11/2018 (2) Website phishing

A private sector (educational) data controller reported an incident of phishing, where a staff member had clicked on a suspicious website link and entered their credentials resulting in their email account becoming compromised.

The data controller had not enabled multi factor authentication on its email accounts. Had this technical measure and appropriate cyber security training been in place from the outset this data breach may have been preventable.