A Jersey company has avoided a fine after suffering three separate data breaches
The seriousness of the attack on Channel Ship Services has prompted the island's Information Commissioner to issue a public statement for the first time.
The marine recruitment firm's systems were hit by a virus in August 2018, later enabling hackers to access personal data - including travel itineraries, family information and employment details.
The breaches continued to May 2019.
Information Commissioner, Dr Jay Fedorak, says the firm failed to respond appropriately to the ransom attack because the staff 'lacked proper knowledge' of the Data Protection law, and the company's IT provider gave 'unclear advice'.
CSS has since updated its computer systems, trained all staff and cooperated with the investigation.
"The Board of the JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, but did
not require the imposition of a financial penalty. Nevertheless, data processors and controllers should be aware that the JDPA have a range of enforcement options at its disposal and will impose fines when appropriate." - JDPA Board Chair Jacob Kohnstamm
CSS will remain under watch for several months and be subject to a final review by the Authority's information security expert.
The OIC hopes its public response serves as a warning to other local firms and says that in future it will impose fines 'when appropriate'.
"‘All data controllers and processors must provide appropriate security for personal data and respond promptly and appropriately when they suffer a breach." - Jay Fedorak, Information Commissioner.
CSS Ltd says 'a small number of individuals, none of whom reside in Jersey, was compromised' in the extortion attempt, and that no payments were made in response to the blackmail threats.
"All the individuals whose data was compromised were contacted last year and none have suffered any harm as a result of this breach.
Since this incident the company has used the lessons learned to upgrade its IT infrastructure and networks, and would like to extend its thanks to Logicalis (Jersey) for the expertise and support they have provided in ensuring our systems are robust and able to rebut any future attacks of this type.
CSS Ltd would like to remind all companies who hold or process data, whether personal or commercial, that threats of this sort can and do occur, and that they should keep policies, procedures and infrastructure up to date in line with current threats and risks." - Chris Inns, Operations Director