"In this case, while the organisation involved advises its customers not to change their passwords, it still might be wise for them to do so while the facts of the case are still unclear. The people affected may also want to keep an eye out for statements or advice from the Information Commissioner and of course, they should be wary of their emails being used for fraudulent purposes, such as phishing attacks. They should also think about monitoring their bank accounts for unusual activity."
What does this mean for businesses?
Stewart said, "Businesses cannot avoid all cyber security risks, but there are many steps that they can take to reduce their vulnerability and to mitigate damage after an incident. Undertaking a security and threat vulnerability assessment is a key first step to understanding risks. Where customer data includes personal identifiers, its use should be minimised and encrypted. A serious compromise of security is not just an operational challenge, but it also damages customer trust and confidence and can lead to very serious legal and regulatory consequences.
"Acting quickly once an incident is detected is vital. Undertaking a proper investigation into what has happened is key, as this will enable the causes to be properly understood and addressed, enabling appropriate containment and then strategies to be deployed. Understandably, access to the vulnerable data needs to be restricted as soon as possible, and notifying the people affected, the regulator and the authorities must be on the agenda from the moment of incident detection."