Cyber Claims scenarios
The event
Social engineering fraud resulted in a client's funds being transferred to a fraudster's account. On further investigation it became apparent that an unauthorised third party had obtained access to the email account of one of the insured's partners the previous year (most likely via a phishing email).
The account contained high-risk personal and financial data relating to numerous individuals and had been monitored by the adversary throughout that time.
The response
The following incident response services were appointed upon notification:
Forensics
Carried out (in conjunction with the insured's external IT outsourcer) an onsite forensic review and discovered that a persistent attack had taken place against an Office 365 account over a 60-70 day period, undetected. The unauthorised third party was simply logging into the mailbox in real time to carry out reconnaissance; no malware was involved, so the activity was visible only in the account's sign-in and mailbox audit records. The Office 365 account was found to contain 88,000 emails, giving access to numerous files.
Legal
Provided legal advice and assisted with notification to the ICO. An e-discovery tool was used to establish the total number of data subjects requiring notification, and a full review was undertaken to assess the severity of the breach so that individuals could be notified accordingly.
Credit monitoring
Provision of credit and fraud monitoring services where requested.
PR
Provision of support in notifying the appropriate individuals and mitigating the risk to the insured's reputation.
| Total paid | Amount |
|---|---|
| Claim | £0 |
| Costs | £110,000 |
| Fees | £25,000 |
| Total | £135,000 |
The event
Several employees at the insured law firm received an email purporting to be from a solicitor at another law firm belonging to an international employment law alliance of which the insured was a member. The insured was told that the sending firm had been compromised and that the email was part of a phishing campaign; it then came to light that one of the insured's employees had clicked the link in the email.
After the link was clicked, a number of third parties notified the insured that they had received an email from the insured and questioned its validity. Immediately following these notifications, the insured instructed the outsourced service company that managed its IT operations to review. The outsourcer carried out a full scan (including the individual's Office 365 account) and was unable to find any malicious activity or unauthorised access to, or compromise of, the network. The email was deemed to be a spoof. A malware scan of endpoints and the network, however, does not reveal an attacker who is signing in to a cloud mailbox with stolen credentials; that only shows in the account's sign-in history, inbox rules and mailbox audit log.
The insured subsequently notified DUAL and the 24/7 breach response partners as a precautionary measure. This was indeed the right thing to do, as it transpired that the Office 365 account had been compromised and the forwarded phishing emails were genuine, not a spoof. The breach response team then set the wheels in motion to discover the full extent of the compromise.
The response
The following incident response services were appointed upon notification:
First response
Determined from initial correspondence with the insured that the recipients of the phishing email included clients, members of the insured's PR firm, lawyers instructed on the other side and so on, suggesting that the adversary had compromised the email account and obtained the solicitor's contact list. With many emails in the solicitor's account containing sensitive personal and corporate information, it was deemed necessary to conduct a full forensic review to confirm whether the account had been compromised and, if so, whether notification to the ICO and affected data subjects was required.
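Both scenarios above turn on the same forensic question: was someone other than the user signing in to the Office 365 mailbox, for how long, and what did they do while there? The script below is an added example, not code from DUAL or from the forensic vendors in these claims. It runs over a constructed set of audit records shaped like Office 365 Unified Audit Log entries (the field names CreationTime, Operation, UserId, ClientIP and Parameters are from that schema; the user, IP addresses, dates and the "trusted" office network 203.0.113.0/24 are invented for the example). For each user it reports sign-ins from outside the trusted networks, the dwell window between the first and last untrusted action (the "60-70 day" figure in the first scenario), mailbox reads from those addresses, and any inbox-rule changes that forward or delete mail, which is how a silent attacker keeps a copy of the victim's correspondence.

```python
"""Hunt for silent mailbox compromise in Office 365 audit records (added example)."""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records. Field names follow the Unified Audit Log schema;
# the user, IP addresses, dates and rule target are invented for this example.
SAMPLE_LOG = """\
{"CreationTime": "2019-01-02T08:05:11", "Operation": "UserLoggedIn", "UserId": "partner@example.com", "ClientIP": "203.0.113.10"}
{"CreationTime": "2019-01-03T22:41:07", "Operation": "UserLoggedIn", "UserId": "partner@example.com", "ClientIP": "198.51.100.77"}
{"CreationTime": "2019-01-03T22:45:30", "Operation": "New-InboxRule", "UserId": "partner@example.com", "ClientIP": "198.51.100.77", "Parameters": [{"Name": "ForwardTo", "Value": "mail.collector@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2019-01-20T23:10:02", "Operation": "MailItemsAccessed", "UserId": "partner@example.com", "ClientIP": "198.51.100.77"}
{"CreationTime": "2019-02-14T07:55:40", "Operation": "UserLoggedIn", "UserId": "partner@example.com", "ClientIP": "203.0.113.10"}
{"CreationTime": "2019-03-08T23:02:19", "Operation": "UserLoggedIn", "UserId": "partner@example.com", "ClientIP": "198.51.100.77"}
{"CreationTime": "2019-03-08T23:05:00", "Operation": "MailItemsAccessed", "UserId": "partner@example.com", "ClientIP": "198.51.100.77"}
{"CreationTime": "2019-03-09T09:00:00", "Operation": "UserLoggedIn", "UserId": "colleague@example.com", "ClientIP": "203.0.113.11"}
"""

# Networks the insured's staff are expected to sign in from (assumed for the example).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

# Exchange operations and parameters that make a rule forward, redirect or hide mail.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
SUSPICIOUS_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "ForwardingSmtpAddress"}


def parse_audit_log(text):
    """Parse one JSON record per line, attaching a datetime; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_rule_params(rec):
    """Names of rule parameters in this record that forward, redirect or delete mail."""
    if rec.get("Operation") not in RULE_OPS:
        return []
    return sorted(p["Name"] for p in rec.get("Parameters", [])
                  if p["Name"] in SUSPICIOUS_PARAMS)


def analyse(records):
    """Per user: untrusted source IPs, dwell window in days, mailbox reads, rule changes."""
    report = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if is_trusted(rec["ClientIP"]):
            continue  # only activity from outside the trusted networks is of interest
        entry = report.setdefault(rec["UserId"], {
            "ips": set(), "first": rec["time"], "last": rec["time"],
            "mail_reads": 0, "rule_changes": []})
        entry["ips"].add(rec["ClientIP"])
        entry["last"] = rec["time"]  # records are sorted, so this is the latest seen
        if rec["Operation"] == "MailItemsAccessed":
            entry["mail_reads"] += 1
        params = suspicious_rule_params(rec)
        if params:
            entry["rule_changes"].append((rec["Operation"], params))
    for entry in report.values():
        entry["dwell_days"] = (entry["last"] - entry["first"]).days
    return report


if __name__ == "__main__":
    for user, e in analyse(parse_audit_log(SAMPLE_LOG)).items():
        print(f"{user}: untrusted IPs {sorted(e['ips'])}, dwell {e['dwell_days']} days, "
              f"{e['mail_reads']} mailbox reads, rule changes {e['rule_changes']}")
```

In a real engagement the records come from the tenant's audit log (exported from the Security & Compliance Center or with the Search-UnifiedAuditLog cmdlet) together with the Azure AD sign-in logs; the audit log is retained for a limited period, so the export should be taken as soon as compromise is suspected. Note that the MailItemsAccessed operation is only recorded for mailboxes covered by Microsoft's advanced auditing licence; without it, sign-ins and rule changes are still logged and are usually enough to establish the dwell window.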
Forensics
Carried out a mailbox review, using an e-discovery tool, of the documents potentially containing personally identifiable information. It was ascertained that a total of 801 individuals potentially required notification.
Legal
Assisted in the first instance with notifying the ICO and the SRA of the possible breach. Once the breach was confirmed, they assessed the 801 individuals identified and determined that only 171 data subjects triggered notification requirements under GDPR (160 PII / 11 PHI).
Identity protection
A specialist vendor was appointed to offer monitoring services.
PR
Assisted in notifying data subjects and in finalising the notification communications and PR materials.
The event
The insured organises winter holidays for high-net-worth clients. While arranging a package to hire a chalet for a client, the chalet owner confirmed one week's rental over the phone.
The chalet owner requested full payment for the let, with a supporting invoice. The insured made this payment, but shortly afterwards received an email from the chalet owner saying that incorrect bank details had been provided and giving alternative details.
The insured contacted their bank to cancel the original payment and made a new payment, sending confirmation to the chalet owner, who acknowledged receipt.
Over the following days, while finalising details of the trip, the chalet owner commented that they had not received payment. They chased again by telephone, at which point it became apparent that malicious actors had been intercepting the email traffic between the insured and the chalet owner.
It finally became clear that the chalet owner's email had been hacked; the owner believed they had secured their systems after the attack, but had not. All emails received by the insured appeared to have come (and most likely did come) directly from the chalet owner's genuine email account. Because the messages originated from the legitimate account, sender-authentication checks such as SPF and DKIM would have passed and no mail filter would have flagged them; the only reliable control against this kind of invoice redirection is to verify any change of bank details out of band, by telephone to a number already on file rather than one given in the email.
The response
In this event there was no network security incident on the insured's side, but the policy provided cover for Social Engineering Loss:
1.4 Social Engineering Loss incurred by You following a Social Engineering Fraud, first discovered and notified to Us during the Period of Insurance (Defined as) Social Engineering Fraud means a misrepresentation of fact or an intentional, malicious, wilful or fraudulent act undertaken by a third party that misleads an employee and directly results in Your money, Your securities or Your other assets being transferred, disbursed, paid, delivered, altered, corrupted or lost;
Although this is a cyber policy, with social engineering cover there does not have to be an intrusion into the insured's network for the policy to trigger, and the funds transferred are covered up to the sublimit provided.
| Total paid | Amount |
|---|---|
| Claim | £0 |
| Costs | £100,000 |
| Fees | £25,000 |
| Total | £135,000 |