigation identified multiple technical failings in Fresh Dental’s security measures, leaving it vulnerable to phishing attacks and other similar threats.

Fresh Dental’s own investigation of the security breach was hampered by these technical failings, lacked appropriate records and was therefore considered by the Authority to be insufficient.

The following issues were also identified:

  • Fresh Dental failed to provide appropriate cyber security training to staff; and
  • Fresh Dental failed to undertake appropriate penetration testing prior to the breach.

In addition, no formal agreement had been implemented between Fresh Dental and its IT provider to address its handling of personal data as a third-party processor.

Why was that a problem?

The Law requires controllers to implement a legally binding agreement in writing between themselves and processors, such as IT providers, prior to sharing any personal data. This ensures there are clear instructions on what the controller considers permitted processing by that third party. It also requires the processor to comply with specific duties under the Law that support the controller.

By failing to implement an agreement, Fresh Dental was relying on a processor to handle customer information without these necessary safeguards in place.

The Law also requires a controller or processor to take reasonable steps to ensure a level of security appropriate to the personal data being processed. This includes measures to protect personal data from cyber incidents, such as phishing attacks. In this case, the failure to implement these measures left Fresh Dental and the data it holds vulnerable to threat actors.

What has happened as a result?

The Authority determined that Fresh Dental contravened the Law as follows:

  • Fresh Dental did not have a legally binding agreement in place with its IT provider, as required by the Law.
  • Fresh Dental failed to undertake reasonable steps to ensure an appropriate level of security for the personal data it processed.

The Authority has issued Fresh Dental with an enforcement order, requiring that it take certain steps to comply with the Law, including:

  • Implement technical and organisational measures to reduce the risk of phishing attacks and other similar threats;
  • Undertake a penetration test of Fresh Dental’s systems to ensure they are appropriately secure; and
  • Implement a legally binding agreement with their IT provider, addressing the processing of personal data.

What can be learned from this?

Fresh Dental is a dental practice and therefore processes special category health data as part of its core activities. Organisations processing special category data should implement safeguards proportionate to the sensitivity of that data. While organisations might choose to outsource parts of their data processing activities, they cannot outsource their responsibility for protecting that data.

The impact of phishing attacks is not limited to the first recipient. There can be wide-reaching consequences of such a breach, through cascading emails sent out from the compromised account.

Organisations should take reasonable steps to reduce the risk of phishing attacks and other similar cyber-attacks. What is considered reasonable and proportionate will vary depending on the size and nature of the organisation.

Appropriate penetration testing can highlight potential vulnerabilities in an organisation’s system(s) and allow time for the controller to implement security measures to protect any personal data, prior to a breach.


Tim Bullock

©2026 Channel Eye Limited.
