19/06/2021 Cyber attack on myHRdept on 18th June @ 1.43pm
At 13.43 yesterday we became aware that a hacker, masquerading as one of our HR staff, Emma, had sent phishing emails to many of our clients. By 13.49 we had reset myHRdept central email passwords and that of the compromised account and contacted our IT supplier to investigate the origin of the problem and assess the risk. The hacker was traced back to an IP address in Bosnia and Herzegovina. By 13.59, 16 minutes after the initial hack had become apparent, we had emailed all of our clients warning them to look out for the email, and we did so again shortly afterwards when a new phishing email, purporting to be from myHRdept, was sent to us at 14.03.
Between 2pm and 3pm the myHRdept team phoned each of our clients to warn them about the emails, and for the few we didn’t manage to speak to, a personal email was sent.
As well as identifying the origin of the attack, our IT supplier also confirmed the links contained in the phishing emails appeared to have been disabled on the destination website and did not seem to present a threat (though we don’t suggest you click on them). Because these links had been disabled, it was not possible to determine what the aim of the attack was (i.e. were they trying to get people to download a file containing a virus or were they spoofing a website to trick people into divulging personal information). Thankfully, by the time he had checked, the links had already been disabled.
There is no evidence that any client or client’s employee personal data has been breached; however, we are currently working with Microsoft to ascertain IP address activity on the hacked email address prior to the attack coming to our attention. If earlier suspicious activity is detected, we will extend our investigations and will further update our clients.
Thankfully the hacker’s email was rejected by a large number of our clients’ mail servers and blocked as ‘spam’, but unfortunately not all mail servers have that ability by default, hence many of our clients receiving the original email. I would recommend those who received the email look into strengthening their spam filter systems as this type of email is becoming more common.
Our disaster-recovery plan worked well for us on this occasion, though we are reminded that regular drills are the key to combating attacks of this nature. We are very grateful to our staff for immediately manning the phones to contact our clients, and with their help we managed to contain the attack within an hour, with critical actions taken to stop the hacker in his tracks in a matter of minutes. The ramifications and time wasted on this criminal action continue to mount up, and we are currently in the process of compiling a report for the ICO, in accordance with our GDPR policy.
I apologise again to all of our clients for the inconvenience this matter may have caused, and I would like to thank those who took the trouble to contact us as soon as they saw the problem.
What do you need to do now?
Please report suspicious emails to us as soon as you receive them, and never open a link from us unless you are sure it is genuine (call us on 01628 820515 to verify).
Please check your junk folders and delete any email from us on 17th June, either from Emma’s address or from ‘myHRdept.’
IF YOU SENT AN EMAIL TO EMMA’S EMAIL ADDRESS ON 17TH JUNE AND HAVE NOT HAD A RESPONSE PLEASE CONTACT US IMMEDIATELY.