GDPR Case Study

This week, students were expected to carry out a Week 5 E-Portfolio activity, during which a list of case studies was provided for review. These covered a span of breaches from 2014 to 2018. The activity instructions were to choose a case study and answer the following questions:

  • What is the specific aspect of GDPR that your case study addresses?
  • How was it resolved?
  • If this was your organization, what steps would you take as an Information Security Manager to mitigate the issue?

For the purpose of the exercise, my choice of case study was a Crypto Ransomware Attack on a Primary School in 2016.

In October 2016, the primary school was hit by an attack known as “Crypto Ransomware,” in which a third party encrypted some of its information systems, leaving the school unable to access its own files. PPSNs (Personal Public Service Numbers) and dates of birth were among the personal information held in these files. The school was asked to pay a ransom for the encrypted files to be released. An assessment was carried out which identified that the school had deficiencies in the measures it had taken to secure the pupils’ personal data, including:

  • No policies or procedures were in place to maintain adequate backups;
  • No procedures or policy documents existed focusing on system attacks such as ransomware or viruses;
  • No contracts with data processors (the ICT services providers) were in place (as is required under Section 2C (3) of the Data Protection Acts 1988 and 2003) setting out their obligations and, as a result, the actions taken by the ICT suppliers in response to the attack were inadequate; and
  • A lack of staff training and awareness of the risks associated with opening unknown email attachments or files.

As a result, under the provisions of Section 2 (1)(d) of the Acts, the school had failed to have adequate security measures in place to protect against the unauthorized processing and disclosure of personal data. (Data Protection Commission, n.d.)

The above data breach was resolved through the following recommendations:

  • Establish a program for staff education and awareness of the dangers of using personal USB keys and email.
  • Put in place a procedure for contract reviews to make sure the right agreements are in place with the school’s IT vendors.
  • Make sure that any ICT support the school receives is handled by qualified data processors, whether it is provided locally or in accordance with the Board’s recommendations. (Data Protection Commission, n.d.)

Having reviewed the above case study, I would take the following steps:

Establish Routine Network Backups and Updates – by backing up all files and data to prevent loss. It is important to ensure these backups are stored offline or in an air-gapped location to protect them from attacks, and that they are tested so that a restore is known to work before it is needed. Also, update all software and systems regularly to patch vulnerabilities.
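An offline backup is only useful if it can be shown to be intact when the restore is needed. The following is an added example (not part of the original post or the case study) of the kind of backup integrity check that supports this step: it copies a directory tree to a backup location, records a SHA-256 manifest beside the copy, and later verifies the copy against the manifest so that a file that has been deleted, encrypted or otherwise altered in the backup is reported by name. The file names, directory layout and record contents are constructed placeholders; no real pupil data is used.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536  # read files in 64 KiB chunks so large backups do not need to fit in memory


def sha256_file(path: Path) -> str:
    """Stream a single file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, dest: Path) -> dict[str, str]:
    """Copy the source tree to dest and write a manifest beside (not inside) the copy.

    The manifest is the reference that lets a later verification prove the copy
    still matches what was backed up.
    """
    manifest = build_manifest(source)
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest_path = dest.parent / (dest.name + ".sha256")
    manifest_path.write_text("".join(f"{h}  {rel}\n" for rel, h in manifest.items()))
    return manifest


def load_manifest(manifest_path: Path) -> dict[str, str]:
    """Parse the 'digest  relative/path' lines written by take_backup."""
    manifest = {}
    for line in manifest_path.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_backup(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Return the relative paths that are missing from dest or whose content changed.

    An empty list means every file in the manifest is present byte-for-byte.
    """
    present = build_manifest(dest)
    return sorted(rel for rel, digest in manifest.items() if present.get(rel) != digest)


def run_demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: back up a small 'school records' tree and verify it,
    then overwrite one file in the backup copy (as encryption or disk corruption
    would) and verify again. Returns (first verification, second verification)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "school_data"
        (source / "records").mkdir(parents=True)
        # Constructed placeholder content only; no real PPSNs or dates of birth.
        (source / "records" / "class_2016.csv").write_text(
            "name,dob,ppsn\nPUPIL-A,PLACEHOLDER,PLACEHOLDER\n"
        )
        (source / "policies.txt").write_text("Backup policy: nightly, offline copy rotated weekly\n")

        backup_dir = base / "offline_copy"
        manifest = take_backup(source, backup_dir)
        clean = verify_backup(backup_dir, load_manifest(base / "offline_copy.sha256"))

        # Simulate the backup copy itself being damaged after it was taken.
        (backup_dir / "records" / "class_2016.csv").write_bytes(os.urandom(64))
        damaged = verify_backup(backup_dir, manifest)
        return clean, damaged


if __name__ == "__main__":
    print(run_demo())
```

In practice the manifest and the backup copy would be written to the offline or air-gapped media together, and `verify_backup` would be run as part of the routine restore test rather than only after an incident; the point of the separate manifest is that a copy which has been silently encrypted in place is detected before anyone relies on it.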

Implement Policies and Plans – by developing a comprehensive plan that includes industry-standard procedures and protections.

Implement Cyber Awareness Training – Provide regular cybersecurity training to employees to educate them on best practices and potential current threats. Also, ensure that staff are aware of security protocols and how to respond to suspicious activities.

Conduct Routine Network Security Assessments – by carrying out regular security assessments against recognised cybersecurity compliance standards.

Develop Incident Response Plans – by outlining roles, communications and actions during a ransomware attack. This includes contact lists for partners or vendors that need to be notified in case of an attack.

References:

Data Protection Commission (n.d.). Case Studies. [online] Available at: https://dataprotection.ie/en/pre-gdpr/case-studies [Accessed 19 March 2024].
CISA (2023). I’ve Been Hit By Ransomware! [online] Available at: https://www.cisa.gov/stopransomware/ive-been-hit-ransomware [Accessed 19 March 2024].