From:
Sent: Wednesday, July 31, 2024 3:05 PM
To: Legal Team <>
Subject: Cyber Security Attack Against Firm
Hello Legal Team,
As you are aware there was a phishing cyber security attack against the company. During routine system
monitoring and evaluation the IT team found that there was a significant cybersecurity breach that resulted in
leaked sensitive customer data (financial and PII). The investigation showed that employees clicked on an email
that turned out to be fraudulent.
Please find the below details regarding the outcome of the attack:
Financial & Reputational Damage:
Nearly 1500 records were lost
Due to sensitive customer information being leaked, customers may not feel comfortable banking with
the institution.
Potential loss of accounts due to customers leaving to a more secure institution
Training will be required and costly for all employees
Monitoring application required for all 1,400 employees netting in nearly a $630,000 cost
All systems will need to be inspected and brought to industry standards
Affected Customer Communication Strategies:
Emails will go out to each customer along with letters mailed to addresses on file
Phone calls will be made to high priority customers
Online FAQs will be made available
Customer support available for customers to call and ask additional questions
Failures identified in Process/Security:
No current company intrusion detection or intrusion protection
Systems have not been assessed for vulnerabilities in over a year
Software patches are required
Employees have not been continuously trained regarding data sensitivity in over a year
No clear process or procedure outlined to identify and quickly respond and mitigate cyber attacks
Timeline for Corrective Action:
1. Communication (August 2024-December 2024)
a. Transparent communication with stakeholders regarding investigation and remediation
b. Provide ongoing updates
2. Internal Training (August 5-9th)
a. Immediately schedule a week’s worth of training for employees (1hr each day) to reinforce best
practices for securing sensitive data
b. Explain type of attacks and ways to mitigate exploitation
3. Perform a security assessment (August 1- 30th)
a. Implement immediate fixes: security patches to address vulnerabilities (updating software,
enhancing access controls etc.)
b. Enable immediate enhanced monitoring and detection mechanisms
4. Data Protection (August 2024- August 2025)
a. Offer customers credit monitoring services
b. Provide guidance on identity theft protection
c. Assist with financial implications
Sent: Wednesday, July 31, 2024 3:05 PM
To: Legal Team <>
Subject: Cyber Security Attack Against Firm
Hello Legal Team,
As you are aware there was a phishing cyber security attack against the company. During routine system
monitoring and evaluation the IT team found that there was a significant cybersecurity breach that resulted in
leaked sensitive customer data (financial and PII). The investigation showed that employees clicked on an email
that turned out to be fraudulent.
Please find the below details regarding the outcome of the attack:
Financial & Reputational Damage:
Nearly 1500 records were lost
Due to sensitive customer information being leaked, customers may not feel comfortable banking with
the institution.
Potential loss of accounts due to customers leaving to a more secure institution
Training will be required and costly for all employees
Monitoring application required for all 1,400 employees netting in nearly a $630,000 cost
All systems will need to be inspected and brought to industry standards
Affected Customer Communication Strategies:
Emails will go out to each customer along with letters mailed to addresses on file
Phone calls will be made to high priority customers
Online FAQs will be made available
Customer support available for customers to call and ask additional questions
Failures identified in Process/Security:
No current company intrusion detection or intrusion protection
Systems have not been assessed for vulnerabilities in over a year
Software patches are required
Employees have not been continuously trained regarding data sensitivity in over a year
No clear process or procedure outlined to identify and quickly respond and mitigate cyber attacks
Timeline for Corrective Action:
1. Communication (August 2024-December 2024)
a. Transparent communication with stakeholders regarding investigation and remediation
b. Provide ongoing updates
2. Internal Training (August 5-9th)
a. Immediately schedule a week’s worth of training for employees (1hr each day) to reinforce best
practices for securing sensitive data
b. Explain type of attacks and ways to mitigate exploitation
3. Perform a security assessment (August 1- 30th)
a. Implement immediate fixes: security patches to address vulnerabilities (updating software,
enhancing access controls etc.)
b. Enable immediate enhanced monitoring and detection mechanisms
4. Data Protection (August 2024- August 2025)
a. Offer customers credit monitoring services
b. Provide guidance on identity theft protection
c. Assist with financial implications
