A ransomware attack last year on liquor store company Jacques Scott Group affected the personal data of 150 people, including employees, shareholders and pension account holders, the Office of the Ombudsman stated on Monday.

The Ombudsman pointed out, however, that no financial data or passwords of the individuals affected had been leaked. No customers of the liquor store were impacted.

Ransomware is malicious software that infects computers and locks out users. Infected systems show a message demanding a fee to release the system and allow it to work properly again.

According to the Ombudsman’s statement, the ransomware attack on Jacques Scott led to employees being denied access to the enterprise network and a number of critical systems.

Jacques Scott notified the Office of the Ombudsman and the affected data subjects as required by law.

The liquor store chain’s external IT service provider carried out an initial analysis, and the company then hired Deloitte and SigNus Technologies to investigate the breach and take “mitigating action”, the Office of the Ombudsman stated.

Although critical system logs were not available, the personal data of the 150 individuals affected was not thought to have been leaked.

The Office of the Ombudsman has issued Jacques Scott with an enforcement order after finding that the company breached the Data Protection Law, which requires data controllers “to ensure that adequate technical and organizational measures are taken against unauthorized or unlawful processing”.

A separate violation relates to Jacques Scott’s failure to incorporate certain mandatory provisions required by the Data Protection Law into the agreement with its data processor.

The enforcement notice contains no sanctions for Jacques Scott, but outlines a series of recommendations.

“The Ombudsman recognized that JSG took appropriate steps to mitigate the effects of the ransomware, and adopted the recommendations made by Deloitte, as well as formulating a number of additional recommendations,” the statement from the Ombudsman said.

It pointed out that no customer data is believed to have been accessed and that there appears to have been “no serious or ongoing consequences” for those whose data was compromised in the ransomware attack.

“This situation is a good representation of the serious data protection concerns now facing both private and public sector organizations in Cayman,” Ombudsman Sandy Hermiston said in the press release. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”

The Ombudsman recommended future steps to prevent ransomware attacks, including:

  • Providing training to employees on cybersecurity prevention and response, in line with any information security policies and procedures the company may develop;
  • Enabling logs on all critical network devices to ensure information is kept in the event of future cyberattacks and also ensuring multiple backups of information are maintained with at least one backup kept off-site;
  • Implementing periodic vulnerability assessments to identify IT security weaknesses.

The Ombudsman’s statement added that, as with all enforcement orders made under the Data Protection Law, Jacques Scott has 45 days from the issuing of the order to seek judicial review of the Ombudsman’s decision.

The Compass has reached out to Jacques Scott for comment and is awaiting a response.

See the full enforcement order here.