Hacking and what to do about it

Mar 25, 2020 | Tony Byrne's View

The EU’s GDPR (General Data Protection Regulation) became enforceable on 25 May 2018. GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

We have obtained the highest level of GDPR compliance certification because we recognise the importance of protecting our clients’ data. The importance was brought home to us before the GDPR implementation date, when two of our clients’ email accounts were hacked. One hacker sent us an email from our client’s own email account requesting a withdrawal of £50,000. Fortunately we already had a robust verification procedure in place. Rather than replying to the email, we contacted the client, who was on holiday abroad at the time, identified her by asking a series of security questions, and established that the withdrawal instruction had not come from her. Somebody had hacked her email account. In other words, the fraudster had taken temporary control of her email account and posed as her, so the fact that the email came from her genuine address was no proof that the instruction was genuine.

We use Gmail. Email between Gmail accounts is encrypted in transit, which means the message is turned into unreadable characters while it travels and turned back into the original wording once it reaches the recipient. That protects against the message being read on the way; it does not protect against someone who has obtained the account password, which is what happened in the case above. Unfortunately a large proportion of our clients do not use Gmail, so we cannot rely on that protection for them. We therefore decided to introduce encrypted email through a service known as Egress. It does mean clients have to create a user name and password and use their Egress email account when we send them sensitive personal data regarding their finances. So far this has worked well, and we have had no further hacking attempts.

I have heard an anecdotal story about a firm of independent financial advisers where a hacker requested a £500K withdrawal from an investment. A young, inexperienced and untrained administrator approved the request and sent the money, and it was paid to the hacker, who was untraceable. Ouch! The firm either had to make a claim under its professional indemnity insurance policy or close down. It is that serious.

I heard of another instance where a property buyer received an email from his solicitor asking for the deposit to be paid into the solicitor’s client account. He transferred £50K straight into a hacker’s bank account. The email looked genuine but it turned out to be a good copy: one character in the sender’s email address had been changed, which is easy to miss. Again the money was never recovered. The lesson is that bank details received by email should always be confirmed by phone, using a number you already have on file rather than one quoted in the email.
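The two cases above, the instruction that came from a genuinely compromised account and the one-character lookalike address, suggest two simple checks that an administrator's mailbox could run automatically: compare the sender against a list of known contacts allowing for a single changed or look-alike character, and treat any message that talks about payments or bank details as needing a phone callback regardless of who appears to have sent it. The following is an added example written for this page, not code from the article or from any product it mentions; the contact addresses, firm names and messages are constructed for illustration, and the keyword list and distance threshold are assumptions to tune for a real mailbox.

```python
"""Flag lookalike sender addresses and payment requests that need a callback.

Added example, not part of the original article. All addresses, names and
messages below are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Characters fraudsters commonly swap for visually similar ones (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "vv": "w", "rn": "m"}

# Words that mark a message as a payment instruction (assumed list, tune locally).
PAYMENT_WORDS = ("deposit", "withdraw", "bank", "account", "transfer", "payment")

# Constructed address book: the senders we are prepared to trust by name.
KNOWN_CONTACTS = {
    "conveyancing@smithandjones-solicitors.co.uk",
    "tony@example-ifa.co.uk",
}


def normalise(address: str) -> str:
    """Lower-case, strip accents and fold look-alike characters for comparison."""
    addr = unicodedata.normalize("NFKD", address.strip().lower())
    addr = "".join(c for c in addr if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS.items():
        addr = addr.replace(fake, real)
    return addr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_CONTACTS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike' (near miss of a known contact) or 'unknown'.

    An exact match is checked on the raw address so that a homoglyph
    substitution (smithandj0nes) is reported as a lookalike, not as known.
    """
    raw = sender.strip().lower()
    folded = normalise(sender)
    verdict = "unknown"
    for contact in known:
        if raw == contact.lower():
            return "known"
        if folded == normalise(contact) or edit_distance(folded, normalise(contact)) <= max_distance:
            verdict = "lookalike"
    return verdict


def needs_callback(subject: str) -> bool:
    """Any payment-related message needs a phone check, even from a known address."""
    text = subject.lower()
    return any(word in text for word in PAYMENT_WORDS)


# Constructed sample mailbox: (From header, Subject).
SAMPLE_MESSAGES = [
    ("Smith & Jones <conveyancing@smithandjones-solicitors.co.uk>", "Completion statement"),
    ("Smith & Jones <conveyancing@smithandjones-solicitor.co.uk>", "URGENT: deposit account changed"),
    ("Smith & Jones <conveyancing@smithandj0nes-solicitors.co.uk>", "Deposit instructions"),
    ("Newsletter <newsletter@unrelated.example>", "Market update"),
]


def triage(messages):
    """Return (address, subject, sender verdict, callback required) per message."""
    results = []
    for display, subject in messages:
        _, addr = parseaddr(display)
        results.append((addr, subject, classify_sender(addr), needs_callback(subject)))
    return results


if __name__ == "__main__":
    for addr, subject, verdict, callback in triage(SAMPLE_MESSAGES):
        flag = "CALL TO VERIFY" if callback else "ok"
        print(f"{verdict:9} {flag:15} {addr}  ({subject})")
```

The sender check catches the dropped letter and the zero-for-o swap, but the callback flag is deliberately independent of it: in the first case described above the fraudster wrote from the client's real address, so a known sender is never a reason to skip the phone call.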

So as you can see, hacking is a very real problem and one that we take very seriously. Because of the increase in hacking attempts we have decided to go one step further and introduce a portal.

So what is a portal? A portal is a kind of electronic filing cabinet for electronic documents. We intend to offer a portal to all of our clients later this year. It will mean that we no longer email documents to clients. Instead we will file them in an electronic folder in their portal and email clients securely to let them know that a document is waiting for them. The notification itself carries no sensitive information; clients will then need to log into their portal to retrieve the document.

We have delayed the introduction of our portal until our preferred supplier offers encrypted email as well as a portal, which we expect to happen later this year. We will then no longer offer Egress email as a service.

So rest assured: we have done everything possible to ensure your personal data is safe with us, and we are determined to make it even safer once we have a portal. Keep your data safe. You know it makes sense.
